Confidentiality

This article is written by Ansari Qamar Zarfishan, pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from Lawsikho.

Introduction

With growing competition in business, it is very essential to maintain trust with your clients. To ensure trust and confidence of the client, one has to protect all the information whether professional or personal with utmost care and diligence. Failure to do so can result in a collapse of the business, termination of contract and even court cases.

Let us first understand what is confidentiality or what constitutes confidential information?

Download Now

“Confidentiality” means ensuring that access to information is given only to authorized individuals, in other words maintaining the security of information or data provided. It is the ethical principle of various professionals eg., medicine, law, journalism, psychiatrist, etc. It means that professionals or persons should not share personal details about someone with others unless that person has given its consent to disclose the same or is absolutely necessary.

What constitutes confidential information?

Confidential information can be of various types:

  • All employee related information such as personal information and things like compensation, access codes, passwords, financial information such as bank account or credit card details, etc. stored by the company.  Disclosure of such information can lead to fraud, discrimination and other violations.
  • Confidential management information including discussions about employee relation issues, termination, workplace investigations of employee misconduct, disciplinary actions, impending layoffs, etc. disclosure of such information can damage the reputation of the company.
  • Confidential information also includes Trade secrets. Trade secrets refer to data of utmost importance, on which the business relies. Trade secrets include chemical formulas for cleaning products, medicines, methods of manufacturing consumer products, technological processes like computer program processes, client list, method of converting raw materials into finished goods, a recipe for food or food products, etc.
  • In recent times, most of the work is done online, there is a higher risk of confidentiality, of storing databases or other sensitive information, or intellectual property; including proprietary software, marketing strategies, exclusive products and processes for manufacturing products, corporate branding, etc.
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011 provides that confidentiality also includes the protection of ‘sensitive personal data’ such as; biometric information; passwords; financial information such as bank account or credit card details; medical records and history; sexual orientation; physical, physiological and mental health.

Principles of confidentiality

There are six principles of confidentiality under namely:

  • Justify the purpose: The purpose for which the confidential information is used should be clearly defined and scrutinized.
  • Unless absolutely necessary do not use the patient’s identifiable information: Patient’s identifiable information should not be disclosed unless it is very essential.
  • Use the minimum necessary patient identifiable information: Wherever a patient’s identifiable information is essential, measures should be taken to include a minimum amount of identifiable information that is necessary to be transferred only for the given purpose.
  • Access to the patient identifiable information should be on a need-to-know basis: Only those who need access for a particular purpose should be given access to the patient identifiable information. 
  • Everyone with access to patient identifiable information should be aware of their responsibilities: Those handling patient identifiable information should be fully aware of their responsibility and obligations to respect the privacy of the patient’s confidentiality.
  • Understand and comply with the law: All the disclosure of patient identifiable information should be lawful and in compliance with the law.

Laws pertaining to confidentiality

Each country has its own laws pertaining to maintaining privacy and taking actions against breach of confidentiality. The following are the provisions under various acts that put forward the laws relating to confidentiality.

Breach of Privacy and Confidentiality under the Information Technology Act, 2000

This act lays down the main principles of data protection and privacy which are as follows:

  • Defining data, computer database, information, electronic form, originator, addressee, etc.
  • If any person gets access or secure access to computer, its system or various network civil or criminal liability will be accrued.
  • Penalty for breach of confidentiality and privacy will be imposed.
  • Hierarchy of regulatory authorities, such as adjudicating officers, the Cyber Regulations Appellate Tribunal etc. shall be set up.

Section 43 A of the Information Technology Act, 2000 states that where a company fails to protect sensitive personal data, or does not use reasonable security procedures to protect such sensitive personal data and such negligence results in a wrongful loss or wrongful gain.

Penalty for breach of confidentiality and privacy: 

Section 66 of the Act, provides for penalty for use of cookies without consent, such person shall be punished with imprisonment of three years, or with fine which may extend to five lakh rupees or with both.

Section 72 of the Information Technology Act, 2000 provides for a criminal penalty of a government official; it states that any person who, in pursuance of any of the powers conferred by the Act or its allied rules and regulations; has secured access to any electronic record, book, register, correspondence, information, document or other material. If such person discloses such electronic record, book, register, correspondence, information, document or other material to any other person, he shall be punished with imprisonment for a term, which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Section 72 A of the Act provides for a criminal penalty where the service provider in the course of performing a contract, discloses personal information without the consent of data provider or in breach of a lawful contract and with intent to cause or likely to cause wrongful loss or wrongful gain. Such service providers shall be punished with imprisonment for a term, which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

Draft National Innovation Act, 2008

The Department of Science and Technology had introduced the Draft National Innovation Act, 2008. The Act aims at codifying and consolidating the law of confidentiality in aid of protecting Confidential Information, trade secrets and innovation. It also provides for remedies to protect and preserve confidentiality and order to prevent threatened or apprehended misappropriation. It also states the terms and conditions in respect of confidentiality, exceptions to misappropriation of confidential information.

What is a breach of confidentiality?

When information is disclosed to a third party without the data owner’s consent it is called a breach of confidentiality. The data owner is entitled to take legal action for the potential losses or damages occurred as a result of such a breach of confidentiality.

Examples of breach of confidentiality

  1. Breach of confidentiality can happen when an employee discloses information that is crucial for its owner’s business or invention or discloses trade secrets to its rival companies, which would cause losses to the company’s business or reputation.

For example; 

Mr A works under company X as associate manager, shifts to company Z where he gets high increments, promotion and perks, disclose company X’s client data, trade secrets and tries to solicit his employees, thus putting the entire business of X at risk of being ruined.

  1. Another example of a breach of confidentiality is when personal private information is leaked or disclosed by a medical practitioner, which results in loss of reputation or mental trauma to the patient.
  2. The most classic example of breach of confidentiality is the Coca-Cola case, in this case, the employee of Coca-Cola leaked the company’s “Coke” trade secrets to PepsiCo. Coke’s executive administrative assistant was found guilty of stealing secrets, including a sample of a new drink being developed from Coca-Cola. The court sentenced the executive administrative assistant for a period of 8 years and other employees for 5 years, along with a fine of $40,000 for restitution.

In CMI Centre for Medical Innovation GMBH and Anr, Vs Phytopharm PLC (1999) FSR 235, the court has laid down the principles as to what the owner must address in breach of confidence:

  • Information or idea relied on by the infringer, in order to obtain an unfair advantage, must be clearly identified;
  • Information or idea must be handed over to the infringer as confidential information;
  • The information or idea must be classified as confidential; and
  • Information or ideas must be used or threatened to be used without authorization.

Remedies for breach of confidentiality

Section 73 of Indian Contract Act, 1872 states that an action of claim to succeed, it is necessary to show that there was information confidential in nature which was shared under an obligation of confidence with the person proceeded against and there was an actual or threatened use or disclosure of the information. If the information is already in public no action shall be made.

There are three remedies available to the plaintiff for a breach of confidentiality namely:

  • Injunction

Under this remedy, the court orders an injunction to either restrain the defendant from doing the act that constitutes breach or misuse of information or compelling the defendant for doing something. Order 39, Rule (2) and (3) of the Criminal Procedure Code provides for interim injunctions.

  • Account of Profit

The defendant will be liable to account for profit or earnings made or has accrued out of the infringement of confidentiality.

  • Damages

The defendant will be liable to pay damages for the breach of confidentiality.

Exemption to the breach of confidentiality

Confidentiality is not absolute, there are exceptional conditions where disclosure of confidential information would not amount to breach. Following are the exemption to breach of confidentiality:

  • Consent- Where the information is disclosed or lawfully obtained with the consent of the authorized person, then such disclosure will not be considered as a breach.
  • Court Order or in Compliance with the Law- Where the confidential information is required to be disclosed or released upon receipt of an order of the court of competent jurisdiction, or in compliance with the ruling of a government or regulatory authority, or by mandatory Law.
  • Continued Treatment- A medical practitioner may release confidential information to other practitioners for further or continued treatment of the patient.
  • Communicate a Threat- Confidential information can be disclosed where there is a threat of violation or destruction which can cause injury or bodily harm to another person.
  • Already in Public- Where the information is already in public or possession of the other person without an obligation to confidentiality prior receipt from the owner of the information, it would not amount to breach.
  • Unaware- Where the information is lawfully obtained by a third person, and that person is not aware of any confidentiality relating to the information.

Case laws on enforcement of breach of confidentiality

Having explained the concept of confidentiality, breach of confidentiality and exception to breach of confidentiality, let us now look into the case laws that explain how a breach of confidentiality can be enforced.

Following are the Top 5 Case Laws explaining enforcement of a breach of confidentiality:

  • Zee Telefilms Ltd. & Anr. vs. Sundial Communications Pvt. Ltd. & Ors 2003 (27) PTC 457 (Bom) (DB)

In this case, the defendant had copied the idea and concept of the plaintiff’s work ‘Krish Kanhaiyya’ and was representing it to be his own idea or work. The plaintiff had, however, claimed injunction under three grounds- breach of confidentiality, infringement of copyright and reverse passing off of the plaintiff’s work.

 However, the court had held that to constitute a breach, it has to be established that unauthorized use of confidential information or an idea led the defendant to obtain an unfair advantage over its competitors or the owner of such confidential information. The court had held that the interlocutory injunction can be issued to restrain a breach of confidentiality. 

It was further held that the plaintiff would be entitled to have an injunction and not merely compensation, where the confidential information was used against the plaintiff in competition with the defendant. 

This judgement was followed by the court in other cases also such as Urmi Juvekar Chiang vs. Global Broadcast News Ltd. & Anr 2007, Daniel Corus BV vs Steel Authority of India 2017, Diljeet Titus vs. Alfred A. Adebare & Ors. 2006 (32) PTC 609 (Del).

  • Daniel Corus BV vs. Steel Authority of India 2017

In this case, the petitioner, respondent and Tata Project Limited had entered into a contract for setting up blast furnace no. 5 at Rourkela Steel Plant of the respondent.

 The petitioner claims that the respondent had disclosed the confidential information such as commercial drawings to the third party, due to which the tender had been granted to the third party. 

The court held the respondent liable for breach and had passed an ad-interim relief restraining the respondent or its agents from disclosing the confidential information to the third party.

  • Diljeet Titus vs. Alfred A. Adebare & Ors. 2006 (32) PTC 609 (Del)

This is the case of infringement of copyright and breach of confidentiality.

Instituted against the ex-employees of the plaintiff. 

The plaintiff claimed that the defendant had acquired the client-related information or data and template of the firm. 

The court had held the defendant liable for breach of confidentiality and had further stated that the act of the defendant would lead to a competitive disadvantage to the plaintiff and it would be difficult to undo such harm. Therefore, the plaintiff was successful in obtaining injunctive relief against the defendant.

  • R. Rajagopal vs. State of T.N 36 (Autoshankar Case)

In this case, the Supreme Court had, for the first time, discussed freedom of the press in the context of the right to privacy.

The petitioner wanted to publish the autobiography of the Autoshankar, the petitioner had filed a writ petition restraining the respondent from interfering with its publication in their timely magazine Nakkheeran.

The court had held that a citizen has a right to privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. 

No information can be published about the said matters without the permission or consent of the person. If a person does so, he would be violating the right of privacy of that person and will be liable for an action for damages.

  • Arjesh Kumar Madhok vs. Centre for Fingerprinting & Diagnostics (CDFD), Ministry of Science and Technology, Hyderabad. Appeal No. CIC/WB/A/2007/00008 2007 J

Under this case, the Central Information Commission (CIC) specifically upheld that under RTI Act information regarding the purpose and results of medical testing was exempted from disclosure because it would cause unwarranted invasion of the privacy of the individual, as it was determined as personal information by Public Information Officer, the disclosure of which had no relationship to any public activity or interest. 

It was further held by the CIC that information made available during the fiduciary relationship of doctor-patient shall also be exempted from public disclosure. In this case, the party seeking the test result was the patient’s parent. Therefore, the judgement of CIC provides little guidance in deciding what would constitute a relevant and overriding public interest.

Conclusion

Confidentiality means protection of information whether public or private disclosure of which could lead to loss of business, termination of contract or loss of reputation. The Indian constitution does not guarantee the right to privacy; however, it has been derived from Article 19 (1) (a), Article 19 (1) (g), Article 21,. Where the information is disclosed without the consent of the party, by the person who is in possession of confidential information it leads to breach of confidentiality. The other party can claim injunction, account of profit or damages from the breaching party. There are certain exceptions to breach of confidentiality namely; where the information is already in public, information disclosed with the consent of the owner of confidential information, where the information is required by the order of the court, etc.

References


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

LEAVE A REPLY

Please enter your comment!
Please enter your name here