When judge Prue Leith accidentally tweeted the name of the winner before the Great British Bake Off final had aired, it was a high-profile example of how easily confidential information can be leaked. But when a secret slips out what can employers do about it? James Farad, Assistant Solicitor in the employment team at Blacks Solicitors LLP takes a look at the issue…
The recent incident involving Prue Leith, Twitter and the GBBO is an example – albeit an unusual one – of the all too common problem of confidential information being leaked, in this instance via social media. In May 2017 an Australian company had swathes of its confidential information leaked through four separate Twitter accounts; the culprit has yet to be identified. A data breach is likely to cause commercial damage and, if it involves personal data, may leave the employer facing a criminal sanction.
A key feature of the Prue saga is that her blunder was an accident; it was a careless or negligent act. Motive is important. The question whether an employee knowingly leaked confidential information, or did so purely by accident, is of critical importance to an employer when deciding what action to take.
Data breach
An employer should first take stock of the situation and see whether there has actually been a ‘data breach’. A data breach is an event in which data (complex, protected or confidential) has been viewed, taken or used by an individual without proper authority.
If there has been a breach, the next step is to look at the data handling policies and procedures the employer has in place and which the employee may have contravened. These may be contained in a staff handbook or in the employee’s contract of employment. It is then up to the employer to question the employee and to decide if the evidence points to action which was spiteful in nature or merely negligent.
Investigation
A thorough – and fair – investigation is vital. All too often employers exhibit a knee jerk reaction and suspend the employee (on full pay) whilst an investigation is carried out. Proceed with caution! Case law suggests that suspension may not always be seen as a neutral act. The courts have recently affirmed that, particularly in a professional environment, for example, suspension could be a breach of the implied term of mutual trust and confidence. That said, suspension may be necessary if the evidence suggests the employee acted maliciously, or if the employer fears that the employee may tamper with evidence or seek to intimidate or influence witnesses.
Policies and updates
Every employer should have a confidentiality policy, a social media policy, and a disciplinary procedure. These three vital documents will help to identify if the employee has breached a contractual obligation, and how the employer should deal with the employee.
Ultimately, the severity of any sanction depends on the seriousness and circumstances of the breach. Employees must be made aware that a substantial data breach could amount to gross misconduct – leading to immediate dismissal. However, if the employee acted innocently a formal written warning may be a more appropriate sanction.
Putting the correct policies and procedures in place is only a first step. If no-one understands or reads them they are next to pointless. Awareness of the policies and training in their implementation and operation are imperative. Regular workshops, meetings, or email updates to staff will help to ensure they are aware of data obligations, the risk of breach and how to handle confidential information in a secure fashion. This will increase employee awareness of the potential impact of their actions, but more importantly ensure employees adopt practices which minimise the risk of inadvertent data loss.
Of course an employer could keep all confidential information under lock and key. But with data usually needing to be readily accessible to legitimate users this is hardly a practicable approach.
Will Prue Leith be sacked from the GBBO? We hope not. Apparently the leak was caused by confusion over the time difference between the UK and Bhutan. We can only hope that she’s a little more careful in determining cooking times in her recipes!
