
HR Guide: How to Manage Confidentiality in the Workplace

by Mohamad Danial bin Ab. Khalil
Aug 06, 2020 at 6:30 PM

Every organisation has information it must keep confidential for the sake of the company and its employees. HR is usually in charge of this sensitive information and of making sure it stays confidential. But it is not easy to keep everything safe, and a breach of confidentiality can have consequences for employees or even for the organisation itself.

That is why handling the confidentiality of sensitive information is so important. Human Resources departments must put procedures in place to safeguard this information. These elements should be present in those procedures:

  • Non-disclosure agreements (NDAs) for employees, contractors, and vendors, to protect the organisation's information.
  • Confidentiality training for all HR staff throughout the year.
  • Secure, password-protected databases for digital files.
  • A detailed orientation process for new HR employees on confidentiality procedures.
  • A thorough process for taking action should any breach of private information happen, including notifying the affected employees.
  • Locked cabinets to store paper copies of documents holding any sensitive information. The HR manager should carry the cabinets' keys at all times.

Confidentiality is a matter of concern for every industry. Every company has information it does not want competitors or outsiders to know, such as financial details or creative content.


The Non-Disclosure Agreement

An NDA is a good way to ensure the organisation is protected from any party that becomes privy to this information as part of their work with the organisation, whether as a full-time employee or a temporary contractor.

An NDA acts as a legally binding contract between the signing parties not to disclose the information outlined within it. This confidentiality agreement protects the organisation, since the signing parties would be subject to legal action if any of them violates the accord.

An NDA should:

  • identify the parties involved,
  • define the information that is confidential as narrowly or as broadly as necessary, and
  • define the time period during which the confidentiality applies.

In some cases, an organisation can choose to extend the confidentiality period for months or years after an employee exits the company, to prevent them from sharing private information with competitors.

HR is responsible for making sure that all employees fully understand the confidentiality policy. Signing the NDA is the starting point, and even though many companies do not go beyond that, it may be worthwhile to do so.

Confidential documents should not be left lying around on an employee's desk.

Employees and confidentiality

In the modern age of social media, it's very easy for employees to make a mistake and share a private piece of information about the organisation without even meaning to.

Training and reminders can help employees understand the complicated nature of confidentiality: not only how to avoid accidentally sharing the company's sensitive information, but also how the HR department handles their own private information. The more informed employees are, the more they will come to understand the necessity of confidentiality and respect it.


Confidentiality breach

Be aware that a breach of confidentiality can still happen even after you have taken all the precautions. If an employee's personal information or company-related information has been compromised, the first thing to do is to inform the employee and their supervisor. Depending on the type of breach, it is recommended to change the affected security measures, such as passwords and locks.

If the confidentiality breach affects company information, whether through a current employee or a contractor, several steps need to be taken. In the case of an employee, the breach may be cause for termination. With a contractor, the contract may be voided. In both cases, legal action may be taken against the violating party, especially if they have signed the NDA.


Personal Data Protection Act 2010

The Personal Data Protection Act 2010 ("PDPA") came into force on 15 November 2013 and imposes particular obligations on 'data users' in dealing with all personal data processed by them.

The PDPA applies to employee data. The Personal Data Protection Department ("PDP Department") published a paper named "Guide on The Management of Employee Data" ("Employment Guideline"). The Employment Guideline has removed any doubt as it says that:

"It is clear that employer-employee relationship is commercial and contractual in nature as it arises from a contract of services in exchange for remuneration and the PDPA applies to such a relationship"

The PDPA also applies to personal data collected at the recruitment stage. Prospective employers must remember that they are expected to strike a balance between their need for information and an applicant's right to respect for their private life. The spirit of the PDPA also requires openness about the data collected and the purposes for which it is collected.

Companies should also make sure confidential online data is encrypted and stored in a safe place.

How to comply with the PDPA

These are some good practices on dealing with employee personal data:

  1. Carry out scheduled audits of all personal data in the company's possession to determine which data is essential and which non-essential data needs to be destroyed;
  2. Assign a mode of contact and contact person whom employees can reach to access or correct their personal data and notify all employees of the same;
  3. Set operating procedures to deal with inquiries, complaints, and access and correction requests;
  4. Establish retention duration for personal data and erase personal data after expiry of the same;
  5. Abstain from collecting data unnecessarily from employees; and
  6. Implement awareness and training for all employees in the company, particularly those responsible for handling personal data.

Special care must be used when handling sensitive personal data. Sensitive personal data refers to:

  • personal data in respect of the physical or mental health or condition of a data subject,
  • their political opinions,
  • their religious beliefs or other beliefs of a similar nature,
  • or the commission or alleged commission by them of any offence (section 4).

The organisation may process sensitive personal data only if required and must receive explicit consent before processing the data. It must be noted that in this context, "processing" of personal data includes the collecting, using, storing or disclosing of such data.

Any consent given by the employee must be capable of being recorded and must be maintained properly by the employer. If consent is solicited on a form that also serves other purposes, the request for consent to use personal data must be presented prominently.


The function of HR in keeping sensitive information for both the organisation and its employees is of the utmost importance. The HR department should take every measure to make sure that no such breach happens. If the breach occurs, HR should handle the matter quickly and professionally, no matter the circumstances.


Sources: eSkill & Skrine (Mondaq)
