Protecting confidential information – what steps can a company take when information is disclosed to the wrong person?
05 August 2019
The High Court has entered judgment in default in favour of the Advertising Standards Authority (ASA) in a claim brought to protect its confidential information and privileged material accidentally emailed by an employee to the wrong person. The Court had previously granted the ASA an interim injunction to prevent disclosure of the information by the recipient, pending a hearing of the claim. This case highlights steps employers can take to protect confidential information in these circumstances.
How did the ASA, a body more used to making rulings, find itself applying to the court for one in this case? It all started with a bad day at work for one ASA investigating officer. He had been investigating a complaint about a particular billboard advert, apparently funded by a Mr Mitchell.
One Friday, the investigating officer sent an email attaching the complaint, a photo of the billboard, correspondence with Mr Mitchell, draft recommendations, an email of advice from an external solicitor and an earlier counsel’s opinion. The email and attachments were meant to go to the solicitor for further legal advice, but were sent by mistake to the subject of the complaint - Mr Mitchell. The officer quickly realised the mistake and sent a message recall.
Application for an interim injunction: the ASA’s case
By various means (email, letter, voicemail, text message), the ASA and its solicitors asked Mr Mitchell to delete the email and its attachments and not disclose the confidential and privileged information, but he declined by email. He also posted tweets criticising the conduct of the ASA and its lawyers.
The ASA then issued an urgent court application (on informal notice to Mr Mitchell) seeking an interim injunction and order:
- to prohibit Mr Mitchell from using, publishing, communicating or disclosing all or any part of the email and attachments other than the photograph; and
- for disclosure of what Mr Mitchell had done with the email, attachments, and the information they contained.
The ASA argued that the information was confidential (part of it protected by legal professional privilege), mistakenly disclosed to Mr Mitchell and he had no right to use or retain it – save for certain limited purposes to do with the ASA complaint.
Interim injunction granted
The Court heard the application the following day. Mr Mitchell did not attend the hearing and was not represented.
Having dealt with a number of procedural issues, the Court took account of its earlier decision in Linklaters v Mellish concerning the granting of injunctions against absent third parties (which we have previously commented on), and went on to consider the substantive issues.
Risk of disclosure
The Court was satisfied that there was a real risk that, unless restrained, Mr Mitchell would carry out the acts which the injunction would prohibit (i.e. publish, disclose or use at least some of the materials or information in question). For example, there was evidence that Mr Mitchell had previously emailed the ASA making clear that he refused to consider himself bound by its confidentiality provisions and a “refrain in his correspondence” was that the public interest justified some disclosure.
Merits of the claims in confidence
Further, on the evidence, the Court concluded that the ASA would be likely to satisfy a trial court that apart from the photograph (in which no confidentiality was alleged) the information in the email and its attachments were confidential in nature, the information had come to Mr Mitchell’s attention under circumstances importing a duty of confidence and his publication or use of it would represent a breach of confidence.
The Court also decided that where disclosure of legally privileged documents is the result of an obvious mistake, the courts should ordinarily intervene. The mistake in this case was clear on the face of the email (addressed to “Dear Rupert” and referring to Mr Mitchell in the third person). There was no reason to depart from the default rule that privileged material may not be used or disclosed by the accidental recipient.
The Court concluded that it was not in the public interest for the duty of confidentiality imposed on Mr Mitchell to be breached. On the contrary, there was an obvious public interest in upholding: (a) the anonymity of the complainant (to encourage candour from other complainants); and (b) the confidentiality of the ASA processes (in the interests of efficient administration).
Ultimately, the Court granted the ASA the interim injunction and orders it was seeking.
The Court has now granted a final order in the ASA’s favour. The judgment in default was granted because Mr Mitchell failed to file a formal acknowledgment of service of the ASA’s claim within the required deadline.
Implications for employers
Typically, employers apply for injunctions to protect confidential information where an employee has deliberately stolen the information, either because of some kind of grudge or to use it to compete with the business. This case is a helpful illustration of the protection afforded to employers in different circumstances – where no wrongdoing is involved and an employee simply divulges company confidential information by mistake.
Here are some key practical points for employers arising from the case:
- Mark any confidential information as “confidential”. The courts will be much more likely to find that documents are confidential in nature, imposing a duty of confidence on the recipient, if the documents expressly assert their confidentiality (like much of the ASA documentation did).
- Check your company’s standard email footer. Check that your company adds automated wording to emails which: (a) makes clear that the email and any attachments are for the addressee only and may contain confidential and/or privileged information; and (b) asks anyone who is not the addressee to delete the email, notify the sender and not copy, distribute or disclose the content. The judge commented in this case (when extending the interim injunction) that such wording “strengthens the case for the imposition of a duty of confidentiality on the recipient.”
- Consider all your options… The ASA made various attempts – both before applying to court and after the interim injunction was granted – to get Mr Mitchell to give undertakings that he would delete and not disclose the email and attachments. With another individual, those efforts outside the court process might have worked, saving time and cost;
- …but don’t delay. Delay may defeat an injunction application. Here, the email was mistakenly sent around midday on the Friday, the ASA issued its application the next Wednesday, which was heard in court on Thursday morning and a draft judgment circulated that afternoon. Had the confidential information been made public before the ASA got to court, the injunction may not have been granted.
- Don’t forget about data protection. Where an employee knowingly or recklessly obtains or discloses personal data without the consent of the data controller, an employer may have a duty to protect that information by taking steps to prevent its misuse. It may also have a duty to report the loss of that data (the ASA self-reported to the ICO in this case).