United Arab Emirates: Confidentiality and your business in the Middle East

Every business holds information it regards as commercially sensitive and confidential. Employees will require access to this information in the course of their employment. The issue for employers is how to permit access to information whilst protecting the business.

Putting in place a suitable infrastructure for the management of information is increasingly known by a term coined in the US as "Information Governance." This describes the rules, policies, and procedures which govern the integrity, security and use of information within an organization, taking into account legal obligations such as data protection and privacy, data governance, information security and records management. Additional protection is required where the employer operates in a sector which entails the holding of third party information; such as financial services, health and education, retail and leisure.

The starting point for an employer looking to protect its business in the United Arab Emirates is the UAE Civil Code, article 905 of which states that ' the employee must keep the industrial or trade secrets of the employer, including after the termination of the contract, as required by the agreement or by custom, and Law No 8 of 1980 on the Regulation of Labour Relations (UAE Labour Law), article 120 of which provides that an employee may be terminated without notice or the payment of end of service gratuity where he reveals the secrets of his employer. Article 379 of the UAE Penal Code also provides that it is a criminal offence for an individual to use a third party's information without consent for his own or another's advantage where that information was gained as a result of the individual exercising his profession, craft or art.

The provisions of article 120 in the UAE Labour Law are replicated in article 80 of the Saudi Arabian Labour Law; Royal Decree M/51, 27 September 2005 and Article 61 of the Qatari Labour Law, Law no 14 of 2004. Both the Saudi Arabian and Qatari penal codes also criminalise the disclosure of confidential information without consent.

In addition to relying on the protection of the legal provisions listed above, employers in the region are advised to put in place a system whereby confidential or commercially sensitive information is clearly identifiable; whereby employees are aware of their obligations; and whereby the organization has identified ways to manage the risk that confidential information might be leaked or stolen by an employee.

Simply defining information as confidential will not make it confidential. The nature, purpose, and origin of the information must be examined together with the potential damage its disclosure could do to the business must be assessed. Secret recipes or formulae, manufacturing processes, designs or special methods of construction, lists of key business contacts and customers, specialized IT computer systems and data, trade contacts, names of customers and goods they buy, accounting information, projections and business leads are all examples of confidential information, but by no means constitute an exhaustive list.

Access to confidential information will depend on the role of any employee and, for those who require daily access (for example research assistants or sales managers) it would be impractical to keep information under lock and key. Practical precautions include (i) password protection of certain documents or databases; (ii) limiting employees' ability to access remotely the employer's computer system; (iii) marking or stamping certain documents as confidential; and (iv) circulating documents in sealed envelopes marked confidential.

Where the protection of confidential information is involved, any relevant employment contract should impose the following obligations on an employee: (i) to act honestly towards the employer and to use his skill and knowledge in the best interests of the employer; (ii) to disclose to the employer all information relevant to the employer's business; (iii) not to make secret profits from the business; (iv) to respect the confidentiality of the employer's commercial and business information; and (v) not to compete with the business. These last two obligations should apply both during the employment and, for an appropriate period of time and geographical area in the case of non-competition restrictions, after it ceases.

When an employee is to leave his employment his interests will clearly no longer be aligned with his employer. In order to limit potential damage, employees should be monitored for: (i) unusual absences or timings in the office; (ii) carrying out an unusual amount of photocopying; (iii) working on projects or maintaining regular contact with clients without the line manager's knowledge; (iv) emailing documents to personal email accounts; (v) using a memory card at work; and (vi) taking documents without authorization.

Termination of employment for misuse of confidential information will require the employee to have received proper notification on what constituted confidential information and what was his permitted use of such information. It is important to distinguish between confidential information and information which is part of the skill and knowledge of the employee. An employer may be able to claim damages from an employee who misuses its confidential information.

Where third party information is involved, such as consumer or customer details (complicated further where the organization outsources customer relationship management services) an effective Information Governance system will involve identifying: (i) what kind of information is kept by the business; (ii) where the data enters the organisation, where it is held and how it is used; (iii) how long it is being held; and (iv) the potential risks of disclosure or misuse.

Article 282 of the UAE Civil Code provides that an individual or entity will be responsible for any act by him causing harm to others and that such an act shall be compensated. Such are the broad terms of this article that it could well extend to the negligent or careless disclosure of a third party's confidential information.

Both the Qatar Financial Centre and the Dubai International Financial Centre have data protection legislation modeled on the European Union's Data Protection Directive; the Data Protection Regulations 2005 and the Data Protection Law No 1 of 2007, respectively. These set out rules under which personal data may be collected and held, with the owner or the subject of this data having a right of access and a right to ensure details are accurate or corrected if wrong. This legislation also sets restrictions on the lawful transfer of data by the organization holding the data. Special restrictions apply to sensitive personal data, for example, relating to an individual's health.

A UK governmental review committee recently recommended that 'as a matter of best practice, companies should review at least annually their systems of internal controls over using and sharing personal information and they should report to shareholders that they have done so.' With the growing importance of corporate governance, it is likely that compulsory reporting of any breaches (already applicable in the USA) involving, for example, a duty to inform customers of the loss of their sensitive data, may be introduced in various jurisdictions.

As a matter of good corporate governance, multi-national organizations operating across jurisdictions would be wise to put in place measures: (i) assigning responsibility at senior level for dealing with data security and providing a remit to liaise with other parts of the business including HR, finance, senior management, compliance and audit, and IT; (ii) establishing a specific committee to assess monitor and control data security risk; (iii) putting in place written policies which are accessible and easily understandable by all; and (iv) providing training, regular updates and notifications to employees on their obligations and permitted use of confidential and commercially sensitive information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.