S 3.55 Non-disclosure agreements (NDAs)
Initiation responsibility: Head of Personnel, Data Protection Officer, IT Security Officer
Implementation responsibility: Supervisor, Personnel Department
External employees are often given access to confidential information in order to do their work or to produce results that must themselves be handled confidentially. In such cases, they must be obliged to handle this information accordingly. For this purpose, the external employees should sign non-disclosure agreements.
The following should be described in a non-disclosure agreement:
- which information needs to be handled confidentially,
- what period the non-disclosure agreement is valid for,
- what action needs to be taken when the agreement is terminated (for example, that data media must be destroyed or returned),
- who has the rights of ownership to the information,
- which rules and regulations apply to the use and disclosure of confidential information to additional partners, if this is necessary,
- what the consequences of violating the terms of the agreement are.
The non-disclosure agreement can also point out the relevant security policies and additional guidelines of the organisation. If the external employees are provided with access to the internal IT infrastructure of the organisation, then they should also sign the IT security policies for the use of the particular IT systems in addition to signing the non-disclosure agreement.
A non-disclosure agreement provides the legal foundation for the obligation of external employees to handle information confidentially. For this reason, it must take into account all laws and regulations that apply to the organisation in its particular area of application, it should be formulated clearly, and it must be kept up to date.
It may make sense to use different non-disclosure agreements depending on the purpose. In this case, the organisation must clearly define which agreements are necessary in which cases.
Review questions:
- Are non-disclosure agreements concluded with external employees before they are granted access to confidential information?
- Do the non-disclosure agreements used take into account all important aspects relating to the protection of the organisation's internal information?