Confidential Information Guidelines

Introduction

From time to time, university employees may come to have access to confidential or proprietary information (hereinafter referred to as “CI”). Especially in a University setting, where information is normally distributed freely, it is critical that NC State employees renew their appreciation for reasonable standards of care with respect to the confidential and proprietary information of NC State University as well as that of third parties.

Acceptance of CI on behalf of the University substantially supplements your obligations as an employee. Acceptance of CI on behalf of the University or as an individual adds significant personal responsibility and liability that you should avoid if at all possible. You are strongly encouraged to AVOID RECEIPT OF CI except when absolutely necessary for performance of your duties as an employee of the University. The basis for the preceding caution is the fact that the University environment is not naturally conducive to maintenance of confidentiality and to add such obligation in such an environment requires substantial care and concern by the steward of such information.

Be aware that:

  • If a third party, such as a research sponsor, prospective center member, or similar person or entity intends to share confidential or proprietary information with you, contact the Office of Technology Transfer to codify the expectations and obligations in a properly executed confidential information or non-disclosure agreement.
  • There are many forms of contracts that cover confidential information, including but not limited to…
    • Non-disclosure Agreement (NDA)
    • Confidentiality Agreement (CA)
    • Proprietary Information Agreement (PIA)
    • Sponsored Project Agreement (SPA)
  • Agreements should detail how confidential or proprietary information will be shared and how the recipient will know they are in receipt of such information.
  • Agreements should define and limit the institution’s obligations with respect to confidentiality to a reasonable standard of care that the institution would afford to its own confidential or proprietary information.

Standards and Action for Consideration

If you are to come to have confidential information, you are personally responsible for it’s proper, safe and secure maintenance. As such, you may want to consider implementing some reasonable standards for protection and preservation of confidential or proprietary information. Below are some standards, that when coupled with your own controls and oversight and sound ethical behavior will help you avoid unintentional breach of confidentiality:

  1. Establish and implement a protocol that covers access to CI information
    1. Ensure that CI is maintained in a locked filing cabinet and/or under strict password protection if it is electronic media.
    2. Define where CI will be stored and avoid moving CI from location to location.
    3. Identify who has key or card key access to the physical space.
    4. Establish need to know.
    5. Maintain a log of access.
    6. Define the disposition of CI – pursuant to your contract if one exists – once it is no longer necessary for you to maintain in your possession.
    7. Ensure you afford the provider of CI with an opportunity to review materials you have created that may be based in whole or in part upon their CI so that they have an opportunity to request modification of your materials to remove their CI.
  2. Evaluate your CI protocol periodically and update as necessary
  3. If you suspect CI has been compromised, immediately report the matter to the Office of Technology Transfer or the Sponsored Programs and Regulatory Compliance Services for mitigation and response.
  4. Perpetually avoid receiving CI and constantly remind your sponsors or third-party collaborators of the limitations of control you have on CI that is shared with you.
  5. Do not make unapproved arrangements on CI related to otherwise formalized arrangements (such as a sponsored agreement) because such “side-deals” can deteriorate the fundamental research exemption from export controls surrounding your work.
  6. Contact the Office of Technology Transfer or Sponsored Programs and Regulatory Compliance Services if you have any questions about your obligations under confidentiality provisions of any contracts.

Reference Material