Protecting Your Confidential Information – Lessons from Data Protection and Employment Perspectives

Introduction

The protection of confidential information continues to be a thorny issue for employers. Employees have to be provided access to corporate documents in the course of their work, which frequently include valuable and proprietary information such as client data, trade secrets, sales, marketing, operational, financial or personal data. In the modern context where such information is generally digitally stored, the risk of employees wrongfully downloading, exfiltrating and/or misusing such information is high—particularly since such unauthorised acts can involve large amounts of data accessed and transferred in seconds.

How then should employers protect their confidential information? This is necessarily a multi-pronged endeavour. From the employment law perspective, there should be sufficient contractual protection over the definition, access, retention and use of confidential information in the employment agreement. From the data protection perspective, there should be robust data management policies and practices in place to restrict access to, and monitor the usage of, sensitive data

The above issues and practical concerns were brought to the forefront in the Singapore High Court case of Hayate Partners Pte Ltd v Rajan Sunil Kumar [2025] SGHC 41. The claimant in the matter was a financial institution, and the defendant was its employee who had accessed and downloaded a large number of its files and had retained them after the termination of his employment. The claimant successfully claimed against the defendant for breaches of both his contractual and equitable confidentiality obligations.

The Court’s decision clarified the interplay between contract and equity, including whether a court can impose additional or more extensive obligations of confidentiality in equity beyond those provided in the employment agreement. The facts of the case also demonstrate the practical issues involved in relation to cloud storage and information technology (“IT“) security policies.

This Update provides a summary of the Court’s decision and highlights the key takeaways for businesses looking to protect their corporate documents and confidential information. 

Brief Facts

The claimant had employed the defendant as Head of Investor Relations pursuant to an Employment Agreement, which required him to reach out to and engage with prospective investors. The Employment Agreement included Clause 6, which required the defendant to deliver all documents and information to the claimant upon termination of his appointment, and prohibited the use and revelation of the claimant’s confidential information.

The claimant had implemented a set of guidelines governing IT security (“IT Security Guidelines“), which prohibited employees from forwarding and downloading the claimant’s information to their personal accounts and devices. It also limited access to the claimant’s information to office-issued personal computers and pre-registered personal mobile devices. Notwithstanding these restrictions, the defendant used his personal devices to access and download documents from the claimant’s Google Drive and denied having ever been made aware of the IT Security Guidelines. He claimed that the claimant was aware of and did not object to the use of his personal devices for accessing corporate documents. 

After the defendant tendered his resignation, the claimant conducted an audit of his activities and found that the defendant had accessed and downloaded a large number of its files from its Google Drive (allegedly into his personal computer) and had retained them after the termination of his employment. The documents included investment strategies, business development and client-related material (including clients’ personal data), material relating to business operations, and legal advice. The claimant thus brought claims against the defendant for breaches of his contractual confidentiality obligations and the equitable duty of confidence.

Holding of the High Court

The Court held mostly in favour of the claimant, finding that: (i) the defendant had breached his contractual obligations of confidentiality by retaining confidential documents after the termination of his employment in breach of Clause 6; and (ii) the defendant had also breached his equitable obligations of confidence by accessing and downloading the files and retaining them beyond the termination of his employment.

In reaching its decision, the Court set out the following principles on the interplay between contractual and equitable duties of confidence:

1. Even if there is already an express duty of confidentiality in the contract between the parties, equity can intervene to impose a duty of confidence.

2. To determine whether additional or more extensive obligations of confidentiality in equity should be imposed, the court will apply a two-step inquiry.

• • If the contract specifies the information to be treated as confidential and/or the extent and/or duration of the obligations in respect of the information, the starting pointis that equity will not ordinarily impose additional obligations. 

• • However, the starting point may still be departed from if a reasonable person’s conscience would be offended if additional or more extensive obligations were not so imposed.

Applying these principles, the Court was of the view that Clause 6 of the Employment Agreement did not expressly prevent the accessing and downloading of information for non-work-related purposes. Nonetheless, the Court found that such obligations were imposed in equity as it would plainly offend a reasonable man’s conscience if these obligations were not imposed by equity on the defendant.

On the facts, the Court found that the defendant had breached his equitable obligations of confidence.

1. The information which the defendant had accessed and downloaded possessed the necessary quality of confidence and had been communicated in circumstances importing an obligation of confidence.

2. The defendant had failed to show that his conscience was not affected when he accessed and downloaded the confidential information. In particular, the Court gave short shrift to the defendant’s claim that he had downloaded the entirety of the information in the claimant’s Google Drive just to find his own payslips.

For further details on the legal basis of the Court’s decision, please see our May 2025 Legal Update titled “Confidential Documents in the Employment Context – Court Sets Out Relationship between Contractual and Equitable Confidentiality Obligations”.

Implications on Data Protection

This case demonstrates the risks that many employers face when making confidential data accessible to employees. In particular, the defendant was able to access and download large quantities of sensitive data due to, among others, the following circumstances:

1. The defendant was given access to the claimant’s Google Drive, which was not restricted to documents specifically pertaining to the defendant;

2. The defendant was able to download data from the claimant’s Google Drive freely onto his personal devices, with apparently no restrictions requiring downloads onto official office-issued devices; and

3. There were doubts as to whether the claimant’s IT Security Guidelines were sufficiently brought to the defendant’s attention and whether they had been incorporated into the Employment Agreement.

The stark reality facing employers today is that once confidential information has been taken, the proverbial horse has bolted. The remedial process of mitigating loss, attempting to prevent the unauthorised onward transmission or usage of the confidential information and/or seeking damages by initiating legal proceedings and seeking the return/destruction of the documents or an injunction over their use can be tedious and costly. Therefore, as a starting point, employers should ensure that they have sufficiently robust IT policies and processes in place to prevent unauthorised access or downloading of confidential information. This may include the following measures:

1. Restricting access to confidential information based on necessity for each employee’s work scope;

2. Implementing protocols preventing the transfer of documents onto personal devices;

3. Monitoring of access to and downloading of data, with live alerts for unauthorised transfers;

4. Setting out a comprehensive IT security policy, and ensuring such policy is incorporated into the employment agreement; and

5. Conducting regular training for employees on the importance of IT security and data protection, not just to build awareness and education, but also as a defensive measure to preclude employees from later asserting that they were not informed about such policies and that they acted unknowingly.

The above measures are also important from a regulatory standpoint. The information taken by the defendant in this case included clients’ personal data. Organisations should be aware that they are subject to strict obligations under the Personal Data Protection Act 2012 to have reasonable security arrangements to protect the personal data in their possession to prevent unauthorised access, use, and disclosure. Lapses in the implementation of such measures may expose the organisation to regulatory repercussions.

Implications on Employment Agreements

In this case, the Court applied equitable principles to impose a duty not to access and download confidential information for non-work-related purposes to hold the defendant employee liable. However, employers should not leave it to the court to step in to fill in the gaps of an employment agreement. The clear and comprehensive definition of confidentiality obligations would go a long way to providing greater certainty and protection over the relevant data.

As such, employers should always seek to comprehensively articulate and set out the employee’s contractual duties of confidence to prevent any future disputes. This should include the following:

1. What is considered confidential information or a trade secret;

2. The parameters as to what an employee can or cannot do with such information;

3. The restrictions placed upon employees in dealing with such information, e.g. relating to the access, use, disclosure, download, transfer, and retention of such information;

4. The scope of such restrictions, including their extent and duration; and

5. The consequences for breach of contractual confidentiality obligations – including the contractual requirement for the employee to indemnify the employer for all forensic and manpower costs incurred in any subsequent investigation necessitated by the employee’s misconduct.

Employers should also ensure that they have in place comprehensive policies setting out the access rights to confidential information, the processes for access to and use of such information, and the restrictions over such information. These policies should be regularly brought to the attention of all employees through employee training and should be incorporated into the employment agreements as far as possible. 

Concluding Words

Information is often the lifeblood of a business, and companies must ensure that their confidential information is duly protected. While such information has to be protected from external intrusion, its internal usage also has to be adequately managed.

The protection of confidential information, especially in the digital age, requires a multi-faceted approach. Rajah & Tann’s Employment and Data Protection practices comprise top-ranked lawyers who are experts not just in their fields, but also in working seamlessly with employers, often across jurisdictions, to assess and risk-mitigate your business operations from the threat of unauthorised exfiltration or the misuse of confidential information.

For further queries on these issues, please reach out to our Team members set out on this page.