Your business’ information and intellectual property may be its biggest asset. Your business might have confidential information about the business itself, alongside information that relates to your customers and clients. If so, it is always important to ensure that this confidential information is not leaked by one of your employees. This article will discuss what you should do if you believe an employee has leaked confidential information. It also provides some tips to prevent and manage this type of behaviour.

How Can I Prevent Information Leaks?

The best way to prevent confidential information from leaking is to invest in secure IT systems and manage employee behaviour. You may want to establish systems that monitor staff internet usage and raise alerts if staff access unsecured websites or plug a USB device into a work computer. Keep in mind that if you do want to monitor your staff’s IT usage, you may need to give them appropriate notice before doing so.

For example, in NSW, you must give existing employees 14 days’ notice if you wish to surveil them. Further, you must notify new employees that they will be surveilled before they commence work.

Each state has different legislation surrounding workplace surveillance, so make sure you are aware of your obligations as an employer before you start any workplace surveillance or monitoring of IT systems.

You should regularly train your staff on safe IT practices in the workplace, and remind them of their confidentiality obligations and of best practice. For example, you can:

  • run training sessions on how to identify malicious websites or scams; or 
  • provide them with practical tips on how to make sure that they do not accidentally breach confidentiality obligations.

Most of the time, a cybersecurity risk or information leak will happen innocently, and not out of malice. By educating your staff on best practice, you will lower the risk of confidential information being inadvertently leaked.

Policies Regulating Employee Conduct

You should have clearly written workplace policies on IT usage and the handling of confidential information. These might state, for example, that employees must not copy information onto a USB drive or use personal devices to handle work information.

You can also include an IT policy that sets out unacceptable behaviour, such as visiting certain websites or downloading software of any kind from the internet.

What to Do if You Believe An Employee Is Leaking Information

If you think a current or former employee may be at risk of leaking confidential information about your business, you could send them a warning letter to remind them of their confidentiality obligations. If you know that a breach has occurred, you could opt to send a more strongly worded letter of demand that details the legal action you will take. 

In contrast, if you believe an employee has leaked confidential client information, this could potentially be a much more serious matter. As such, you must deal with this issue as a matter of priority. You should take immediate action to discern: 

  • if any confidential information was leaked; 
  • the extent of the leak; and 
  • whether the conduct was intentional or accidental.

Consequences of a Leak of Client Information

Breach Of Contract

Your contracts with your clients will typically contain confidentiality provisions. If your staff have disclosed confidential client information to a party outside the workplace, your business may have breached your contract with your client. As such, you could be responsible for paying compensation to your client for damages they faced due to this breach.

Notifiable Data Breaches

If you are an APP entity, the Privacy Act may impose additional steps that you must take if you think a notifiable data breach has occurred.

Your business will be an APP entity if it has:

  • an annual turnover of over $3 million; or
  • an annual turnover of less than $3 million, but provides health services, contracts with the Commonwealth Government, and sells personal information.

If you are an APP entity, you need to comply with the Notifiable Data Breach Scheme. This means that if an eligible data breach occurs, you will need to notify the individuals affected by the breach, as well as the Office of the Australian Information Commissioner (OAIC).

Not every data breach is an eligible data breach that must be reported to affected individuals and the OAIC. A leak of confidential information amounts to a notifiable data breach if:

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that your organisation holds;
  2. this leak is likely to result in serious harm to one or more individuals; and
  3. your organisation has not been able to prevent the likely risk of serious harm with remedial action.

If you are an APP entity, and you think that an eligible data breach may have occurred, you should contact an experienced privacy lawyer immediately to understand how to respond, and who should be notified.

Managing Employees Who Have Leaked Information

If you have evidence that an employee has leaked business or client information, you should investigate the matter thoroughly before taking any action. If you can confirm that the employee is responsible, you may have grounds to discipline them.

However, you should speak to a lawyer before commencing disciplinary action to ensure that you minimise your risk of exposure for unfair termination or disciplinary action.

Key Takeaways

The best way to prevent confidential information from leaving the workplace is to have secure IT systems and procedures. You also need to educate your staff on acceptable conduct. A leak of confidential client information can be far more serious than a leak of confidential business information: if you leak confidential client information, you may face a breach of contract claim. APP entities also need to follow the Notifiable Data Breach scheme and make sure they take the appropriate steps. If you have any questions about how to appropriately handle a leak of confidential information, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
