Reviewing confidentiality agreements

The employment contracts specify the responsibilities of the employee and the organization for cyber security.

Contracts should include e.g.:

• the employee's legal responsibilities and rights, such as those related to copyright or data protection law
• the employee's responsibility for following the instructions, e.g. related to the use of hardware and data and the classification of information
• the employee's or temporary employee's responsibility for processing information received from other companies or other parties
• measures if the employee or temporary worker violates the safety requirements of the organization
• continuing obligations after termination of employment

All employees handling confidential information should sign a confidentiality or non-disclosure agreement before processing confidential information.

The confidentiality commitment should include, among other things:

• a clear definition of confidential information
• the expected duration of the commitment
• required actions when the commitment is terminated
• the responsibilities and actions of signatories to prevent unauthorized disclosure of information
• ownership of information, trade secrets, and intellectual property and how this relates to the protection of confidential information
• permissible use of confidential information and the signatory's rights to use the information
• the right to audit and monitor activities involving confidential information

The requirements and needs for confidentiality agreements are reviewed and updated at regular intervals.

The organization must ensure that the new employee signs an employment contract before he or she has access to any of the organization's records or data systems.

The employment contract should reflect the employee's responsibilities for information security and other roles relevant to the organization's information security.

Confidentiality and non-disclosure requirements are reviewed at regular intervals and whenever changes affecting these requirements occur.

Our organization has defined the actions to be taken in the event of a breach of confidentiality. These may include e.g. the following steps:

• investigating what data was breached and how harmful this was
• investigating the intentionality of the act
• investigating what was set as conseguence on the confidentiality agreement
• deciding whether and how to proceed (e.g. legal actions)
• deciding whether outside assistance is needed

The employees of our organization accept the general information security policy formed by the management with their signatures. The policy may refer to a number of more specific security guidelines.

Organization's confidentiality or non-disclosure agreements continue beyond the employment contract or order.

Organization also has defined a procedure handling violations of the personnel obligations.