Protection of Confidential Information in India

Abstract:This article talks about confidential information and the laws concerning its protection in India. There is no legislation in India which expressly defines ‘Confidential information’. The concept has been discussed around the world.

A trade secret is any norm of a business that includes any formula, practice, process, design, instrument, pattern or compilation of information used by a person or company to obtain an advantage over competitors within the same industry or profession ^[1] . It includes within its ambit “know-how” which are unique skills unknown to others and thus provide an economic edge over others. For example, if A wants to start manufacturing a soft-drink and consults B, the manufacturer of a soft-drink company X, even the basic process common for all soft-drinks and not particular to company X becomes know-how and hence a trade secret. Trade secret has three aspects to it, first, that the information should be a secret which means it should not be readily or accessibly known to people in a similar business, second, there should be commercial value due to its secrecy and third that there should be reasonable steps taken to maintain its secrecy ^[2] .

Confidential Informationmay be defined as the type of information which is classified, privileged or specific for which there is a clear and compelling need to withhold from disclosure that can be legally protected.

Section 2(3) of the National Innovation Act(Draft), 2008 has defined confidential information as ‘Any information including a formula, pattern, compilation, program device, method, technique or process, that:

a)      Is secret, in that it is not, a body or a precise configuration and assembly of its components generally known among or readily accessible to persons who normally deal with this kind of information in question.

b)      Has commercial value because it is secret.

c)      Has been subject to responsible steps under the circumstances by the person lawfully in control of the information to be kept secret [3] .

Some of the laws in India pertaining to ‘Confidentiality and Trade secrets’

Indian Contract Act, 1872

Section 27 of the Indian Contract Act, 1872 says that every agreement by which any person is restrained from carrying on any lawful occupation is void. Article 19(1)(g) of the Constitution also reaffirms the same. Section 27 has two aspects to it, namely non-compete and non-disclosure agreements in relation with trade secrets. A non-compete agreement is an agreement that denies access to the seller from conducting a similar business in the specified area for a certain period of time. ^[4]  

In Niranjan ShankerGolikari v. Century spinning & Manufacturing Co Ltd [1967 AIR 1098, 1967 SCR (2) 378],a foreign producer offered collaboration to a company on the condition that the company shall maintain the secrecy of all the technical information and obtain secrecy contracts from its employees as well. The defendant was appointed for a period of 5 years, the condition being that during this period he shall not serve anywhere else even if he left the service earlier. This was held to be a valid agreement. Non-disclosure agreements are agreements where there is non-compliance to reveal any information.  [5]

In a Delhi High Court case of Escorts Const. Equipment Ltd. v/s Action Const. Equipment P. Ltd., there were certain designs of the plaintiff that the defendants had used for the manufacture of Pick-N-Carry Mobile Cranes. The Court ordered strict prohibition to transfer any sort of information particulars or details of manufacturing processes, technical know-how, administration and/or organisational matters pertaining to the Company which may be one’s personal privilege to know by virtue of being in the employment of the Company. It was also held that confidential information of the employer can be protected post-employment period. However, non-disclosure agreements are not a specified part of the legislation but are built into the laws via case laws. Confidentiality clauses usually come with the concept of goodwill. Goodwill is an intangible asset that comprises of reputation, contact networks and intellectual property. ^[6]

Right to Information Act, 2005.

Section 8(1)(d) of the Right to Information Act, 2005 says that there is no obligation to provide any information to any citizen regarding commercial confidence, trade secrets or intellectual property unless there is a larger public interest involved. In this context, there is always a problem while balancing the citizen’s right to have access to any information and preserving a company’s interests. [7]

Indian Penal Code, 1860.

Section 405 of the Indian Penal Code talks about criminal breach of trust wherein, if any person is trusted with any property and the person misappropriates it contrary to the given directions, he will be liable under this section. Section 405 states that:

 “Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or wilfully suffers any other person so to do, commits “criminal breach of trust” ^[8] .

In the case of RK Dalmia v Delhi Administration AIR [1962] SC 1821 Property might also talk about intellectual property protection as it does not talk about “movable” property under the Section and thus scope of “property” cannot be restricted. During any employment contract, there is always information revealed according to which the firm or employer operates. The employer trusts the employee that he will not reveal the trusted information either by contractual or non-contractual obligations. [9]

In the case of Narayan Chandra Mukherjee v State of Bihar [2001] 1 BLJR 680 an employee accepted the role of the Chief Executive Officer of a rival company while still being employed at his former company. During his appointment there was a clause which prevented him from divulging any trade or official secrets of the company. However, he divulged the official trade secrets, equipment, plans and drawings, terms and conditions pricing policy, names of the customers, etc. to his supposed former company for his personal gain as well as for the gain of his former company and to the loss of the rival company in violation of the terms and conditions of the appointment letter issued to him and took away all the valuable documents, paper, receipts, etc. of the rival company causing loss to the rival company. The employee was held liable under Section 405 as all the ingredients were satisfied ^[10] .

Information Technology Act, 2000-

Section 65 of the Act elucidates the punishment for tampering with documents including stealing, destroying or altering any information. However, trade secrets are much more than what is stored or written. Trade secrets are the expertise that someone has gained by their hard work and intellect. It is usually something they know and hence might not write it down or store it in a computer. [11]

Section 72 of Information Technology deals withPenalty for breach of confidentiality and privacy which states that:“If any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both’ ^[12] .

In the case of Lalit Kumar Modi Vs. Board of Control for Cricket in India and Others: a show cause notice was issued after receiving a complaint from a bidder alleging breach of confidentiality against the Petitioner. The Petitioner was therefore, suspended from his position, which also alleged inter-alia that he was seeking to create a parallel cricket body at international level (particularly in England) and thereby subvert the present International Cricket structure ^[13]

Remedies in case of  ‘Breach of Confidentiality’-

1. “Injunction- In many cases, the plaintiff may not be claiming monetary compensation but would rather keep the information out of public domain. This may be achieved by the court order of Injunction.
2. Account of profit- An account of profit is a remedy which strips the defendant of all the profits made by the Infringement or disclosure.
3. Damages- There can be damages awarded by the court for breach of contract or disclosure of such information”.

Also, recently The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 The Rules only deals with protection of "Sensitive personal data or information of a person", which includes such personal information which consists of information relating to-

• Passwords.
• Financial information such as bank account or credit card or debit card or other payment instrument details.
• Physical, physiological and mental health condition. v  Sexual orientation.
• Medical records and history.
• Biometric information ^[14]

The rules provide the reasonable security practices and procedures, which the body corporate or any person who on behalf of body corporate collects, receives, possess, store, deals or handle information is required to follow while dealing with "Personal sensitive data or information". In case of any breach, the body corporate or any other person acting on behalf of body corporate, the body corporate may be held liable to pay damages to the person so affected.

The main highlights of the 2011 Rules are as follows–

• “The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 only apply to bodies corporate and persons located in India. This was clarified vide a press note dated August 24, 2011 issued by the Ministry of Communication and Information Technology wherein it was stated the 2011 Rules were applicable to a body corporate or any person located within India. [15]
• Rule 3 of the 2011 Rules provides a list of items that are to be treated as "sensitive personal data", and includes inter alia information relating to passwords, credit/ debit cards information, biometric information (such as DNA, fingerprints, voice patterns, etc. that are used for authentication purposes), physical, physiological and mental health condition, etc. It is further clarified that any information is freely available or accessible in the public domain is not considered to be sensitive personal data [16]
• Rule 4 imposes a duty on Body Corporates seeking sensitive personal data to draft a privacy policy and make it easily accessible for people who are providing the information. The privacy policy should be clearly published on the website of the body corporate and should contain details on the type of information that is being collected, the purpose for which it has been collected and the reasonable security practices that have been undertaken to maintain the confidentiality of such information [17]
• Rule 5 provides the guidelines that need to be followed by a Body Corporate while collecting information and imposes the following duties on the Body Corporate:

a.       Obtain consent from the person(s) providing information in writing or by Fax or by e-mail before collecting such sensitive personal data given by any mode of electronic communication.

b.      Information shall not be collected unless it is for lawful use and is considered necessary for the purpose. The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than which is required;

c.       Ensure that the person(s) providing information are aware about the fact that the information is being collected, its purposes & recipients, name and addresses of the agencies retaining and collecting the information;

d.      Retain the information for no longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force;

e.       Offer the person(s) providing information an opportunity to review the information provided and make corrections, if required;

f.       Before collection of the information, provide an option to the person(s) providing information to not provide the information sought

g.      Maintain the security of the information provided; and

h.      Designate a Grievance Officer, whose name and contact details should be on the website who shall be responsible to address grievances of information providers expeditiously [18] .

• Rule 6 provides that a Body Corporate must seek prior permission of the information provider before disclosing such information to a third party. However, no prior permission is required if request for such information is made by government agencies mandated under law or any other third party by an order under law ^[19]


• Rule 8 provides the reasonable security processes and procedures that may be implemented by Body Corporates. International Standards (IS / ISO / IEC 27001) is one such standard which can be implemented by a body corporate to maintain data security ^[20] .”

                                                ********************************

DISCLAIMER: The information contained on this article is intended solely to provide general guidance on matters of interest for the personal use of the reader, who accepts full responsibility for its use. Accordingly, the information on this article is provided with the understanding that the author(s) and publisher(s) are not herein engaged in rendering professional advice or services.