Company property: how to ensure you get it back!

05 May 2021

The sight of former employees exiting a building with a cardboard box of their belongings is not too unusual. However, when the employee in question is the Government’s Adviser Dominic Cummings and not only is he seen leaving Downing Street with a box of belongings but it is reported later that he has taken his employer’s information with him, then that is a cause for concern. If he was treated like any other employee, then two questions arise - how was the employee able to take the information and can the employee lawfully use it? Fundamentally though, what can an employer do to protect their property and information when an employee leaves them?

We are increasingly encountering employees trying to retain employer property and hold onto confidential information after their employment ends. It’s usually an area overlooked by employers who don’t fully appreciate the risks associated with a disgruntled exiting employee, attempting to use their information later to damage them.

Prevention is better than the cure
From the start of the employment relationship, an employer should include obligations in the contract of employment to require employees to return the employer’s property and to protect confidential information. Carefully-drafted contractual clauses should expand on the implied duties that exist in all employment relationships, which includes the duty not to disclose confidential information to third parties or misuse confidential information and trade secrets for the employee’s own purposes. Employers should include more onerous confidentiality obligations in the contract to be very clear on what information the employer regards as confidential. The Integrity and Confidentiality Principle of the GDPR requires that employers have appropriate security measures in place to protect the personal data they hold, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. While information security is sometimes considered as cybersecurity, it also covers other things like physical and organisational security measures.

The employment contract should also include a clause that states that an employee is required to return the employer’s property when requested and on termination of the employment (and in a good condition). Recently, we have experienced an increasing number of employees who are demanding that their employer arranges and pays for a courier to collect the property. In some instances, the employees are refusing to return the items if they are not collected - clearly in breach of their contract. Some employers are prepared to meet such demands to ensure the safe return of their property, but it does highlight the importance of clear contractual terms requiring employees to return property at their own expense. Employers should also consider including a specific deduction clause allowing the employer to lawfully deduct the cost to replace the property from an employee’s final salary, if the employee has failed to return the property.

As well as having contractual obligations to return property, employers should have an exit process which has a built-in process about the return of property and reminding the employee of their obligations. Ideally, you would want to have an up-to-date list of what equipment and access to information each member of the team has while employed at home or in the workplace. This list can then be used as evidence of the items that belong to the employer and need to be returned and can be part of the exit process. Of course, this does not help if the property is information and you are unaware what the employee may have retained.

The cure
Returning employer’s information can be more complicated because it may not have been retained on the employer’s property. The information may have been sent to the employee’s personal email account or copied onto their personal devices. It’s important to make sure all information wherever stored is then deleted or returned to the employer when the employment ends as there could be damaging consequences for the organisation otherwise. As well as having a contractual obligation to do this, an employer could also require that the employee signs undertakings when they exit the business to confirm they have deleted the information and not kept any copies.

Having a monitoring clause in the contract would enable an employer to check if any information has been sent to a personal account. Employers can face potential repercussions if an employee, either during employment or after, misuses personal information which they have access to. In a recent Supreme Court case of WM Morrisons Supermarkets plc v. Various Claimants, the Court examined the extent an employer can be responsible for a data breach when an employee has leaked personal information about employees. This employee was disgruntled and maliciously committed a personal data breach involving a payroll database of 100,000 employees. Morrisons were not found to be liable for this incident although they did spend six years (and a lot of expense) defending their position. The Court commented that Morrisons had taken appropriate technical and organisational measures to mitigate the risks of data protection leaks, for example, by enforcing clear data protection and IT policies. The decision clearly would have been different for employers who had not taken the necessary steps to protect personal data and confidential information.

Even with appropriate steps in place, problems can arise where employees deliberately fail to return the employer’s information at the end of their employment. If an ex-employee retains information, they may not necessarily be doing that to use it as an insurance policy to protect themselves and they may instead be using it to contact the employer’s clients or customers to gain an advantage in their new role. What the employer can do to stop this and seek redress will to a large extent depend on the contractual terms in place. It may be necessary to consider pursuing civil action to seek an injunction or damages which will be easier to obtain with the right contractual terms in place. Failing that it may also be possible to get a Springboard Injunction.

With all of the above in mind, it’s essential employers take proactive steps at the outset and throughout the employment to look after the employer’s property, confidential information and to act quickly if a potential breach has occurred.

Pam Loch, Employment Law Solicitor and Managing Director of Loch Employment Law.