Working with confidential documents
The division responsible for working with confidential documents in the company must have an understanding of the specifics of their creation, storage, and execution. There are standard rules to optimize processes and avoid accidental or intentional information leakage.
Confidential document concept
In Russia, information is considered confidential if it is recognized as such on the basis of special laws restricting its distribution and use. Restricted information includes:
- state secret;
- official secrets (for public service);
- secrecy of investigation, court;
- medical, attorney's secret;
- personal data;
- trade secret.
Departments responsible for working with confidential documents most often deal with trade secrets or personal data, other types of confidential information are usually formed in the work of special market entities (banks, government corporations).
For commercial information to be protected by law, a company must fulfill the following conditions:
- compile a list of information related to trade secrets, if necessary, determine the degree of their protection. Usually, such a list of confidential information is drawn up by the head of the company, but for a clearer definition and description of the data, in order to avoid controversial situations when considering cases in court, it is possible to involve analyst consultants;
- adopt regulations defining the mode of work with documents and other carriers of commercial secrets;
- affix the classification of secrecy to all material media containing confidential information. Failure to comply with this rule will not allow bringing the violator of the regime, who willingly or unwittingly disseminated confidential information, to responsibility;
- make a list of persons who have access to documents containing commercial secrets, taking into account the clearance levels;
- include provisions in labor contracts that oblige not to disclose the commercial secrets of the company and its counterparties;
- create a unit responsible for maintaining the trade secret regime.
After completing this set of tasks, each document containing elements of confidential information will be protected in accordance with the accepted rules. In order to comply with the trade secret regime, a document means not only paper, original, copy, draft, but also an electronic document in any format - text, visual (drawing, photograph), audio - processed in databases.
The adopted regulations are far from being exhaustive, which has led to the emergence of a special market for services for protecting trade secrets and other types of confidential information, but in most cases, compliance with the minimum security rules allows you to avoid leaks.
Protection of confidential documents
The department responsible for working with confidential documents is created either within the general document management service or within the security service.
Its tasks include:
- timely updating of databases containing a list of information related to commercial secrets, and places of their storage on tangible media and in electronic form. The security mode of confidential information implies understanding where, how and in what form the objects of protection exist;
- the need to note the time of the introduction of the trade secret regime in relation to each document and material carrier in the stamp stamped on it, the period of validity of the regime, the date of the last update of information;
- notification of employees against signature about the change or introduction of the confidentiality regime in relation to the documents entrusted to them.
Affixing a security stamp on a document containing confidential information is mandatory, its absence does not make it possible to confirm that the employee reliably knew: the document entrusted to him is a commercial secret. On paper documents, the stamp is placed on the first page, on electronic documents - on each page.
The task of the department in order to ensure the security regime when working with confidential documents includes fixing the following facts:
- employee access to confidential information: date, time, place of access, mobile or stationary device, documents or other media to which access was obtained, employee data, information about the person who provided access, and data about the log, which records the fact of access ;
- information leakage and its forms;
- causing damages, including the amount of damages, causal relationship with the employee's actions, the presence of guilt.
Some of the facts are recorded on physical media, some in electronic accounting registers. Choose software tools that are easy to search for evidence and that system administrators cannot make arbitrary edits or changes.
Organization of work with documents containing commercial secrets
To control the observance of the confidentiality of information, organizational, hardware and technical, software are used, the choice of which is determined by the enterprise security strategy. They should be sufficient to ensure the protection of information when working with confidential documents, but not redundant. Often the security system is an end in itself, making it difficult for the normal course of business processes. At the same time, the refusal to implement a system for controlling access to documents and evasion of mandatory security measures will lead to the court's refusal to bring an employee to justice for violation of the rules for working with confidential documents and disclosure of commercial secrets. Thus, in the ruling of the Intellectual Property Rights Court in case No. С001-922 / 17, the plaintiff was denied, since the drawings distributed by publication on the website did not contain the stamp "Commercial secret".
This set of solutions is designed to exclude the physical access of unauthorized persons to documents containing confidential information, to record the actions of employees at workplaces, to complicate or exclude unauthorized manipulations. The Law "On Trade Secrets" directly obliges the employer to create a regime for the employee that makes it easier for him to randomly nondisclose confidential information, which requires the protection of premises and data carriers.
The technical measures to protect confidential information for most organizations include:
- Physical protection means - premises certified according to certain security classes, grilles on windows, armored doors, electronic locks.
- A video surveillance system that allows, among other things, to record what is happening on the monitors of workstations on which confidential information is processed.
- Use of data access control devices, blocking the ability to copy documents.
Such measures are generally accepted and implemented regardless of the trade secret regime.
Organizational measures and organization of office work
In this case, it is necessary to develop a set of solutions that, when working with confidential documents, will not only provide protection against leaks, but will also bring the culprit to justice. Records management should be conducted in a manner that excludes access to documents containing confidential information for persons not authorized to do so, which requires the creation of a separate unit with the development of its own position and job descriptions for employees. Employees and the head of the department are personally responsible for the safety of information constituting a commercial secret, this duty is assigned to them by order of the head of the organization.
The main rules of confidential record keeping are as follows:
- documents with confidentiality stamps are formed into separate cases that do not overlap with the nomenclature of cases of ordinary business processes. The seal of secrecy is placed on the cover of the case, a list of employees allowed to work with it is placed inside, the list is updated in a timely manner;
- the sheets of the case are numbered in pencil, at the end of the volume there is a list of documents;
- all files are kept in a safe, which is sealed by the responsible person. No one, except this employee, has access to the safe;
- each document is recorded in a special card, its account number is indicated in the secrecy stamp;
- for work, documents of a high degree of confidentiality are transferred to the contractor or performers against signature, indicating the time of receipt. At the end of the working day, documents are also handed over to the responsible person against signature, unless otherwise provided by the rules of the organization. Storing them at the workplace is possible if the room is equipped with an electronic lock and a safe;
- when transferring a document between several performers, they draw up a receipt, which also indicates the time of transfer, or the transfer is made out by the secretary and registered in the register of the movement of documents with a secrecy stamp.
The secrecy stamp is a stamp confirming the organization's ownership of data, in the columns of which the basic accounting information is indicated:
- confidentiality level;
- the procedure for using the document;
- number of copies;
- the location of each copy;
- the mark about the artist and his signature.
On the back of the title page of a confidential document, the head of the company writes a list of employees who he allows to use this document in his work. For printing confidential documents, a separate printer is used that is not connected to the general network, or a separate room. This task is also performed by a responsible clerk. Documents containing confidential information are registered in a separate accounting register. If there is a large flow of documents labeled "CT", it is permissible to maintain three journals: for incoming, outgoing and internal company documents. Records are also kept in a sealed cabinet.
When the organization receives a package of documents containing the commercial secret of the counterparty, the envelope is opened by the executive secretary. At the same time, the integrity of the correspondence, the presence of all documents and the number of sheets in them are checked. If a shortage is revealed, an act is drawn up in two copies, one of which is sent to the sender.
When creating a document containing a trade secret, within the organization, all drafts and original revisions of files are destroyed with a separate act on this.
Also among the rules for working with confidential documents the following:
- it is forbidden to take them out of the premises of the organization without the written permission of the head;
- copying is made only by the responsible clerk with the permission of the manager, and each copy is subject to accounting. After being used in work, the copies are destroyed with the preparation of an act;
- at the end of the year, the commission checks the presence and safety of all documents with the stamp "CT", the compliance of their storage location with the declared one, makes a decision on the destruction of the waste;
- upon dismissal of the clerk, he transfers all cases to the newly appointed person under the act.
Compliance with these rules will help protect the organization's trade secrets from leaks.