M1.3.2 - CONFIDENTIALITY AGREEMENTS Implementation Guidance
The entity shall establish requirements for confidentiality or non-disclosure agreements reflecting the entity’s needs for the protection of information.
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
- A. A definition of the information to be protected (e.g. confidential information);
- B. Expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
- C. Required actions when an agreement is terminated;
- D. Responsibilities and actions of signatories to avoid unauthorized information disclosure (such as ‘need to know’);
- E. Ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
- F. The permitted use of confidential information, and rights of the signatory to use information;
- G. The right to audit and monitor activities that involve confidential information;
- H. Process for notification and reporting of unauthorized disclosure or confidential information breaches;
- I. Terms for information to be returned or destroyed at agreement cessation;
- J. Expected actions to be taken in case of a breach of this agreement.
Based on an entity’s security requirements, other elements may be needed in a confidentiality or non-disclosure agreement.
Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations of the jurisdiction to which they apply.
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and whenever changes occur that influence these requirements.