Year: 2020

How In-House Counsel can Protect Company Trade Secrets

Trade secrets differ from other forms of Intellectual property (“IP”) in that the mode of their protection is not codified under Kenyan law. This does not mean that they are not important. In fact, if well protected, trade secrets can give an organisation a distinctive competitive advantage. This article considers ways in which in-house counsels can drive the trade secret protection agenda in their organisations. WHAT IS A TRADE SECRET? As stated in the preceding section, there is no legislation in Kenya governing trade secrets and hence no local definition of the term “trade secret”. However, Kenya is a member of the World Trade Organisation and by extension a party to the Trade-Related Aspects of Intellectual Property Rights (TRIPS) Agreement. This Agreement sets the minimum standards for regulation of various forms of IP, including trade secrets. According to Article 39 (2) of TRIPS, trade secrets contain three distinctive characteristics: – Accordingly, any and all information that meets the above requirements may be considered a trade secret. Typical examples of trade secrets include strategy and business plans, customer/client lists, pricing lists, products, models, marketing and sales plans, financial projections, financial statements, budgets, test procedures, proposed products, source code, software, hardware, employee employment records, salary, etc. TRIPS further provides that the owner of a trade secret has the right to prevent the information from being disclosed, acquired or used by others without their lawful consent. STEPS FOR PROTECTING TRADE SECRETS In-House counsel can drive the protection strategy in the ways discussed below. 1. Sensitize Management In-House projects work best when supported by the leadership and other key stakeholders within an organisation. As a first step, the Head of Legal or the departmental leader should sell the agenda of trade secret protection to management teams so as to get their buy-in.  The most effective way to get buy-in is to demonstrate the benefits of the project to the organisation. Some potential advantages include:- 2. Develop Trade Secret Protection Procedures Trade secrets can be protected through a raft of internal and external measures. Internal protection measures include IT security measures such as data encryption, data access controls, firewalls, etc.   Physical controls are also useful in internal protection. For example, biometric access should be installed for strong rooms, filing spaces and any other place where trade secrets are kept. Further, use fireproof safes for storing confidential information. Finally, use physical controls to restrict access to office spaces. For documents, consider measures such as marking hard and soft copy information as confidential. Finally, endeavor to limit access to confidential information by sharing it on a need-to-know basis. When working with external parties, such as suppliers and contractors use a confidentiality agreement.  You can get more information on 3rd party confidentiality agreements in my earlier article accessible here. 3. Determine Applicable Enforcement Measures According to the World Intellectual Property Organisation, 80% of trade secrets are leaked or stolen by employees and trusted insiders. If there are no consequences for breach of the policy, then it will be hard to get the desired results from your employees.  Demand adherence to trade secret policies in your employment policies and contracts by stating that deliberate leakages may lead to termination of employment. Contracts can also specify further action such as seeking injunctive orders to prevent further leakages and monetary compensations (damages) for any loss suffered. 4. Maintain a Culture that Promotes Secrecy of Information Prior to hiring, conduct reference checks on prospective employees. The checks should determine the employee’s propensity to leak/mishandle company information. Once they join the company, train them on the need to maintain confidentiality and require them to sign employee confidentiality agreements. During the course of employment, conduct regular refresher training on confidentiality. There is no hard and fast rule on the frequency of the training but at a minimum, they should be done annually. Conduct exit interviews and remind employees that the duty to protect trade secrets continues post-employment. The duty to maintain confidentiality survives the employment contract. This means that if there is an attempt to move with the information to a competitor, the employee should be informed that the enforcement measures will still apply. 5. Promote Employee Loyalty Keeping trade secrets confidential is an uphill task that cannot be fully accomplished by merely setting out organizational policies and processes. If employees do not commit to the success of your policies, they will have limited effectiveness.  Employee commitment comes from loyalty and this in turn comes from developing a favourable workplace culture. Employees will feel committed to your cause where the organisational culture is open, low power distance, genuine care, and concern and a general familial feel. Advocate for cultural change through the initiation of staff welfare activities or attractive pay packages that encourage observance of trade secrets protection. CONCLUSION Compared with other forms of IP, it is fairly easy to protect trade secrets. A Trade Secret Policy can help in effective management of trade secrets. The success of this policy hinges on the culture of your workplace. Without a transparent culture that promotes loyalty, you may not get enough traction in your promotion activities.

10 Key Words in the Data Protection Act

The Kenya Data Protection Act (“DPA“)applies to all persons who handle personal data. For effective compliance, it is necessary to understand the Act’s key terms. Outlined below, is my take on some of the key terms that may be relevant in your compliance journey. Data Protection Key Terms 1. Data Subject The DPA defines a data subject as any identified or identifiable natural person who is the subject of personal data. In other words, a data subject is any human being whose data is being collected, held or processed.  2. Personal Data Any information relating to an identified or identifiable natural person i.e. a human being. The illustration below shows some common forms of personal data. 3. Sensitive Personal Data In addition to the forms of personal data described above, the DPA establishes a special category of data known as Sensitive Personal Data. In essence, this is any information that reveals a human being’s, race, health status, social origin, property details, marital status, conscience, belief, genetic data, biometric data, family details including the name of the person’s spouse, children, sex or sexual orientation.  4. Data Controller A data controller is an individual, body corporate, public authority, agency or any other similar body which, alone or jointly with others, determines the purpose and ways of processing personal data.  Examples: In summary, a data controller is any person or organization that determines the purpose and means by which data is processed. 5. Data Processor This is an individual, body corporate, public authority, agency or similar body that processes data on behalf of the Data Controller.  6. Consent The DPA defines consent as “any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.” Data Subject consent should be:- 7. Data Retention This refers to the period of time that data can be held by a controller or a processor. The DPA provides that data controllers and processors may only retain data for as long as may be reasonably necessary but it does not prescribe specific timeframes for retention of data.  Instead, data processors and controllers should develop organisational measures that adequately address data retention.   In practice,  development and implementation data retention policies and processes may suffice. 8.  Data Commissioner This is the regulatory body responsible for regulating/enforcing compliance with provisions of the DPA.  As I write this,  the appointment and establishment of the Data Commissioner’s office has not been effected. However, there are indications that the appointment may be done within the second half of 2020. 9. Data Protection Officer (DPO) The primary obligation of DPO’s appointed pursuant to the Act is to provide oversight on compliance. In particular, DPO’s advise the business on the requirements of the Act but to also oversee compliance and facilitate capacity building of staff involved in Data Protection activities. Finally, the DPO is the liaison between the Data Controller and Data Processor on all matters relating to Data Protection 10. Personal Data Breach Under the DPA, a “personal data breach” means a breach of security leading to the accidental and unlawful destruction, loss alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Personal data breaches can occur in many ways. Firstly, a personal data breach may happen accidentally e.g. an email sent to the wrong recipients. It can also arise through deliberate actions or omissions of data controllers or data processors. Other examples include breaches arising from the theft of computer devices and the alteration of personal data. Data controllers should report data breaches to the Data Commissioner within 72 hours of occurrence. In addition, inform the concerned data subject of the breach within a reasonably practical period. Data processors must report breaches within 48 hours of occurrence. Section 43 of the DPA sets out the procedure for reporting personal data breaches.

4 Steps Towards Data Protection Compliance

Kenya’s new Data Protection Act (“DPA”) was recently hailed as a trailblazer and pace setter for data privacy in Africa. The DPA came into force in November 2019. Since then, business leaders have been making concerted efforts to understand its requirements and to formulate compliance plans.