Employees today work across multiple devices, cloud platforms, and messaging apps, which means sensitive information is constantly moving and confidentiality breaches are one of the fastest-growing risks for Malaysian businesses.
That’s why companies need a clear Confidentiality Policy, and this guide breaks down what Malaysian employers should include and practical steps to implement it in their organisation.
Why a Confidentiality Policy matters
A strong Confidentiality Policy protects your business in three critical areas:
Trade secrets
A clear policy helps prevent staff from sharing or mishandling information that could weaken your competitive position.
Confidential information from business partners
Companies often receive sensitive information from vendors and collaborators and, in many cases, have signed an NDA that legally binds the company to protect that information.
Customer data
Employees frequently handle customer personal data such as names, emails, phone numbers and financial details. Any unauthorised sharing or accidental leak can result in:
- a data breach
- violation of the PDPA Security Principle, and
- reputational damage or regulatory investigation.
A Confidentiality Policy helps employees clearly understand these obligations, what information they are prohibited from disclosing, and the consequences of non-compliance, reducing the risk of the company breaching NDAs.
Without a clear policy, employees may unintentionally mishandle information simply because the rules were never formalised or explained to them.
5 key terms
These are not exhaustive, and companies may include additional rules based on their operational needs, industry requirements, or internal risk considerations.
Definition of confidential information
Confidential information includes any non-public data employees handle during work, such as:
- client information and personal data
- financial records, pricing, and costing
- contracts, proposals, and internal documents
- business processes, strategy plans, and know-how
- technology, source code, software, and technical materials
- HR information and employee personal data
Employee responsibilities
Employees must handle confidential information properly and only for legitimate work purposes:
- access information only when required for work
- avoid sharing documents with anyone not authorised
- do not copy, download, or remove documents without approval
- avoid discussing internal matters publicly or on social media
- do not forward company information to personal email or devices
- do not save company data in personal cloud accounts
Confidentiality after employment ends
Employees must continue protecting company information even after leaving the organisation:
- return or permanently delete all company documents
- avoid keeping any copies of data on personal devices
- do not contact or solicit clients using confidential information
- continue complying with confidentiality obligations after termination
Reporting suspected breaches
Employees should immediately report any situation that may involve a breach of confidentiality:
- report suspected breaches to HR or a direct manager
- use the company’s Whistleblower channel if the issue involves misconduct or cannot be reported through normal hierarchy
Policies, Employment Contracts & NDAs
Employment Contract
Most employment contracts mention confidentiality only in general terms. A Confidentiality Policy supplements the contract with detailed rules that a short clause cannot cover, such as the consequences of a breach, creating a more complete framework.
Non-Disclosure Agreements (NDA)
Many employers skip standalone agreements that focus entirely on confidentiality obligations because they perceive them as unnecessary. A Confidentiality Policy helps close this gap by applying consistent confidentiality rules across the entire organisation, including to employees who have not signed an NDA.
How to implement it
Step 1: Communicate clearly
Let employees know the policy exists and what it covers:
- send via email with employee acknowledgement
- include it inside the Employee Handbook so all rules sit in one place
Step 2: Train employees
A short briefing helps avoid mistakes. Focus on:
- what information is confidential
- how to store and transfer documents
- how to report suspected breaches
Step 3: Control access
Employees should only access information they genuinely need for work. You may adopt access-control practices such as:
- locking physical documents in cabinets or drawers
- using password-protected company devices
- locking the screen whenever stepping away from the workstation
- restricting access based on job role
- enabling multi-factor authentication for key systems
Step 4: Enforce consistently
The policy should state that disciplinary action may be taken for:
- intentional disclosure
- negligence
- unauthorised access
Step 5: Review regularly
Because confidentiality risks are tied to who accesses information, how it is stored, and how it is shared, the policy should be reviewed when:
- new systems or software are introduced
- access rights change, such as new departments, new senior hires, or restructuring
- data flows change, for example when onboarding a new vendor, partner, or outsourcing work
Final thoughts
A clear Confidentiality Policy helps every employee understand how to handle information properly and reduces the chances of accidental leaks, disputes, or misunderstandings. If you are looking to introduce or update an existing one, we can help you develop a clear, practical, and enforceable Confidentiality Policy tailored to your business needs.