Procedures for Handling Confidential Information at Virginia Tech
No confidential information should be either received or provided until a confidentiality (nondisclosure) agreement has been negotiated and executed by the Office of Sponsored Programs. This is a limited signature authority. The faculty member has no authority to sign a non-disclosure agreement.
The university is obligated to treat confidential information in accordance with the negotiated terms and conditions of the non-disclosure agreement. In most cases, the agreement will require that we treat confidential information with the same degree of care that we do our own, but in no case with less than reasonable care.
An employee receiving or providing confidential information must always read the terms and conditions of the non-disclosure agreement. All non-disclosure agreements are negotiated so the terms and conditions may be different. If you do not comply with these terms, your information will not be protected and the other party will be able to use or disclose the information any way he/she chooses. Following are general guidelines for handling confidential information.
Providing Confidential Information
- Complete the Request a Non-Disclosure Agreement (NDA). This will provide the purpose and description of the confidential information as well as other information needed to draft the appropriate terms. Determine what length of time the information should be protected as “confidential." We normally use a 5-year period, but this can change depending on the nature of the information.
- Read the executed agreement. Once the non-disclosure agreement has been negotiated and executed, a copy will be provided to you. You must read the terms so you know your obligations.
- Identify and label all confidential information as “confidential,” “business sensitive," “proprietary,” etc., according to the terms of the agreement. If you have a question on whether the information is or is not confidential, always treat it as confidential.
- Written information. Make sure confidential information provided is clearly labeled in accordance with any requirements of the non-disclosure agreement.
- Visual information. If you allow visitors into the lab, make sure any confidential information is out of sight. Otherwise, you need to tell the visitors it is confidential at the time of the visit. Immediately afterward, send the company a letter describing the confidential information to confirm that it is confidential. Otherwise, they will be able to use the information in any way they wish or disclose it to anyone they chose.
- Slides and Handouts. Any visual slides or handouts should be labeled as confidential. Make sure you either hand out hard copies of visual slides with the confidential label or you must write and confirm this information as confidential within 30 days of disclosure.
- E-mail and file documents. If you disclose the information by e-mail, make sure it is labeled as confidential. All files must also be labeled.
- Verbally disclosed information. If you discuss confidential information that is not provided in written form, you should identify it as confidential at the time of the discussion. It will not be protected as confidential unless you also send a written notice to the company, describing the information and confirming that it is confidential.
- Written information. Make sure confidential information provided is clearly labeled in accordance with any requirements of the non-disclosure agreement.
- Keep all confidential information in a secure place. Do not leave it lying on your desk top or any where it can be easily accessed by unauthorized persons. It is best to keep it in a locked drawer or file cabinet.
Receiving Confidential Information
- Do not accept any confidential information until there is an executed non-disclosure agreement in place. You can not execute a non-disclosure agreement.
- Send the company’s non-disclosure agreement to the Office of Sponsored Programs for review or complete the non-disclosure agreement. The Office of Sponsored Programs will negotiate and execute the agreement and provide you with a copy.
- You must protect confidential information you receive in accordance with the terms of the agreement so read the executed agreement. The terms normally are:
- Do not disclose or transfer confidential information to anyone outside the university—and only within the university to those university employees with a need to know. The agreement may allow you to disclose to others if they have signed a similar nondisclosure agreement. Otherwise, you must get the prior written consent of the owner.
- Do not use the owner’s confidential information for any purpose other than the purpose authorized in the agreement.
- Only disclose the confidential information to those within the university who have a bonafide need-to-know, making sure they know it is confidential information that may not be further disclosed.
- Do not disclose any confidential information to a student, unless that student has signed a separate non-disclosure agreement containing similar terms. University employees are obligated by their employment agreements and state law to protect confidential information to which they have access; students are not.
- All confidential information must be marked “confidential." If you receive any verbal or visual confidential information, the owner must confirm in writing that it is confidential, normally within 30 days of disclosure. If in question at time of receipt, ask the owner if it is “confidential."
- If you copy any confidential information, make sure all copies retain the “confidential” label.
- Keep all confidential information in a secure place. Do not leave it lying on your desk top or anywhere it can be easily accessed by unauthorized persons. It is best to keep it in a locked drawer or file cabinet. You may be asked to return all confidential information, or destroy it at the option of the owner.
- If confidential information is also labeled or identified as subject to export control restrictions, do not disclose it to any Foreign Person (a non-U.S. Citizen or foreign national without a green card or asylum papers). If there is a question on export control, contact the Office of Export and Secure Research Compliance.
- Treat the information as confidential for the period of time specified in the agreement (normally 3 or 5 years).
- If there has been any unauthorized release of the confidential information, contact university legal counsel immediately. Some agreements will provide that there will not be any legal liability if such release is inadvertent and is reported immediately to the owner.
- Do not disclose or transfer confidential information to anyone outside the university—and only within the university to those university employees with a need to know. The agreement may allow you to disclose to others if they have signed a similar nondisclosure agreement. Otherwise, you must get the prior written consent of the owner.