Contract Accord 9: Disclosure and Protection of Confidential Information
Accord Revision Date: October 2019
Page Updated: January 2020.
©2020 University-Industry Demonstration Partnership (UIDP). Please refer to the copyright and disclosure statement for UIDP Contract Accords usage and rights.
OVERVIEW AND BACKGROUND
Universities and Companies often need to receive or disclose confidential information to assess their willingness and capability to conduct research or participate in other types of projects. An agreement to maintain the secrecy of proprietary or confidential information prior to developing a project plan or executing a related agreement may be used to allow two or more parties to disclose confidential information while exploring potential partnership opportunities. These agreements are commonly referred to as Confidential Disclosure Agreements (CDAs), Non-Disclosure Agreements (NDAs), or Proprietary Information Agreements (PIAs). For the purposes of this contract accord, CDA will be used to represent confidentiality agreements. Sponsored Research Agreements (SRAs) or other types of agreement, e.g., materials transfer agreements, service agreements, or licenses, often include provisions covering disclosure and protection of confidential information.1
Requirements to maintain the confidentiality of information received from the other party should be distinguished from issues surrounding the request by a Company for the University to keep results generated by the University confidential. This Contract Accord addresses the former topic.2
Industrial and academic cultures diverge sharply with respect to disclosing and sharing information with individuals and organizations. Companies wish to generate market value and be profitable. Maintaining the secrecy of certain information relevant to commercialization may be of paramount importance for achieving that mission. Universities (and the researchers and students who pursue scholarly activities) create and disseminate knowledge. Universities need the ability to publish and share information, research results, and findings. These objectives are at the heart of academic freedom and are reflected in the tax-exempt status of academic institutions.
Both parties need to consider in advance whether the other party needs to know confidential information or whether their mutual objectives can be achieved by consideration of non-confidential information. For both Companies and Universities, the disclosing party may want to avoid “contamination” through inadvertent exposure to confidential information that it does not own or have rights to use. For example, a party disclosing a confidential new product may not wish to be informed about the receiving party’s ideas for improving that product for fear of “contaminating” the disclosing party’s own planned improvements for that product. Thus, the parties should consider whether the situation requires disclosure of confidential information and, if so, whether types of information and conditions on disclosure, receipt, and use are necessary and achievable.3
Universities and Companies will benefit from understanding their differing and diverse perspectives and how the disclosure of confidential and proprietary information will be treated by each other so that SRAs, CDAs, and other agreements are workable and meet the needs of all parties. The basic assumptions and practical implications regarding confidentiality provisions require discussion to ensure that all parties’ expectations, both short-term and long-term, are addressed.
Companies seek to keep information confidential to protect essential proprietary information and ensure a competitive advantage in the marketplace for as long as possible. In order to maintain a competitive advantage, Companies often seek expert advice or partnerships with owners or creators of complementary technology. Pursuit of these relationships with Universities may require Companies to disclose their proprietary information and would give rise to the need for a CDA or confidentiality provisions in another type of agreement prior to disclosure.4
Companies face a conundrum in that they must disclose their own confidential information in sufficient detail for the University to develop or conduct a proposed research plan or other project, while at the same time preserving the confidential nature of the information. Once its confidential information is disclosed, the Company risks that the information will be shared with others and the valued competitive advantage of the information will be lost.5
Companies need to ensure that, at a minimum, certain core information will remain confidential for a sufficient length of time—or perhaps indefinitely—to preserve the information’s value in the marketplace. Absent absolute secrecy or another legal mechanism (e.g., patent protection), a CDA or confidentiality provisions in an agreement may be the only means available to Companies to protect their essential information in situations when it is necessary to be disclosed outside the Company.
In addition, Companies may need to keep the terms of an agreement, the scope of work or project details, or even the existence of the agreement itself confidential. This may be due to concerns about valuable competitive intelligence that could be gleaned from information about research areas and specific project plans in which a Company is engaged.
Companies expect that the University has appropriate procedures in place to safeguard confidential information it receives (for instance, by properly securing access to lab notebooks that contain confidential information), as well as to clearly outline the responsibilities of the principal investigator (PI) and others who receive confidential information. Companies expect that the University will assure that the individuals to whom confidential information is disclosed understand and honor the confidentiality obligations in exchange with fellow lab members or other University employees for the entire period of the obligations, which generally extend beyond the performance period of the related project. For instance, members of core labs who may perform downstream services for the principle investigator (or primary researcher, PI) may be subject to the confidentiality obligations even though they are not part of the PI’s sponsored project team. Companies should be clear and appropriately cautious about disclosing any sensitive information unnecessarily or in a situation in which they do not trust that it can or will be strictly and consistently controlled by the University, its employees, students, and contractors.
Traditionally, Universities have a culture of openness and shared knowledge, as their mission includes teaching students and publication of research results for the public good. The need to protect certain kinds of information from disclosure either as a contractual obligation or to maintain the value of its own confidential information (e.g., potentially patentable inventions), is a concern for Universities.
Some Universities require any confidential information disclosed to the University to be marked as such by the discloser. Similarly, any oral disclosures should identify confidential information and subsequently reduce it to writing. These types of provisions help the University to recognize the information that is subject to confidentiality obligations and to limit the risk of unintentional breach of confidentiality obligations.
When a University agrees to keep information provided to it by a Company confidential, it usually requires a limitation on the duration of the obligation and prefers a relatively short period of time. As a general rule, Universities will avoid entering into collaborations in which certain information may never be disclosed as a matter of both policy and practicality given the open and collaborative nature of these institutions.
Inclusion of a Company’s confidential information and potential embargo of student publications, particularly theses or other works that are required for obtaining a degree or completing a course, are of particular concern to Universities. This concern arises from the University’s obligation to ensure that they do not enter into agreements that prevent or impede students from graduating. If confidential information is provided to a student, attention is required to assure that the student will be able to complete necessary coursework and/or publish results of their work without violating confidentiality provisions.
To mitigate risk given the nature of research performed at Universities, there are common exceptions to confidentiality obligations that Universities will request. (See point seven in Guidelines and Suggestions below.)
A University also faces a conundrum when disclosing its own confidential information. As an example, a University faculty member who is engaged in research may want to disclose his or her research results to a Company colleague in hopes that the Company will sponsor all or part of a research project, or with the hope that the Company may agree to license and commercialize the researcher’s University-based invention. Once the information is disclosed, the University faces the risk of its confidential information being shared with others. As a result, the University may lose its valued competitive advantage (should the research result in a patentable invention), the ability to attract other sponsors, or the ability to compete for research funding as a novel research idea may be lost.
It should be noted that many Universities are experienced in receiving and protecting confidential information and are required by law to maintain the secrecy of certain types of information related to patients6 (HIPAA) and students7 (FERPA). Universities also may have the need to maintain confidentiality of other types of information, such as unpublished data and inventions, not yet covered by a patent as mentioned above.
Universities may be restricted by applicable tax or other laws that keep results confidential except in established circumstances, such as protection of unpublished patentable inventions or personally identifiable information about human subjects. Public Universities may not be permitted to keep the existence of their contracts or contracting partners confidential under their state’s open records, freedom of information, or sunshine laws. These laws designate the public University as a state agency and require the University to provide information to the public upon request. Such requests can be used to compel Universities to disclose information unless that information meets specific exceptions and other criteria set forth in the applicable law. These laws may override the obligations of confidentiality in an agreement between the University and another party.
GUIDELINES AND SUGGESTIONS
- Incremental Sharing of Confidential Information. 8 When operating under a CDA, an incremental exchange of information may better allow the parties to become familiar with each other’s norms and potential incompatibilities while minimizing risks associated with sharing proprietary information. This approach may be prudent if the parties are not certain that they share similar perspectives on the identification, sharing, and handling of sensitive information.
- Duration of CDAs or Confidentiality Obligations. The duration of the confidentiality obligation is the amount of time that information must be kept confidential. However, two time periods are frequently involved in a confidentiality agreement or provision: (a) the disclosure period during which information subject to the obligation of confidentiality will be provided by the disclosing party (for a CDA, this is generally the effective date plus some specified period of time, e.g., one year); and (b) the protection period, i.e., the period of time usually beginning with the actual disclosure of confidential information by the disclosing party that information must be kept confidential.
- Protection Period. Companies may desire a long protection period for the confidentiality obligation (10 years or perpetual) to protect the information from uncontrolled dissemination and possible subsequent re-disclosure. The University may not have mechanisms in place to ensure campus-wide compliance with such an agreement and prefer to establish a period that is as short as possible so that the need to monitor to assure compliance with a confidentiality obligation is practical under the circumstances. The protection period should be reasonably related to the necessity to maintain confidentiality given the nature of the particular confidential information being disclosed.9
- Scope of Confidentiality in a CDA or SRA. In most cases, neither party intends to disclose all of its confidential information, nor does it wish to undertake obligations to ensure the confidential handling of more information than is necessary. However, it is often impractical to compile an exhaustive list of the information to be shared that will be subject to the obligations of confidentiality. Two useful techniques are: (a) to specify the range of subject matter that the parties to the agreement anticipate will be received and held in confidence; and (b) to specify that information is only subject to the terms of the agreement if: (i) it is provided in writing suitably marked as confidential, or (ii) it is disclosed other than in writing and, thus, designated as confidential at the time of disclosure, subsequently reduced to a writing by the disclosing party that is delivered to the receiving party within a specified period of time, e.g., five days. Some open records laws may specify how information is to be disclosed or identified in order to be protected from disclosure under the law.
- Purpose of Disclosure. In many jurisdictions, the disclosure of information from one party to another without specifying and limiting the purposes for which the receiving party may use the information constitutes a license to use the information for whatever purpose the receiving party desires, even though the recipient must preserve the confidentiality of the information. It is, therefore, generally recommended that the confidentiality provision specify the reason that the parties are exchanging information and the ways in which the receiving party may use the information and contain a clear statement that the receiving party may not use the information for any other purpose.
- Individuals Covered by Confidentiality Obligations. Individuals should only receive confidential information if they have a “need to know.” The University usually sees the confidentiality obligations as being specific to a particular researcher or project, e.g., conducting a specific research project or evaluating specific information in contemplation of a collaborative research project or technology licensing opportunity. But, since the disclosing party will expect all individuals who receive its confidential information to be covered by the obligations of confidentiality, care should be given to who actually receives this information. This is particularly true if students or visitors are involved since they may not be considered employees of the University (i.e., not subject to its policies requiring employees to honor obligations of confidentiality.) Confidentiality agreements or provisions may require individuals receiving confidential information to, at least, acknowledge the confidentiality obligations even if they are not parties to the agreements .
- Common Exceptions to Confidentiality Obligation. The following are typical exceptions made to the obligation of confidentiality and provide a defense to alleged breach of contract in case of disclosure. The information was:
- available to the public prior to disclosure by the disclosing party to the receiving party or thereafter becomes available to the public other than as a result of breach of confidentiality obligations by the receiving party;
- in the possession of the receiving party on or before the date of disclosure as evidenced by competent written records;
- acquired by the receiving party from a third party that the receiving party reasonably believed was not under an obligation of confidentiality to the disclosing party;
- independently developed by the receiving party without use of the confidential information of the disclosing party, as evidenced by competent written records;10 or
- disclosed pursuant to operation of law or a legal process.
- Copy Retention. SRAs, CDAs, and confidentiality clauses often state that upon expiration of the term of the agreement, or at the disclosing party’s written request, the receiving party will either return all confidential information to the disclosing party or destroy all copies of the confidential information in their possession. The receiving party is generally allowed to retain one archival copy in its records to be able to demonstrate compliance with the agreement. In order to prevent unauthorized use of the confidential information, these copies may be kept in offices other than those of the individuals who initially received the information (for example, the archival copy may be kept in the office of the receiving party’s legal counsel).11
- Trade Secrets. Companies should give serious consideration to possible ramifications before providing its trade secrets to Universities, paying particular attention to the fact that Universities favor openness, do not generally have mechanisms in place to review and implement extensive security provisions, do not control students after graduation or employees who leave the University, and may be subject to laws that are contrary to the objectives of trade secret laws.
- Delegated Signature Authority. Industrial employees generally understand that they are unable to sign documents that are legally binding upon their employers. University faculty members are not always cognizant that the documents they sign may purport to bind the University and that they personally lack the capacity to sign such agreements. It is advisable for Companies to inquire whether a University employee will be receiving and using the Company’s confidential information within the scope of their University employment or in some other capacity to assess the applicability of state law and University policies to the agreement and to assess whether the employee has authority to sign a CDA.
- Controlling Law. Generally, both parties to an agreement will be most knowledgeable about the laws of their home state and prefer that agreements be governed by those laws. Both parties to an agreement may agree to remain silent as to controlling law or specify the laws of a particular jurisdiction. Specifying a particular state’s laws as controlling will cause the agreement to be construed and interpreted according to these laws but may not override the obligations of a party to comply with applicable laws (e.g., open records or freedom of information) as a matter of public policy. Since state laws on trade secrets and protection of certain kinds of information (e.g., biometric identifiers) vary, the parties should be aware of how these laws may affect their use and treatment of confidential information.
- Injunctive Relief. A party may wish to include language in an SRA or CDA to ensure adequate remedy for breach or threatened breach of the confidentiality obligations, including the right to injunctive relief or specific performance, as is customary in the commercial environment. Such language may require the parties to agree that monetary damages would not be sufficient to remedy a breach. Universities may find such wording unacceptable as they may constitute a violation of principles of state sovereignty or be construed as an open door to additional litigation or contractual admission of fault. In such situations, resolution may be the inclusion of language in the agreement specifying that a party may seek injunctive relief rather than language stating that the parties are entitled to injunctive relief. This right, of course, is available to the parties even absent such a provision.
- The parties should first consider whether their mutual objectives can be achieved without disclosure of confidential information before incurring obligations related to protection of the other’s confidential information.
- Obligations on the part of University researchers to keep information provided by a Company confidential require detailed terms describing the parties’ obligations. Provisions may include specific measures for identifying and labeling confidential information, receiving, controlling, and securing confidential information and tracking the initial disclosure, as well as any subsequent disclosures to others, to properly safeguard the confidential information.
- Confidentiality provisions in agreements need to be consistent with publication and patent protection provisions.
- Some public Universities may be subject to their state’s public record, freedom of information, or sunshine laws, so confidentiality provisions should recognize and be consistent with such laws.
- Public Universities generally are restricted under state law from keeping the existence of an agreement secret and may require provisions in agreements that clearly permit the University to disclose the name of the Company partner, general purpose of the disclosure or agreement, and often, the total funded amount of sponsored projects.
The following topics are not covered in this Contract Accord:
- Applicability of Export Control Laws to Provisions in CDAs or SRAs that Restrict Publication (See UIDP Contract Accord 7: Export Control.);
- Cybersecurity and Information Security;
- Confidentiality Provisions in Faculty Consulting Agreements; and
- Trade Secret Laws and Applicability to University-Industry Agreements.
 For additional information on other types of agreements, see UIDP Contract Accord 10: Material Transfer Agreements, UIDP Contract Accord 13: Specialized Services and Testing Agreements, or Contract Accord 14: Data
 Confidentiality of the results of University research raises several issues, which are addressed in UIDP Contract Accord 3: Publication. Also, see UIDP Contract Accord 13: Specialized Services and Testing Agreements for information on the confidential treatment of the results from these kinds of agreements.
 Protection of proprietary confidential information is generally addressed by a contract law or trade secret law. The key feature of these laws is the promise of the parties to maintain the secrecy of the disclosed confidential information. Once information is disclosed without protection of a confidentiality agreement, it can no longer be protected as confidential information.
 Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996); HIPAA overview: http//www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
 The Family Educational Rights and Privacy Act (FERPA) requires a written agreement to disclose Personally Identifiable Information (PII) from educational records without consent. These written requirements must meet DFR 99.31(1)(6)(iii)(C) or 99.35(a)(3).
 An incremental scheme is usually conducted in roughly three stages:
1) Relatively informal sharing of non-confidential information; such discussions would be used to gauge the capabilities and interests of each party for future work and need not involve a confidentiality agreement.
2) Sharing of only the minimum amount of confidential information required to establish a Statement of Work, budgets, and anticipated deliverables from an expected project; a confidentiality agreement would normally be implemented at some point during this stage.
3) Performance of the actual collaborative work with the ongoing exchange of detailed confidential information; a more detailed confidentiality agreement (or confidentiality provisions in a fully negotiated SRA) should be in place by this stage of the relationship.
 This issue is frequently resolved by the Company agreeing to provide certain information under a time-limited obligation of confidentiality, after which the information loses its confidential status. If a CDA is put in place solely for the development of a SRA, then it should have a term that covers at least the time period needed to develop the Statement of Work, budget, and deliverables. If a SRA is subsequently established, then the earlier agreement should be referenced in the research agreement (usually either to be incorporated by reference into the SRA or to be superseded so that the SRA and the CDA are not in conflict with one another).
Consideration should also be given to specifying both a (shorter) time period, during which information may be exchanged, and a (longer) time period, during which the information must be kept in confidence, as doing so avoids situations in which information shared near the end of an agreement’s term ceases to become confidential soon thereafter. In addition, the agreement should be precise about whether the obligations of confidentiality expire based on date of signing of the agreement or the date of exchange of information so that there is no doubt as to how long those obligations last.
 Residual information clause may affect this exception. Residual Information is information kept in non-written form in a person’s memory. Sometimes, the parties clarify that the memory is “unaided” memory, or the person did not intentionally undertake to commit information to memory for the purpose of avoiding relevant obligations, and that disclosure and/or receipt of confidential information is not meant to create an obligation limiting or restricting the work assignments of employees who have had access.
 The parties should bear in mind that Universities frequently have obligations to maintain laboratory notebooks in order to verify the integrity of work performed and results published. For this reason, it is good practice to avoid including confidential information obtained from another party in a laboratory notebook.