Company Name:
Effective Date:
Policy Owner:
Approved By:
Classification Levels:
1.1 This policy establishes the Organization's comprehensive requirements for the identification, classification, protection, handling, and non-disclosure of confidential, proprietary, and sensitive information by all individuals who have access to such information in the course of their relationship with the Organization. It applies to all employees regardless of employment type or grade, contractors, consultants, temporary workers, interns, board members, and any third party who has been granted access to the Organization's confidential information under a contractual or fiduciary obligation. This policy is designed to safeguard the Organization's trade secrets, intellectual property, client data, financial information, strategic plans, and other proprietary assets from unauthorised disclosure, misuse, or loss, and to ensure compliance with applicable data protection, privacy, and trade secret legislation. It supplements but does not replace individual non-disclosure agreements that employees or third parties may have executed with the Organization.
1.2 For the purposes of this policy, confidential information encompasses all non-public information related to the Organization's business operations, financial condition, technology, products, services, clients, employees, and strategic plans, regardless of the medium or form in which the information is created, stored, or communicated. This includes, without limitation, trade secrets, proprietary algorithms, source code, product designs, and technical specifications; client lists, pricing structures, contract terms, and business proposals; financial statements, budgets, forecasts, and merger or acquisition plans; employee compensation data, performance records, and personal information; marketing strategies, competitive analyses, and business development plans; and any information that is marked as confidential, designated as restricted, or that a reasonable person would understand to be confidential given the circumstances of its disclosure. Information that is publicly available through no fault of the employee, independently developed without reference to the Organization's confidential information, or lawfully obtained from a third party without restriction shall not be considered confidential for the purposes of this policy.
2.1 The Organization shall classify all information assets into four categories based on sensitivity and the potential impact of unauthorised disclosure: Public information that is intended for unrestricted distribution and poses no risk if disclosed; Internal information that is intended for use within the Organization and is not harmful if disclosed but is not intended for external distribution; Confidential information that could cause material harm to the Organization, its clients, or its employees if disclosed and must be protected with enhanced security controls; and Restricted information, the most sensitive category, which includes trade secrets, material non-public financial data, and personal data subject to regulatory protection, and which requires the highest level of security, including encryption, access logging, and need-to-know restrictions. Each classification level carries defined requirements for labelling, storage, electronic and physical transmission, access controls, and secure disposal. The information owner, typically the department head or project lead who created or received the information, is responsible for assigning the appropriate classification. The Information Security team shall publish and maintain a detailed data handling guide for each classification level.
2.2 Access to confidential and restricted information shall be granted on a strict need-to-know basis, meaning that employees may access only the information that is directly necessary for the performance of their assigned job duties. Employees shall not share, copy, transmit, photograph, or otherwise reproduce confidential information and make it available to any individual, whether inside or outside the Organization, who does not have a legitimate business need and appropriate authorisation to receive it. Where confidential information must be shared with authorised external parties such as clients, vendors, auditors, or legal advisors, the disclosure must be approved by the information owner and the recipient must be bound by a non-disclosure agreement or equivalent contractual obligation. Confidential information shall be transmitted only through Organization-approved secure channels, including encrypted email, secure file transfer platforms, and approved collaboration tools. Employees shall not use personal email accounts, unapproved cloud storage services, or removable media to store or transmit confidential information unless expressly authorised by the Information Security team.
2.3 When confidential or restricted information is no longer required for its intended business purpose and is not subject to a legal hold or regulatory retention obligation, it shall be disposed of securely using methods approved by the Information Security team. Physical documents classified as Confidential or Restricted shall be disposed of using cross-cut shredding or secure destruction services provided by an approved third-party vendor. Electronic media, including hard drives, USB devices, and optical discs, shall be disposed of through certified data wiping using industry-standard overwriting algorithms, degaussing, or physical destruction, with a certificate of destruction obtained and retained for audit purposes. Electronic files stored on Organization servers, cloud platforms, or collaboration tools shall be permanently deleted in accordance with the Organization's data retention schedule, and the IT department shall confirm deletion upon request. Employees shall not dispose of confidential documents in regular waste bins, recycling containers, or unsecured disposal methods. The Information Security team shall conduct periodic spot checks to verify compliance with disposal requirements.
3.1 All employees shall be required to sign a non-disclosure agreement as a condition of employment, which shall be executed before or on the employee's first day of work and before the employee is granted access to any confidential or restricted information. The NDA shall set out the employee's obligations regarding the protection and non-disclosure of confidential information, the permitted uses of confidential information, the consequences of unauthorised disclosure, and the employee's obligations upon termination. The confidentiality obligations imposed by the NDA shall remain in full force and effect throughout the duration of the employee's employment and for a minimum period of 24 months following the termination of employment for any reason, or indefinitely for information that constitutes a trade secret under applicable law. Contractors, consultants, and third-party service providers shall be required to execute a separate NDA or shall be bound by equivalent confidentiality provisions in their service agreement before receiving access to confidential information.
3.2 Employees shall not use confidential or proprietary information obtained through their employment for personal financial gain, to benefit a competitor, family member, or any third party, or for any purpose other than the legitimate and authorised business purposes of the Organization. This prohibition extends to using confidential information to make personal investment decisions, to establish or assist a competing business, to negotiate personal employment terms with a competitor, or to develop products, services, or processes that incorporate the Organization's proprietary knowledge without authorisation. Any misuse of confidential information, whether during or after employment, shall constitute a material breach of the employee's obligations and grounds for immediate disciplinary action, up to and including summary termination of employment. The Organization shall also pursue all available legal remedies, including injunctive relief, disgorgement of profits, and monetary damages, against any individual found to have misused its confidential information.
3.3 Upon the termination of employment for any reason, whether voluntary or involuntary, the departing employee shall immediately return to the Organization all confidential and proprietary information in their possession, custody, or control, including but not limited to physical documents, printed materials, notebooks, and handwritten notes; electronic files, data, and correspondence stored on Organization-issued or personal devices; copies, extracts, summaries, and analyses derived from confidential information; access tokens, encryption keys, and credentials for Organization systems; and any other materials containing or derived from confidential information. The employee shall certify in writing, using the Organization's standard exit declaration form, that all confidential information has been returned, that no copies have been retained in any form, and that the employee understands and acknowledges their ongoing confidentiality obligations. The IT department shall conduct a remote wipe of Organization data from any personal devices that were used for work purposes under the Organization's BYOD policy. The HR department shall not issue the employee's relieving letter or process the final settlement until the exit declaration has been received and verified.
4.1 Notwithstanding the general prohibition on disclosure, confidential information may be disclosed where the disclosure is compelled by a valid court order, subpoena, or governmental or regulatory request that has the force of law. In such circumstances, the employee must immediately notify the Organization's Legal department before making any disclosure to allow the Organization an opportunity to seek protective measures, object to the disclosure, or limit its scope. The employee shall disclose only the minimum amount of information strictly required to satisfy the legal obligation and shall take all reasonable steps to preserve the confidentiality of the disclosed information, including requesting confidential treatment from the requesting authority where possible. Additionally, this policy shall not be interpreted to restrict an employee's rights under applicable whistleblower protection statutes to report suspected legal violations to governmental agencies, nor shall it restrict an employee's right to engage in protected concerted activity under applicable labour relations legislation. The Organization shall not retaliate against any employee who makes a disclosure that is required by law or protected under applicable whistleblower statutes.
4.2 Confidential information may be disclosed to authorised third parties in the ordinary course of business, including external auditors, legal advisors, tax consultants, regulatory authorities, potential acquirers or investors during due diligence, and strategic partners, provided that the disclosure has been approved in writing by the information owner and, for Restricted-level information, by the Legal department or the Chief Information Security Officer. Before any disclosure to a third party, the Organization must ensure that a binding non-disclosure agreement or equivalent contractual confidentiality obligation is in place that provides protections at least as stringent as those set out in this policy. The disclosing employee shall limit the scope of information shared to the minimum necessary for the stated business purpose, shall use Organization-approved secure transmission methods, and shall maintain a record of the disclosure, including the date, the recipient, the scope of information shared, and the business justification. The HR department and Legal Counsel shall maintain a register of all third-party NDA relationships and shall review compliance with third-party confidentiality obligations at least annually.
5.1 Any violation of this policy, whether through intentional unauthorised disclosure, negligent handling, or misuse of confidential or proprietary information, shall be investigated by the HR department in consultation with the Information Security team and Legal Counsel. Where a violation is substantiated, the Organization shall impose disciplinary action proportionate to the severity, intent, and impact of the breach, which may include formal counselling and a written warning, mandatory retraining on information security and confidentiality obligations, suspension with or without pay pending investigation, termination of employment, and referral to law enforcement where criminal conduct is suspected. In addition to internal disciplinary action, the Organization reserves the right to pursue civil remedies against the offending individual, including injunctive relief, damages, and disgorgement of any profits obtained through the misuse of confidential information. Employees who become aware of a suspected breach of this policy by any individual must report the matter immediately to their manager, the HR department, or the confidential reporting hotline.
5.2 This Non-Disclosure Policy shall be reviewed comprehensively at least once every 12 months by the HR department, Legal Counsel, and the Information Security team to ensure that it remains current, effective, and aligned with applicable data protection legislation, trade secret laws, and the Organization's information security framework. An interim review shall be triggered by any material change in applicable law, a significant data breach or security incident, or the findings of an internal or external audit that identifies gaps in the Organization's confidentiality protections. All employees shall complete mandatory training on their confidentiality obligations and information handling responsibilities during onboarding and annually thereafter. Training shall cover the provisions of this policy, the Organization's data classification framework, secure handling and disposal procedures, recognising and reporting security incidents, and the consequences of non-compliance. The Learning and Development team shall maintain records of training completion, and the HR department shall follow up with employees who do not complete the annual training within 30 calendar days of the due date.
A non-disclosure policy is a formal organizational document that establishes the rules, procedures, and obligations governing the protection and non-disclosure of confidential, proprietary, and sensitive information by employees, contractors, and third parties who have access to such information. It complements individual non-disclosure agreements (NDAs) by providing an organizational-level framework that defines what constitutes confidential information, how it should be classified and handled, what obligations apply during and after employment, and what consequences follow from unauthorised disclosure.
The non-disclosure policy is one of the most critical documents in an Organization's information governance framework. While NDAs create binding legal obligations for individual employees, the policy provides the operational standards — information classification, handling procedures, access controls, and disposal methods — that translate those obligations into daily practice.
SHRM, the International Association of Privacy Professionals (IAPP), and ISO 27001 all recommend that organizations maintain a comprehensive non-disclosure and information handling policy that goes beyond individual contractual obligations. The policy establishes the Organization-wide standard of care that every employee must meet, ensuring consistent protection of confidential information across all departments, locations, and business functions.
A non-disclosure policy protects your Organization's most valuable intangible assets — trade secrets, intellectual property, client data, and strategic plans — from the threats of unauthorised disclosure, employee negligence, and competitive espionage. The financial and reputational consequences of a confidentiality breach can be devastating.
The Ponemon Institute's annual Cost of a Data Breach Report consistently shows that the average cost of a data breach exceeds $4 million, with breaches involving trade secrets and proprietary information carrying even higher costs due to competitive harm and lost business. A formal non-disclosure policy reduces this risk by establishing clear handling standards, access controls, and disposal procedures that minimise the opportunity for accidental or intentional disclosure.
From a legal perspective, the protection of trade secrets under statutes such as the US Defend Trade Secrets Act (DTSA), the EU Trade Secrets Directive, and India's Information Technology Act depends in part on the Organization demonstrating that it took reasonable measures to protect the secrecy of the information. A documented non-disclosure policy with defined classification levels, access restrictions, and enforcement procedures is one of the strongest forms of evidence that the Organization met this standard.
From an operational perspective, the policy provides employees with practical guidance on how to handle sensitive information in their daily work — what can be shared, with whom, through which channels, and under what conditions. Without this guidance, employees default to convenience, sharing confidential files via personal email, storing sensitive documents on unapproved cloud platforms, or discussing proprietary information in public settings.
An effective non-disclosure policy contains five core components that together create a comprehensive framework for information protection.
Definition of confidential information establishes what is covered by the policy. This includes trade secrets, proprietary technology, client data, financial information, strategic plans, employee data, and any other non-public information that could harm the Organization if disclosed. Clear definitions prevent ambiguity and ensure employees understand the scope of their obligations.
Information classification creates a tiered system — typically Public, Internal, Confidential, and Restricted — with defined handling requirements for each level. Classification ensures that protection measures are proportionate to the sensitivity of the information and that employees understand how to handle data at each level.
Handling and access controls define who may access confidential information, under what conditions, and through which approved channels. The need-to-know principle restricts access to individuals who require the information for their job duties. Approved transmission methods, encryption requirements, and storage protocols prevent accidental exposure.
Non-disclosure obligations specify the employee's binding commitments, including the prohibition on unauthorised disclosure, the prohibition on personal use, the obligation to return all information upon termination, and the survival of confidentiality obligations after employment ends. These obligations are reinforced by individual NDAs signed at the time of hire.
Enforcement and consequences define the investigation process for suspected breaches and the disciplinary and legal actions available to the Organization, including termination, injunctive relief, and damages.
Implementing a non-disclosure policy requires three coordinated workstreams that address the legal, operational, and cultural dimensions of information protection.
First, establish the classification framework. Work with the Information Security team to define the four classification levels — Public, Internal, Confidential, and Restricted — and create a detailed handling guide for each level. The guide should specify labelling requirements, approved storage locations, permitted transmission methods, access control procedures, and secure disposal methods. Distribute the classification framework to all information owners and train them on how to classify the information they create and manage.
Second, implement the NDA process. Ensure that every new employee signs a non-disclosure agreement before their first day of work and before being granted access to any confidential systems or information. For existing employees who have not signed an NDA, conduct a remediation exercise to obtain signatures. For contractors and third parties, verify that binding confidentiality obligations are in place before any information is shared.
Third, train and reinforce. Conduct mandatory training for all employees on the non-disclosure policy, the classification framework, and the practical handling procedures. Training should include real-world scenarios such as responding to a phishing email, handling a client's confidential data, and disposing of sensitive documents. Reinforce the training with periodic reminders, simulated phishing exercises, and spot checks of document disposal practices. Track training completion rates and follow up with employees who have not completed the training within the required timeframe.