Everywhere I’ve worked for the last 20+ years had formal NDAs and training on business confidentiality. Working at smaller companies before that was less formal. Some projects have formal disclosure procedures and lists, most do not, and that means “we trust your judgement about who needs to know”. Note that just hearing that phrase, coming from a Director or CxO, carries a lot of info about how seriously to take it.
Everywhere I’ve been, there is a bright line for use of the phrase “privileged and confidential”, with a requirement that the communication be to or from a lawyer on a topic the lawyer is engaged in.
For me, business confidentiality is pretty easy—the harm from over-sharing non-public information is usually easy to see.
Non-business confidentiality is much fuzzier, and I think fundamentally so (in the territory of harms for failure, not just the map of norms and expectations). A lot of “secrets” aren’t really that important, and the harm from sharing may be unclear or contentious (Bob might believe that disclosure to Carol is overall a benefit, even if Alice is annoyed). Perceived harm may be from sense of betrayal rather than actual harm of information.
I think, even if your question isn’t coming from general aspie/autism tendencies, you might do well on this topic to borrow some techniques. First and foremost, recognize the hole in your perception, and ask people or proactively tell them if they seem to be making assumptions you don’t understand. Generally, use more words—describe what level of secrecy you are willing/able to provide.
Everywhere I’ve worked for the last 20+ years had formal NDAs and training on business confidentiality. Working at smaller companies before that was less formal.
I think I mostly formed my sense of “haven’t seen companies actually taking this seriously” at smaller new orgs, good to know it’s more common. I figured it’d be common for, like, lawyers and therapists, but hadn’t heard of it in other contexts. I’m curious what the training entails?
(There was one 3000 person company I worked at that didn’t seem to have any training re: privacy, although I was also only hired there as a contractor so not too surprising if I just missed it)
“training” may imply more than I intended. We have an annual stupid video to watch and a bunch of wiki pages about basic infosec behaviors and mechanisms to keep some info off of shared build systems, and some “loose lips sink ships” posters. It does include guidance on baseline “company confidential” behavior and not talking with outsiders except on the narrow topics related to their work. We do have formal classes (with tests and mock presentations) before we’re allowed to give talks or speak to groups on behalf of the company.
There remains a _LOT_ of cultural and ad-hoc expectations on the topic, far more than official policy or training. And there are ongoing debates about the very large value in open sharing of information compared with the cost of leaks. This leads to a fair bit of nuance regarding which topics are “just don’t talk about” and which are “have a good reason before discussing with someone” and which are “don’t advertise widely, but feel free to discuss if it’s relevant”.
At a very basic level, for both private and commercial secrets, you have a LOT of evidence about how seriously it’s taken, just by the fact and manner that the secret is given to you. “If you want it kept secret, why are you telling ME?” Asking this question is a great opener for understanding what the specific expectations are.