Protecting Trade Secrets in Outsourcing: Creating Enforceable Confidentiality Agreements for Foreign BPO Clients (Philippine Legal Guide)
Introduction: why trade secrets and offshore data protection matter in Philippine outsourcing
Foreign companies that outsource work to the Philippines often share non-public commercial information such as product roadmaps, customer lists, pricing rules, internal workflows, source materials, and operational metrics. When work is performed remotely, the risk of copying, forwarding, or informal disclosure increases because the information is accessed outside the client’s physical premises.
Under Philippine law, protection is not limited to “registered” intellectual property. Confidential business information and trade secrets can be protected through contract design, evidence readiness, workplace policies, and security controls aligned with recognized legal standards on trade secrets and confidentiality.
Governing Philippine laws and issuances relevant to outsourcing confidentiality
Intellectual Property Code (R.A. No. 8293) recognizes intellectual property rights broadly and includes protection of undisclosed information in line with TRIPS concepts (R.A. No. 8293, 1997).
Revised Corporation Code (R.A. No. 11232) reflects Philippine policy that corporate records are inspectable by qualified persons but remain subject to confidentiality rules under prevailing laws, expressly including the Intellectual Property Code and the Data Privacy Act (R.A. No. 11232, 2019).
Telecommuting rules require telecommuting programs to include standards on data protection, confidentiality, and security consistent with the Data Privacy Act and related issuances (Department Order No. 237-22, IRR of R.A. No. 11165, 2022).
Rules on Evidence recognize privilege for trade secrets and allow courts to impose protective measures when disclosure is ordered (A.M. No. 19-08-15-SC, 2019 Amendments to the Rules on Evidence).
What Philippine jurisprudence treats as a “trade secret” and why it matters for BPO contracts
Philippine jurisprudence treats trade secrets as privileged and generally protected from compulsory disclosure, particularly where the information has economic value and is not generally known. The Supreme Court has recognized that courts should not compel production of trade secrets absent strong justification.
In Air Philippines Corporation v. Pennswell, Inc., G.R. No. 172835, April 23, 2007, the Supreme Court treated the chemical composition/formulation of lubricants as trade secrets and held that a party cannot be compelled to disclose such information. The Court cited factors used to assess trade secrets, including how widely the information is known, measures taken to guard secrecy, the value to the business and competitors, development cost, and ease of independent acquisition.
This is useful in outsourcing because it supports two themes you can build into agreements: (1) the information is economically valuable and non-public, and (2) the client and vendor took affirmative secrecy measures (contractual and technical), which strengthens enforceability and evidence.
Confidentiality policies must be specific: lessons from labor jurisprudence
Confidentiality clauses and company rules cannot be drafted so broadly that they become vague catch-all prohibitions. Overbreadth can weaken enforcement, especially in employment disputes where dismissal or discipline is imposed.
In Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, July 7, 2021, the Supreme Court ruled that internal rules defining confidential information in an overly broad way were unfair and unreasonable because of vagueness; the employer could not simply label almost anything as confidential to justify sanctions. While the case arose in an employee discipline context, the drafting lesson applies to outsourcing: define what is confidential, why it is confidential, and what uses are allowed.
Using non-compete / non-involvement clauses for higher-risk roles
For certain roles (e.g., senior team leads, quality managers, solutions architects, workforce planners, analysts exposed to pricing models and playbooks), limited post-employment restrictions may be considered.
In Tiu v. Platinum Plans Phil., Inc., G.R. No. 163512, February 28, 2007, the Supreme Court held that a non-involvement / non-compete clause is not automatically void as restraint of trade if it is reasonable as to time, trade, and place, and not greater than necessary to protect the employer’s legitimate interests, especially where the employee had access to confidential strategies.
For BPO arrangements, the more defensible approach is to reserve non-compete obligations for a narrow set of employees with proven exposure to trade secrets, and to draft the restriction with clear limits (duration, scope of competing work, geography if relevant).
What to include in an enforceable confidentiality agreement for foreign BPO clients
1) Define “Confidential Information” with enough detail to avoid vagueness
A strong definition avoids “everything is confidential” language. It identifies categories that match real outsourcing data flows.
Recommended approach: define confidential information to include, for example:
(a) Trade secrets (formulas, models, processes, methods, client workflows, scoring logic, internal QA rubrics);
(b) Proprietary business information (pricing, margins, vendor terms, business plans, metrics, forecasting);
(c) Customer and supplier information (lists, contact data, purchase history, account notes, ticket logs);
(d) Technical and security information (architecture diagrams, security procedures, access credentials, incident reports);
(e) “Derived information” (summaries, analyses, screenshots, recordings, exports, notes created from access).
To strengthen enforceability under the reasoning in Air Philippines Corporation v. Pennswell, Inc., include a recital that the information is non-public, valuable, and subject to secrecy measures (G.R. No. 172835, April 23, 2007).
2) Clarify permitted use and strict purpose limitation
State that Confidential Information may be used only to perform the outsourced services, and never for personal benefit, side work, or other clients. Add a rule that any use outside the statement of work requires written client approval.
3) Identify “Authorized Persons” and require access control
Specify that access is limited to employees/contractors with a work-related need-to-know, and that the vendor must maintain role-based access. This supports the “measures taken to guard secrecy” element recognized in Air Philippines Corporation v. Pennswell, Inc. (G.R. No. 172835, April 23, 2007).
4) Confidentiality during remote work: contract + telecommuting compliance items
Remote work controls should be contractual obligations, not mere “best effort.” Telecommuting rules expect standards on data protection, confidentiality, and security to be included in the telecommuting program (Department Order No. 237-22, 2022).
Typical contract requirements for remote setups:
(a) Device and workspace rules (company-managed device, no shared computers, clean desk, no printing);
(b) Network rules (VPN-only access, no public Wi-Fi, router password standards);
(c) Monitoring and logging (audit logs, DLP alerts, file transfer restrictions);
(d) Meeting controls (no recording without approval; prevent shoulder-surfing);
(e) Incident reporting (time-bound reporting of suspected leak or compromise).
5) Return, deletion, and offboarding obligations (including “proof of destruction”)
Require return or secure deletion of client data upon request, termination, or role change. Consider requiring an attestation of deletion and confirmation that no copies remain in personal email, chat apps, cloud drives, or local folders.
6) Remedies, enforcement, and evidence readiness
Use layered remedies: (1) immediate injunctive relief where available, (2) indemnity for losses, and (3) liquidated damages if appropriate (carefully drafted). Also include audit rights tied to reasonable safeguards and confidentiality.
Because trade secrets are privileged, you can also include a clause allowing the parties to seek protective measures in court proceedings to prevent unnecessary disclosure, consistent with the privilege relating to trade secrets under the Rules on Evidence (A.M. No. 19-08-15-SC, 2019).
7) Avoid overbroad “confidentiality” that can backfire
Drafting should anticipate potential labor disputes or employee discipline issues. Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, July 7, 2021, cautions against vague or overly broad rules on confidentiality. Consider carving out lawful disclosures such as those required by a lawful court order (subject to notice and protective steps) and disclosures to counsel for legitimate claims, subject to confidentiality handling.
Sample “confidentiality clause” structure (outline)
1. Definition of Confidential Information with categories and exclusions (public domain, independently developed, rightfully received).
2. Purpose limitation and no reverse engineering / no competitive use.
3. Access control, training, and subcontractor flow-down obligations.
4. Security measures for on-site and remote work aligned with telecommuting requirements (Department Order No. 237-22, 2022).
5. Prohibited acts (copying, screenshots, external drives, personal email forwarding, unauthorized recordings).
6. Incident response and notice timelines.
7. Return/deletion and certification.
8. Remedies including injunctive relief and damages.
9. Dispute resolution and governing law/forum selection clauses.
Table: contract controls matched with legal support
| Contract control | Why it helps legally | Supporting authority |
|---|---|---|
| Specific definition of confidential information; avoid catch-all labels | Reduces vagueness challenges; shows reasonableness of policy | Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, July 7, 2021 |
| Documented secrecy measures (access limits, security controls, training) | Supports showing information is a protectable trade secret | Air Philippines Corporation v. Pennswell, Inc., G.R. No. 172835, April 23, 2007 |
| Protective orders / confidentiality handling in disputes | Supports non-disclosure of trade secrets in litigation; enables controlled disclosure if ordered | A.M. No. 19-08-15-SC (2019 Amendments to the Rules on Evidence) |
| Remote-work confidentiality and security standards in telecommuting program | Aligns employment arrangements with regulatory expectations on data protection and confidentiality | Department Order No. 237-22 (2022), IRR of R.A. No. 11165 |
| Narrow non-compete for high-access roles only | Improves enforceability by keeping restrictions reasonable | Tiu v. Platinum Plans Phil., Inc., G.R. No. 163512, February 28, 2007 |
Typical scenarios in outsourcing and how to address them in writing
Scenario 1: agent sends client templates to personal email to work faster
Contract response: prohibit external forwarding, require approved tools only, and treat unauthorized transfer as a material breach. Include immediate incident reporting and device forensics cooperation. This also strengthens the “secrecy measures” factor for trade secret protection (Air Philippines Corporation v. Pennswell, Inc., G.R. No. 172835, April 23, 2007).
Scenario 2: employee uses screenshots and screen recordings for “notes”
Contract response: expressly prohibit screenshots/recordings without approval, require watermarking, and enable technical restrictions. Avoid vague “confidential” labels; specify what is prohibited and why, consistent with the caution against vague rules (Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, July 7, 2021).
Scenario 3: team lead resigns and joins a competitor servicing the same foreign market
Contract response: consider a narrowly tailored non-compete / non-involvement clause for senior positions with access to pricing, playbooks, and strategies, limited in duration and scope to satisfy reasonableness (Tiu v. Platinum Plans Phil., Inc., G.R. No. 163512, February 28, 2007). Pair it with continuing confidentiality obligations, which are generally more defensible than broad restraints.
Common drafting mistakes that weaken enforceability
(1) Overbroad definitions (“all information is confidential”) without categories or exclusions, inviting vagueness concerns (Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, July 7, 2021).
(2) No proof of secrecy measures (no access control, no training, no monitoring), weakening trade secret characterization (Air Philippines Corporation v. Pennswell, Inc., G.R. No. 172835, April 23, 2007).
(3) One-size-fits-all non-competes applied to all employees regardless of role, risking invalidity for unreasonableness (Tiu v. Platinum Plans Phil., Inc., G.R. No. 163512, February 28, 2007).
(4) Remote work policies not integrated into telecommuting rules and written standards (Department Order No. 237-22, 2022).
(5) No litigation confidentiality plan (e.g., no clause on seeking protective measures), increasing the risk of forced disclosure in disputes (A.M. No. 19-08-15-SC, 2019).
Conclusion: recommended steps for foreign BPO clients and Philippine vendors
To reduce offshore data leakage risk under Philippine law, confidentiality agreements should be written with specific, defensible definitions, tied to documented secrecy measures, and reinforced by remote-work security obligations consistent with telecommuting rules. For select high-access roles, a narrow non-compete may be considered if it is reasonable in scope and duration.
On implementation, the most effective approach is to combine (1) clear contract prohibitions, (2) access controls and monitoring, (3) training and acknowledgments, and (4) an offboarding process that verifies return/deletion. These steps also position the client and vendor to demonstrate that the information qualifies as a protectable trade secret, and to seek protective measures if a dispute reaches court.
About Nicolas and De Vega Law Offices
Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.
