When you’re building a startup or scaling an SME, information moves fast.
You might have sales and product teams sharing the same Slack channels. You might be doing advisory work for multiple clients in the same industry. Or you might have a founder who sits on two boards, wears three hats, and is involved in fundraising discussions while also managing a key supplier relationship.
That speed is great for growth, but it can create real legal and commercial risk if sensitive information ends up in the wrong hands (even accidentally).
This is where an information barrier comes in.
An information barrier (sometimes called a “Chinese wall”) is a set of practical controls that help stop confidential or sensitive information flowing between teams, projects, or people who shouldn’t have access to it.
In this guide, we’ll walk you through what an information barrier is, when you should consider one, and how to build a practical, “works-in-real-life” approach that fits an Australian startup or SME. This article is general information only and isn’t legal advice.
An information barrier is a structured system of rules, processes and technical safeguards designed to:
- limit access to sensitive information on a “need to know” basis
- reduce the risk of conflicts of interest
- help your business demonstrate it acted appropriately if a dispute or investigation happens later.
Importantly, an information barrier isn’t just “telling people not to share”. It’s about building a defensible system that makes it hard for information to leak, and easy for staff to do the right thing.
For many small businesses, “confidential information” can include:
- customer lists, pricing, and pipeline data
- product roadmaps, source code, or prototypes
- marketing strategies and launch plans
- financials (especially around fundraising, valuations and budgets)
- HR information (performance issues, investigations, remuneration)
- supplier terms, costings, and margin data
- client data provided to you under confidentiality
- personal information you hold about customers, staff or users.
If you’re ever unsure whether something is “private” or “confidential”, it helps to clarify the concepts internally so your team is aligned. Many business owners find it useful to distinguish between privacy and confidentiality early on, because they drive different obligations and systems.
For reference, the difference between privacy and confidentiality often becomes crucial when you’re setting policies and deciding who can access what.
Even when you’re not in a heavily regulated industry, an information barrier can protect your business in practical ways, such as:
- Winning and keeping clients: many commercial clients want comfort that their data won’t be used to benefit a competitor (even indirectly).
- Reducing internal disputes: clear rules make it easier to manage staff expectations, especially during restructures, terminations or exits.
- Protecting your reputation: a single data leak can damage trust quickly.
- Supporting fundraising and exits: investors and buyers often ask about governance and data handling.
You don’t need to be a large bank or a law firm to benefit from an information barrier.
If any of the scenarios below sound familiar, it’s worth considering an information barrier as part of your governance toolkit.
You Serve Competing Clients Or Market Segments
If your business is an agency, developer studio, managed services provider, consultancy, recruiter, or outsourced operations team, you may work with clients who compete directly.
Example: you provide growth marketing services for two eCommerce brands in the same niche. Even if your intention is to keep things separate, your team could accidentally reuse customer insights, creative concepts, or pricing benchmarks.
An information barrier helps you separate projects so you can keep delivering value without putting either relationship (or your reputation) at risk.
You Run Multiple Products Or Business Lines
As you grow, it’s common to run multiple brands or product lines, sometimes even under the same company. If those products compete, or if they serve different partners, you may need separation internally.
This comes up often where there are shared engineering resources, a single sales team, or shared leadership.
You Have Board-Level Or Founder-Level Conflicts
Founders and executives often sit on multiple boards, advise multiple startups, or have side ventures.
That can be great for networks and growth, but it can also create an actual or perceived conflict if confidential information from one role influences decisions in another.
A practical information barrier can include “deal team” separation for fundraising, restricted access to board packs, and clear conflict management processes.
You’re Handling Highly Sensitive Data
If your business handles sensitive information like health data, financial information, children’s information, or large volumes of personal information, you should be thinking beyond “basic security”.
In those cases, the barrier isn’t just about internal conflicts. It’s also about controlling access, preventing leaks, and meeting your obligations under contracts and privacy laws.
That often goes hand-in-hand with the right external-facing documents, like a Privacy Policy, and internal security governance (more on that below).
For most startups and SMEs, the best information barrier is one that is:
- simple enough that people will follow it
- specific enough that it’s enforceable
- documented enough that you can prove it existed when you need to.
A useful way to think about an information barrier is: People + Process + Technology.
1) People: Define Who Is In And Who Is Out
Your barrier starts with defining groups. For example:
- Client A project team vs Client B project team
- Fundraising “deal team” vs broader staff
- HR/investigations team vs operational managers
- Security/IT admins vs general users
Then, clarify who is allowed to move between groups, and what happens when someone switches (for example, when a developer moves from Client A to Client B).
In many cases, you may choose to implement a “cooling off” period or a structured handover process to reduce the risk of someone carrying sensitive information across projects. Whether this is appropriate (and what it should look like) will depend on your team and the type of information involved.
2) Process: Create Practical Rules For Day-To-Day Decisions
This is where many information barriers fail. If the rules are vague, people will make their own judgement calls under pressure.
Strong processes usually cover:
- Access approvals: who approves access to a restricted folder, CRM segment, or codebase?
- Meeting rules: who can attend which meetings, and how do you handle minutes and recordings?
- Conflict escalation: if someone thinks there’s a conflict, who do they report it to?
- Handover protocols: how do you transition a staff member between teams without migrating confidential information?
- Client communications: who is allowed to speak to which client, and on what channels?
This is also where you embed confidentiality expectations into onboarding and contracts. A well-drafted Employment Contract can support your information barrier by clearly setting expectations about confidentiality, IP, and acceptable use of company systems.
3) Technology: Limit Access (And Make It Auditable)
Technology isn’t the whole solution, but it’s a major part of making an information barrier credible.
Common technical controls include:
- Role-based access: only certain roles can access certain systems or folders.
- Separate workspaces: separate project management boards, shared drives, and Slack/Teams channels for each team.
- Separate environments: where appropriate, separate repos, environments, or databases for client projects.
- Logging and monitoring: access logs matter if you ever need to investigate a suspected leak.
- Device and account controls: MFA, password rules, and restrictions on external storage/forwarding.
For many businesses, it’s also worth formalising internal standards in an Information Security Policy, especially if you’re aiming to work with enterprise clients or you’re scaling quickly and need consistency across the team.
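The group definitions and cooling-off rule from the People step, together with the role-based access and logging controls listed above, can be expressed as a single access check that is also replayed over access logs. The following Python is an added example, not from the original article or any specific product; the group names, folder paths, membership dates and 30-day cooling-off period are constructed assumptions.

```python
from datetime import datetime, timedelta

COOLING_OFF = timedelta(days=30)  # assumed policy value
WALLS = {"clients/a/": "client-a", "clients/b/": "client-b", "deals/": "deal-team"}
CONFLICTS = {frozenset({"client-a", "client-b"})}  # groups walled off from each other

# Constructed membership history: user -> [(group, joined, left or None)]
MEMBERS = {
    "dev1": [("client-a", datetime(2024, 1, 1), datetime(2024, 3, 1)),
             ("client-b", datetime(2024, 3, 1), None)],
    "dev2": [("client-b", datetime(2024, 1, 1), None)],
    "cfo": [("deal-team", datetime(2024, 1, 1), None)],
}

def group_for(resource):
    """Map a resource path to the barrier group that owns it (None = unrestricted)."""
    return next((g for prefix, g in WALLS.items() if resource.startswith(prefix)), None)

def authorize(user, resource, when):
    """Return (allowed, reason) for one access under the barrier rules."""
    group = group_for(resource)
    if group is None:
        return True, "unrestricted"
    history = MEMBERS.get(user, [])
    if not any(g == group and start <= when and (end is None or when < end)
               for g, start, end in history):
        return False, f"not a current member of {group}"
    for g, start, end in history:
        walled = frozenset({g, group}) in CONFLICTS
        if walled and start <= when and (end is None or when < end + COOLING_OFF):
            return False, f"cooling-off after {g}"
    return True, "member"

def review(log):
    """Replay access-log entries and return those the barrier should have blocked."""
    checked = ((u, r, authorize(u, r, t)) for u, r, t in log)
    return [(u, r, reason) for u, r, (ok, reason) in checked if not ok]

# Constructed access log: (user, resource, timestamp)
LOG = [
    ("dev1", "clients/b/pricing.xlsx", datetime(2024, 3, 10)),  # inside cooling-off
    ("dev1", "clients/b/pricing.xlsx", datetime(2024, 4, 15)),  # cooling-off elapsed
    ("dev2", "clients/a/roadmap.md", datetime(2024, 2, 1)),     # wrong side of the wall
    ("cfo", "deals/term-sheet.pdf", datetime(2024, 2, 1)),      # deal-team member
    ("dev2", "handbook/leave.md", datetime(2024, 2, 1)),        # unrestricted
]
```

Running `review(LOG)` returns the two entries that crossed the barrier, each with the reason, which is the kind of record an access-log investigation would start from.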
An information barrier is a practical business tool, but it also intersects with legal obligations.
Most problems arise when a business assumes “internal” means “safe”. In reality, internal mishandling can still lead to contractual claims, privacy complaints, employee disputes, and loss of IP.
Confidentiality And Contractual Obligations
If clients, suppliers, or partners share sensitive data with you, you may have obligations in your agreements to:
- restrict access to certain personnel
- only use the information for a limited purpose
- notify the other party if there’s an unauthorised disclosure
- return or destroy information at the end of the engagement.
If you’re sharing your own sensitive information externally (for example, with contractors, potential investors, or a joint venture partner), it’s often sensible to use a Non-Disclosure Agreement so you can share what’s needed while still protecting your position.
If your “sensitive data” includes personal information (for example, customer contact details, payment information, user behaviour, or HR records), your information barrier should align with how you comply with Australian privacy requirements.
In Australia, privacy obligations often come from the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Whether the APPs apply to your business can depend on factors like whether you’re an “APP entity” (for example, many organisations with annual turnover of $3 million or less are not covered, but there are important exceptions), and whether you handle certain categories of data or work in particular industries. Even where the Privacy Act doesn’t apply, contracts, customer expectations, and other laws can still effectively require privacy-grade handling as a baseline.
Having a clear Privacy Policy and internal access controls can reduce risk and help you build trust.
Employment And Workplace Governance
Your information barrier will usually be implemented by your team, so your workplace documents and processes need to support it.
At a practical level, consider:
- training staff on what “need to know” means in your business
- setting consequences for deliberate breaches (consistent with workplace laws and your contracts/policies)
- tight offboarding processes (revoking access promptly, confirming return/deletion of data).
It’s also important that your contracts match how you actually operate. If you tell clients you have strict separation, but your internal reality is “everyone can access everything”, you create a risk gap that’s hard to defend later.
Founder, Director And Shareholder Conflicts
If you’re operating through a company, information barriers can become part of your broader governance framework. This matters even more once you have co-founders, investors, or a board.
For example:
- a Shareholders Agreement can set expectations around decision-making, information rights, and how conflicts are handled between owners
- a Company Constitution can also help establish the rules for governance and how the company operates internally.
These documents don’t replace an information barrier, but they often support the “who can access what, and when” side of the story when there’s a dispute between founders or shareholders.
Think of an information barrier as a system. Documents and policies help you operationalise it and prove it exists.
Not every business needs every document below, but most startups and SMEs benefit from having a clear “paper trail” around how sensitive information is handled.
- Confidentiality terms in your Employment Contract: helps set baseline expectations and supports action if someone misuses confidential information.
- Non-Disclosure Agreement (NDA): helps protect sensitive information when you share it externally with contractors, potential partners, or service providers.
- Information Security Policy: sets internal rules for access control, passwords, devices, and safe data handling.
- Privacy Policy: explains to customers and users how you collect, store and use personal information (and supports trust and compliance).
- Client or supplier contracts: should clearly set out confidentiality, permitted use, and security expectations (especially if you handle third-party data).
- Shareholders Agreement / governance documents: useful when information rights and conflicts can arise at founder or investor level.
If you’re building an information barrier because you serve competing clients, it’s also worth checking your service agreements for promises like “exclusive service”, “non-compete” restrictions, or confidentiality clauses that might require extra controls.
Key Takeaways
- An information barrier is a practical system (people, process, and technology) designed to reduce the risk of sensitive information flowing to the wrong team or person.
- Startups and SMEs often consider information barriers when serving competing clients, running multiple business lines, managing fundraising “deal teams”, or handling sensitive personal information.
- The most effective information barriers are specific: define who is in each group, what information is restricted, and how access approvals and handovers work.
- Technical controls like role-based access, separate workspaces, and audit logs help make an information barrier defensible and easier to enforce.
- Supporting documents like NDAs, a Privacy Policy, and well-drafted employment and governance documents help align your legal position with how your business actually operates.
If you’d like help setting up an information barrier (including the right policies and contracts for your startup or SME), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.