Almost every administrative role deals with information that other people in the organization would pay to know — pre-announcement reorganizations, executive compensation, candidate pipelines, board disagreements, customer churn that has not been disclosed, the names of the two finalists for the top job. The information itself is not the hard part. The hard part is that you encounter it inside an ordinary workflow, mixed in with calendar invites and expense receipts, and the discipline that keeps it contained has to operate at that ordinary speed.
This page covers the operating rules that produce reliable discretion. None of them are dramatic. The drama, when it happens, is what they are meant to prevent.
The Default Setting Is Closed
The single most important rule is the default. When you encounter information in the course of your work, the default is that you do not share it — not with peers, not with friends inside the company, not with your spouse, not with the next admin who asks an innocent-sounding question. Sharing requires an explicit reason, not the absence of a reason not to.
This is the inverse of how most office information moves. The typical default is "share unless told otherwise." Inverting it sounds rigid until you have been the source of a leak you did not intend. After that, it sounds like the only sensible policy.
What Never Goes in Email
Email is not a confidential medium. It is logged, archived, frequently forwarded, and trivially screenshotted. Some categories of information should not appear in email at all, even in encrypted email:
- Salary and compensation specifics — current numbers, proposed numbers, bonus targets — are best handled in person, on the phone, or in a system specifically designed for compensation data. The HR system exists for this reason; use it.
- Performance discussions about a named individual — particularly negative ones. "We need to talk about X" in an email is acceptable; the actual content of the conversation is not.
- Pre-announcement personnel changes — promotions, terminations, reorganizations, departures. The accidental forward of a "draft announcement" email is one of the most common causes of leaks.
- Active legal matters — anything where counsel has been engaged. Once a matter is in legal's hands, all correspondence about it should go through whichever channel they specify, not your normal email.
- Active acquisitions, fundraising, or commercial negotiations — even between people internal to the deal. Code names exist for this reason.
- Health and personal-circumstance information about anyone other than yourself.
If you find yourself typing any of the above into an email, stop. Pick a different channel — a phone call, a walk, a properly permissioned document, or simply waiting for the next in-person meeting.
The "Need to Know" Test
Before sharing any sensitive piece of information with another person — even another admin, even another executive — apply two questions:
- Does this person need this information to do their job in the next twenty-four hours? If the answer is no, the answer is no — they may be entitled to know it eventually, but not from you, and not now.
- Has the owner of this information given me explicit permission to share it with this person? Implicit permission ("they're our peer team, they should know") is not the same as explicit permission.
This test is uncomfortable to apply in real time because it forces you to pause before responding to colleagues who are used to information moving faster. The discomfort is the point.
Physical and Digital Hygiene
The mechanical defenses matter less than the operating habits, but they still matter. Most of these are obvious in the abstract; the failure mode is doing them inconsistently.
At the desk
- Lock the computer when you stand up. Always — not just when you leave for lunch.
- Use a privacy filter on the screen if your desk faces a walkway or a window.
- Print only what you actually need to print. Pick up print jobs immediately, not at the end of the day.
- Shred anything sensitive that hits paper. Do not stack it for "later."
- Keep no sticky notes on the monitor with anything but the most innocuous information.
In files and folders
- Mark the sensitivity in the filename, not just in the document. Q3-board-CONFIDENTIAL.pdf is harder to forward by accident than Q3-board.pdf.
- Use restrictive permissions by default and broaden them only when needed. The opposite default is harder to recover from.
- Keep a separate, locked folder for anything currently embargoed — the documents that are technically yours to handle but that should not appear in any auto-suggested file list.
The broader file-hygiene practices these depend on — naming conventions, folder structure, permission audits — are covered in document and file management for administrative assistants.
In the calendar
Calendar entries are surprisingly permeable. Many companies' default setting shows the title of every meeting to peers. If a meeting title is "Termination conversation — [name]," the title alone leaks the news. Title sensitive meetings neutrally — "1:1," "HR sync," "Private appointment" — and put the real description in the body, where the visibility setting is tighter.
What to Do When You See Something You Should Not Have
This happens to every admin eventually. A printer queue shows a document that was not yours. A shared folder reveals a salary spreadsheet that someone forgot to lock down. An executive forwards a thread that includes an earlier message they did not mean to share with you. The reflex matters more than the content.
- Do not read further. Close the document, leave the folder, scroll past the thread.
- Tell the owner. A short, specific message: "I noticed a permissions issue on [folder] — you may want to check the access list." If it was an executive's mis-send, tell them too: "You probably didn't mean to include the earlier message; deleting from my end."
- Do not discuss it with anyone else. Including, especially, the person who would benefit most from knowing — a peer in the affected department, a friend, your own executive if they were not the source.
- Document the moment privately if it is significant. A short note in your own records, kept off shared systems, that says what you saw and what you did. If the information later surfaces some other way and you are asked whether you knew, you have a clean answer.
The Hardest Cases
Discretion is hardest when it conflicts with another loyalty — to a friend who is being terminated, to a peer being passed over for a promotion, to the team you came up with who deserve a heads-up. None of these create an exception. Carrying information you cannot share is part of the job, and the people who do it well find ways to support those colleagues that do not depend on telling them what is coming. Sometimes that means being unusually present, sometimes it means making sure they have a clean transition when the news lands, sometimes it means just being a person they can call afterward. None of those require a leak.
The companion problem is when you suspect something genuinely wrong is happening — fraud, harassment, an actual legal violation — and the discretion rule starts to feel like complicity. That is a different conversation, and it usually needs to be routed through whatever ethics, compliance, or legal channel your organization has set up. If you find yourself in that situation, do not handle it inside the normal admin chain of command. Reach for the formal channel directly.
Reputation Compounds
A reputation for discretion is built case by case, year over year, and lost in a single visible incident. The compounding works in your favor: every executive you support compares notes with their peers, and the admins who are quietly known for never being the source of a leak get offered the most interesting work and the largest scope. There is no shortcut to that reputation, but there is no mystery to it either — it is the cumulative effect of doing the small things in this guide, every day, without anyone needing to ask.
Two pages on this site that pair naturally with this one: the shared inbox guide, because most accidental disclosures happen through email, and the desk manual, because what counts as confidential in your specific role is one of the things that needs to be written down for whoever covers you.