Confidentiality and disclosure – an introduction
The majority of solicitors and employees in law firms understand that they are under a duty to protect confidential information relating to their relationship with clients. However, what is perhaps less understood is the ease with which that duty can be breached and the need to ensure that everyone within the firm understands the importance of client confidentiality – at all times – whether at work or in their private lives.
Linked to confidentiality, sort of the other side of the confidentiality coin, is the duty of disclosure. Unlike confidentiality, this requirement is not always understood so readily and many solicitors are at best unsure as to what is required of them and how the often conflicting duties of confidentiality and disclosure affect them and their firm.
In this article, we will consider the twin duties of confidentiality and disclosure and look at some of the more common situations in which that confidentiality can inadvertently be breached.
The Duty of Confidentiality
The principle regulatory duties relating to confidentiality are to be found in the SRA Principles 2011 and at Chapter 4 of the SRA Code of Conduct 2011 (“the Code”). The relevant Principles are:
- 1 – uphold the rule of law and the proper administration of justice;
- 4 – act in the best interests of each client;
- 5 – provide a proper standard of service to your clients; and
- 6 – behave in a way that maintains the trust the public places in you and in the provision of legal services.
whilst Outcome O (4.1) contains the main regulatory duty, namely that “you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;”
There is also a duty to ensure “that the affairs of clients should be kept confidential” which is to be found at section 1(3)(e) of the Legal Services Act 2007.
The Duty of Disclosure
As with confidentiality, the Principles governing disclosure are numbers 1, 4, 5 & 6. So far as the Code of conduct is concerned, the main regulatory duty is to be found in Outcome O (4.2) which provides “any individual who is advising a client makes that client aware of all information material to that retainer of which the individual has personal knowledge;”.
There is no corresponding provision in the Legal Services Act 2007 as there is in relation to confidentiality, although section 1(3)(c), “that authorised persons should act in the best interests of their clients”, applies equally to confidentiality and to disclosure.
Confidentiality v Disclosure
It can be seen immediately that there will be many occasions when the duty to keep information confidential could conflict with the duty to disclose information – and indeed acting for clients in such circumstances could constitute a conflict of interests as defined in Chapter 3 of the Code.
Outcome O (4.3) specifically addresses the situation where there is a conflict in the duties of confidentiality and disclosure. It states that “where your duty of confidentiality to one client comes into conflict with your duty of disclosure to another client, your duty of confidentiality takes precedence”.
However, and it is this that sometimes causes confusion, there is not an outright ban on acting in such circumstances. Outcome O (4.4) specifically provides that you may act for one client (client A) where their interests are adverse to those of another client (client B) about whom you hold confidential information provided that the “confidential information can be protected by the use of safeguards”. For this to happen, however, you must:
- reasonably believe that A is aware of, and understands, the relevant issues and gives informed consent;
- B gives informed consent and you agree with B the safeguards to protect B’s information; or
- where this is not possible, you put in place effective safeguards including information barriers which comply with the common law; and
it is reasonable in all the circumstances to act for A with such safeguards in place;
When Disclosure is Permitted
The general rule is that a solicitor must keep the affairs of their client confidential unless disclosure is required or permitted by law or the client consents. In this context, consent means informed consent (i.e. the client should understand the nature of the consent they are giving) and a client who lacks capacity will not be able to give consent. This applies no matter what the source of the client information and the duty to maintain confidentiality continues notwithstanding the fact that the retainer t which it related has come to an end.
However, simply because a person is a client does not mean that information gained by you that does not relate to a retainer is confidential. If, for example, you have information that is utterly unrelated to the retainer, for example because you have come by it personally outside of the work context, then this may not be covered by your duty.
You will not be under a duty of confidentiality if the client is trying to use you or the firm to perpetrate a fraud or other crime. The case of Gartside v Outram  26 LJ Ch (NS) 113, held that “there is no confidence as to the disclosure of an iniquity. You cannot make me the confident of a crime or fraud, and be entitled to close up my lips upon any secret which you have the audacity to disclose to me relating to any fraudulent intention on your part.”
Similarly, if you become aware that your client is involved in an offence such as money laundering you will not only be under a duty to disclose this to the relevant authorities but you must also do so in such a way that the client is not “tipped-off” that you are doing so.
The SRA have also provided a number of examples of when disclosure might be permitted. These include:
- Where a client has indicated their intention to commit suicide or serious self-harm – where you believe the client is genuine in their intention to commit suicide or serious self-harm and there is no other way of dealing with the issue, you should consider seeking consent from the client, if appropriate, to disclose the information to a third party so that help might be given. e.g. to a ward nurse where the client is in hospital. Where it is not possible or appropriate to get consent you may decide, to protect the client or another, to disclose that information without consent.
- Preventing harm to children or vulnerable adults – there may be circumstances involving children or vulnerable adults where you should consider revealing confidential information to an appropriate authority. This may be where the child or adult in question is the client and they reveal information which indicates they are suffering sexual or other abuse but refuse to allow disclosure of such information.
- Preventing the commission of a criminal offence – You may well be able to disclose information to prevent the commission of a future criminal offence by applying the principles discussed above: there is no confidence in an iniquity and communications that further a criminal purpose are simply not privileged….. You will need to balance the duty of confidentiality to your client with the public interest in preventing harm to others and will need to consider carefully the information available to you and whether this clearly identifies a proposed victim or is sufficiently detailed or compelling for you to form an opinion that a serious criminal offence will occur.
However, the SRA do advise some degree of caution and state:
“In considering disclosure you should have in mind the absolute nature of legal professional privilege and the fundamental nature of the duty of confidentiality and remember that the circumstances in which confidentiality can be overridden are rare.
If you are considering the disclosure of information without your client’s consent, you should always:
- consider whether the appropriate course is to discuss your concerns with the client in order to gain agreement to steps to prevent the harm which is worrying you.
- carefully consider the most appropriate person to disclose your concerns to, for example, a family member, the client’s doctor, social worker, police or other public authority.
- limit the amount of information being disclosed to that which is strictly necessary.
- keep a careful attendance note detailing your concerns and the factors that you considered prior to making the disclosure. This should include the reasons why you considered that it was not appropriate or practicable to obtain your client’s consent to the disclosure.
Exceptions to the Duty of Disclosure
Indicative Behaviour IB (4.4) provides that the duty of disclosure to a client need not, depending upon the circumstances, arise where:
- the client gives specific informed consent to non-disclosure or a different standard of disclosure arises;
- there is evidence that serious physical or mental injury will be caused to a person(s) if the information is disclosed to the client;
- legal restrictions effectively prohibit you from passing the information to the client, such as the provisions in the money-laundering and anti-terrorism legislation;
- it is obvious that privileged documents have been mistakenly disclosed to you;
- you come into possession of information relating to state security or intelligence matters to which the Official Secrets Act 1989 applies;
The Data Protection Act 1998 (DPA) regulates the use of personal information within all organisations, including solicitors’ practices. Under the provisions of the DPA, there is a duty upon all data processors to keep that data secure (the seventh data protection principle) and as such firms should, therefore, take such technical and organisational steps so as to ensure that there is no unauthorised or unlawful processing of personal data and no accidental loss or destruction of, or damage to, personal data.
Need for Systems
A further point to be borne in mind, and one that is often overlooked by firms, is that the duty to protect confidentiality is not a passive one requiring that you simply make sure you do it. It is an active one and requires, as is set out in Outcome O (4.5) that “you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.”
The SRA does not specify precisely what it means by “systems and controls”. However, it would make sense for firms, rather than simply relying on individuals not to breach client confidence, to address confidentiality pro-actively and as a minimum:
- Provide training to all partners and staff as to the need for, and importance of, confidentiality;
- Identify circumstances where confidentiality might be breached, even inadvertently, and ensure that all partners and staff are aware of these and how to avoid breaches;
- Identify risks within the firm – for example acting for two or more clients whose interests might be adverse – and put in place procedures for dealing with such situations;
- Ensure that all matter files and all other client information are kept secure;
- Ensure that procedures are in place for the disposal of old files and other information;
- Ensure that procedures are in place for other things that could affect confidentiality, including taking electronic devices out of the office, the use of social media, dealing with the press and the use of emails (we will look at these in more detail shortly); and
- Review all procedures and information on a regular basis and make any changes as should prove necessary.
The extent to which your firm will need to put in place formal systems and controls for identifying risks to client confidentiality should will depend upon the size and complexity of the firm and the nature of the work undertaken. Thus a firm dealing with high-profile clients’ matrimonial matters may need far more robust systems than a firm dealing with, for example, motor accident claims.
Confidentiality and conflict
One cannot really address confidentiality without also mentioning conflicts of interests since a conflict may arise, for example, where a duty of disclosure is contrary to the firms’ duty of confidentiality.
Conflicts of interests are dealt with from a regulatory perspective in Chapter 3 of the Code. This provides that if there is a conflict, or a significant risk of a conflict, between two or more current clients, then the firm must not act for all or both of those clients unless the matter falls within the scope of the limited exceptions set out at Outcomes O (3.6) or O (3.7). The Chapter goes on to state that in deciding whether to act in these limited circumstances, the overriding consideration will be the best interests of each of the clients concerned and, in particular, whether the benefits to the clients of you acting for all or both of the clients outweigh the risks.
The circumstances envisaged in Outcomes O (3.6) and O(3.7) are
- where there is a client conflict and the clients have a substantially common interest in relation to a matter or a particular aspect of it (3.6), and
- where there is a client conflict and the clients are competing for the same objective (3.7).
If your firm does act in a client conflict situation, then it is essential that the firm safeguards confidential information as between the respective clients.
When Confidentiality is at Risk
In order that firms can take steps to identify potential risks to confidentiality and thus prevent them from arising, they need to be aware of the kinds of situation in which a breach can arise. The following is a non-exhaustive list of some of the situations that might arise:
- Admitting to acting – all partners and staff should have it made clear to them that even admitting that the firm acts for someone could in itself be a breach of confidentiality, even if not accompanied by any other facts of the matter. This would be especially the case if the firm was a specialist firm undertaking only one type of work where an inference could very easily be drawn as to why the client had instructed the firm. This even applies to questions from the police who are known to carry out “fishing” expeditions to find out if a particular person is being legally represented.
- Careless Talk – one of the most common ways in which client confidentiality can be breached is from discussing client matters outside of the office. All partners and staff should have it impressed upon them that they must not, under any circumstances, discuss clients or their cases when they are out of the office and in particular when they are in public places. Even a discussion which does not name the client could, in certain circumstances, be sufficient to breach confidentiality if overheard by someone who was able to put a name to the circumstances.
- Careless Reading – another common way in which client confidentiality can be breached is where the solicitor or fee earner is reading papers or documents in a public area such as a train or coffee bar and they are seen by someone else. Even just seeing the clients name on the side of a closed file could in some circumstances be sufficient for there to be a breach of confidentiality.
- Loss and Theft – if removing paper files from the office, especial care must be taken to ensure that the files are not lost or stolen. Generally, files should not be left in cars, even in the boot, and certainly should not be left overnight. If carrying files on trains, do not leave them unattended in bags at any time – even very briefly – and always be very careful to make sure that bags are not left behind.
- Misdirected Messages – the ease with which firms can send information by email means that it is all too easy for confidential information to be sent to the wrong person. For example, the firm may have received a message from the solicitor on the other side and decided to forward this to the client with a query as to tactics or data. If the person sending the message inadvertently sends it by “reply” rather than “forward” then the message, together with the confidential information contained in it, will be sent to the opposing side. Firms must impress upon partners and staff that they must think before they email and always take steps to avoid inadvertent disclosure.
- Telephone Calls, Faxes and Reception – wherever possible firms should endeavour to make sure that telephone calls and faxes are not received in the same room as where clients are asked to wait pending an appointment. If the rooms cannot be separated, then under no circumstances should a receptionist repeat the name of the caller so that it can be heard by other clients and should never discuss the caller’s matter with other clients in the room. Likewise, faxes that arrive and are left unattended in a shared reception area for any length of time can easily be seen by clients.
- Outsourcing – before a firm outsources any of their work to a third party they must satisfy themselves that the provider of the service has taken all appropriate steps to ensure that their clients’ confidential information will be protected. This especially applies where the outsourcing provider acts for many different firms and could conceivably be acting on both sides of the same transaction. Outsourcing can take many forms and all carry with them a degree of risk which the firm must address before undertaking the outsourcing. The type of arrangements that can be classed as outsourcing can include using a print shop for bulk photocopying, paralegal type work, secretarial services, proof-reading, research, filing at Companies House, due diligence or business process outsourcing. Outsourcing is covered from a regulatory point of view in the Code at Indicative Behaviour IB (4.3) which states that a firm or solicitor should “only outsource services when …. satisfied that the provider has taken all appropriate steps to ensure [that the] clients’ confidential information will be protected;”
- Cloud Computing – one particular form of outsourcing that firms may not consider to be outsourcing is the use of a cloud computing service. This could be anything from storing files on a shared drive, cloud-based software and management programmes, online accounting systems and cloud-based intranets. The firm must verify that the service is secure before any data is stored or shared utilising such a system.
- Disposal of files and papers – any files or papers that contain confidential information or could be linked in any way to a client of the firm must be disposed of using a confidential waste service that the firm has verified is secure and trustworthy. Likewise, if a solicitor makes notes about a case which he or she does not intend to keep, or drafts a document in longhand, then those notes or drafts should also be disposed of confidentially and not simply placed in the normal rubbish.
- Disposal of electronic data – firms that dispose of old computer equipment must make sure that all data previously contained on that computer has been safely destroyed. This does not mean simply deleting the files as deleted files can often be recovered with comparative ease. It means either physically destroying the hard disk or at the very least wiping the disc or formatting it to ensure all data is destroyed.
- Taking care with portable equipment – all partners and staff must have it impressed upon them that they are to take great care if they take out of the office portable equipment such as laptops, tablets, phones or memory sticks that contain client data. A lost laptop on a train could disclose large amounts of client data. It must be a rule within the firm that such data is only removed from the office in exceptional circumstances and even then steps must be taken to password access to the equipment and if possible to the individual file and pieces of information. Loss of such an item should be reported immediately to the firm so that remedial steps can be taken. See also the article “Keeping it Safe – the importance of Passwords” elsewhere on this web site (http://www.lawyersdefencegroup.org.uk/passwords/)
- Social Media – we have covered elsewhere on this site the problems that can arise from the use of social media and the dangers to confidentiality that can arise (Managing Social Media – http://www.lawyersdefencegroup.org.uk/managing-social-media/). Thus, for example, a member of the firm Tweeting who they are acting for, inviting a client to link with them on Facebook, commenting on the work of a colleague in relation to a particular client’s matter, conducting an online discussion about work with a colleague without first ensuring that the conversation is secure or responding openly to a comment from a colleague or business associate are all obvious ways in which confidentiality may be breached using social media. Partners and staff need to be made aware of the fact that they should be circumspect about all of their social networking activities – wherever and whenever they are undertaken – including personal accounts.
- Hacking and Data Theft – increasingly solicitors’ firms are becoming subject to hacking and data breaches. Many cybercriminals regard solicitors as being the easy way in to client information. Thus, a client business may have very tight security controls in place but use a solicitor for their commercial agreements that do not. Firms must make sure that partners and staff, who are often the weakest link, are aware of the dangers that cybercrime presents and take steps to avoid becoming a victim. For further information, see our articles Avoiding Cyber Scams (http://www.lawyersdefencegroup.org.uk/avoiding-cyber-scams/) and Bogus Law Firms and Identity Theft (http://www.lawyersdefencegroup.org.uk/bogus-law-firms-identity-theft/) .
- Media and the Press – everyone in the firm should be very wary of commenting to the media or press about any matter in which they are involved. Even replying by saying that you cannot discuss a client’s matter will tell the enquirer that your firm is acting – a fact which might not previously have been known. The best way is simply to have a blanket refusal to take unsolicited calls from the media or press, to not respond to emails about client issues and if a member of the press gets through to someone in the firm simply to state that the firm does not talk to the press at all and then hang up. In the event that a member of staff is contacted they should report the matter to their line manager or managing partner.
- Third party audits – if your firm has arrangements with suppliers or funders of work which require you to make client files available to them for the purposes of audit, then there will be a breach of confidentiality if you do not first obtain the client’s consent. This will apply even if the audit is by an organisation such as the Legal Service Commission in relation to their Specialist Quality Mark.
- Disillusioned Employees and Former Employees – firms should never underestimate the damage that an unhappy employee can cause – be they current or former. Although it is difficult to do so, steps should always be taken to ensure that the employees are not leaving with any electronic or printed information about clients and any passwords that the employees had for accessing your system remotely should be terminated. Bear in mind, also, that it is not unknown for criminal gangs or those seeking confidential business information to plant someone within the firm for the sole purposes of passing confidential data. For this reason firms must be careful who they employ, the access they are given to sensitive data and wherever possible make checks as to identity and background.
- Staff leaving a firm – especial care should be taken by firms if a member of staff is leaving the firm to join another firm and the other firm acts for a client who is a competitor of or has an interest adverse to a client of your firm. In such circumstances agreements may have to be obtained from the other firm as to who the person leaving the firm can act for at the new firm.
- Complex firm structures – although not something that is going to affect many, firms that have complex structures should be especially careful as to the information which they share with others in the structure. As the SRA have said in their Guidance Note, this can even extend to:
“carrying out conflict checks and other due diligence where the firm needs actively to consider the risks and whether it is in the best interests of that prospective client to share its confidential information with other authorised or non-authorised bodies within a group structure. This applies particularly to those in other jurisdictions, including overseas or connected practices or Verein participants, where they are separate entities. This obligation continues to apply during the course of the retainer.
“Where relevant, firms should provide present and prospective clients with an explanation of the group structure before seeking their informed consent to the disclosure of confidential information to separate legal entities in the group or non-authorised corporate or individual members or directors.
“As part of a retainer, firms may in terms of their engagement, also seek consent from clients to share, during the course of the performance of the retainer, a broader range of client confidential information with other group entities or corporate or individual members or directors who do not form part of the SRA authorised firm. If so, firms should again provide a clear explanation of any group structure and the need for disclosure of information to ensure that such consent is informed consent.”
- Mergers and acquisitions – if a firm is seeking to merge with or acquire an interest in another firm then issues of confidentiality and disclosure can arise. For this reason, it is imperative that during negotiations, sufficient steps are taken to protect confidential client information and, that where it is appropriate to do so, the consent of clients to any disclosure of confidential information is obtained.
Confidentiality must be regarded by all firms as being at the heart of everything they do. If clients cannot be confident that the information they give to a solicitor will remain confidential then the trust they have in the firm, even the trust they have in solicitors generally, will be undermined.
Clearly we cannot list every possible event where firms may find that confidentiality is at risk. What the firm must do, therefore, is to look at its processes, staff, work types, client base, structure and so forth and identify areas of risk that are unique to the firm.
The key, however, is to plan ahead, identify potential risks, take steps to avoid those risks and to ensure that staff are aware of the importance of the duty and the dangers that arise from ignoring it.