The importance of client confidentiality is something of which all solicitors should be acutely aware. Unfortunately, this is an area where breaches quite often occur, usually through simple mistakes and oversight. Leaving papers on a train, sending emails to the wrong recipient, or replying to all parties to the message instead of just the client are all common failings which are often reported, as are being overheard during phone conversations in public or being “shoulder surfed” when using a laptop in public. Furthermore, whereas most regulatory breaches will have to occur on a number of occasions before the regulatory breach can be said to be sufficiently “serious” to be reportable as such to the SRA, lapses in confidentiality have the potential to be serious issues in all cases and so be instantly reportable.
Against the backdrop of the increase in cases of confidentiality breach, the SRA have issued some additional guidance examining some of the more complex problems that arise in the reports received by them, including:
- circumstances where serious harm may occur, or is occurring, to the client or others;
- complex law firm structures;
- mergers and acquisitions;
- the use of information barriers; and
This article looks in a little more detail at some of those problems.
Serious harm – where disclosure may be justified
The guidance looks at those circumstances which can arise from time to time and which can cause confusion as to how they should be dealt with. These situations typically include those where the client, or others such as children or vulnerable adults, may be at risk of serious harm. This could include threats of suicide or reports of child abuse where the client refuses to allow disclosure to the appropriate authorities.
In each case, as the guidance makes clear, there is no easy answer, and the firm should always first consider the possibility of getting the client’s consent. Depending on the particular facts of each situation, there will inevitably be cases where help should be sought without client consent. It is confirmed that although this will amount to a breach of the duty of confidentiality, the action may well be justified.
Complex law firm structures
Increasingly, larger law firms are connected to other overseas offices or law firms involving separate entities working as part of a group. Conflict or due diligence checks may require the sharing of information within the group, with checks being carried out within one entity, meaning that information barriers may need to be established. As the guidance makes clear, clients should be informed about any such group structure and receive an explanation as to how it operates and where appropriate be asked to consent to the arrangements. A further overriding consideration should always be whether the arrangements work in a way that is in each client’s best interests.
Mergers and acquisitions
In carrying out due diligence, information may need to be sought by the acquiring firm about the other firm’s client base. This may require disclosure of client names and the nature of their business. Again, the guidance makes clear that client consent is necessary in such situations, but now recognises that this might be done through the contents of the terms of business, to a limited extent. The onus must always be on the firm being acquired to try to limit the information disclosed to the basic minimum necessary, and where more might be required, express client consent should be obtained. This, however, is likely to be problematic where the discussions between the firms are proceeding secretly.
The SRA has stressed that the clients’ interests in such situations should be seen to be paramount, and that records should be maintained of both firms’ decision making with regard to such disclosures. The guidance also sets out a step-by-step process which could usefully be followed where one firm needs to examine another firm’s client files. The importance of proceeding with care and client consent was underlined by a recent case where a firm was fined heavily for making available to an acquiring firm, without client consent, large quantities of client files containing unredacted client information, some of which was privileged. The acquiring firm was also fined for failing to act with independence and failing to maintain trust in legal services.
Information barriers
There are two exceptions to the rule that a firm cannot act for a client whose interests are adverse to those of another current or former client where the firm holds confidential information for that other client which is material to the new client. The first is that the consent of the client whose information is to be protected is obtained (and this must be in writing or evidenced in writing), and the second is where consent is not obtained but the firm puts in place “effective measures… which result in there being no real risk of disclosure of the confidential information”. Both situations require information barriers. The SRA guidance emphasises that strict tests will be applied and that it is often the court that will decide whether confidential information is properly protected. Measures now suggested in the guidance are:
- Systems that identify the potential confidentiality issue;
- Separate teams handling the matters, at all levels including non-fee-earning staff;
- Separate servers (and printers) so that information cannot be cross-accessed;
- Information being encrypted and password-protected;
- Individuals in the firm being aware of who else in the organisation is working on the respective matters so that they know who they can and cannot discuss the matter with; and
- Appropriate organisational policies and training for staff.
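As an added illustration (not from the SRA guidance or from any firm’s system), the following Python sketches how the “separate teams” and “who may I discuss this with” measures above could be enforced in a matter-management system: access is denied by default, anyone sitting on both sides of a barrier is flagged, and denied attempts are recorded for the firm’s records. Matter references and staff names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Matter:
    ref: str
    team: frozenset  # everyone on the matter, fee-earners and support staff alike

class InformationBarrierRegistry:
    def __init__(self, matters, barriers):
        self.matters = {m.ref: m for m in matters}
        # barriers: pairs of matter refs whose teams must stay fully separate
        self.barriers = {frozenset(pair) for pair in barriers}
        self.audit = []  # denied attempts, kept as a record of the firm's decisions

    def walled_from(self, ref):
        """Matters on the other side of an information barrier from `ref`."""
        return {r for pair in self.barriers if ref in pair for r in pair if r != ref}

    def staffing_conflicts(self):
        """People on both sides of a barrier: a breach of the 'separate teams' measure."""
        conflicts = []
        for pair in self.barriers:
            a, b = sorted(pair)
            for person in sorted(self.matters[a].team & self.matters[b].team):
                conflicts.append((person, a, b))
        return conflicts

    def _allowed(self, person, ref):
        """Default deny: must be on the matter team and on no walled matter's team."""
        matter = self.matters.get(ref)
        return (matter is not None and person in matter.team
                and not any(person in self.matters[w].team for w in self.walled_from(ref)))

    def can_access(self, person, ref):
        """Access decision for a document on matter `ref`, logging every denial."""
        allowed = self._allowed(person, ref)
        if not allowed:
            self.audit.append(f"DENIED {person} -> {ref}")
        return allowed

    def may_discuss_with(self, person, ref):
        """Colleagues a person may discuss the matter with: cleared team members only."""
        if not self._allowed(person, ref):
            return set()
        return {p for p in self.matters[ref].team if p != person and self._allowed(p, ref)}

# Constructed sample data: "sec-pat" (support staff) has been put on both walled matters
MATTERS = [
    Matter("M1", frozenset({"alice", "bob", "sec-pat"})),
    Matter("M2", frozenset({"carol", "dan", "sec-pat"})),
    Matter("M3", frozenset({"alice"})),
]
REGISTRY = InformationBarrierRegistry(MATTERS, [("M1", "M2")])
```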
Outsourcing
This subject has been considered previously by the SRA and the issues are reasonably well rehearsed. The guidance reiterates the importance of client consent, which will usually be obtained through the firm’s standard terms and conditions. There is now an update dealing with outsourcing information to the cloud, which suggests that firms consult the National Cyber Security Centre website; this provides useful guidance on how to determine whether the cloud service provider being considered is sufficiently secure to protect client data. Data protection implications should also be considered, especially where information is likely to be held on servers outside the UK.
Client consent
The subject of client consent is integral to all of the difficult situations outlined above, and the SRA has considered the issue more generally. Of overriding importance is the need to be sure that the client is clear about exactly what their consent covers and the possible implications for them that then arise. This is captured in the guidance where it says:
“Consent to disclosure of confidential information must be clear, so that the client knows to whom their information should be made available, when and for what purpose. Where you have their general consent, it may still be appropriate to obtain the client’s consent to a specific piece of information being disclosed as the issue arises, for example by sending them a draft letter to the opponent to approve.”
Finally, the guidance flags up the importance of being clear that seeking client consent does not undermine the client’s best interests. In other words, is the firm trying to achieve something which is more to do with the firm’s best interests rather than the client’s? This may well be a relevant consideration when a firm is trying to act for two or more clients through the protection of information barriers.
For further details of all these issues, the SRA’s guidance can be accessed at https://www.sra.org.uk/solicitors/guidance/confidentiality-client-information/