Case study: Duty of confidentiality

September 2013

Outcome 4.1 of the Code of Conduct states that you must "keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents". This means that confidential information should not be disclosed to third parties, but equally means that it should be protected through appropriate processes, access and system security. Below are some recent examples of reports made to the SRA.

Confidentiality of a will

The SRA received a report from Mr A, the brother and Personal Representative (PR) of Mr B, deceased. Throughout most of his life, Mr B had been represented by the firm of C and Co—they had drawn up his will and were holding the will at the time of death. Miss D, Mr B's daughter, was also a long standing client of the firm and asked the solicitor, Mr C, to confirm the contents of the will, which he did.

Generally you should not disclose the content of a will on the death of a client unless consent has been provided by the PR (indicative behaviour 4.6). In this case, not only did Mr C not have the consent of Mr A, but he had expressly stated that Miss D should not be made aware of the contents of the will at that stage as a particular gift in the will was likely to be contentious.

When the matter was discussed with Mr C, his explanation was that Miss D was a long standing client of the firm—as her father had been—and therefore he did not believe the duty of confidentiality applied in the circumstances.

Remember that the duty of confidentiality continues even after the death of a client. It applies to each client in their own right, and family loyalties or relationships with other clients should not affect that duty.

Disclosure to third parties

There are limited circumstances where confidential information can be disclosed without the client's consent. Where you receive a request for disclosure from a third party organisation or agency, always consider carefully whether you are permitted or required to make the disclosure in law.

A firm recently shared information with the SRA about requests it had received from an organisation in America describing itself as a "security agency". The firm had been asked to confirm whether it acted for three named individuals and to provide details of those clients' assets. The firm, rightly, did not disclose any confidential information to the third party and did not confirm whether or not the individuals were clients. The "security agency" turned out to be a debt collection company.

Access to physical and electronic information

As well as the duty not to disclose, there is also a responsibility on firms to safeguard confidential information about clients. This includes having systems and controls for identifying risks to client confidentiality appropriate to the firm.

Firms will need to consider what safeguards are required in the office regarding access to paper and electronic information. Is there any third party access to the office, such as shared office space, and how is information kept confidential? Is there secure storage of files? Where the firm outsources services, what arrangements are in place for adequate protection of clients' confidential information?

Also consider the electronic security of information held by the firm. A recent report from a firm's COLP demonstrates the potential vulnerability of electronic information. The firm had received an email that triggered a virus within the firm's system, allowing access to the firm's server and all the confidential information held on it.

In this particular instance, no disciplinary action was taken as the firm had appropriate systems and controls in place through comprehensive IT security software. However, if there had been no mechanisms in place for ensuring security of the electronic information, formal investigation would have been likely.

Client consent

Disclosure of confidential information is permitted where the client consents to it. However, the disclosure should be appropriate and the consent should be informed.

The SRA received a report from a client for whom the firm was acting in a medical negligence case. The fee earner had contacted her to request a further copy of a document that could not be located in the file. The fee earner explained that "a group of people" had accessed her file of papers and medical notes for quality purposes and that the papers were now out of order. The client was very distressed that her papers, including sensitive medical information, had been seen by third parties.

The third party was a personal injury disbursement funding provider. Part of their funding arrangement with the firm included the ability to review client papers for the purpose of "quality assurance". The firm considered that the client had consented to the disclosure because the initial client care letter stated "sometimes third parties may have access to your file" and the client had not explicitly objected to this.

Consent to disclosure must be informed consent and the client care letter should have been more explicit about who the third parties would be, why they would access files and therefore why disclosure might be necessary. The client should have been given an opportunity to object to disclosure, rather than consent being assumed.

More generally, firms need to consider when it is legitimate for third parties to access client papers and information. What is the purpose of such access and can it be achieved in other ways? Should there be limitations on the access? Is the firm satisfied that the client has genuinely given informed consent?