Guidance
Confidentiality of client information
Updated 30 June 2022 (Date first published: 25 November 2019)
Status
This guidance is to help you understand your obligations and how to comply with them. We will have regard to it when exercising our regulatory functions.
Who is this guidance for?
All solicitors, registered European lawyers (RELs) or registered foreign lawyers (RFLs).
All SRA regulated firms, their managers, compliance officers and employees.
Purpose of this guidance
To help you to understand your SRA obligations in relation to keeping clients' information confidential.
This guidance advises you on your regulatory obligations. It does not include specific advice on requirements in relation to data protection legislation, such as subjects' rights in relation to personal data, the basis on which you can process or use data and periods of data retention. You should seek your own advice on these issues.
General - duty of confidentiality
Paragraph 6.3 of the Code of Conduct for Solicitors, RELs and RFLs and of the Code of Conduct for Firms (referred to collectively as "the Codes") requires you to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.
This duty of confidentiality exists as an obligation under both common law and data protection legislation as well as being one of the core professional principles set out in section 1(3)(e) of the Legal Services Act 2007 and professional standards in our Codes.
The Courts have stated that the duty to preserve confidentiality is unqualified, in that it is a duty to keep the information confidential, not merely to take all reasonable steps to do so. It is not limited to the duty not to communicate the information to a third party. It is a wider duty not to misuse it, ie, without the consent of a client or former client to make any use of it or to cause any use to be made of it by others otherwise than for the client's benefit. See Prince Jeffrey Bolkiah v KPMG [1998] UKHL.
The duty of confidentiality applies to information about your client's affairs irrespective of the source of the information. It continues despite the end of the retainer or the death of the client when the right to confidentiality passes to the client's personal representatives.
Confidentiality will attach to all information given to you, by your client or a third party, in connection with the retainer in which you or your firm are instructed. Should you have information unrelated to the retainer this may not be covered by your duty.
An example of this would be where you are attending the client at the police station and whilst there, the client steals another's phone. In these circumstances to give a statement to the police would not breach your duty of confidentiality as it is unrelated to the matter on which you are advising.
You will not have a duty of confidence if you are being used by a client to perpetrate a fraud, and, by analogy, any other crime. The common law has long recognised that information of this nature cannot be confidential. For example, in Gartside v Outram [1857] 26 LJ Ch (NS) 113 it was said:
"...there is no confidence as to the disclosure of an iniquity. You cannot make me the confident of a crime or fraud and be entitled to close up my lips upon any secret which you have the audacity to disclose to me relating to any fraudulent intention on your part."
You need to have appropriate arrangements in place to help you to meet your obligations in relation to confidentiality. This will mean that any information supplied to you by clients is kept confidential in accordance with data protection law and any terms of engagement between you and the client. For example:
- Information should not be passed to third parties without the client's consent. This includes via marketing materials (including contributions to law firm directories or league tables) or passing client details by way of referral.
- Confidential information regarding one client should not be passed to another.
- Consider limiting the confidential information that you obtain from the client before a conflict check has been carried out and it has been established that you can act. This minimises the risk of such information being inadvertently disclosed within the firm.
You should also comply with any special restrictions imposed by law or the court on the passing of confidential information, for example in cases involving children.
If you are a regulated firm, all your staff members including support staff, consultants and locums, owe a duty of confidentiality to all clients and disciplinary proceedings may involve both your firm and its employees.
Firms and individual practitioners should note the need to distinguish their professional obligations of confidentiality from the concept of legal professional privilege. Legal professional privilege can only be waived by the client (and not the firm). In brief terms, confidential information may be disclosed where it is appropriate to do so but privilege is absolute, and privileged information cannot therefore be disclosed. Confidential communications between lawyers and clients for the purpose of obtaining and giving legal advice are privileged. If you are considering whether to disclose information your first question may be whether it is privileged or simply confidential.
This issue arose in a case which highlights the importance of looking at the function and nature of documents. In this case, a client travelled to his solicitors' office after an alleged assault. The police asked the firm to confirm the time of his attendance to enable them to establish the facts. The firm declined on the grounds of privilege. The information was held not to be privileged because it was not a communication for the purpose of legal advice. See R v Manchester Crown Court ex parte Rogers [1999] 1 WLR 832.
This guidance discusses situations which involve communications between lawyer and client. However, it is assumed for the purposes of this guidance that whilst these are confidential, they do not directly relate to the matters on which advice is sought and are not privileged. The issues around disclosure to us and legal privilege are dealt with in our guidance on reporting and notification obligations.
The disclosure of clients' information with consent
Disclosure of information is only allowed where the client consents to it or it is permitted by law. Before approaching a client for consent, you should consider whether disclosure is necessary to proceed with a specific matter.
Consent to disclosure of confidential information must be clear, so that the client knows to whom their information should be made available, when and for what purpose. Where you have their general consent, it may still be appropriate to obtain the client's consent to a specific piece of information being disclosed as the issue arises, for example by sending them a draft letter to the opponent to approve.
However, whatever arrangements you make for obtaining consent, the ultimate test will be that the client, if asked, would say "Yes I agreed to that information being disclosed for that purpose" rather than being surprised or concerned or not having understood.
Before seeking the client's consent you should consider:
- What is the purpose of the third-party access to the information and can the purpose be achieved in other ways?
- Should there be any limitations on the access?
- Are you satisfied that seeking the client's consent to disclosure would not harm the client's best interests?
When information is shared, firms should consider any actions they can take to mitigate the risks. This may include entering into a formal confidentiality agreement with a third party.
When disclosure of client information is permitted by law
Disclosure may be permitted by law. For example, you may be permitted or even required by law to disclose the potential commission of a criminal offence by your client, such as money laundering.
You will also have certain powers or duties to disclose matters to the Courts. This might be in relation to proceedings or to third parties where they are lawfully acting on behalf of a client, such as an attorney appointed under a power of attorney or a Court appointed Deputy where the disclosure falls within the scope of their authority.
You have obligations to disclose certain information to the SRA - see our guidance on reporting and notification obligations for more details.
Other circumstances when disclosure of client information may be justified
Disclosure of confidential information, which is unauthorised by the client or by the law, could lead to disciplinary action being taken against you. It could also render you liable, in certain circumstances, to a civil action arising out of the misuse of confidential information.
However, we would not want concerns about possible regulatory action to prevent solicitors raising concerns when it is necessary to prevent an event which could lead to harm to the client or a third party. The guidance below does not allow for disclosure after the event (i.e., once the circumstances justifying the disclosure have passed). However, in the situations described below - although from a disciplinary perspective there will be a breach of your duty - the justification will be taken into account and is likely to mitigate against any regulatory action being taken against you by the SRA. You will also need to consider your other duties under the law (for example data protection legislation).
Where a client has indicated their intention to commit suicide or serious self-harm
Where you believe the client is genuine in their intention to commit suicide or serious self-harm, and there is no other way of dealing with the issue, you should consider seeking consent from the client. If appropriate this will be to disclose the information to a third party so that help can be given, e.g. to a ward nurse where the client is in hospital. Where it is not possible or appropriate to get consent you may decide, to protect the client or another, to disclose that information without consent.
Safeguarding concerns and preventing harm to children or vulnerable adults
Abuse can take many different forms and safeguarding and disclosure assessment plans can help inform your approach to these situations when they arise. Your assessment will enable you to think more broadly about safeguarding concerns – in particular it will help you to understand and recognise indicators that may suggest your client is at a particular risk of harm. These could include:
- physical abuse or neglect (including self-neglect)
- sexual abuse
- emotional abuse or appearing under duress
- domestic violence
- grooming behaviours
- modern slavery
Your assessment will also help you to evaluate:
- situations where your client is a child and not in a position to protect themselves from certain types of harm
- the extent and nature of any safeguarding concerns and the seriousness of the risk of harm to your client if no action is taken, for example – where you identify a risk to a client's life and where immediate action needs to be taken
- your client's capacity – see the separate section/heading on this further below
- non-physical risks to the individual, such as financial abuse or coercion
There may be circumstances involving children or vulnerable adults where you should consider revealing confidential information to an appropriate authority. This may be where the child or adult in question is a client, and they reveal information which indicates they are suffering a form of sexual or other abuse but refuse to allow disclosure of such information.
Similarly, there may be situations where a client discloses abuse either by themselves or by another adult against a child or vulnerable adult but refuses to allow any disclosure. As noted above, the examples discussed do not allow for disclosure after the event, however you may have reason to be concerned about the risk of future harm.
You are not required by law to disclose this information. You must therefore consider whether the threat to the person's life, health or welfare is sufficiently serious to justify a breach of the duty of confidentiality. We recognise that in practice these judgments can be difficult, particularly where the facts or risks are not clear cut. However, we support solicitors erring on the side of disclosure when faced with genuine safeguarding concerns.
Preventing the commission of a criminal offence
You may well be able to disclose information to prevent the commission of a future criminal offence by applying the principles discussed above. There is no confidence in an iniquity and communications that further a criminal purpose are not privileged.
Notwithstanding the above, if there is a breach of your duty of confidentiality, that may be mitigated if you have disclosed confidential information to the extent that you believe it necessary to prevent your client, or a third party, from committing a criminal act that you believe, on reasonable grounds, is likely to result in serious bodily harm.
You will need to balance carefully the duty of confidentiality owed to your client with the public interest in preventing harm to others. You will need to consider carefully the information which is available to you and whether this clearly identifies a proposed victim or is sufficiently detailed or compelling enough for you to form an opinion that a serious criminal offence will occur.
Before disclosure
In considering any disclosure you should have in mind the absolute nature of legal professional privilege and the fundamental nature of the duty of confidentiality. You should remember that the circumstances in which confidentiality can be overridden are rare.
If you are considering the disclosure of information without your client's consent and where it is not otherwise permitted by law, you should always:
- consider whether the appropriate course is to discuss your concerns with the client in order to obtain their agreement to steps to prevent the harm which concerns you.
- carefully consider the most appropriate person to disclose your concerns to, for example: a family member, the client's doctor, social worker, police, or other public authority.
- limit the amount of information being disclosed to that which is strictly necessary.
- keep an attendance note detailing your concerns and the factors that you considered prior to making the disclosure. This should include the reasons why you considered that it was not appropriate or practicable to obtain your client's consent to the disclosure.
Telling your client about the disclosure
You may have discussed the disclosure with your client in advance, as part of the process of seeking their consent. However, if you have not and have made the disclosure to the appropriate party, you should assess whether it is appropriate to disclose to the client the fact that you have passed confidential information to a third party. Your fiduciary duty to clients makes your position very difficult if you have disclosed their confidential information to others without their consent. Where you believe that disclosure would result in a risk of harm to your client or a third party, or would prejudice an investigation, you may feel it would not be appropriate to inform the client.
An example of such a circumstance would be where, in a family law case, your client has disclosed that, should the mother be successful in obtaining a residence order for the children, he will murder her. You, believing this to be an earnest intention, make a disclosure to the police to prevent the event. Such a communication from a client would be confidential in that it would not be appropriate to disclose it generally, but could be disclosed, carefully and proportionately, to a proper authority such as the police. Having done so, you would normally both wish and need to cease acting for the client.
Checking that your client has capacity to consent to the disclosure of confidential information
In some circumstances you may also need to consider the extent to which a vulnerable client has capacity to consent to their confidential information being disclosed to a third party. The Mental Capacity Act 2005 sets out principles for capacity assessments for individuals over 16 years old, including that a person:
- must be assumed to have capacity, unless it is established that they do not
- is not to be treated as unable to make a decision unless all practicable steps to help them to do so have been taken without success
- is not to be treated as unable to make a decision merely because they make an unwise decision.
The Act also sets out criteria that can be used to help establish a lack of capacity which will help determine if a client does or does not have capacity to consent to the disclosure of their confidential information. These are that:
- the person is unable to make a specific decision at the time it needs to be made
- because they have an impairment or disturbance that affects the way their mind or brain works
Safeguarding and disclosure assessment plans can help inform your approach to situations like these and help you to establish your client's capacity to consent. They will also assist you in identifying any legal basis that allows, or requires, you to disclose confidential client information.
Confidentiality and specific situations
Complex structures
Some firms may have overseas or connected offices or be part of a group structure where they are separate legal entities (such structures are often known as a "Verein" after a type of association of separate legal entities allowed under Swiss law).
Such a firm may wish to share information about their clients with other parts of the group for conflict-of-interest checks or other due diligence. For example, a UK firm may be part of an international group that has set up a business acceptance unit within one overseas jurisdiction to carry out conflict and anti-money laundering checks for all the group's prospective clients.
Firms should provide current and prospective clients with an explanation of the group structure and of any data sharing and confidentiality arrangements within the group before seeking their consent to the disclosure of confidential information to separate legal entities in the group or their individual members or directors. As well as obtaining consent firms should consider whether it is in their client's best interests to share the information across other members of the group and should restrict access in terms of the data supplied, and those who see it, to that necessary for the purpose.
In the example given of the international group structure above, there may well be advantages to having all conflict and other checks carried out by a specific unit which puts in place information barriers to reduce the spread of information around the group. This could help prevent, for example, information about potential competing bids being shared between offices within the group and perhaps inadvertently released to clients (see case studies on reporting duties in the Overseas Rules).
Mergers and acquisitions
We recognise that, where firms are proposing to merge, or one firm is proposing to acquire another or part of another practice, they will need to understand key information in relation to the other's business. This can present challenges in terms of sharing information about your client base.
You will wish to consider carefully what information you actually need and what is available in the public domain (for example where the firm is on the public record as acting for a key client) or without recourse to client specific information (for example, financial data about billing in respect of the business generally and specific practice areas or aggregated into bands).
During negotiations sufficient steps need to be taken to protect confidential client information and, where appropriate, to seek clients' consent to any disclosure of such information.
Any disclosure of confidential information should only be with consent and should be limited to that necessary for the purpose.
In order to enable conflict checks to be carried out you may wish to disclose the identity of key clients, and in general terms the type of work done for the client. Including a provision in the client's terms of business permitting disclosure expressly limited to this information for the purposes of merger discussions may be sufficient if it amounts to informed consent on the part of the client. More detailed information about work done or client billings is likely to require specific consent to be taken.
It should be borne in mind for example, that the merger or acquisition may not proceed and that the proposed acquiring firm may act for those with interests adverse to the other firm's clients. Therefore, there should be express requirements limiting the data to be disclosed and who sees it, their obligations to protect it and its return or destruction if the transaction does not proceed.
What will be key is to demonstrate that you have not put your business interests above those of the client and have given careful consideration to the question of confidentiality. Therefore, you should keep a note of your proposed course of action and any factors you took into account.
Example
Firm A begins negotiations to acquire the practice of Firm B. In order to assess B's financial stability and the value of its work in progress, A decides it is necessary to examine B's files.
Firm B should:
- Ensure that they have their clients' consent to the disclosure – what will be disclosed, for what and to whom.
- Redact or remove any confidential information from the files that it is unnecessary to disclose for the limited purposes required by A.
- Agree with A exactly who will have access to the files, making sure that this is limited to only those necessary for the purpose.
- Satisfy itself that A has the appropriate measures in place to protect confidentiality.
- Ensure that any inspection takes place in a secure manner, and that for example copies of the clients' confidential documents are not taken.
- Ensure that legally privileged information is not disclosed.
Firm A should:
- Ensure that it limits its inspection in accordance with the agreement with B and the consent of B's clients.
- Have appropriate measures in place to protect the data internally and limit the disclosure of data to only those necessary.
- Not disclose the data to third parties unless agreed with B and their clients and ensure that any such third parties have appropriate data protection measures in place.
In 2018 an SRA regulated firm received a large fine after it disclosed unredacted documents (containing in some cases sensitive and privileged confidential information) from over 7,000 client matter files to another firm that was proposing to acquire it.
This disclosure was made without the knowledge or consent of the relevant clients. The purchasing firm which inspected that confidential material was also fined. This was on the basis that it had failed to act with independence and behave in a way that maintains public trust in legal services by inspecting the unredacted confidential information and documents provided by the other firm without the knowledge or consent of the relevant clients. It had also disclosed unredacted confidential information and documents from the acquisition targets' client matter files to two other firms without the relevant clients' knowledge or consent.
Outsourcing
Where firms outsource services, they will need to consider the arrangements they have in place to ensure adequate protection of clients' confidential information. Clients may not have agreed or understood that their confidential information may be considered by an unregulated third party and that in certain cases, information will be considered in a foreign jurisdiction. A firm's standard terms of engagement may set out details of any such arrangements and the agreements in place between organisations regarding the sharing of confidential information and personal data.
Outsourcing will include any arrangements for storing data with a third party via the cloud. The National Cyber Security Centre website provides useful guidance on how to determine whether the cloud service provider that you are considering is secure enough to protect your client data.
IT and confidentiality
Our guidance on technology and legal services includes a section on using advanced technology safely. It includes advice on how you can improve your own cyber security and help avoid your client's information being stolen or inadvertently disclosed.
Adverse interests and confidential information
Paragraph 6.5 of the Codes provides:
"You do not act for a client in a matter where that client has an interest adverse to the interest of another current or former client of you or your business or employer, for whom you or your business or employer holds confidential information which is material to that matter."
Example
You work for Y & Co, an authorised firm. Client A has been served with a claim for breach of a contract by a supplier and wishes to instruct you in the case. The search of Y & Co's database reveals that another employee of Y & Co gave advice to the supplier, client B, six months ago on possible issues with their supply contract.
A will have an interest which is adverse to the former client B for whom the firm holds confidential information. This will prevent you from acting for client A - unless either of the two exceptions applies (see directly below).
Exceptions
There are two exceptions to the prohibition in paragraph 6.5 of the Codes.
Either
- (a) Effective measures are taken which result in there being no real risk of disclosure of the confidential information.
The test for whether such measures (sometimes known as "information barriers") can be considered effective is quite high. The measures must protect one client's information from the other client, and you as their solicitor.
The leading case on the matter, Prince Jeffrey Bolkiah v KPMG [1998] UKHL emphasises that the courts will take a strict approach to protecting clients' information. A former client cannot be protected completely from accidental or inadvertent disclosure of confidential information but should be protected from any real risk of the disclosure. A real risk does not have to be substantial - but must be more than merely fanciful or theoretical.
Examples of effective measures which result in no real risk of disclosure could include a combination of:
- Systems that identify potential confidentiality issues
- Separate teams handling the matters, at all levels including non-fee-earning staff
- Separate servers (and printers) so that information cannot be cross accessed
- Information being encrypted and password protected
- Individuals in the firm being aware of who else in the organisation is working on the respective matters so that they know who they can and cannot discuss the matter with
- Appropriate organisational policies and training for staff
Or
- (b) the current or former client whose information you or your business or employer holds has given informed consent, given or evidenced in writing, to you acting, including to any measures taken to protect their information.
Informed consent will include an understanding by the client of any possible prejudice that could occur if the information were inadvertently disclosed. The onus will be on you to ensure that the client has understood the issues.
Third party complaints to the Legal Ombudsman
The Legal Ombudsman (LeO) has faced isolated difficulties in investigating third party complaints against law firms; mainly complaints brought by residuary beneficiaries against a firm's executor client(s).
The law firms have submitted that they are unable to disclose the information requested by LeO as to do so would breach either their duty of confidentiality owed to their executor client(s) or legal professional privilege (LPP).
This brings into play two possibly competing requirements:
- You are required to cooperate with LeO (paragraph 3.2 of the Code of Conduct for Firms and paragraph 7.3 of the Code of Conduct for Solicitors, RELs and RFLs).
- You are required to keep the affairs of your client(s) confidential unless disclosure is required or permitted by law or the client consents (paragraph 6.3 of the Code of Conduct for Solicitors, RELs and RFLs and the Code of Conduct for Firms).
If LeO request information from you because they are investigating a third party complaint against your firm, you should write to your client:
- notifying them of LeO's request, what information they have requested and the basis of LeO's stated authority to request it.
- informing them that unless they object, your firm will provide to LeO the information that has been requested.
- explaining that in the event that your client does object, your firm will notify LeO of this and require the serving by LeO on your firm of a notice under section 147 of the Legal Services Act which your firm would then comply with.
LeO have advised us that a notice under section 147 overrides any duty of confidentiality that firms may owe to their client(s) although this authority does not, of itself, extend to any material covered by LPP.
Further guidance
See also related guidance:
- Guidance on conflicts
- Guidance on reporting and notification obligations
- The Law Society's guidance Working with clients who may lack mental capacity
Further help
The issues arising from the situations described in this note raise significant legal as well as professional conduct issues. If you require further assistance with understanding your professional conduct obligations in relation to the above, please contact the Ethics Guidance Helpline. For any legal advice as to legal professional privilege and your legal duties, you are advised to speak to a colleague who specialises in this area.