Paragraph 6.3 of the Code of Conduct for Solicitors, RELs and RFLs and of the Code of Conduct for Businesses (collectively referred to as (‘the Codes’) allows you to keep current and former customers’ affairs private unless legislative or consumer agreement requires or permits disclosure.
As well as being one of the key ethical values set out in section 1(3)(e) of the Legal Services Act 2007 and professional standards in our codes, this duty of confidentiality exists as an obligation in both common law and data protection legislation.
The courts have held that the responsibility to protect confidentiality is unqualified, since it is a duty to keep the data secret, not only to take all appropriate steps to do so. It is not restricted to the requirement not to reveal information to a third party. It is a broader responsibility not to abuse it, i.e. to make some use of it or to allow some use to be made of it by someone other than for the benefit of the client, without the permission of a client or former client. See Jeffrey Prince Bolkiah v KPMG UKHL.
Regardless of the source of the material, the obligation of confidentiality extends to information regarding the affairs of your client. Despite the termination of the retainer or the client’s death, it persists until the right to secrecy transfers to the personal members of the client.
All information submitted to you, by your customer or a third party in connection with the retainer in which you or your firm are advised shall be subject to confidentiality. This may not be protected by the responsibility if you have data unrelated to the retainer.
An instance of this will be if at the police station you are attending the client and while there, the client steals the phone from another. In these cases, sending the police a statement does not compromise the duty of confidentiality because it is irrelevant to the matter you are advising on.
If you are being used by a client to commit a fraud, and, by comparison, any other crime, you would not have a duty of trust. It has long been accepted by common law that data of this type should not be confidential. In Gartside v Outram  26 LJ Ch (NS) 113.
To help you comply with your confidentiality obligations, you need to have adequate plans in place. This would ensure that all information given to you by customers is kept confidential in compliance with any conditions of agreement between you and the customer, as well as data protection regulations. For instance:
Without the consent of the customer, details can not be transferred to third parties. This includes marketing materials (including submissions to directories of law firms or league tables) or the transfer of customer information by comparison.
It is not appropriate to transfer sensitive information from one customer to another.
Before a dispute check has been carried out, consider restricting the confidential information you receive from the client and it has been defined that you can act. This minimizes the possibility of unintentionally revealing such knowledge inside the company.
You can also comply with any special limits on the sharing of sensitive information imposed by statute or court, such as in cases involving children.
If you are a controlled company, all your employees, including support staff, contractors and locals, owe all customers a duty of confidentiality and disciplinary proceedings can include both the company and staff.
The need to separate their professional responsibilities of confidentiality from the principle of legal professional privilege should be noted by companies and individual practitioners. Only the client may suspend legal professional privilege (and not the firm). In short, confidential information can be revealed where appropriate, but privilege is absolute, and it is therefore impossible to reveal protected information. There is a right of confidential contact between lawyers and clients for the purpose of receiving and offering legal advice. Your first concern could be whether it is privileged or merely confidential when you are deciding whether to share information.
This problem emerged in a case that illustrates the importance of looking at the documents’ purpose and existence. In that case, following an alleged assault, a client went to his solicitors’ office. In order to encourage them to determine the truth, the police asked the firm to confirm the time of his attendance. On the grounds of right, the company refused. It was considered that the information was not confidential because it was not a contact for the purpose of legal advice. See R v Manchester Crown Court for Rogers ex parte 1 WLR 832.
This advice describes circumstances involving interactions between attorneys and clients. For the purposes of this guidance, however, it is presumed that although they are confidential, they do not apply explicitly to the issues on which advice is sought and are not privileged. Our guidance on reporting and notification responsibilities discusses the issues around disclosure to us and legal privilege.
Information disclosure is only allowed if the consumer consents to it or is permitted by statute. You should determine whether disclosure is appropriate to proceed with a particular matter before asking a client for consent.
Consent to the disclosure of confidential information must be transparent so that the client knows to whom, who and for what reason their information should be made available. If you have their general approval, it might also be necessary to seek the consent of the client to reveal a particular piece of information as the problem arises, such as by giving them a draft letter to the opponent to accept.
The ultimate measure, however, whatever provisions you make for obtaining permission, is that if asked, the customer will say “Yes I agreed to that information being disclosed for that purpose” rather than being shocked or worried or not having understood.
Before obtaining approval from the customers, you should remember:
What is the objective of third-party data access and is it possible to accomplish that purpose in other ways?
Are you confident that it does not damage the best interests of the client to obtain the client’s consent to disclosure?
Companies should consider any steps they may take to minimize the risks when knowledge is exchanged. This could involve entering into a formal third party confidentiality arrangement.
By statute, disclosure can be allowed. For instance, you might be allowed or even required by law to report your client’s possible commission of a criminal offense, such as money laundering.
You may also have certain powers or obligations to report matters to the courts in connection with litigation or to third parties when they operate legitimately on behalf of a client, such as an attorney appointed under the jurisdiction of a judge or a court appointed deputy where the disclosure falls within the scope of their jurisdiction.
You are responsible for submitting such information to the SRA – see our reporting and notification responsibilities guide for more specifics.