Bronwen Still provides an overview of the regulatory requirements around confidentiality, and outlines some of the more common, and difficult, situations facing firms


All firms should be familiar with the duty of confidentiality – its importance really cannot be overstated. Some of the more difficult situations concerning confidentiality involve information barriers, firm mergers and acquisitions and complex business structures. These require careful planning about how clients’ confidential information is protected, the extent of any disclosure required, particularly in the case of acquisitions, and client consent. There is recent SRA guidance on this subject which sets out what the SRA expects from firms when faced with trickier situations.

In addition, the picture is not complete without considering the duty of disclosure and the circumstances where this comes into conflict with the duty of confidentiality.

Note that this article will not cover the General Data Protection Regulation, which has had extensive coverage elsewhere.

The duty of confidentiality

The duty of confidentiality, arising from the fiduciary nature of the solicitor-client relationship, will always remain fundamental to the services provided by solicitors and their firms. Any breach of this duty, or significant threat to it, is potentially very serious and could have legal as well as disciplinary consequences. 

The governing regulatory obligations contained in the SRA Standards and Regulations are Principles 2 and 5 and paragraphs 6.3 – 6.5 in both the Codes of Conduct (for individuals and firms).

Principle 2 requires that you act “in a way that upholds public trust and confidence in the solicitors’ profession and in legal services…”. Principle 5 obliges you to act “in the best interests of each client”. These are very high-level ethical requirements and any breach of the duty of confidentiality will almost inevitably be seen by the SRA as a breach of one or both of these principles. In particular, when looking at some of the more difficult situations, such as where clients are being asked to consent to disclosure, firms should always ask whether this will undermine the best interests of the clients involved. 

Paragraph 6.3 sets out the basic duty of confidentiality in the following terms: “You keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.”

This duty applies, through the two codes, to both the individual regulated lawyer and also to the firm as a whole. It attaches to all communications received from clients, or from others on their behalf, in connection with their retainer with the firm. “Client” is defined in the SRA Glossary as including “prospective and former clients where the context permits”. This means that if someone comes to discuss a potential case with a firm but subsequently does not instruct the firm, any disclosures made must be treated confidentially. Finally, and importantly, this is a duty that continues after the retainer is ended. 

From a training and management perspective, managers and COLPs must ensure that all those joining and working within their firm, whatever role they undertake, are fully aware of the importance of client confidentiality and the procedures the firm has in place to ensure it is protected.

It is worth restating that most risks usually lie in mundane inadvertence. Conversations on a train, a laptop being used in a public place such as a coffee shop, a file left in a taxi or on a bench in a courtroom are probably situations that most lawyers will be familiar with. Other common examples concern emails and postal communications. Emails should always be checked to ensure they are being directed to the intended client. With postal communications, the danger is of the letter going in the wrong envelope or of enclosures being attached to the wrong letter. These are all situations which managers should periodically remind staff to be alert to.

Overriding the duty

Paragraph 6.3 makes clear that there are certain circumstances where confidentiality can be overridden. These are:

  • by the law
  • when the client consents to disclosure, or
  • where immediate and serious harm may result to the client or vulnerable others. 

The law

The law contains exceptions where, in the wider public interest, it is considered necessary for client information or documents to be disclosed to, for example, certain government bodies such as His Majesty’s Revenue & Customs (HMRC). The Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017 contain obligations to report knowledge or suspicions of criminal offences to the appropriate authorities. Client bankruptcy or insolvency is another area where others, typically a trustee in bankruptcy, have a right to specific information concerning the client’s financial affairs. Similarly, court orders concerning the disclosure of documents and police warrants for access to documents must be complied with, subject to considerations of legal professional privilege. Firms are sometimes approached by the police for information concerning clients’ matters and in all such situations, client confidentiality must prevail until a court order is produced. 

Client consent to disclosure of information or documents is the main reason why confidentiality is overridden. Consent must always be “informed”, which means that the client must be given sufficient information to understand the reasons why their information needs to be passed to a third party and how, nonetheless, it will be protected. 

Most firms need to use external providers to support their service provision to clients and consent in this situation is usually obtained through the firm’s terms of business. Examples are likely to include the need for firms to use external service providers for IT support, Lexcel accreditation, accountancy services, document production, document storage or document shredding. Although the client will normally have signed a copy of the terms of business, for the consent to be informed there must be some explanation as to why confidential information may be passed to a third party and how it will be protected. This could include a brief explanation of why the services are outsourced and the protections in place, such as a confidentiality agreement with the provider, and that there has been due diligence carried out on providers used. 

Where information needs to be passed to a third party for a specific purpose on behalf of a client, separate consent must be obtained. Typically, this would be where the firm needs the expertise of an external individual or firm to assist with an aspect of the client’s case. For evidential purposes, consent should ideally be in writing as the Code of Conduct requires that a firm justifies its actions in order to demonstrate compliance. Again, it is important that consent is informed so the reasons for a third party having access to confidential information should be explained. 

There are also circumstances in which client information may need to be passed to other law firms within a group structure or in the context of a proposed firm merger or acquisition. These will be looked at in more detail below, but the SRA says that, in general, the considerations when getting client consent should be:

  • What is the purpose of the third party having access to the information and can the purpose be achieved in other ways?
  • Should there be any limitations on the access?
  • Are you satisfied that seeking the client’s consent to disclosure would not harm the client’s best interests?


The third situation where confidentiality may be overridden is likely to arise infrequently but will almost always require a difficult judgement call. These are situations where the client discloses that serious harm is being, or may be, inflicted on vulnerable others, such as children, or where the client is contemplating suicide. The first approach to dealing with this type of situation is to discuss with the client sources of help and to try to get the client to consent to this and to appropriate disclosures being made. Failing this, an agreed approach should be taken by appropriate managers in the firm and the COLP concerning the disclosure of information to others who may be able to help. A written record of the issues discussed and agreed should be kept for evidential purposes.

The duty of disclosure

Sitting alongside the duty of confidentiality is the duty of disclosure. It is a duty on the individual lawyer to make their client aware of any information that may be material to the client’s matter irrespective of the source of that information (paragraph 6.4 in both Codes). This duty only extends to information of which the lawyer is aware so there is no obligation to check whether such information resides elsewhere within the firm. Nonetheless, firms need to be alert to situations where, for example, they act for clients that may be competitors in a particular field. To deal with this type of situation, firms which have the infrastructure to do so may need to compartmentalise their work so that fee-earners do not inadvertently come into possession of information about the firm’s clients that they do not act for, but which would be material to clients for whom they do act. 

The duty of confidentiality will always be paramount if a conflict between these two duties arises. Where it does, it is almost inevitably the case that the firm will need to cease acting for the client to whom it is not possible to disclose material information because of the competing duty of confidentiality to the other client. The Court of Appeal made clear in the case of Hilton v Barker Booth and Eastwood [2002] All ER (D) 344 (May) that a firm cannot argue that because of its duty of confidentiality to one client it cannot fulfil its duty of disclosure to another.

Overriding the duty

Paragraph 6.4 sets out certain very limited circumstances in which the duty is overridden. These are where:

  • disclosure is prohibited by legal restrictions such as in cases involving money laundering;
  • disclosure may cause serious physical or mental injury to the client or a third party (this may typically concern the contents of a doctor’s report);
  • the information is contained in a privileged document which has been mistakenly disclosed; or
  • the client gives informed consent which must be given or evidenced in writing. 

There are difficulties in getting consent which is “informed” because it is unlikely to be possible to give the client details of information held for another client. This means that consent should usually only be sought from sophisticated clients and within defined parameters that they have agreed to. 

Where not to act

Paragraph 6.5 identifies one particular situation where the risk to a client’s confidential information is so high that instructions from another client must be refused. This is where the prospective client has an interest adverse to a current or former client. “Interest adverse” is not defined but is most likely to arise where the new client is, or is likely to become, the opposing party in a matter where the firm already acts, or acted, for another client, whether in negotiations or dispute resolution.

Paragraph 6.5 does allow two exceptions where:

  • “effective measures have been taken which result in there being no real risk of disclosure of the confidential information; or 
  • the current or former client whose information you hold has given informed consent, given or evidenced in writing, to you acting, including to any measures taken to protect their information.”

Both require the use of information barriers to protect the client information that is at risk. These should only be used with great caution and are generally the preserve of large firms acting for sophisticated clients which have the infrastructure to ensure complete separation of information and personnel.

The first exception permits an information barrier where no consent from the client is sought. The test applied by the leading case of Prince Jefri Bolkiah v KPMG [1998] UKHL is that the client must be protected from any real risk of disclosure. If a court is not satisfied, it can grant an injunction to stop the firm acting as happened in Georgian American Alloys Inc v White & Case LLP [2014] EWHC 94. Although the code says nothing about the protections required, the SRA has issued guidance (see the first paragraph above) on what it would expect. These are:

  • systems that identify potential confidentiality issues;
  • separate teams handling the matters, at all levels including non-fee-earning staff;
  • separate servers (and printers) so that information cannot be cross accessed;
  • information being encrypted, and password protected;
  • individuals in the firm being aware of who else in the organisation is working on the respective matters so that they know who they can and cannot discuss the matter with; and
  • appropriate organisational policies and training for staff.

When using the second exception with client consent it would be expected that the protection arrangements would be agreed with the client. Again, it should be noted that consent must be informed which means that generally it would only be appropriate to agree this sort of arrangement with sophisticated clients who routinely use legal services and understand the circumstances which are involved.

It should not be overlooked that the decisions of the court can attract the attention of the SRA. In the case of Georgian American Alloys Inc v White & Case LLP, the firm was fined £250,000 and the partner concerned, £50,000. This case had many complexities attached to it with multiple global offices involved, staff moving from one office to another and client matters that lapsed and revived. It demonstrated the risks and problems which can arise in creating information barriers. 

Mergers and acquisitions

The SRA has clearly had cause to consider the problems which can arise where mergers and acquisitions are in contemplation. Its recent guidance refers to a case where a large firm disclosed unredacted documents from over 7,000 client files to a purchaser firm. The firm was fined for a breach of client confidentiality. Interestingly, the purchasing firm, which inspected the confidential information, was also fined for failing to act with independence and in a way that maintains public trust in legal services. This suggests that if you are an acquiring firm and you are provided with client documents you should enquire whether the clients consented.

The SRA guidance makes clear that there must be informed client consent to any confidential information disclosed, including just the client’s name. It could, in certain situations, be sufficient if this consent arises from the client’s signature to terms of business which encompass the disclosure of the client’s name and type of work undertaken in the case of merger or acquisition talks. Specific consent should always be sought where any client documents are to be disclosed, with any information not essential to the acquiring firm being redacted. Also advised is that the acquiring firm gives an undertaking to preserve any confidential information it receives.

The bottom line is this – disclose as little as is absolutely necessary and only with client consent.  

Complex firm structures

Many large law firms have a global presence and operate through a group structure. This can potentially present problems where one firm wants to share client information with other firms in the group. It might be the case, for example, that one entity in the group is set up to carry out conflict checks and money laundering checks for all firms within the group. Again, this is an issue which the SRA has had cause to consider. The SRA accepts that, generally speaking, this is workable provided the structure is explained to the clients and prospective clients and their consent is sought to the specific circumstances where it is proposed their confidential information will be shared within the group. Vigilance should always be exercised to identify any situation where the sharing of information may not be in the best interests of a particular client.