Risk Update

Law Firm Confidentiality — Conflicts Management, Merger Due Diligence, Outsourcing Legal Services and More (Updated SRA Guidance)

SRA Guidance: Confidentiality of client information (Updated 5 April 2022)” —

  • “You need to have appropriate arrangements in place to help you to meet your obligations in relation to confidentiality. This will mean that any information supplied to you by clients is kept confidential in accordance with, as well as data protection law, any terms of engagement between you and the client. For example:
    • Information should not be passed to third parties without the client’s consent. This includes via marketing materials (including contributions to law firm directories or league tables) or passing client details by way of referral.
    • Confidential information regarding one client should not be passed to another.
    • Consider limiting the confidential information that you obtain from the client before a conflict check has been carried out and it has been established that you can act. This minimises the risk of such information being inadvertently disclosed, within the firm.”
  • “Disclosure may be permitted by law. For example, you may be permitted or even required by law to disclose the potential commission of a criminal offence by your client, such as money laundering.”
  • “Some firms may have overseas or connected offices or be part of a group structure where they are separate legal entities (such structures are often known as a “Verein” after a type of association of separate legal entities allowed under Swiss law).”
  • “Such a firm may wish to share information about their clients with other parts of the group for conflict of interest checks or other due diligence. For example, a UK firm may be part of an international group that has set up a business acceptance unit within one overseas jurisdiction to carry out conflict and anti- money laundering checks for all the group’s prospective clients.”
  • “Firms should provide current and prospective clients with an explanation of the group structure and of any data sharing and confidentiality arrangements within the group before seeking their consent to the disclosure of confidential information to separate legal entities in the group or their individual members or directors. As well as obtaining consent firms should consider whether it is in their client’s best interests to share the information across other members of the group and should restrict access in terms of the data supplied, and those who see it, to that necessary for the purpose.”
  • “In the example given of the international group structure above, there may well be advantages to having all conflict and other checks carried out by a specific unit which puts in place information barriers to reduce the spread of information around the group. This could help prevent, for example, information about potential competing bids being shared between offices within the group and perhaps inadvertently released to clients (see case studies on reporting duties in the Overseas Rules).”
  • “We recognise that, where firms are proposing to merge, or one firm is proposing to acquire another or part of another practice, that they will need to understand key information in relation to the other’s business. This can present challenges in terms of sharing information about your client base.”
  • “You will wish to consider carefully what information you actually need and what is available in the public domain (for example where the firm is on the public record as acting for a key client) or without recourse to client specific information (for example, financial data about billing in respect of the business generally and specific practice areas or aggregated into bands).”
  • “Any disclosure of confidential information should only be with consent and should be limited to that necessary for the purpose.”
  • “In order to enable conflict checks to be carried out you may wish to disclose the identity of key clients, and in general terms the type of work done for the client. Including a provision in the client’s terms of business permitting disclosure expressly limited to this information for the purposes of merger discussions may be sufficient if it amounts to informed consent on the part of the client. More detailed information about work done or client billings is likely to require specific consent to be taken.”
  • “It should be borne in mind for example, that the merger or acquisition may not proceed and that the proposed acquiring firm may act for those with interests adverse to the other firm’s clients. Therefore, there should be express requirements limiting the data to be disclosed and who sees it, their obligations to protect it and its return or destruction if the transaction does not proceed.”
  • “In 2018, an SRA regulated firm received a large fine after it disclosed unredacted and in some cases sensitive and privileged confidential information and documents from over 7,000 client matter files to another firm that was proposing to acquire it. This disclosure was made without the knowledge or consent of the relevant clients. The purchasing firm which inspected that confidential material was also fined on the basis that it had failed to act with independence and behave in a way that maintains public trust in legal services by inspecting the unredacted confidential information and documents provided by the other firm without the knowledge or consent of the relevant clients and also by disclosing unredacted confidential information and documents from the acquisition targets’ client matter files to two other firms without the relevant clients’ knowledge or consent.”