Technical helpsheet issued to help ICAEW members in business consider confidentiality requirements in the context of disclosure of confidential information.
This helpsheet has been issued by ICAEW’s Ethics Advisory Service to help ICAEW members in business consider confidentiality requirements in the context of disclosure of confidential information to third parties in a range of situations. This helpsheet has been issued for information only. Where there is any doubt on legal obligations, members should seek appropriate legal advice.
Members may also wish to refer to the following related helpsheets:
The principle of confidentiality
As chartered accountants, members have a duty to uphold the fundamental principle of confidentiality which is discussed in section 114 of the ICAEW Code of Ethics. Paragraph R114.1 states:
A professional accountant shall comply with the principle of confidentiality, which requires an accountant to respect the confidentiality of information acquired as a result of professional and business relationships.
The requirement to comply with the principle of confidentiality applies equally to prospective, current and former employers.
Members must not only keep information confidential, but also to take all reasonable steps to preserve confidentiality.
Whether information is confidential or not will depend on its nature. A safe and proper approach to adopt is to assume that all unpublished information about an employer’s affairs, however gained, is confidential.
Members in business may however receive requests for information from a wide range of third parties and agencies or might uncover defaults, errors or omissions which give cause for concern. Members may be asked to maintain confidentiality in circumstances where they consider openness and sharing such information is a better course of action or may be instructed to act in a particular way which does not take account of third parties’ rights to access information.
Members are ordinarily expected to follow the requests of their employer and keep information obtained in the course of their employment confidential. It is not reasonable however for an employer to expect a member to act in a manner inconsistent with legal, regulatory or professional obligations and there are therefore some circumstances in which a member may have a right or duty to breach that confidentiality and disclose.
Disclosure of confidential information
Paragraph R114.1(d) of the ICAEW Code of Ethics confirms that a professional accountant must:
Not disclose confidential information acquired as a result of professional and business relationships outside the firm or employing organisation without proper and specific authority, unless there is a legal or professional duty or right to disclose.
Such circumstances would normally include:
- Where disclosure is required by law;
- Where disclosure is permitted by law and authorised by the employing organisation; and
- Where there is a professional duty or right to disclose and it is not prohibited by law.
Disclosure is required by law
Disclosure may be required by law, for example, the production of documents or other evidence in the course of legal proceedings or to comply with legal obligations.
Disclosure is permitted by law and authorised by the client
Disclosure may be made if it is permitted by law and authorised by the employer, for example, disclosing budgetary information to other employees having sought agreement to do so from the employing organisation.
Professional duty or right to disclose and it is not prohibited by law
Examples may include to protect the professional interests of the accountant in legal proceedings or to comply with technical and professional standards, including ethical requirements. This may also therefore include disclosures in connection with non-compliance or suspected non-compliance with laws and regulations falling under section 260 of the ICAEW Code of Ethics.
In all cases where disclosure of confidential information is considered, members are advised to carefully document their considerations in case the appropriateness of the decision is challenged at a later date. Notes should include a record of any consent received from the employer, details of legal or other advice obtained, a schedule showing what has been disclosed and to whom, and copies of the information disclosed.
Where a disclosure is made in relation to non-compliance or suspected non-compliance with laws and regulations falling within section 260 of the ICAEW Code of Ethics, the professional accountant is encouraged to document:
- The matter;
- The results of discussions with the accountant’s superior, management and, where applicable, those charged with governance and other parties;
- How the accountant’s superior responded to the matter;
- The courses of action the accountant considered, the judgements made and the decisions that were taken; and
- How they were satisfied the disclosure was in the public interest.
Responding to requests for confidential information
Members in business may receive requests for access to confidential information held by their employer from a wide range of third parties and agencies, for example auditors, shareholders, suppliers, regulators and others. These can be difficult to handle, especially when such parties visit a premises in person. A member should first explain that they have a duty of confidentiality to their employer (referring to the ICAEW Code of Ethics as appropriate) and should be prepared to take a firm stance if necessary. The member should normally seek consent from their employer to the disclosure unless the party requesting the information asks them not to.
There may however be situations in which the requestor is not content with the employer being contacted to provide consent and they may have statutory rights to the information. Where there is any doubt about the validity of a request for access to confidential information or the rights of a particular party, a member should check the appropriateness and extent of the statutory rights being exercised. Where there is any doubt about the extent of those statutory rights, legal advice should be sought.
The following subsections explore a range of requests for confidential information members in business may experience.
Police or other enforcement agencies
Where a member receives a request for disclosure of confidential information from the police or other enforcement agencies they should refer to the helpsheet Disclosure of confidential information to the police and other enforcement agencies for guidance.
Members should review the helpsheet Disclosure of confidential information to insolvency practitioners if they receive requests from insolvency practitioners (or the insolvency service).
Child support agency
Members may receive requests from an inspector of the Child Support Agency. Such inspectors have power under s15 of the Child Support Act 1991 for information regarding an individual’s income, assets and other such information as the inspector may reasonably require. Members are required under this Act to provide such information and documents.
Disclosure required by court order
Parties seeking access to confidential information held by a member may obtain a court order to achieve this. Failure to comply with a court order may be an offence and subject a member to possible fines or imprisonment. Care must be taken to comply therefore.
Members should always read the terms of the court order carefully before complying with the request and if in doubt as to its validity should seek legal advice. Only the information detailed within the court order should be provided.
Disclosure without a request
Members may face situations where they are legally or professionally obliged to make disclosures to the relevant authorities or regulators proactively (i.e. without having received a request to provide such information). In other situations, members may have a right, but not an obligation to disclose information. The following subsections highlight a range of these situations.
Money laundering or terrorism
Members should review the helpsheet Disclosure of confidential information to the police and other enforcement agencies for disclosure requirements in relation to money laundering or terrorism.
Duty to report misconduct
ICAEW disciplinary bye-laws 9.2 and 9.2 provide that:
It shall be the duty of every member where it is in the public interest to do so to report any facts or matters indicating that a member and/or firm or provisional member may have become liable to disciplinary action. In determining whether it is in the public interest to report such facts or matters regard shall be had to such guidance as the Council shall give from time to time.
Members are therefore required to make a report through to ICAEW in such circumstances and should review the guidance Your duty to report misconduct for more information. Members may wish to discuss their obligations to make such a report with the Ethics Advisory Service.
Non-compliance with laws and regulations (NOCLAR)
Increasingly regulations place requirements on various types or organisations (e.g. high value dealers and those dealing with client money) and on various individuals (e.g. senior accounting officers) to report non-compliance or suspected non-compliance. Where a member is subject to such specific regulations, they must adhere to them.
Members must also have regard to section 260 of the ICAEW Code of Ethics in circumstances where they identify non-compliance or suspected non-compliance with laws and regulations. Paragraph 260.4 sets out that when responding to such non-compliance or suspected non-compliance, the objectives are:
(a) To comply with the principles of integrity and professional behaviour; (b) By alerting management or, where appropriate, those charged with governance of the employing organisation, to seek to: (i) Enable them to rectify, remediate or mitigate the consequences of the identified or suspected non-compliance; or (ii) Deter the non-compliance where it has not yet occurred; and (c) To take such further action as appropriate in the public interest.
Members are expected to obtain an understanding of the matter and discuss it with the appropriate level of management or those charged with governance, advising them to take appropriate and timely actions to rectify, remediate, mitigate, prevent and/or disclose the matter to the relevant authority as appropriate.
Members must then assess the appropriateness of the response in light of all relevant facts and circumstances and determine if further action is needed in the public interest.
Members may wish to seek legal advice as to whether external disclosure is justified and appropriate in the particular circumstances concerned and also on the relevant protections offered by the Public Interest Disclosure Act 1998. In addition free advice is available from Protect (formerly Public Concern at Work).
If, after seeking appropriate legal advice, a member determines disclosure is appropriate they will need to take care to ensure that the information disclosed is factual and complete and doesn’t include any unsubstantiated conclusions or judgements.
While working through the above steps, members must consider the employing organisation’s own protocols and procedures for addressing non-compliance or suspected non-compliance.
Disclosure to protect a member's interests
Members may also disclose confidential employer information to the proper authorities in order to protect their own interests. In general, members should only disclose information which is adequate, relevant and necessary in order to protect their interests (see paragraph 2.33 of ICAEW guidance statement ‘Defaults and unlawful acts’). For example it may be appropriate for a member to make such disclosure to the police in order to defend themselves against a criminal charge or to clear themselves of suspicion. In such circumstances a member should seek legal advice before any disclosure is made.
Data protection considerations
In addition to the fundamental principle of confidentiality set out in the ICAEW Code of Ethics, members should also consider requirements of relevant data protection legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
In order to make any of the disclosures considered above, an organisation would need to have a lawful basis for processing any personal data contained within the disclosure. Where there is a legal obligation to make a disclosure, then the lawful basis for processing would usually be legal obligation. Where there is no such obligation, the lawful basis for processing would normally be consent (where the data subject provides consent for a disclosure) or legitimate interests. Further information is contained within the helpsheet GDPR – Lawful basis for processing. Members should carefully document the lawful basis for processing and should ensure that detailed records of exactly what is disclosed, to who and why are maintained.
Subject access requests
Organisations may receive subject access requests from data subjects. These could include requests from employees, customers, suppliers or even shareholders. Members should follow their organisational policy for handling subject access requests. Further information on subject access requests is contained within the ICO guidance on right of access.
If in doubt seek advice
ICAEW members based in England and Wales have access to a free legal signposting service provided by CABA. The 24 hour helpline can be contacted on +44 (0)1788 556 366.
ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Ethics Advisory Service on +44 (0)1908 248 250 or via webchat.
© ICAEW 2021 All rights reserved.
ICAEW cannot accept responsibility for any person acting or refraining to act as a result of any material contained in this helpsheet. This helpsheet is designed to alert members to an important issue of general application. It is not intended to be a definitive statement covering all aspects but is a brief comment on a specific point.
ICAEW members have permission to use and reproduce this helpsheet on the following conditions:
- This permission is strictly limited to ICAEW members only who are using the helpsheet for guidance only.
- The helpsheet is to be reproduced for personal, non-commercial use only and is not for re-distribution.
For further details members are invited to telephone the Technical Advisory Service T +44 (0)1908 248250. The Technical Advisory Service comprises the technical enquiries, ethics advice, anti-money laundering and fraud helplines. For further details visit icaew.com/tas.
- 20 Oct 2021 (03: 30 PM BST)
- Changelog created, helpsheet converted to new template
- 20 Oct 2021 (03: 31 PM BST)
- Link added to another piece of guidance in Introduction (Production and Disclosure orders), updated link to Protect (previously PCAW).