Technical helpsheet issued to help ICAEW members in business consider confidentiality requirements in the context of disclosure of confidential information.
Introduction
This helpsheet has been issued by ICAEW’s Ethics Advisory Service to help ICAEW members in business consider confidentiality requirements in the context of disclosure of confidential information to third parties in a range of situations. This helpsheet has been issued for information only. Where there is any doubt on legal obligations, members should seek appropriate legal advice.
Members may also wish to refer to the following related helpsheets:
The principle of confidentiality
As chartered accountants, members have a duty to uphold the fundamental principle of confidentiality which is discussed in section 114 of the ICAEW Code of Ethics. Paragraph R114.1 states:
A professional accountant shall comply with the principle of confidentiality, which requires an accountant to respect the confidentiality of information acquired in the course of professional and business relationships.
The requirement to comply with the principle of confidentiality applies equally to prospective, current and former employers.
Members must not only keep information confidential, but also take all reasonable steps to preserve confidentiality.
Whether information is confidential or not will depend on its nature. A safe and proper approach to adopt is to assume that all unpublished information about an employer’s affairs, however gained, is confidential. It should also be noted that paragraph R114.2(d) states that even when information has become publicly available, the duty of confidentiality still applies.
Members in business may however receive requests for information from a wide range of third parties and agencies or might uncover defaults, errors or omissions which give cause for concern. Members may be asked to maintain confidentiality in circumstances where they consider openness and sharing such information is a better course of action or may be instructed to act in a particular way which does not take account of third parties’ rights to access information.
Members are ordinarily expected to follow the requests of their employer and keep information obtained in the course of their employment confidential. It is not reasonable however for an employer to expect a member to act in a manner inconsistent with legal, regulatory or professional obligations and there are therefore some circumstances in which a member may have a right or duty to breach that confidentiality and disclose.
Disclosure of confidential information
As chartered accountants, members have a duty to uphold the fundamental principle of confidentiality which is discussed in section 114 of the ICAEW Code of Ethics. Paragraph R114.1 states:
- Be alert to the possibility of inadvertent disclosure, including in a social environment, and particularly to a close business associate or an immediate or a close family member;
- Maintain confidentiality of information within the firm or employing organisation;
- Maintain confidentiality of information disclosed by a prospective client or employing organisation; and
- Take reasonable steps to ensure that personnel under the accountant’s control, and individuals from whom advice and assistance are obtained, comply with the accountant’s duty of confidentiality
Members changing firms or sectors must clearly understand their confidentiality obligations under both their leaving agreement and paragraphs (a-c) of R114.2.
A professional accountant shall not:
- Disclose confidential information acquired in the course of professional and business relationships;
- Use confidential information acquired in the course of professional and business relationships for the advantage of the accountant, the firm, the employing organisation or a third party;
- Use or disclose any confidential information either acquired or received in the course of a professional or business relationship after that relationship has ended.
Whilst the professional accountant may draw upon prior experience and skills gained during previous employment, it would not be appropriate to either use or appear to use special knowledge which could only have been acquired with access to confidential information. This would be a matter of judgement as to the boundary between experience gained and special knowledge acquired.
R114.3 provides exceptions to the above, in that a professional accountant may disclose or use confidential information where:
- There is a legal or professional duty or right to do so; or
- This is authorised by the client or any person with the authority to permit disclosure or use of the confidential information and this is not prohibited by law or regulation
Disclosure is required by law
Disclosure may be required by law, for example, the production of documents or other evidence in the course of legal proceedings or to comply with legal obligations.
Disclosure is permitted by law and authorised by the client
Disclosure may be made if it is permitted by law and authorised by the employer, for example, disclosing budgetary information to other employees having sought agreement to do so from the employing organisation.
Professional duty or right to disclose and it is not prohibited by law
Examples may include disclosure to protect the professional interests of the accountant in legal proceedings or to comply with technical and professional standards, including ethical requirements. This may also therefore include disclosures in connection with non-compliance or suspected non-compliance with laws and regulations falling under section 260 of the ICAEW Code of Ethics.
Documentation
In all cases where disclosure of confidential information is considered, members are advised to carefully document their considerations in case the appropriateness of the decision is challenged at a later date. Notes should include a record of any consent received from the employer, details of legal or other advice obtained, a schedule showing what has been disclosed and to whom, and copies of the information disclosed.
Where a disclosure is made in relation to non-compliance or suspected non-compliance with laws and regulations falling within section 260 of the ICAEW Code of Ethics, the professional accountant is encouraged to document:
- The matter;
- The results of discussions with the accountant’s superior, management and, where applicable, those charged with governance and other parties;
- How the accountant’s superior responded to the matter;
- The courses of action the accountant considered, the judgements made and the decisions that were taken; and
- How they were satisfied the disclosure was in the public interest.
Responding to requests for confidential information
Members in business may receive requests for access to confidential information held by their employer from a wide range of third parties and agencies, for example auditors, shareholders, suppliers, regulators and others. These can be difficult to handle, especially when such parties visit a premises in person. A member should first explain that they have a duty of confidentiality to their employer (referring to the ICAEW Code of Ethics as appropriate) and should be prepared to take a firm stance if necessary. The member should normally seek consent from their employer to the disclosure unless the party requesting the information asks them not to.
There may however be situations in which the requestor is not content with the employer being contacted to provide consent and they may have statutory rights to the information. Where there is any doubt about the validity of a request for access to confidential information or the rights of a particular party, a member should check the appropriateness and extent of the statutory rights being exercised. Where there is any doubt about the extent of those statutory rights, legal advice should be sought.
The following subsections explore a range of requests for confidential information members in business may experience.
Police or other enforcement agencies
Where a member receives a request for disclosure of confidential information from the police or other enforcement agencies they should refer to the helpsheet Disclosure of confidential information to the police and other enforcement agencies for guidance.
Insolvency
Members should review the helpsheet Disclosure of confidential information to insolvency practitioners if they receive requests from insolvency practitioners (or the insolvency service).
Child support agency
Members may receive requests from an inspector of the Child Support Agency. Such inspectors have power under s15 of the Child Support Act 1991 to obtain information regarding an individual’s income, assets and other such information as the inspector may reasonably require. Members are required under this Act to provide such information and documents.
Disclosure required by court order
Parties seeking access to confidential information held by a member may obtain a court order to achieve this. Failure to comply with a court order may be an offence and subject a member to possible fines or imprisonment. Care must therefore be taken to comply.
Members should always read the terms of the court order carefully before complying with the request and if in doubt as to its validity, should seek legal advice. Only the information detailed within the court order should be provided.
Disclosure without a request
Members may face situations where they are legally or professionally obliged to make disclosures to the relevant authorities or regulators proactively (i.e. without having received a request to provide such information). In other situations, members may have a right, but not an obligation to disclose information. The following subsections highlight a range of these situations.
Money laundering or terrorism
Members should review the helpsheet Disclosure of confidential information to the police and other enforcement agencies for disclosure requirements in relation to money laundering or terrorism.
Duty to report misconduct
ICAEW disciplinary bye-laws para 6.1 states that:
Subject to any Guidance that may be issued from time to time in accordance with Disciplinary Bye-law 16.1, it is the duty of every member, firm, affiliate or relevant person to report to the Conduct Department any event(s) which may indicate that:
- they may be liable to disciplinary action in accordance with the Disciplinary Bye-laws or the Accountancy Scheme; and/or
- another member, firm, affiliate or relevant person may be liable to disciplinary action in accordance with Disciplinary Bye-laws or the Accountancy Scheme
Members are therefore required to make a report to ICAEW in such circumstances and should review the guidance Your duty to report misconduct for more information. Members may wish to discuss their obligations to make such a report with the Ethics Advisory Service.
Non-compliance with laws and regulations (NOCLAR)
Increasingly, regulations place requirements on various types of organisations (e.g. high value dealers and those dealing with client money) and on various individuals (e.g. senior accounting officers) to report non-compliance or suspected non-compliance. Where a member is subject to such specific regulations, they must adhere to them.
Members must also have regard to section 260 of the ICAEW Code of Ethics in circumstances where they identify non-compliance or suspected non-compliance with laws and regulations. Paragraph 260.4 sets out that when responding to such non-compliance or suspected non-compliance, the objectives are:
- To comply with the principles of integrity and professional behaviour;
- By alerting management or, where appropriate, those charged with governance of the employing organisation, to seek to:
(i) Enable them to rectify, remediate or mitigate the consequences of the identified or suspected non-compliance; or
(ii) Deter the non-compliance where it has not yet occurred; and
- To take such further action as appropriate in the public interest.
Members are expected to obtain an understanding of the matter and discuss it with the appropriate level of management or those charged with governance, advising them to take appropriate and timely actions to rectify, remediate, mitigate, prevent and/or disclose the matter to the relevant authority as appropriate.
Members must then assess the appropriateness of the response in light of all relevant facts and circumstances and determine if further action is needed in the public interest.
Members may wish to seek legal advice as to whether external disclosure is justified and appropriate in the particular circumstances concerned and also on the relevant protections offered by the Public Interest Disclosure Act 1998. In addition, free advice is available from Protect (formerly Public Concern at Work).
If, after seeking appropriate legal advice, a member determines disclosure is appropriate they will need to take care to ensure that the information disclosed is factual and complete and doesn’t include any unsubstantiated conclusions or judgements.
While working through the above steps, members must consider the employing organisation’s own protocols and procedures for addressing non-compliance or suspected non-compliance.
Disclosure to protect a member's interests
Members may also disclose confidential employer information to the proper authorities in order to protect their own interests. In general, members should only disclose information which is adequate, relevant and necessary in order to protect their interests (see paragraph 2.33 of ICAEW guidance statement Professional conduct in relation to ‘Defaults and unlawful acts’). For example, it may be appropriate for a member to make such disclosure to the police in order to defend themselves against a criminal charge or to clear themselves of suspicion. In such circumstances a member should seek legal advice before any disclosure is made.
Data protection considerations
In addition to the fundamental principle of confidentiality set out in the ICAEW Code of Ethics, members should also consider requirements of relevant data protection legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
In order to make any of the disclosures considered above, an organisation would need to have a lawful basis for processing any personal data contained within the disclosure. Where there is a legal obligation to make a disclosure, then the lawful basis for processing would usually be legal obligation. Where there is no such obligation, the lawful basis for processing would normally be consent (where the data subject provides consent for a disclosure) or legitimate interests. Further information is contained within the helpsheet UK GDPR – Lawful basis for processing. Members should carefully document the lawful basis for processing and should ensure that detailed records of exactly what is disclosed, to whom and why are maintained.
Subject access requests
Organisations may receive subject access requests from data subjects. These could include requests from employees, customers, suppliers or even shareholders. Members should follow their organisational policy for handling subject access requests. Further information on subject access requests is contained within the ICO guidance on right of access.
If in doubt seek advice
ICAEW members based in England and Wales have access to a free legal signposting service provided by CABA. The 24 hour helpline can be contacted on +44 (0)1788 556 366.
ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Ethics Advisory Service on +44 (0)1908 248 250 or via webchat.
© ICAEW 2025 All rights reserved.
ICAEW cannot accept responsibility for any person acting or refraining to act as a result of any material contained in this helpsheet. This helpsheet is designed to alert members to an important issue of general application. It is not intended to be a definitive statement covering all aspects but is a brief comment on a specific point.
ICAEW members have permission to use and reproduce this helpsheet on the following conditions:
- This permission is strictly limited to ICAEW members only who are using the helpsheet for guidance only.
- The helpsheet is to be reproduced for personal, non-commercial use only and is not for re-distribution.
For further details members are invited to telephone the Technical Advisory Service T +44 (0)1908 248250. The Technical Advisory Service comprises the technical enquiries, ethics advice, anti-money laundering and fraud helplines. For further details visit icaew.com/tas.
Update History
- 01 Jan 2015 (12:00 AM GMT)
  - First published
- 20 Oct 2021 (03:30 PM BST)
  - Changelog created, helpsheet converted to new template
- 20 Oct 2021 (03:31 PM BST)
  - Link added to another piece of guidance in Introduction (Production and Disclosure orders), updated link to Protect (previously PCAW).
- 21 Oct 2025 (12:00 AM BST)
  - Updated to reflect the new code of ethics that came into force on 1 July 2025 and section added from new COE enhancing use of confidential information.