This helpsheet has been issued by ICAEW’s Ethics Advisory Service to help ICAEW members in practice consider confidentiality requirements in the context of disclosure of confidential information to third parties in a range of situations. This helpsheet has been issued for information only. Where there is any doubt on legal obligations, members should seek appropriate legal advice.

Members may also wish to refer to the following related helpsheets:

• Disclosure of confidential information (for members in business)
• Disclosure of confidential information to the police and other enforcement agencies
• Disclosure of confidential information to insolvency practitioners
• GDPR – Lawful basis for processing
• GDPR – Client files
• Production and Disclosure Orders

As chartered accountants, members have a duty to uphold the fundamental principle of confidentiality which is discussed in section 114 of the ICAEW Code of Ethics. Paragraph R114.1 states:

The requirement to comply with the principle of confidentiality applies equally to prospective, current and former clients.

Members must not only keep information confidential, but also to take all reasonable steps to preserve confidentiality.

Whether information is confidential or not will depend on its nature. A safe and proper approach to adopt is to assume that all unpublished information about a client’s affairs, however gained, is confidential. Some clients may regard the mere fact of their relationship with a professional accountant as being confidential.

Member firms need to ensure that all who work on their behalf (including principals, employees or contractors) are trained in, and understand:

• The importance of confidentiality;
• The importance of identifying any conflicts of interest and confidentiality issues; and
• The procedures the firm has in place for the recognition and consideration of possible conflicts of interest and confidentiality issues.

Paragraph R114.1(d) of the ICAEW Code of Ethics confirms that a professional accountant must:

Such circumstances would normally include:

• Where disclosure is required by law;
• Where disclosure is permitted by law and authorised by the client; and
• Where there is a professional duty or right to disclose and it is not prohibited by law.

Disclosure is required by law

Disclosure may be required by law, for example, the production of documents or other evidence in the course of legal proceedings or to comply with legal obligations such as anti-money laundering regulations.
Disclosure is permitted by law and authorised by the client

Disclosure may be made if it is permitted by law and authorised by the client, for example, permitting access to working papers by investigating accountants or preparing a mortgage reference on behalf of a client.

Professional duty or right to disclose and it is not prohibited by law

Examples may include disclosure to comply with a quality review or investigation by a professional or regulatory body such as ICAEW, to protect the professional interests of the firm in legal proceedings or to comply with technical and professional standards, including ethical requirements. This may also therefore include disclosures in connection with non-compliance or suspected non-compliance with laws and regulations falling under section 360 of the ICAEW Code of Ethics.

Documentation

In all cases where disclosure of confidential information is considered, members are advised to carefully document their considerations in case the appropriateness of the decision is challenged at a later date. Notes should include a record of any consent received from the client, details of legal or other advice obtained, a schedule showing what has been disclosed and to whom, and copies of the information disclosed.

Where a disclosure is made in relation to non-compliance or suspected non-compliance with laws and regulations falling within section 360 of the ICAEW Code of Ethics, the professional accountant must document:

• How management and, where applicable, those charged with governance have responded to the matter;
• The courses of action the accountant considered, the judgements made and the decisions that were taken, having record to the reasonable and informed third party test; and
• How they are satisfied that the disclosure is needed in the public interest.

Members in practice may receive requests for access to confidential information held by the firm from a wide range of third parties and agencies. These can be difficult to handle, especially when such parties visit a premises in person. A member should first explain that they have a duty of confidentiality to their client (referring to the ICAEW Code of Ethics as appropriate) and should be prepared to take a firm stance if necessary. The member should normally seek consent from their client to the disclosure unless the party requesting the information asks them not to.

There may however be situations in which the requestor is not content with the client being contacted to provide consent and they may have statutory rights to the information. Where there is any doubt about the validity of a request for access to confidential information or the rights of a particular party, a member should obtain details of that party’s particular statutory rights and seek to confirm those rights. Where there is any doubt about the extent of those statutory rights, legal advice should be sought.

The following subsections explore a range of requests for confidential information members in practice may experience.

Police or other enforcement agencies

Where a member receives a request for disclosure of confidential information from the police or other enforcement agencies they should refer to the helpsheet Disclosure of confidential information to the police and other enforcement agencies for guidance.

Client dispute or divorce

Disputes within a client entity are often difficult to resolve and a professional accountant can become ‘caught in the middle’ or be forced to take sides.

Current directors of a company and members of an LLP have equal rights to information in connection with their business. As such it would not normally be appropriate to withhold information from such a person. The situation for partnerships can be more complicated and each case should be considered separately. In such cases it is recommended that further advice is sought from the Ethics Advisory Service.

In most circumstances, a former director, partner, or member has no current rights to information even where that information relates to a period when they would have had the right to the information at the time.

Shareholders of companies and members of a club or association have no automatic right to information. A request for information from such a person would need to be directed back to the client or authority obtained from the client for disclosure.

The legal representatives of any of the above have no rights to information unless authority has been given by the client.

Insolvency

Members should review the helpsheet Disclosure of confidential information to insolvency practitioners if they receive requests from insolvency practitioners (or the insolvency service).

Child support agency

Members may receive requests from an inspector of the Child Support Agency. Such inspectors have power under s15 of the Child Support Act 1991 for information regarding an individual’s income, assets and other such information as the inspector may reasonably require. Members are required under this Act to provide such information and documents.

Disclosure required by court order

Parties seeking access to confidential information held by a member may obtain a court order to achieve this. Failure to comply with a court order may be an offence and subject a member to possible fines or imprisonment. Care must be taken to comply therefore. Members should always read the terms of the court order carefully before complying with the request and if in doubt as to its validity should seek legal advice. Only the information detailed within the court order should be provided.

Change in a professional appointment

When a successor professional accountant writes a professional enquiry letter they will often also request information. Section 320 of the ICAEW Code of Ethics outlines the requirements is this respect, but information should not usually be disclosed without the client’s authority. Further guidance is available in the Change of professional appointment – Outgoing accountant helpsheet.

Auditors

Successor auditors usually have a right to access the working papers of a predecessor auditor. Most such requests would normally be with the client’s authority. Further guidance is available in the AAF 01/08 Access to information by successor auditors.

Auditors may also be asked to provide access to audit files by group auditors. Firms are not usually required to provide access to their working papers unless contractually obliged to do so (often as part of their appointment as component auditor). Firms may however be obliged to provide information or explanations to a group auditor by virtue of s499 of the Companies Act 2006. In the unusual event that the auditor holds the company’s books, accounts or vouchers, a group auditor may be able to exercise their rights under the same section for access to these too. Further guidance is available in the Audit and Assurance Faculty’s publication, Auditing groups: a practical guide.

An auditor must also consider reporting obligations arising from ISA (UK) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, ISA (UK) 250 Section A - Consideration of Laws and Regulations in an Audit of Financial Statements and ISA (UK) 250 Section B - The Auditor’s Statutory Right and Duty to Report to Regulators of Public Interest Entities and Regulators of Other Entities in the Financial Sector.

Investigating accounts

Firms may receive requests from investigating accountants for access to working papers and client files. Such requests typically arise when a business is being sold and due diligence work is being undertaken. Firms should consider carefully whether the contents of client files belong to the firm or the client. Guidance on ownership of documents and records is available in the guidance Documents and records: ownership, lien and rights of access.

Where the documents and records belong to the firm, it should consider carefully whether to volunteer access to working papers and may wish to consult with its insurers (members may wish to refer to TECH 09/15 BL Managing the professional liability of accountants). Firms would be advised to put a hold harmless letter in place, guidance on which is available in AUDIT 04/03 Access to working papers by Investigating Accountants. Where a firm does volunteer such access, it should ensure that the authority of the client is obtained beforehand.

It is entirely up to the client whether access is provided to documents and records belonging to them. To reduce potential liability, firms would be advised to provide documentation (or copies thereof) to the client rather than directly to the investigating accountant and indeed the authority of the client should again be obtained.

Mortgage and other client references

Members may receive requests from mortgage providers or other lenders for references on a client’s financial status. It is entirely up to the firm whether or not to respond to such requests but they must not do so unless they have the authority of the client.

If members do agree to respond to such a request, care should be taken as to what is being signed as standard wording provided by lenders may not be appropriate for an accountant to sign. Members should consult AUDIT 02/01 Requests for references on clients’ financial status and their ability to service loans and the helpsheet References on clients’ financial status for further guidance.

Members may face situations where they are legally or professionally obliged to make disclosures to the relevant authorities or regulators proactively (i.e. without having received a request to provide such information). In other situations, members may have a right, but not an obligation to disclose information. The following subsections highlight a range of these situations.

Money laundering or terrorism

Members should review the helpsheet Disclosure of confidential information to the police and other enforcement agencies  and the CCAB Anti-Money Laundering Guidance for the Accountancy Sector for disclosure requirements in relation to money laundering or terrorism.

Duty to report misconduct

ICAEW disciplinary bye-laws 9.2 and 9.2 provide that:

Members are therefore required to make a report through to ICAEW in such circumstances and should review the guidance Your duty to report misconduct for more information. Members may wish to discuss their obligations to make such a report with the Ethics Advisory Service.

Whistleblowing (regulated entities)

Professional accountants will be protected from a breach of confidentiality where they have a statutory duty or right to report to the regulator of a regulated entity. A professional accountant reporting to a regulator outside of these statutory protections would be a risk of breaching confidentiality.

Specific examples include, but are not limited to:

• Pension schemes – the auditor, actuary and professional advisor to a pension scheme has a statutory duty to report significant issues to the Pensions Regulator. The FRC’s guidance is contained within Practice Note 15 (Revised) The audit of occupational pension schemes in the United Kingdom.
• Charities - auditors and independent examiners of charities are obliged to report matters of material significance to the appropriate regulator. Guidance can be found in Matters of material significance reportable to the UK regulators, a joint publication of the Charity Commission for England and Wales, the Office of the Scottish Charity Regulator (OSCR) and the Charity Commission for Northern Ireland. The FRC’s guidance is contained within Practice Note 11 (Revised) The audit of charities in the United Kingdom.
• Financial institutions – auditors of entities subject to regulation by the Financial Conduct Authority (FCA) have a duty to report matters of material significance to the FCA. Further guidance can be found in ISA (UK) 250 Section B – The auditor’s statutory right and duty to report to regulators of public interest entities and regulators of other entities in the financial sector.
• Solicitors – accountants reporting on client money under the Solicitors’ Accounts Rules are obliged to report matters of material significance to the Solicitors Regulation Authority (SRA). Further guidance can be found in TECH 03/20 AAF Solicitors Regulation Authority Accounts Rules Guidance for reporting accountants following the 2019 changes.

Members are advised to review the contents of TECH 02/16 AAF Reporting to regulators on regulatory accounts when providing services to regulated entities.

Non-compliance with laws and regulations (NOCLAR)

Members should have regard to section 360 of the ICAEW Code of Ethics in circumstances where they identify non-compliance or suspected non-compliance with laws and regulations. Paragraph 360.4 sets out that when responding to such non-compliance or suspected non-compliance, the objectives are:

Members must therefore obtain an understanding of the matter and discuss the matter with the appropriate level of management or those charged with governance, advising them to take appropriate and timely actions to rectify, remediate, mitigate, prevent and/or disclose the matter to the relevant authority as appropriate.

Members must then assess the appropriateness of the response in light of all relevant facts and circumstances and determine if further action is needed in the public interest.

Members are advised to discuss the matter with appropriate levels of management within their own firm before any external disclosure is made. Members may wish to seek legal advice as to whether external disclosure is justified and appropriate in the particular circumstances concerned and also on the relevant protections offered by the Public Interest Disclosure Act 1998. In addition free advice is available from Protect (formerly Public Concern at Work).

If, after seeking appropriate legal advice, a member determines disclosure is appropriate they will need to take care to ensure that the information disclosed is factual and complete and doesn’t include any unsubstantiated conclusions or judgements.

In working through the above steps, members should also have regard to their firm’s own protocols and procedures, consulting with the firm’s Ethics partner or function as appropriate.

Privileged circumstances

In the above situations, care should be taken as disclosure may not be permitted without client consent where the work relates to the provision of legal advice in privileged circumstances. Members seeking to rely on this exemption should take legal advice as this is a complex area.

Members may also disclose confidential client information to the proper authorities in order to protect their own interests. In general, members should only disclose information which is adequate, relevant and necessary in order to protect their interests (see paragraph 2.33 of the Professional conduct in relation to defaults or unlawful acts guidance). For example, it may be appropriate for a member to make such disclosure to the police in order to defend themselves against a criminal charge or to clear themselves of suspicion. In such circumstances a member should seek legal advice before any disclosure is made.

In addition to the fundamental principle of confidentiality set out in the ICAEW Code of Ethics, members should also consider requirements of relevant data protection legislation including the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

In order to make any of the disclosures considered above, an organisation would need to have a lawful basis for processing any personal data contained within the disclosure. Where there is a legal obligation to make a disclosure, then the lawful basis for processing would usually be legal obligation. Where there is no such obligation, the lawful basis for processing would normally be consent (where the data subject provides consent for a disclosure) or legitimate interests. Further information is contained within the helpsheet UK GDPR – Lawful basis for processing. Members should carefully document the lawful basis for processing and should ensure that detailed records of exactly what is disclosed, to who and why are maintained.

Subject access requests

Firms may receive subject access requests from data subjects. These could include requests from employees, customers, suppliers or even relatives of clients. Firms would ordinarily (subject to the crime and taxation exemptions – see Disclosure of confidential information to the police and other enforcement agencies) be required to comply with such requests. Firms should take care however to redact confidential information from responses to subject access requests. Further information on subject access requests is contained within the helpsheet UK GDPR – Rights of an individual and the ICO guidance on right of access.

ICAEW members based in England and Wales have access to a free legal signposting service provided by CABA. The 24 hour helpline can be contacted on +44 (0)1788 556 366.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.