To help you to understand your SRA obligations in relation to keeping clients' information confidential.

Paragraph 6.3 of the Code of Conduct for Solicitors, RELs and RFLs and of the Code of Conduct for Firms (referred to collectively as ("the Codes") requires you to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.

This duty of confidentiality exists as an obligation under both common law and data protection legislation as well as being one of the core professional principles set out in section 1(3)(e) of the Legal Services Act 2007 and professional standards in our Codes. Information should not be passed to third parties without the client's consent. This includes via marketing materials (including contributions to law firm directories or league tables) or passing client details by way of referral. Confidential information regarding one client should not be passed to another. Consider limiting the confidential information that you obtain from the client before a conflict check has been carried out and it has been established that you can act. This minimises the risk of such information being inadvertently disclosed within the firm.

Consent to disclosure of confidential information must be clear, so that the client knows to whom their information should be made available, when and for what purpose. Where you have their general consent, it may still be appropriate to obtain the client's consent to a specific piece of information being disclosed as the issue arises, for example by sending them a draft letter to the opponent to approve. In considering any disclosure you should have in mind the absolute nature of legal professional privilege and the fundamental nature of the duty of confidentiality. You should remember that the circumstances in which confidentiality can be overridden are rare. Some firms may have overseas or connected offices or be part of a group structure where they are separate legal entities (such structures are often known as a "Verein" after a type of association of separate legal entities allowed under Swiss law).

Our guidance on technology and legal services includes a section on using advanced technology safely. It includes advice on how we can improve our own cyber security and help avoid our client's information being stolen or inadvertently disclosed.

Examples of effective measures which result in no real risk of disclosure could include a combination of:

• Systems that identify potential confidentiality issue
• Separate teams handling the matters, at all levels including non-fee-earning staff
• Separate servers (and printers) so that information cannot be cross accessed
• Information being encrypted, and password protected
• Individuals in the firm being aware of who else in the organisation is working on the respective matters so that they know who they can and cannot discuss the matter with.
• Appropriate organisational policies and training for staff.

It should be borne in mind for example, that the merger or acquisition may not proceed and that the proposed acquiring firm may act for those with interests adverse to the other firm's clients. Therefore, there should be express requirements limiting the data to be disclosed and who sees it, their obligations to protect it and its return or destruction if the transaction does not proceed.

Data Protection Act 2018 (legislation.gov.uk)

Data protection in the EU - European Commission (europa.eu)