CPAs in Canada are bound by a strict requirement of confidentiality that applies to all aspects of their professional work. In BC, the CPABC Code of Professional Conduct (CPA Code) outlines the requirements and provides registrants[1] with extensive guidance on this topic. In this article, we cover the major confidentiality rules in the CPA Code, describe situations that are prone to potential breaches of confidentiality, and provide some cautionary examples.
Confidentiality and the CPA Code
The preamble to the CPA Code emphasizes that maintaining confidentiality is one of the fundamental principles governing a registrant’s conduct. These fundamental principles are integral to ensuring public confidence in our profession. The preamble states that registrants must “… protect confidential information acquired as a result of professional, employment and business relationships and [must] not disclose it without proper and specific authority [or] exploit such information for their personal advantage or the advantage of a third party.”
Rule 208 of the CPA Code (Confidentiality of information) consists of three sections, each of which is described here:
- 208.1 – Disclosure of confidential information;
- 208.2 – Use of confidential information; and
- 208.3 – Measures to maintain and protect confidential information.
Disclosure of confidential information
Simply put, registrants must respect the confidentiality of information acquired through professional or business relationships and, more importantly, must not disclose this information without proper and specific authority. This rule applies to the information of past and current clients and employers.
Registrants can disclose confidential information to a third party only if:
- They are properly carrying out their professional duties;
- They are lawfully required or allowed to do so;
- They are a defendant in a legal proceeding, are the plaintiff in a proceeding to recover unpaid professional fees, or are defending themselves against professional misconduct complaints that have been made to CPABC; or
- Their past or current client or employer has given consent.
While Rule 208 restricts the disclosure of confidential information to third parties, it does not restrain its disclosure within a registrant’s organization. However, paragraph 1 of Guidance – Rule 208 recommends that organizations should consider implementing policies that formally restrict access to confidential information within an organization. In addition to protecting the public, these kinds of policies may help protect registrants from inadvertent disclosures and conflicts of interest.
Use (and misuse) of confidential information
Rule 208.2 prohibits the use of confidential information of any current or former client or employer without their consent, whether for:
- The advantage of the registrant;
- The advantage of a third party; or
- The disadvantage of the client or employer.
Inappropriate use can easily land a registrant in court, given the various pieces of legislation that touch on this area. For example, under the Securities Act, individuals in a special relationship with a public company (such as an employee or service provider) must not trade securities of the company when they are privy to material, confidential information.
Maintaining confidential information
Rule 208.3 requires that registrants take appropriate measures to protect the confidential information of present and former clients and employers. This includes protecting confidential information within their organizations so that it is only accessible to those with legitimate purposes.
The shift to storing information in the cloud has presented new risks and responsibilities for maintaining the confidentiality of information. When using third-party services, including Software as a Service vendors, registrants should ensure that the security and privacy practices of these service providers satisfy confidentiality requirements set out by the CPA Code and privacy legislation outside of the profession.
Registrants may also wish to disclose their vendor’s practices to their clients in cases where it is appropriate to do so.
Other legislative requirements
As noted in the July/August 2019 issue of CPABC in Focus,[3] registrants should be aware of the privacy and related confidentiality requirements set out in the following legislative acts:
- BC’s Personal Information Protection Act (PIPA) applies to provincially regulated private sector organizations in BC that collect, use, or disclose personal information. PIPA describes how these private sector organizations must handle the personal information of the public and their employees, and establishes rules regarding the collection and disclosure of this information. An organization that contravenes PIPA can be sued by affected individuals for “damages for any actual harm suffered.”[4]
- BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) applies to BC public bodies and organizations that provide services to these public bodies. FOIPPA creates rules for the collection, use, disclosure, and storage of personal information in a public body’s custody or control. It also stipulates that certain violations are finable offences.[5]
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) creates rules for the collection, use, and disclosure of personal information by federally regulated private sector organizations in BC or by BC private sector organizations that have clients in other Canadian jurisdictions.[6]
Disclosing information—too much, too quickly, or just enough?
Based on complaints made to CPABC concerning alleged breaches of confidentiality, CPAs appear to be at greatest risk when they’re asked to make rushed decisions—for example, during unexpected conversations or as a deadline approaches. In such cases, confidential information may be divulged without proper consideration being given first. For example, one CPABC member discussed a client’s account status during an impromptu conversation with the client’s banker without first obtaining the client’s consent. As a result of this conversation, the client had difficulty obtaining bank financing. The client subsequently complained to CPABC, and an investigation was launched. Ultimately, CPABC’s Investigation Committee issued a Determination and Recommendation, to which the member agreed.
It can get especially complicated when registrants are asked by law enforcement agencies to provide confidential information concerning their clients, or when a registrant wants to report suspected illegal activities in the absence of a legislated whistleblower regime. In such cases, before sharing confidential information, it may be appropriate to seek legal counsel to determine how best to satisfy the legal requirements of law enforcement agencies while adhering to the confidentiality provisions of the CPA Code.
In addition, under applicable federal legislation, an accountant must report certain financial transactions to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) when they engage in “triggering activities,” as specified under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. These activities generally involve client assets and include:
- Receiving or paying funds, except payments received for professional accounting services;
- Purchasing or selling securities, real property, business assets, or business entities;
- Transferring funds or securities by any means; or
- Giving instructions on behalf of anyone regarding these activities.
Mishandling and misusing information
Some confidentiality complaints made to CPABC have alleged the mishandling of information and documentation, while others have alleged the intentional misuse of proprietary information. The following examples are based on real-life situations, although some details have been altered to preserve confidentiality:[7]
- In two cases, practitioners left their former firms with the intention of setting up their own practices. In each case, the practitioner misused the client list of their former firm to solicit new business for themselves.
- A CPA candidate used a former employer’s Excel and Word templates and sample employee policy manuals to develop new, nearly identical versions for their new employer.
- A member working as a chief financial officer shared confidential corporate information with a prospective investor without the authorization of the company’s board of directors.
- A firm transferred physical client files between its head office and its branch offices elsewhere in BC. Although transported in a locked truck, the files were visible to passersby and, on several occasions, left unattended overnight.
- A firm placed confidential documents in a communal bin destined for shredding. Before the bin was picked up, every tenant in the same building had access to its contents.
Penalties assessed through CPABC’s investigation and disciplinary process vary depending on the unique circumstances of each case, and may include fines and the costs of the investigation (which often exceed the fines). In serious cases, the Investigation Committee may refer the matter to CPABC’s Disciplinary Committee, which may find that suspension or cancellation of membership is appropriate under the circumstances.
Maintaining confidential information—practical considerations
In our July/August 2019 article, we outlined some ways to help secure your business records. Many of these tips apply for maintaining confidentiality, and the following list identifies control measures that organizations should implement to protect physical and electronic data:
- Setting the tone at the top: Employees often adopt similar attitudes to those displayed by management. Therefore, the “tone at the top” must be one that emphasizes the importance of maintaining and promoting strong business and confidentiality controls.
- Controlling access: For electronic files, it is important that access be controlled using passwords, firewalls, and/or encryption. This is especially true if the information is saved on physical storage devices such as USB drives, or is being shared using smartphones or other devices. Of course, effective protection of electronic files must be supported by an effective approach to cybersecurity overall. For physical files, access should be controlled using physical locks and other similar security measures.
- Delivering and disposing of documents confidentially: Even during the pandemic, many businesses are dealing with physical paperwork on a regular basis. If physical documents must be delivered, you should use a trusted courier or delivery service with its own security and confidentiality policies. The same goes for disposal—if you’re using a subcontractor for this service rather than shredding paperwork on-site, you must be judicious in the hiring process. For digital documents, use encryption and password protection when sharing files with external recipients, and implement a file retention policy to ensure that you dispose of digital files correctly and in a timely manner.
- Implementing protocols for remote work: As the pandemic has shown us, special care needs to be taken when employees work remotely. Be sure to set up a security policy that covers file access, sharing, and disposal for those working off-site.
- Ensuring adequate training for staff: An employee or subcontractor’s ignorance can pose a significant risk to your organization’s data security. Employees and subcontractors should be trained on and kept up to speed about your organization’s policies, procedures, and technology.
- Communicating with clients: If you’re a practitioner, make sure that your clients are made aware of any third-party software you use to process or store their data. For example, if your software providers track keystrokes or store data outside of Canada, you should inform your clients, as each client has their own privacy concerns and risk tolerance.
Need guidance on confidentiality matters?
The guidance in the CPA Code is designed to help you understand how the rules should be applied. CPABC’s professional standards advisors are also here to help. You can consult them for confidential guidance to ensure that you stay compliant with the CPA Code when navigating difficult situations. Contact our advisors:
- By telephone: 1-800-663-2677 (toll-free).
This article was originally published in the November/December 2021 issue of CPABC in Focus.
Notes
[1] “Registrants,” as used in the CPABC Code of Professional Conduct, refers to members, students (candidates in the CPA Professional Education Program), and registered firms. The CPA Code does not apply to students enrolled in the CPA preparatory courses.
[2] This permission also applies to associates and employees of the registrant.
[4] PIPA, Part 12, Section 57(1).
[5] FOIPPA, Part 6, Section 74.1. Maximum fines are $2,000 for individuals, $25,000 for partnerships or individuals who are service providers, and $500,000 for corporations.
[6] PIPEDA, Part 1, Division 2, Section 11(2). In 2020, the federal government introduced Bill C-11 to reform federal privacy legislation. However, since the bill, entitled An Act to Enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to Make Consequential and Related Amendments to Other Acts, did not pass before the 2021 election, it will need to be reintroduced.