Doesn’t the Confidentiality Rule Prevent Me from Responding to a Courtesy Letter?

Practitioners are required by Rule 302 in the CPABC Code of Professional Conduct (the Code) to send and respond to a courtesy letter. Sometimes, predecessors are concerned that they might be prohibited from disclosing the reasons for terminating the client relationship. We refer you to Rule 208 in the Code, Confidentiality of information, where you are permitted to disclose information for the purpose of Rule 302 and other circumstances:
A registrant shall not disclose any confidential information concerning the affairs of any client, former client, employer or former employer except when:
- properly acting in the course of carrying out professional duties;
- such information should properly be disclosed for purposes of Rules 101, 211 or 302 or under the Act or bylaws;
- such information is required to be disclosed by order of lawful authority or, in the proper exercise of their duties, by the Board, or a committee, officer or other agent of CPABC;
- justified in order to defend the registrant or any associates or employees of the registrant against any lawsuit or other legal proceeding or against alleged professional misconduct or in any legal proceeding for recovery of unpaid professional fees and disbursements, but only to the extent necessary for such purpose; or
- the client, former client, employer or former employer, as the case may be, has provided consent to such disclosure.
A registrant shall not use confidential information of any client, former client, employer or former employer, as the case may be, obtained in the course of professional work for such client or employer:
- for the advantage of the registrant;
- for the advantage of a third party; or
- to the disadvantage of such client or employer without the consent of the client, former client, employer or former employer.
A registrant shall:
- take appropriate measures to maintain and protect confidential information of any client, former client, employer or former employer, as the case may be and to ensure that access to such information by another person is limited to those with legitimate purpose to access the information; and
- obtain the written agreement of any such person to carefully and faithfully preserve the confidentiality of any such information and not to make use of such information other than as shall be required in the performance of appropriate professional services.
The term “registrant” is used throughout the Code and means a designated member, registered CPA firm, a professional accounting corporation, or a student.
The additional guidance to Rule 208 is as follows:
- The duty to keep a client's affairs confidential should not be confused with the legal concept of privilege. The duty of confidentiality precludes the disclosure of a client's affairs without the knowledge and consent of the client. The duty of confidentiality to clients and former clients does not expire with time. As confidential information becomes dated, the duty may be of less practical concern to a client, but the duty continues.
The duty of confidentiality also includes establishing, maintaining and upholding appropriate policies and processes to protect confidential information. Such policies and processes include limiting access to the information and implementing appropriate measures to address a situation when the duty of confidentiality has been breached.
- The duty of confidentiality does not excuse a registrant from complying with a legal requirement to disclose the information. However, the courts have held that a registrant faced with a subpoena or other request to disclose information should be aware of the registrant’s obligation to bring to the attention of the court or other authority the registrant’s duty of confidentiality to the client. If there is doubt as to the legitimacy or scope of a claim for disclosure, legal advice should be sought. Ultimately, in a dispute, a court will determine, based on the facts, whether the confidentiality of client information should be maintained.
- A registrant will not be in contravention of any provision governing confidentiality by reason of obtaining legal advice with respect to the duty of confidentiality, nor will discussing a possible claim in confidence with an insurer constitute a breach of the duty of confidentiality.
- One of the underlying issues when dealing with conflicts of interest is controlling the degree to which persons in a firm share client confidences. (See also Rule 210.) Rule 208 prohibits the improper use of confidential client information, but does not restrain its disclosure within a firm. Registrants may find they are in a position of conflict due to the general legal presumption that the knowledge of one person in a firm is shared with or attributed to others in the firm.
The legal presumption that knowledge is shared within a firm may be rebutted if the firm can demonstrate that effective institutional mechanisms are in place to limit the sharing of confidential information within the firm.
This basis of sharing information within a firm recognizes that different persons in a firm have different needs for information in order to properly fulfil their responsibilities. For example:
  - an assurance provider must have information on all aspects of a client’s affairs that might affect the assurance provider’s opinion on the financial statements;
  - a tax practitioner, in the course of preparing or reviewing an income tax return, must have information on all aspects of a client’s affairs that might affect the income tax return;
  - a forensic accountant undertaking an investigation of a client’s affairs might only require information relating to the subject of the inquiry; or
  - a member who is providing a professional opinion on a matter may wish to seek the advice of another person in the firm.
- Where appropriate, registrants should also inform clients and potential clients that the use of institutional mechanisms, which safeguard their confidential information, necessarily means that a registrant serving a particular client may not be aware of information that is confidential to another client, which would assist the registrant’s client and advance that client’s interest.
- Registrants are reminded that the use of electronic communications and storage media may require the use of additional precautions to protect confidential information, such as password, firewall and back up protection. In addition, the use of “cloud” or other off-shore computing and storage may increase security requirements as well as concerns related to access to information that is provided by anti-terrorism legislation in some jurisdictions. Registrants should be particularly aware of these concerns. It may be prudent to provide appropriate disclosure of information related to storage and security policies to clients and other affected parties.