The right balance

Risk management


Ruth Cook explains the points to consider in order to properly weigh up the risks associated with disclosing information to third parties

Key Points 

What is the issue? 

There are a number of situations in which a practitioner may be asked either to release information to a third party or to give consent for their client to do so. 

What does it mean to me? 

In order to manage risk, it is almost always essential to seek some basic information about the request and the intended recipient(s) and weigh up the risks. 

What can I take away? 

In all decisions, it is fundamental to comply with any legal, regulatory, professional and ethical obligations. Then there is likely to be a need for judgement taking into account the practitioner’s own or firm’s risk and the reason for, and risks associated with, the request in order to settle on a measured response based on the circumstances.

There are a number of situations in which a practitioner may be asked either to release information to a third party or to give consent for their client to do so. Their first impulse, especially if the request comes from a current client, is to want to be helpful and provide the information or consent to its disclosure as quickly and efficiently as possible.

However, in order to manage risk, it is almost always essential to seek some basic information about the request and the intended recipient(s) and weigh up the risks. Having done so, a decision can be made as to whether those risks can be managed and, if so, how they should be managed using the tools available.

The purpose of this article is to explain the points to consider in order to properly weigh up the risks and to suggest possible ways of managing or mitigating those risks. There is often a balance to be struck – the bigger the risk (in terms of size or likelihood), the stronger the protection needed. In many cases, this will need to be balanced with the practicalities of obtaining the ‘ideal’ protection. 

Key information to establish

About the request

  • What is the source of the request and is the requestor acting on their own behalf or someone else’s?
  • What is the reason for the request and how will the information be used by the recipient? Understanding this is crucial to the risk assessment and subsequent decision on the level of protection needed in order to manage the associated risks.
  • Who will be releasing the information and how will it be released? Is the client seeking permission to release the information (maybe as required under the practitioner’s terms of business) or will the practitioner be directly involved in providing the information to the third party?
  • Will the information be sent to recipients individually or accessed via a data room or similar?
  • Will the recipient want to onward disclose the information to other parties, e.g. advisers or insurers? It may be appropriate to limit disclosure permission or require further protection.

This information will help to establish whether there is a legal or professional obligation to disclose and what risks are involved. It’s worth bearing in mind that the requestor may not be the only, or even the main, party using the information. For example, investigating accountants doing buy side due diligence often approach other advisers direct but the main risk will be in respect of their client’s use of the information.

About the information

  • What is the nature of the information the adviser is being asked to provide?
    • Tax computations/HMRC correspondence: These may belong to the client – if so they must normally be released;
    • Copies of past advice provided to the client: Consider how much protection is already built into the advice. Is there a link back to the engagement letter and terms? Is it clear who the information was prepared for? Is the purpose clear? Is there a statement that it cannot be relied upon by anyone other than the client? Is there any explicit restriction on it being passed on?
    • Answers to specific questions related to past services or further explanations in the form of a direct discussion with the recipient and / or their advisers: In this case, answers should be limited to explanations in respect of past services and not amount to the creation of new advice addressed to the third party. If ‘new information’ is required (e.g. an update in respect of developments since the original advice was provided), this should be prepared as a new piece of advice addressed to the client and released to the third party with appropriate protection.
  • Will/could the information include any of the following?
    • Client confidential information: Even if there are no explicit clauses in the engagement letter or terms of business, tax professionals have an obligation of confidentiality to their clients. It is also likely that the engagement letter and terms of business will include obligations to keep a client’s information confidential. The terms may include limited permission for the practitioner to disclose but if not covered, formal consent may be needed.
    • Third party confidential information: Consider whether the information is subject to a confidentiality agreement or other restriction on onward disclosure. If so, consent from the relevant third party may be needed.
    • Personal data or sensitive personal data: Obligations in respect of personal data will be covered by relevant data protection legislation. Understanding this becomes even more crucial if the information includes sensitive personal data. It’s also possible that the engagement letter or other contractual terms will include further restrictions. The details of GDPR or equivalent are beyond the scope of this article but crucial to consider.

Key factors to consider

See the box above. In all decisions, it is fundamental to comply with any legal, regulatory, professional and ethical obligations. Then there is likely to be a need for judgement taking into account the practitioner’s own or firm’s risk and the reason for, and risks associated with, the request in order to settle on a measured response based on the circumstances. 

Key tools available to help manage risk

Not all of these will be possible or practical in all cases:  

  • A non-reliance or hold harmless letter addressed to the recipient and signed by them. The letter would normally either require that no onward disclosure be made or allow limited permission for onward disclosure (e.g. to legal advisers). This would be the preferred approach in higher risk situations and might include an indemnity against third party claims;
  • In the case of access to information via an electronic data room or similar, a ‘click through’ acceptance of non-reliance terms included as part of a data room access or other online or electronic access method (effectively an electronic version of the non-reliance letter referred to above);
  • A notice addressed to the third party or stating the terms upon which the information is released, including limitations on scope, that the advice was prepared with only the client’s interests in mind, that it may not apply in all circumstances, and confirmation that no responsibility or liability is accepted. This approach may be appropriate in situations where circumstances prevent a signed non-reliance or hold harmless letter from being obtained;
  • The above information appended as a notice or caveat in the information being released;
  • Any disclaimers included in the original information. This may be sufficient if the information already includes clear disclaimers and the associated risks are considered to be low;
  • An indemnity from the client in respect of any possible claim by the third party. This may be appropriate where the client has a strong interest in the information being provided to the third party but, for whatever reason, adequate protection cannot be obtained from the third party. This is sometimes included in standard terms of business, so may already be in place;
  • Decline to provide the information or limit the amount of information disclosed. This may be appropriate if a request is excessive, inappropriate or if providing the information is commercially impractical.

Managing appropriately

On the basis of the information gathered, consider any constraints on what can be done, weigh up the risks and consider how they can be managed appropriately:

  • First, consider any legal obligations to disclose or not to disclose or any conditions which must be complied with.
  • Next, consider any professional and contractual obligations to the client or third parties, including the need to seek consent or permission prior to agreeing to release the information requested. The client consent letter should set out clearly what will be disclosed so that there is no misunderstanding. Acceptance should also be sought that the client will not hold the practitioner responsible for any consequences arising as a result of the disclosure of the information (see below).  
  • Then think about the risk of liability or claim arising and an appropriate, measured response:
    • Client – a claim might arise as a result of any unintended consequences following the release of information; this can be managed as part of a client consent letter (as referred to above);
    • Requestor or direct user – see tools above;
    • Other users – e.g. insurers. If the requestor seeks permission to onward disclose the information, consider which of the key tools available are most appropriate to manage the additional risk. If the risk is high, separate hold harmless arrangements may be appropriate;
    • Other third parties – consider who else might get access to the information and which of the key tools available can help to manage the risk;
    • Loss of control as a result of onward disclosure – any parties receiving the information as a result of onward disclosure by the recipient will have no direct obligations to the practitioner. Once control of distribution is lost, any disclaimers built into the information released are the main protection. If wide disclosure is contemplated, seeking an indemnity from the client or the initial recipient may be appropriate.

The terms of a practitioner’s professional indemnity cover are beyond the scope of this article, but it would be wise to check whether there are any special terms relating to release of information to third parties.