Standard 5.4 on Protecting Client Confidences
Standard
Consistent with their ethical and legal responsibilities, a legal aid organization and its lawyers must protect information relating to representation of a client and information relating to the prospective representation of an applicant. They have an obligation to take reasonable steps to prevent inadvertent or unauthorized disclosure and inadvertent or unauthorized access to such information and should have policies in place to respond to a breach of security, including informing clients, funders and individuals impacted by the breach.
Commentary
General Considerations
The attorney-client relationship depends upon the free and candid flow of information between client and practitioner. This will occur only if clients are certain that the information they provide will be held confidential, consistent with the applicable rules of professional conduct and any exceptions thereto. The organization must make certain that all personnel understand and abide by lawyers' ethical obligation to protect client information. See Standard 3.10, on Efficient Use of Technology, for important information related to preserving client confidentiality and personally identifiable information collected actively or passively by legal aid organizations and the tools they use.
Specific Considerations
Intake. The responsibility to ensure confidentiality begins at intake. Persons who are seeking representation are entitled to the same level of protection as are former clients regarding confidentiality of communications. The organization's responsibility to protect information from disclosure does not diminish because an applicant is not accepted as a client.
Applicants for service must be guaranteed a private interview, whether it is conducted in person, online, or by phone. Interviews need to be conducted in a setting where the information provided by the applicant cannot be overheard by persons who are not with the organization and where notes from the interview as well as documents provided by the applicant are not visible to anyone other than appropriate organization personnel. This is a special consideration for employees working remotely. The identity of each applicant and information supplied in support of the application should be protected from improper disclosure to third parties, including other applicants for service or other clients of the organization.
Authorized disclosure. The organization's governing body, practitioners, and staff need to be familiar with the ethical rules in its jurisdiction regarding the authorized disclosure of confidential information and what information is deemed to be protected. When the organization uses technology tools to collect Personally Identifiable Information (PII) as defined by law, the organization must make sure that information is protected according to law, industry standards, and best practices and is not available to outside parties. Information relating to the representation cannot be disclosed unless the client gives informed consent, the disclosure is implicitly authorized in order to carry out the representation, or the disclosure is permitted in exceptions set out in the ethical rule. Any technology tool that the organization requires the client to use in the course of representation should be vetted by the organization. See Standard 3.10, on Efficient Use of Technology, for more guidance on protecting client data.
Disclosure of confidential information is often essential as part of representation of a client. Client approval of a particular course of action implicitly may authorize the disclosure of information to courts or other tribunals, opposing counsel, or other third parties in order to carry out the representation. If the data will be used for evaluation, the client should be advised about that use in the retainer or application tool. When particularly sensitive information is involved, the practitioner should explicitly discuss the disclosure with the client and should obtain informed consent before disclosing the information.
Risks of unauthorized disclosure. The organization and its practitioners need to be particularly sensitive to the risks of unauthorized or inadvertent disclosure and unauthorized access to information relating to the representation of clients and must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, it.
The first risk involves inadvertent disclosure of confidential information. Such disclosure can occur when practitioners or other staff engage in casual conversations inside and outside the organization's office. Information about applicants and clients should never be discussed among the organization's staff when there may be other applicants for service, clients of the organization, or non-organization personnel present. Hardcopy documents containing confidential information should not be left where they can be seen by anyone other than the appropriate staff, and confidential client information should not be displayed on computer screens that are visible to persons who should not have access to the information. Employees accessing case management systems, email, and other communications on their personal devices present another opportunity for unauthorized disclosure. Organizations must have technology policies advising employees how to adequately protect client data on their personal devices and how to respond in the event of a breach.
Confidential client information can also be inadvertently disclosed when intake records or materials from case files, including the attorney's work product, such as drafts of confidential memoranda and other documents, are disposed of improperly. The organization should shred paper records that contain confidential information when disposing of them. Organizations should make certain that electronic records that contain confidential information are removed from computer hard drives, storage drives, onsite and remote servers, and other devices, including cloud-based storage, when the organization disposes of the storage system(s) and/or any subscription service(s).
Another risk to client confidences arises when judges, opposing counsel, or community partners seek information about the legal services that are provided to a particular client, or about the basis on which a client was found to be eligible to receive help from the organization. The organization should take appropriate steps to protect client information from such disclosure, including challenging the request in court and, if necessary, on appeal.
Requests for confidential information by funding sources. Tension may occur between the legitimate interest of funding sources to account for the proper expenditure of funds and the need for organizations to protect the information relating to the representation of their clients. Organizations should be careful not to reveal confidential information to a funding source, unless the organization is required by law to disclose the specific information requested by the funding source.
In 1977, the ABA Standing Committee on Ethics and Professional Responsibility interpreted the Model Code of Professional Responsibility to prohibit a legal aid lawyer from allowing "inspectors from outside the agency to examine files relating to client matters, when the files contain confidences and secrets within the meaning of DR 4‑101, in the absence of the client's understanding consent and waiver after full disclosure." Subsequently, however, the ABA adopted revisions to the Model Rule of Professional Conduct 1.6(b)(6) to state that a "... lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary ... to comply with other law or a court order." Most states have adopted some variation of Model Rule 1.6. Some states' ethics opinions interpret their rules of professional responsibility to incorporate the "other law" exception.
While the rule may not require client consent to such disclosures, where organizations are operating under a jurisdiction's ethics rules that are based on Model Rule 1.6(b)(6), or where ethical opinions permit disclosure based on other law, they should inform clients at the outset of the representation that confidential information may be disclosed to a funder if the law requires it. The organization should be careful not to disclose more information than is specifically required by law and should resist disclosing information that could potentially compromise the client's representation without the client's consent.
Ultimately, the scope of the protection for information relating to the representation of a client is a matter of federal and state law, as well as jurisdictional ethical rules. Organizations and their practitioners should be familiar with the relevant state and federal law and ethics requirements, as well as any other law that is applicable, and they should examine them carefully to determine what, if any, information may be disclosed to a funding source without client consent. In some instances, federal or state laws mandating disclosure of client information may conflict with ethical rules or other laws. In those instances, organizations should make every effort to negotiate with funding sources over disclosures that may violate ethical rules or other laws, to protect both the clients involved and the organization's resources. In some instances, the organization may have to seek opinions from the jurisdiction's ethics bodies or courts in order to resolve the issue.
Use of interpreters. Special confidentiality concerns arise when working with applicants and clients who are deaf or hard of hearing or prefer to use a language other than English and who require the services of interpreters who are not organization employees. The organization should be aware of the potential impact on confidentiality when a third party acts as an interpreter in a communication between an applicant or client and the organization. The organization should use the services of a professional or qualified volunteer interpreter who is responsible to the organization unless it is a serious emergency and harm will come to the client. The organization should ensure that all such interpreters are aware of the responsibility to protect from disclosure any information communicated between the applicant or client and the organization.
The organization should discourage the use of third-party interpreters who are friends or family members or nonprofessional volunteers from client communities. Not only does such a situation potentially jeopardize the attorney-client privilege between the applicant and the practitioner, but it also potentially compromises the accuracy and quality of the interpretation. However, there may be circumstances where the client or applicant insists that such a person be used, or there is an emergency and no professional interpreter is immediately available. In such a situation, the organization should impress upon the interpreter the need to keep the communication confidential.
Translation tools that crowdsource translation or interpretation to untrained or unqualified translators or interpreters, or rely primarily on machine translation, should not be adopted as the main way to accommodate language needs due to their inefficacy in communicating in the legal domain. See Standard 5.7 on Implementing Language Justice for more information about translators, interpreters, and machine translation/interpretation.