This is an excerpt of Steinecke Maciura LeBlanc’s “Governance for Regulators” handbook. To view additional sections of the handbook, click here.
Board and committee members are required to keep all information obtained through the regulator confidential, unless an exception applies. This duty is not limited to personal information. For example, policy proposals in early development are to be kept confidential until they are ready to be made public. Similarly financial, human resources and other operational information must be kept confidential until made public through official channels. This approach greatly reduces the burden on Board and committee members to figure out whether any one piece of information should be kept “confidential”. The rule is less difficult to apply: do not disclose any information unless an exception applies.
There are a number of reasons for this rule including:
- For most regulators, it is a statutory requirement enforced by a significant penalty (e.g., a large fine);
- Much of the information is highly sensitive, especially personal information about practitioners;
- Disclosure through proper channels of communication helps ensure that the information is presented accurately and consistently;
- Disclosure through proper channels helps avoid attempts to inappropriately influence Board and committee members as they release the information privately;
- Disclosure through proper channels helps avoid the perception of special treatment if some people receive the information before others; and
- Disclosure through proper channels helps reduce any temptation by Board and committee members to misuse the information (e.g., for their personal benefit).
The duty of confidentiality applies to disclosure within the organization, not just disclosure to persons external to the regulator. For example, a committee member disclosing information to a Board member for no regulatory reason is not only inappropriate, it could even taint the Board member in their future activities (e.g., if they sit on a discipline panel dealing with the matter). The “need-to-know” rule applies.
Of course, there are exceptions to the duty of confidentiality. Those exceptions vary slightly from regulator to regulator, so it is important to check the provisions. However, there is an almost universal exception permitting disclosure where necessary to perform regulatory functions. For example, in order to investigate a complaint, the regulator has to interview witnesses and obtain relevant documents. Doing so invariably discloses the existence of the investigation into the practitioner. A second, almost universal, exception is where the information has already been made public by the regulator. The last phrase is important. For example, if a committee member learns that a practitioner is facing criminal charges, those charges are a matter of public record. However, until the charges are made public by the regulator, say at a discipline hearing, the fact that the regulator is aware of them is not public and the committee member cannot disclose knowing of their existence. Typically the disclosure of information by the regulator is done by the staff of the regulator so as to prevent inadvertent inappropriate disclosure by Board or committee members who may not be as familiar with the rules.
It is sometimes challenging for new Board and committee members to appreciate the relationship between the high duty of confidentiality on their part and the increasing expectation of transparency by the regulator. Transparency involves the systemic disclosure of information by the regulator in order to further the public interest and to demonstrate that the regulator is acting effectively within its mandate. The information selected for disclosure under transparency principles is carefully and consistently chosen because it allows the public to make informed choices (e.g., the discipline history of practitioners) and to observe key regulatory activities in action (e.g., public discipline hearings; published reasons for decision). Inconsistent or unilateral disclosure of regulatory information by individual Board and committee members does not well serve the transparency goals of the regulator.
Where a Board or committee member accidentally discloses confidential information, it is important that the regulator’s privacy officer (often the CEO) is informed immediately. That permits the regulator to take prompt measures to reduce the risk of dissemination of the information and to warn (and apologize to) affected individuals so that they can prepare themselves for any repercussions. A Board or committee member keeping the “slip” secret aggravates the harm that can result. Undoubtedly there will be a review of the circumstances of the confidentiality breach with a resultant revision of policies and procedures.
Many regulators request that Board and committee members sign an acknowledgement and undertaking reinforcing their confidentiality obligations.
Ernie Eager frequently engages in banter with colleague practitioners. One such exchange involves sharing the most embarrassing situation in which they have found themselves. Ernie shares an anonymous story about a young practitioner who was video-conferencing with a client from his parent’s home when his mother walked up behind him and kissed him on top of his head. Ernie intimated that this incident was part of a much longer complaint Ernie reviewed for the regulator. Unbeknownst to Ernie, one of the attendees knew of this incident, including the name of the practitioner. As a result, Ernie’s colleagues have just learned that the now identified practitioner is the subject of a complaint. Ernie asks the colleagues to keep the information confidential, but fails to notify the privacy officer for the regulator. The disclosure gets back to the practitioner under investigation who raises an “abuse of process” defence to the complaint and insists that Ernie should be charged with the provincial offence for breaching confidentiality. Ernie is removed from the complaints committee panel dealing with the complaint.
Board and committee members must treat all information learned through the regulator with exacting discretion.