The PwC Fallout: The Case for Confidentiality Agreements & Codes of Conduct

The recent events involving Big Four accounting firm PwC have highlighted the need for organisations to revisit existing governance arrangements. Senate Estimates, together with extensive media reporting and statements from PwC’s Chief Executive Partner, have drawn attention to numerous apparent failures of governance at the top level of PwC’s leadership, with the consequences of these alleged failures ranging from the potential for reduced Government work to a complete existential crisis (to quote former Prime Minister Malcom Turnbull). At this stage, it appears that one of the numerous alleged governance shortcomings of PwC was its failure to respect confidentiality agreements to which it as an organisation, as well as its individual partners, were a party, and to adhere to its own code of conduct.

PwC’s alleged conduct illustrates that a deeper understanding and appreciation of why confidentiality agreements and codes of conduct were in place, together with the consequences of non-compliance with those frameworks, was required.

Confidentiality Agreements

Confidentiality Agreements are known in many guises – non-disclosure agreements, proprietary data agreements, confidential disclosure agreements. At its heart, however, the purpose of a confidentiality agreement is to protect specific information, for a particular purpose, at a particular time or for a specific duration.

Commercially sensitive information that an organisation wants to protect to retain its competitive advantage is commonly protected by confidentiality arrangements. These could include agreements between the organisation and:

• third parties, that are designed to ring-fence the purpose for which an organisation’s information can be used, including who can access sit and to whom it can be disclosed;
• employees who may have access to trade secrets, proprietary information and strategic and business plans; and
• employees who may have access to sensitive client information that has been provided to the organisation for a specific purpose, and which cannot be used on another matter, for the benefit of the organisation or, critically, for the benefit of another client.

A commonly overlooked but vital element of confidentiality agreements is what happens once the confidential information in question has been provided. Key features to consider including in confidentiality agreements are:

• what happens to the information once the purpose for which it was provided has been served;
• clear guidelines and processes in place for whether the information should be destroyed (and by what method), returned to the originator or retained, including for how long and in what form;
• a user-friendly and practical register that tracks who has accessed the information and where it is disclosed; and
• a process for quickly and effectively amending the terms of the agreement to both facilitate the ultimate purpose and to protect the information; including by expanding the purpose for which the information may be used, increasing the pool of people who can access the information and by having in place a mechanism by which the originator can quickly call for the return of the information if an actual or potential risk of misuse arises.

The importance of confidentiality agreements in protecting sensitive information cannot be understated given the potential consequences of a breach may be a reduction in an organisation’s ability to carry on its business. Well formulated and clear agreements also help to set expectations of employees. When a confidentiality agreement clearly outlines what information is protected, why it is protected and what the consequences of breach are, then employees are under no illusions as to the importance of protecting the trade secrets and sensitive information of the organisation, and, importantly, of its clients.

Codes of Conduct

Briefly, codes of conduct typically establish the values and ethics of an organisation, and what minimum standards of behaviour are expected of employees in order that their conduct is aligned with those values. Codes of conduct cannot account for every nuanced situation; nor do they override applicable laws and regulations. Rather they are a common set of expectations or standards that are used to promote the fair and responsible conduct of business.

Codes of conduct generally include expectations regarding how employees interact with each other, with customers and clients, and with the organisation’s leadership team. An important consideration, therefore, is that if your organisation’s code of conduct contains a value or responsibility that places importance on the use of confidential information (this may come under the auspices of discretion, conflicts of interest, client interaction or use of client or company materials), then your confidentiality regime must enable this, and you must ensure your employees are aware of that regime and properly educated in to perform their work within its four corners.

Ensuring & measuring effectiveness

Testing, measuring and improving is one of the most important aspects of governance. Without measuring the effectiveness of systems, policies and processes, including whether they are broadly understood and respected by those who are expected to operate within them, the impact of governance structures may be significantly reduced. Organisations need to be asking whether the people who work within governance frameworks understand and respect them. Policies that promote understanding and compliance by being appropriately tailored to staff and the type of work they do is fundamentally important. Further, when it comes to governance, the drafting of structures, processes and policies that reflect the applicable laws and regulations, the legal risks and the potential opportunities facing the organisation is important, but it is also critical that the policies are widely promoted so staff know they exist, with education provided to staff that highlights (i) the outcome the specific governance structure is designed to achieve; and (ii) what staff need to do to comply. It cannot simply be a case of “because the law says so”: buy-in, understanding and compliance from employees is more easily achieved and effective when employees clearly understand and accept:

• what it is a policy is designed to achieve, whether it is to leverage an opportunity, minimise a risk, protect the organisation, or in many cases, protect individual staff members themselves; and
• what the consequences of policy non-compliance are, and what these consequences of non-compliance might mean for the organisation’s ongoing ability to conduct its business.

What should I do now?

If those at PwC’s top table apparently did not understand or respect the obligations imposed on them by confidentiality agreements to which they were subject, how could PwC expect its staff to?

That being the case, you should now be asking yourself whether your business:

• Has a clear and simple confidentiality policy which is understood by staff and which includes processes around the destruction, return or retention of material;
• Has a repository of confidentiality agreements – maintained by your-inhouse legal team – that people are encouraged to access and check as appropriate to determine whether there are any limitations or conditions on the use of certain information;
• Provides specialised training for staff on the different types of information your organisation is seeking to protect, including why it is sensitive and the consequences of it getting out into the marketplace;
• Regularly and objectively reviews and tests the effectiveness of the confidentiality regime, most importantly, including whether staff understand and apply it;
• Has a code of conduct with standards of behaviour that are underpinned by complementary governance arrangements that enable compliance;
• Has a culture where staff, especially executive staff, understand why there are minimum standards of behaviour and are motivated to comply with them, for their own best interests and in the best interests of their colleagues and stakeholders; and
• Has recently tested and measured the levels of understanding and effectiveness of its confidentiality regimes and codes of conduct.

If the answer is no to any of the above questions: take action now.