Anonymisation and Chinese walls

A whole new approach to information barriers may be required, which may or may not include anonymisation strategies. Until that happens, the benefits of enforcing a hard-line anonymisation policy may no longer outweigh the costs. By Catherine Flutsch, Bird & Bird

Many firms have a policy of anonymising know-how prior to its submission to the firm’s know-how system. Anonymisation is the process of removing information that may identify the parties involved or any other commercially sensitive data. There are no hard and fast rules about how to anonymise know-how because what constitutes sensitive and/or identifying information varies depending on the parties and sectors involved and the matter type. For example, for specialists, parties could be identified by what might otherwise be an innocuous combination of deal type and sector.

Some firms allow lawyers and authors to decide, on a case-by-case basis, whether anonymisation is necessary or appropriate. Some firms have hard-line policies requiring all know-how to be fully anonymised prior to submission. The usual reason given for this is that a hard-line anonymisation policy is part of a broader strategy to create strong information barriers, or as they were more commonly known, Chinese walls.

Knowledge managers know that a carefully enforced hard-line anonymisation policy (or indeed any anonymisation policy) will often act as a barrier to know-how submission. Busy lawyers do not want to take the time or the responsibility to anonymise know-how. Most firms with hard-line policies believe that the benefits of being able to demonstrate strong Chinese walls outweigh the costs of not having all the latest know-how available to their lawyers on their system.

In 2006, new rules were included in the Solicitors Practice Rules 1990 that recognise, for the first time, the role of information barriers in certain conflict situations. The Confidentiality and Disclosure Guidance Explanatory Notes (the Explanatory Notes) set out criteria that, together, may be appropriate to demonstrate the adequacy of an information barrier.

For the purposes of information barriers, we must assume that all electronic sources of information may contain confidential information. Such sources include: e-mail; document-management systems, including matter and shared drives; intranets, including partner intranets; client-relationship management systems; a firm’s know-how system; time-recording software; and, the financial/accounting systems.

In the Explanatory Notes, among the criteria that together might demonstrate the adequacy of an information barrier, there are only three that directly relate to information held or distributed on computer.

Criteria 45(f) requires that only members of a restricted group have access to documents containing confidential information. Consequently, even the complete anonymisation of documents in a firm’s know-how system would not, of itself, meet this criterion given the remaining sources of electronic information available within a firm.

Criterion 45(h) states that confidential information on computer systems must be protected by the use of separate computer networks or through use of password protection or ‘similar means’. Again, even complete anonymisation would not, on its own, satisfy this requirement.

Criterion 45 (n) requires that the firm must implement a system for the opening of post, receipt of faxes and distribution of e-mail, which would ensure that confidential information is not disclosed to anyone outside the restricted group. This criterion is not directly relevant to know-how systems

Consequently, even a hard-line anonymisation policy, on its own, would not meet any of the criteria relating to electronic sources of information. Further, even the most sanitised of information barriers may not be sufficient in certain conflict situations. Collins J concluded that: “…I cannot see, even with a firm [that size], that any effective barriers could be put in place given the very large numbers of people concerned even on the two matters in relation to which I have details of the personnel involved…it seems to me that…Chinese walls would not be perceived to be – perception here is very important – sufficient.”1

A hard-line policy together with policies that addressed each source of electronic information might go some way toward meeting the criteria relating to information held or distributed on computer. However, these criteria represent only a fraction of the criteria listed in the Explanatory Notes, which address issues such as associate supervision, undertakings, the physical separation of a restricted group of lawyers, etc. A whole new approach may be needed to information barriers, which may or may not include an anonymisation policy. Until that happens, the new rules mean that the benefits of enforcing a hard-line anonymisation policy may no longer outweigh the costs. ?

Reference
1. Marks and Spencer plc v Freshfields Bruckhaus Deringer [2004] All ER 773