Regulators safeguard highly confidential information in two respects. The first is within the administration of their own operations where there is typically a significant duty of confidentiality except when a carefully crafted public interest exception applies. The second is in ensuring that registrants strictly maintain the confidentiality of client information, again with rare and usually precise exceptions.
The US case involving Reality Winner is causing reflection on the proper balance between the duty of confidentiality and the public interest in whistleblowing. Reality Winner “was sentenced to 63 months in prison — the longest sentence ever imposed against a civilian for leaking information to the media.” https://www.cbsnews.com/news/reality-winner-espionage-act-60-minutes-2022-07-24/ The sentence has been described as disproportional given that she was revealing information about Russian interference in the election process that the President, the apparent beneficiary of the interference, was minimizing. Ms. Winner stated that her motivation for doing so was patriotic.
While the information protected by regulators does not usually involve state secrets, some analogies can still be made. Although most privacy breaches involve either carelessness or self-centred motivations, some registrants raise whistleblower defences for their breach of confidentiality: Mulligan v Ontario Civilian Police Commission, 2020 ONSC 2031, http://canlii.ca/t/j6fm9. In addition, confidentiality provisions are justified solely on the basis of a compelling public interest in keeping the information private. Concerns have also been raised, especially during the pandemic, that confidentiality expectations have been used to “muzzle” registrants who are conscientiously trying to raise awareness about policies and processes affecting health and, even, the life and death of members of the public: https://www.ctvnews.ca/w5/did-politics-muzzle-a-doctor-who-spoke-out-about-the-ontario-government-s-covid-19-response-1.5833284.
Some of the exceptions to the duty of confidentiality involve disclosure where there is concern about significant harm to individuals. Some of these exceptions are statutory (e.g., reporting where a child is in need of protection) and some are created by case law (e.g., Smith v. Jones, 1999 CanLII 674 (SCC), [1999] 1 SCR 455, https://canlii.ca/t/1fqp9 – where a solicitor was concerned that their client in a criminal case posed a continuing threat to the public). However, there has been little discussion of whether there should be a broader whistleblower exception for regulators and registrants. These issues might arise in the cases currently being processed by regulators relating to public statements made by some registrants during the pandemic.
It will be difficult to develop a principled and consistent approach to the issue. There is legitimate concern about allowing individual regulatory staff or registrants to make personal judgments as to what otherwise confidential and sensitive information should be made public. However, the potentially arbitrary application of confidentiality obligations can also cause harm to society. In the interim, regulators might consider developing internal whistleblower procedures so that there is a mechanism to review potentially over-restrictive interpretations of confidentiality provisions. Regulators can also encourage similar mechanisms in their registrants’ work environments. It is also likely that such countervailing public interest considerations are already being taken into account when screening complaints and imposing sanctions at discipline.