The Information Commissioner’s Office (ICO) has released a warning to the legal profession after a recent increase in breaches of the Data Protection Act. After reports of 15 incidents in the last three months, the Information Commissioner, Christopher Graham, has voiced his concerns that solicitors and barristers are not putting in place adequate data protection and confidentiality systems.
Lawyers are legally responsible for the information held on or about clients. Anyone found to be in breach of data protection laws can face fines of up to £500,000 where the breach could cause substantial damage or distress to the persons involved. Due to the often sensitive nature of the information held by legal practitioners, potential breaches are high risk and may meet the threshold for financial penalty.
Beyond data protection laws:
Keeping your clients’ personal information protected and confidential is not only a statutory obligation, but is also a professional duty imposed by the SRA Code of Conduct. All eyes are now going to be on law firms and so it is absolutely vital that you ensure your confidentiality and data protection policies are implemented and operating effectively.
Only keep client papers and data for as long as necessary. Once safe to do so, dispose of files confidentially.
Any files or folders that are taken out of the office should be kept securely. Be sensible- don’t leave client files in your car overnight and lock them away when they are not in use.
Take only relevant and essential information out of the office. Minimising the information that you take out of the office will reduce the risk of losing everything.
Is it possible to go paperless? Using password protected or encrypted computers and memory sticks will mean that information will be kept secure even if it is lost or stolen.
Beware unencrypted/password protected storage devices.
Ensure all anti-virus software is up-to-date.
Consider when you send confidential information by email whether the information needs to be encrypted or password protected.
Always check the recipient’s details before you send correspondence. Whether it be via e-mail or letter, checking that contact details and addresses are correct will help to avoid unnecessary data breaches.
If you are disposing of an old computer, or other device, ensure that all of the information held on the device is permanently deleted. Check that internal and external hard drives are completely clear before disposal.
If your firm breaches data protection laws or confidentiality duties, it is your COLP’s responsibility to report these failures to the SRA (and ICO in the case of a Data Protection Act breach) and enter them onto your internal breach register. If any patterns arise you should consider whether there is a lack of knowledge in the firm which could be addressed with training. You should review your confidentiality and data protection policies periodically and update them when necessary.
More information can be found at the following:
If you have any other queries regarding your statutory or professional obligations, contact us at firstname.lastname@example.org!