Data protection is a fast-developing area of law and one that carries an increasing risk for all organisations, including law firms.
Last year 167 law firms were investigated by the Information Commissioner’s Office (‘ICO’) for potential data breaches, leading the ICO to issue a warning to lawyers to keep their clients’ personal information secure. The ICO said:
“The number of breaches reported by barristers and solicitors … is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”
Lawyers collect and hold vast quantities of personal information about their clients, employees and other individuals that they have dealings with. This information must be ‘processed’ in accordance with the Data Protection Act 1998 (‘the DPA’). It’s important to appreciate that the DPA doesn’t only apply to personal information held electronically; it also applies, in many circumstances, to paper.
Advances in technology, resulting in the widespread use of the internet and the proliferation of portable digital media such as laptops, tablets and smartphones, have enabled information to be collected, used and disseminated on an unprecedented scale. This has brought great benefits but has also increased the risk of information being misused, lost, stolen or destroyed.
The aim of the DPA is to protect people’s privacy by controlling how businesses use the personal information they have obtained about those people. It does so by requiring compliance with eight data protection principles.
One of these principles is that personal data must be protected against unauthorised access, accidental loss, theft, destruction or damage. The DPA requires data controllers to have in place both appropriate technical and organisational security measures to prevent any of these happening.
But the requirements of the DPA go beyond the way information is stored or transmitted; they relate to the security of every aspect of the processing of personal data. This means that law firms should put in place security measures to ensure that:
- Only authorised people can access, alter, disclose or destroy personal data;
- Those people only act within the scope of their authority; and
- If personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
Recently it emerged that a solicitor, who had taken paper files out of the office, had dropped some documents from those files in a street on her way home. These documents included a doctor’s report, a mental health and psychiatric report and other correspondence from medical professionals and identified a number of individuals involved.
This unfortunate incident meant that the solicitor’s employer was in breach of the DPA. The ICO carried out an investigation, which concluded that staff had not been given sufficient training about the importance of data protection.
This led to the solicitor’s employers taking “appropriate disciplinary action”, introducing mandatory data protection training for staff, amending their data protection policy and putting in place a new home-working policy which included guidance for staff on the security of paper documents.
There are a number of tools available to the ICO for breaches of the DPA. The most serious of these is the issue of a monetary penalty notice (a fine) of up to £500,000. (This will increase to 5% of turnover when the European Data Protection Regulation comes into force.)
In addition to a fine from the ICO, as the result of a recent Court of Appeal decision, there’s now the possibility of being sued by those individuals whose personal information has been compromised.
This means that the risk to law firms of suffering significant financial and reputational damage as the result of a breach of the DPA has never been higher.
That risk needs to be managed. As a first step, it’s essential that all staff, whether they be support staff, lawyers or Partners, have effective training to raise their awareness of the importance of data protection and what this means in practice.
In addition, someone senior in the firm should be responsible for ensuring that the right physical and technical security measures are in place, backed up by robust policies and procedures. Finally, firms need to be ready to respond to any breach of security swiftly and effectively.
Robert Wassall
Director, Azon Consulting
1 May 2015