*/
Do we need protection from data protection? asks David Taylor as he warns barristers of their duties under the Data Protection Act 1988 .
Barristers and their chambers can no longer be complacent about their duties under the Data Protection Act 1998 (DPA), and fines of up to £500,000 are now within the power of the Information Commissioner’s Office (ICO). Worse still: if you fight your corner in court, then unlimited fines and up to five years in prison are added to the armoury. If that weren’t incentive enough to keep your data safe, many breaches of the act are also criminal offences of strict liability.
There’s no doubt that we’ve enjoyed a honeymoon period while the ICO gave us all time to come to grips with our responsibilities under the act. This period of grace is now over, and 2011 saw action taken against barristers for what many might see as “blameless” breaches. One barrister left a case containing her papers on a train, and another had her papers stolen from a locked car. In November 2011, a QC had her unencrypted laptop stolen from her locked home - and only avoided a fine because the relevant breach occurred in 2010, before the ICO received its new powers.
All three were issued with undertakings from the ICO to improve their security measures. Although fines were avoided, damage to reputation is always very difficult to value. The Bar Council clearly recognises that practices must change, and the new and improved BARMARK standard due for launch in April puts a far greater emphasis on DPA compliance. Much of the personal data held by counsel is sensitive personal data, so the stakes are high.
In other sectors, fines of between £60,000 and £130,000 have been issued for breaches such as the loss of an unencrypted laptop, an email sent to the incorrect recipient, and a letter inadvertently collected from a shared printer and posted to the wrong recipient.
Individual barristers
For the individual barrister, the steps required to minimise your liability are straightforward.
Notification (registration) with the ICO is a legal requirement. The ICO has made notification easy with the template ‘N812 - Individual barrister’, and this will suffice for most. The two greatest risks of breach are loss of personal data and distribution of data to unauthorised persons.
You should assess the potential consequences of a breach by considering the sensitivity of the personal data you’re handling, and implement protective measures accordingly. Sensitive personal data (for example, your client’s social worker’s report) would warrant much greater security than their name and address, and the following steps should be in place:
When you no longer need to hold onto personal data
You cannot keep a client’s personal data indefinitely or, indeed, longer than necessary. You should have a system for deciding when data is destroyed or archived. When an electronic device comes to the end of its life, you must have all of the data securely destroyed. There are software products which can do this, but the best option is to use a company which will provide a certificate of secure destruction.
You are responsible for others’ actions
As the data controller, you’re entirely responsible for the personal data that you process - and which others (eg clerks) process on your behalf. So make sure everybody fully understands their responsibilities.
Chambers
Chambers have many of the same risks and responsibilities as the individual barrister, but with additional hazards.
Notification for chambers is more complex and depends on their administrative or commercial structure. For those chambers with the traditional model of a self-employed senior clerk taking a commission, the clerk is the data controller. However, the majority of chambers now employ all their staff, in which case the head of chambers is the data controller. Other business models may differ. The ICO website has a very helpful document: “The Data Protection Act 1998 Notification of Barristers’ Chambers”, which explains in detail which notification version applies to you.
Common notification errors are:
Governance
Make sure you have a robust information governance policy, and that everyone has read and understands it; the same goes for your data-breach and privacy policies. These documents form the foundation for data-protection training.
It is essential to have data processing contracts with any data processors you use (the most common would be an external accountant used for payroll). In the event of a breach, the ICO will prosecute you, not the accountant, even if it’s their fault! The data processing contract is a legal requirement under the act and provides you with, inter alia, warranties and guarantees should the data processor fail to comply.
IT
Avoiding common errors
Email and fax policies are critically important, and you should ensure that staff never stray from them:
Human resources
Human resources is a veritable rats’ nest of potential breaches!
Summary
The consequences of not complying with the act may be daunting, but making the necessary changes needn’t be. Having the appropriate systems in place (and following them) provides good mitigation when mistakes do happen.
David Taylor, Data Protection Consultancy Ltd.
There’s no doubt that we’ve enjoyed a honeymoon period while the ICO gave us all time to come to grips with our responsibilities under the act. This period of grace is now over, and 2011 saw action taken against barristers for what many might see as “blameless” breaches. One barrister left a case containing her papers on a train, and another had her papers stolen from a locked car. In November 2011, a QC had her unencrypted laptop stolen from her locked home - and only avoided a fine because the relevant breach occurred in 2010, before the ICO received its new powers.
All three were issued with undertakings from the ICO to improve their security measures. Although fines were avoided, damage to reputation is always very difficult to value. The Bar Council clearly recognises that practices must change, and the new and improved BARMARK standard due for launch in April puts a far greater emphasis on DPA compliance. Much of the personal data held by counsel is sensitive personal data, so the stakes are high.
In other sectors, fines of between £60,000 and £130,000 have been issued for breaches such as the loss of an unencrypted laptop, an email sent to the incorrect recipient, and a letter inadvertently collected from a shared printer and posted to the wrong recipient.
Individual barristers
For the individual barrister, the steps required to minimise your liability are straightforward.
Notification (registration) with the ICO is a legal requirement. The ICO has made notification easy with the template ‘N812 - Individual barrister’, and this will suffice for most. The two greatest risks of breach are loss of personal data and distribution of data to unauthorised persons.
You should assess the potential consequences of a breach by considering the sensitivity of the personal data you’re handling, and implement protective measures accordingly. Sensitive personal data (for example, your client’s social worker’s report) would warrant much greater security than their name and address, and the following steps should be in place:
When you no longer need to hold onto personal data
You cannot keep a client’s personal data indefinitely or, indeed, longer than necessary. You should have a system for deciding when data is destroyed or archived. When an electronic device comes to the end of its life, you must have all of the data securely destroyed. There are software products which can do this, but the best option is to use a company which will provide a certificate of secure destruction.
You are responsible for others’ actions
As the data controller, you’re entirely responsible for the personal data that you process - and which others (eg clerks) process on your behalf. So make sure everybody fully understands their responsibilities.
Chambers
Chambers have many of the same risks and responsibilities as the individual barrister, but with additional hazards.
Notification for chambers is more complex and depends on their administrative or commercial structure. For those chambers with the traditional model of a self-employed senior clerk taking a commission, the clerk is the data controller. However, the majority of chambers now employ all their staff, in which case the head of chambers is the data controller. Other business models may differ. The ICO website has a very helpful document: “The Data Protection Act 1998 Notification of Barristers’ Chambers”, which explains in detail which notification version applies to you.
Common notification errors are:
Governance
Make sure you have a robust information governance policy, and that everyone has read and understands it; the same goes for your data-breach and privacy policies. These documents form the foundation for data-protection training.
It is essential to have data processing contracts with any data processors you use (the most common would be an external accountant used for payroll). In the event of a breach, the ICO will prosecute you, not the accountant, even if it’s their fault! The data processing contract is a legal requirement under the act and provides you with, inter alia, warranties and guarantees should the data processor fail to comply.
IT
Avoiding common errors
Email and fax policies are critically important, and you should ensure that staff never stray from them:
Human resources
Human resources is a veritable rats’ nest of potential breaches!
Summary
The consequences of not complying with the act may be daunting, but making the necessary changes needn’t be. Having the appropriate systems in place (and following them) provides good mitigation when mistakes do happen.
David Taylor, Data Protection Consultancy Ltd.
Do we need protection from data protection? asks David Taylor as he warns barristers of their duties under the Data Protection Act 1988.
Barristers and their chambers can no longer be complacent about their duties under the Data Protection Act 1998 (DPA), and fines of up to £500,000 are now within the power of the Information Commissioner’s Office (ICO). Worse still: if you fight your corner in court, then unlimited fines and up to five years in prison are added to the armoury. If that weren’t incentive enough to keep your data safe, many breaches of the act are also criminal offences of strict liability.
The new Bar Council earnings report presents a collective challenge for the self-employed Bar, remote hearings are changing and Bar Conference is back next month
Launch of the Institute of Neurotechnology and Law
Paul Magrath of ICLR recalls the chequered history of law reporting prior to the 1865 establishment of a Council of Law Reporting
Leading drug, alcohol and DNA testing laboratory, AlphaBiolabs, has made a £500 donation to North West charity Child Concern as part of its Giving Back campaign
Gail Evans, Technical Trainer at AlphaBiolabs, examines the latest trends in illicit drug use as seen in the laboratory, from designer drugs to ‘unexpected’ substances in a donor’s sample
Louise Crush explores the value you can measure in monetary terms alongside the many non-tangible benefits to working with a financial adviser
By Professor Jo Delahunty KC, Kate Brunner KC and Dr Ann Olivarius KC (Hon) OBE
The ‘non-party political’ employment silk advising Labour talks to Stephanie Hayward about employer failure to tackle workplace sexual harassment and the urgent need to reinvent whistleblowing culture
From Parliamentary standards to barrister standards – Kathryn Stone OBE, Chair of the Bar’s regulator, talks to Anthony Inglese CB about roots, respect and reviews
Jessica Foster reviews State Trials and Error – fundraising and showcasing the musical and theatrical talent within the legal profession
Alex Goodman KC on why our electoral laws need an urgent upgrade – they were not designed to address the corruption of popular opinion by AI and deepfakes