Do we need protection from data protection?

Do we need protection from data protection? asks David Taylor as he warns barristers of their duties under the Data Protection Act 1988.

Barristers and their chambers can no longer be complacent about their duties under the Data Protection Act 1998 (DPA), and fines of up to £500,000 are now within the power of the Information Commissioner’s Office (ICO). Worse still: if you fight your corner in court, then unlimited fines and up to five years in prison are added to the armoury. If that weren’t incentive enough to keep your data safe, many breaches of the act are also criminal offences of strict liability.


There’s no doubt that we’ve enjoyed a honeymoon period while the ICO gave us all time to come to grips with our responsibilities under the act. This period of grace is now over, and 2011 saw action taken against barristers for what many might see as “blameless” breaches. One barrister left a case containing her papers on a train, and another had her papers stolen from a locked car. In November 2011, a QC had her unencrypted laptop stolen from her locked home - and only avoided a fine because the relevant breach occurred in 2010, before the ICO received its new powers.

All three were issued with undertakings from the ICO to improve their security measures. Although fines were avoided, damage to reputation is always very difficult to value. The Bar Council clearly recognises that practices must change, and the new and improved BARMARK standard due for launch in April puts a far greater emphasis on DPA compliance. Much of the personal data held by counsel is sensitive personal data, so the stakes are high.

In other sectors, fines of between £60,000 and £130,000 have been issued for breaches such as the loss of an unencrypted laptop, an email sent to the incorrect recipient, and a letter inadvertently collected from a shared printer and posted to the wrong recipient.

Individual barristers

For the individual barrister, the steps required to minimise your liability are straightforward.

Notification (registration) with the ICO is a legal requirement. The ICO has made notification easy with the template ‘N812 - Individual barrister’, and this will suffice for most.  The two greatest risks of breach are loss of personal data and distribution of data to unauthorised persons.

You should assess the potential consequences of a breach by considering the sensitivity of the personal data you’re handling, and implement protective measures accordingly. Sensitive personal data (for example, your client’s social worker’s report) would warrant much greater security than their name and address, and the following steps should be in place:

  • Papers should always be transported in a locked case. This year, a social worker narrowly avoided a fine when their unlocked briefcase, containing client notes, was stolen.
  • Papers stored at home should ideally be held in a locked filing cabinet.
  • Briefs should never be left on view in your car. They should be transported in the boot and removed when you leave the vehicle.
  • When it comes to portable electronic devices (such as laptops, smartphones, datasticks and external drives), you should encrypt all data held on them. This may be difficult with some smartphones, so make sure they’re PIN-protected and that voicemail is also only accessible by PIN.
  • Email should ideally be by secure email. If this isn’t available, consider other secure options because the security of standard email can be questionable.
  • All paper files should either be returned to the original sender or securely destroyed by shredding.
  • Digital data stored on computers, external storage devices and smart phones must also be securely deleted.

When you no longer need to hold onto personal data

You cannot keep a client’s personal data indefinitely or, indeed, longer than necessary. You should have a system for deciding when data is destroyed or archived. When an electronic device comes to the end of its life, you must have all of the data securely destroyed. There are software products which can do this, but the best option is to use a company which will provide a certificate of secure destruction.

You are responsible for others’ actions

As the data controller, you’re entirely responsible for the personal data that you process - and which others (eg clerks) process on your behalf. So make sure everybody fully understands their responsibilities.

Chambers

Chambers have many of the same risks and responsibilities as the individual barrister, but with additional hazards.

Notification for chambers is more complex and depends on their administrative or commercial structure. For those chambers with the traditional model of a self-employed senior clerk taking a commission, the clerk is the data controller. However, the majority of chambers now employ all their staff, in which case the head of chambers is the data controller. Other business models may differ. The ICO website has a very helpful document: “The Data Protection Act 1998 Notification of Barristers’ Chambers”, which explains in detail which notification version applies to you.

Common notification errors are:

  • Not notifying for CCTV (if you have recording CCTV). You are also required to have clear signs warning those who may be recorded.
  • Not notifying for education if you run CPD accredited seminars.
  • Chambers which are limited often erroneously notify for legal purposes, when this is the function of the barrister rather than the chambers.


Governance

Make sure you have a robust information governance policy, and that everyone has read and understands it; the same goes for your data-breach and privacy policies. These documents form the foundation for data-protection training.

It is essential to have data processing contracts with any data processors you use (the most common would be an external accountant used for payroll). In the event of a breach, the ICO will prosecute you, not the accountant, even if it’s their fault! The data processing contract is a legal requirement under the act and provides you with, inter alia, warranties and guarantees should the data processor fail to comply.


IT

  • The same IT security measures are required as for the barrister. In addition, ensure that staff passwords are changed regularly, that they are strong and that they are not shared.
  • Ask your IT support company for a review of your physical security, backup systems and antivirus systems.
  • Make sure your website has a privacy notice and that it fully meets the requirements.
  • If you have shared PCs for barristers’ use, documents must not be stored locally where another user may access them. Everyone should have their own login.


Avoiding common errors

Email and fax policies are critically important, and you should ensure that staff never stray from them:

  • Using email groups and auto-select for selecting recipients is an absolute no-no: this is how emails get sent to the wrong recipient.
  • Either reply to the original email, or select from the address book. Then double-check it!
  • Never use ‘reply all’, as you have no idea if there is a blind copy in the group.
  • Regular data-protection training sessions are vital. A quick 20- to 30-minute refresher course every quarter is all it takes to keep brains engaged and to nip poor practice in the bud.
  • Be very careful when using shared printers. It’s easy to accidently pick up an extra sheet and post it to the incorrect recipient, or place it in the wrong brief. This mistake cost Powys Council £130,000 in December 2011.
  • Review your building’s security.
  • It is unacceptable to have paperwork or computer displays visible to the public at reception.
  • Make sure your website has a privacy policy. If you use cookies, they must not identify specific visitors. The use of insecure webforms is also a risk you may wish to reconsider.


Human resources

Human resources is a veritable rats’ nest of potential breaches!

  • Only the HR manager should have access to staff files.
  • Remember, sickness records are sensitive personal data and must be kept more securely, and only accessible on a needs-must basis.
  • Equality-monitoring forms must be anonymous.


Summary

The consequences of not complying with the act may be daunting, but making the necessary changes needn’t be. Having the appropriate systems in place (and following them) provides good mitigation when mistakes do happen.

David Taylor, Data Protection Consultancy Ltd.

Category: