Do we need protection from data protection? asks David Taylor as he warns barristers of their duties under the Data Protection Act 1998.
Barristers and their chambers can no longer be complacent about their duties under the Data Protection Act 1998 (DPA), and fines of up to £500,000 are now within the power of the Information Commissioner’s Office (ICO). Worse still: if you fight your corner in court, then unlimited fines and up to five years in prison are added to the armoury. If that weren’t incentive enough to keep your data safe, many breaches of the act are also criminal offences of strict liability.
There’s no doubt that we’ve enjoyed a honeymoon period while the ICO gave us all time to come to grips with our responsibilities under the act. This period of grace is now over, and 2011 saw action taken against barristers for what many might see as “blameless” breaches. One barrister left a case containing her papers on a train, and another had her papers stolen from a locked car. In November 2011, a QC had her unencrypted laptop stolen from her locked home - and only avoided a fine because the relevant breach occurred in 2010, before the ICO received its new powers.
All three were issued with undertakings from the ICO to improve their security measures. Although fines were avoided, damage to reputation is always very difficult to value. The Bar Council clearly recognises that practices must change, and the new and improved BARMARK standard due for launch in April puts a far greater emphasis on DPA compliance. Much of the personal data held by counsel is sensitive personal data, so the stakes are high.
In other sectors, fines of between £60,000 and £130,000 have been issued for breaches such as the loss of an unencrypted laptop, an email sent to the incorrect recipient, and a letter inadvertently collected from a shared printer and posted to the wrong recipient.
Individual barristers
For the individual barrister, the steps required to minimise your liability are straightforward.
Notification (registration) with the ICO is a legal requirement. The ICO has made notification easy with the template ‘N812 - Individual barrister’, and this will suffice for most. The two greatest risks of breach are loss of personal data and distribution of data to unauthorised persons.
You should assess the potential consequences of a breach by considering the sensitivity of the personal data you’re handling, and implement protective measures accordingly. Sensitive personal data (for example, your client’s social worker’s report) would warrant much greater security than their name and address, and the following steps should be in place:
When you no longer need to hold onto personal data
You cannot keep a client’s personal data indefinitely or, indeed, longer than necessary. You should have a system for deciding when data is destroyed or archived. When an electronic device comes to the end of its life, you must have all of the data securely destroyed. There are software products which can do this, but the best option is to use a company which will provide a certificate of secure destruction.
You are responsible for others’ actions
As the data controller, you’re entirely responsible for the personal data that you process - and which others (eg clerks) process on your behalf. So make sure everybody fully understands their responsibilities.
Chambers
Chambers have many of the same risks and responsibilities as the individual barrister, but with additional hazards.
Notification for chambers is more complex and depends on their administrative or commercial structure. For those chambers with the traditional model of a self-employed senior clerk taking a commission, the clerk is the data controller. However, the majority of chambers now employ all their staff, in which case the head of chambers is the data controller. Other business models may differ. The ICO website has a very helpful document: “The Data Protection Act 1998 Notification of Barristers’ Chambers”, which explains in detail which notification version applies to you.
Common notification errors are:
Governance
Make sure you have a robust information governance policy, and that everyone has read and understands it; the same goes for your data-breach and privacy policies. These documents form the foundation for data-protection training.
It is essential to have data processing contracts with any data processors you use (the most common would be an external accountant used for payroll). In the event of a breach, the ICO will prosecute you, not the accountant, even if it’s their fault! The data processing contract is a legal requirement under the act and provides you with, inter alia, warranties and guarantees should the data processor fail to comply.
IT
Avoiding common errors
Email and fax policies are critically important, and you should ensure that staff never stray from them:
Human resources
Human resources is a veritable rats’ nest of potential breaches!
Summary
The consequences of not complying with the act may be daunting, but making the necessary changes needn’t be. Having the appropriate systems in place (and following them) provides good mitigation when mistakes do happen.
David Taylor, Data Protection Consultancy Ltd.