Panic spread through a recent virtual seminar when the organisers realised that a barrister attending had decided to join the event while simultaneously undertaking a client conference. This member of the Bar had joined the Microsoft Teams call without muting their microphone and, despite the warnings and shouts being directed towards this individual, continued to discuss their privileged instructions for the entire seminar to hear.

While this was a clearly avoidable personal data breach (and an issue which the Bar Standards Board would likely investigate) it represents a serious example of a mistake that might occur more often in the world of virtual home working. It is not uncommon for an email containing personal data to be sent to the wrong email address; and with an increasing number of virtual hearings the scope for data breaches has increased.

So what are the requirements if a data breach occurs? If you send an email to the ‘wrong clerks’, are you required to notify the Information Commissioner immediately, or is there some scope for discretion? This article sets out five considerations for when you are concerned that there has been a personal data breach.

1: Has there actually been a personal data breach?

Not every misdirected email constitutes a breach. Consider whether any personal data has in fact been lost. Anonymisation and/or pseudonymisation is encouraged exactly because there is always a potential for information to be lost or stolen. Anonymised information is defined within the General Data Protection Regulation (GDPR), at Recital 26, as ‘…information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. The GDPR does not apply to anonymised information. Therefore, if the misdirected email, or lost memory-stick, only contains anonymised data then there is no need to act.

Pseudonymisation is defined within the GDPR, at Article 4(5), as ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual’. Unlike anonymisation, pseudonymisation techniques will not exempt a controller from the duties contained within the GDPR. However, if the process of pseudonymisation requires additional information that remains secure then loss does not necessarily result in a personal data breach. For example, if de-pseudonymisation requires a hard-copy list which associates identification numbers to personal details, and the single copy of the list is in a locked filing cabinet, then no personal data has been lost. This will be a matter of fact and degree.

2: Can the data breach be contained?

If personal data has been lost or stolen, you must first determine the extent of the breach. This will include assessing what personal data has been lost and the reason for the breach. So far as is possible, you must then limit the dissemination of the personal data.

In the simplest example, a misdirected email, it is possible that the email could be recalled, or that the person to whom it was addressed could be asked to delete the email before reading it. If you are confident that the breach has been contained, and that there is not a ‘risk to the rights and freedoms of the individual’, then there is no need to take any further steps.

It is ‘risk’ that is the trigger for notification. Risk should be assessed in accordance with the likelihood and severity of the impact on the individual (see: GDPR, Recitals 75 and 76). Therefore, if you are content that the lost personal data can be retrieved, or safely deleted, then there is no need to report this breach to either the Information Commissioner or the individual impacted.

3: When do I need to notify the Information Commissioner’s Office (ICO)?

Notification to the ICO is required if there is ‘a risk to the rights and freedoms of individuals’. Consider the type of breach; the nature, sensitivity and volume of personal data; the ease with which the individuals could be identified; and the severity of the consequences for the individuals. An accidental breach which results in the loss of a single person’s home address is unlikely, without more, to result in a risk to the rights or freedoms of an individual. By contrast, a loss of financial information, for multiple clients, following a targeted cyberattack, represents a risk which would trigger notification.

If you are required to report a data breach then you must notify the ICO within 72 hours of the time at which you become aware of the breach. The ICO website provides a form for reporting a personal data breach, and directions to submit the form online.

The ICO also provides a self-assessment tool and a telephone helpline to provide advice on whether a notification is required. Please do not think that a declaration to the ICO is going to be met with immediate punishment. When you consider the enforcement action that has been conducted by the ICO, since GDPR, monetary penalties have only been issued to limited or incorporated companies. Further, the notification form includes, as a ‘reason for report’, an option: ‘I do not consider the incident meets the threshold to report, however I want you to be aware.’ If you have made a mistake, which requires a declaration, sanction is far from inevitable.

4: When do I need to notify an individual?

Communication of a breach to an individual is only triggered where it is likely to result in a ‘high’ risk to their rights and freedoms. The same considerations apply as for notification to the ICO; however, as data controllers, barristers are likely to be in possession of ‘particularly sensitive’ personal data, the loss of which would create a ‘significant risk’ to an individual’s rights and freedoms (see: GDPR, Recital 51). You must consider whether there is any special characteristic of the individual which renders them particularly vulnerable. A misdirected email containing a person’s home address could be a catastrophic breach if the individual is the subject of a physical threat by another. In that instance there is a clear duty to notify the individual as soon as possible.

5: You must record the breach

Regardless of whether a breach requires notification, Article 33(5) of the GDPR requires a data controller to record a data breach: ‘The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.’

Barristers are registered as individuals with the ICO; therefore, it is a personal duty, rather than a requirement of Chambers, to ensure that personal data breaches are recorded.

Digital home working may mean that the days of leaving a paper brief on the train home are a thing of the past. However, failing to follow practical advice for secure home working, or a lack of consideration or care in relation to cybersecurity, means that a data breach remains a real problem for those at the Bar. The Bar Council has provided detailed guidance on the steps to take when there has been a breach. Barristers must be aware of their duties if personal data is lost, whether through accident or from a cyberattack.