To what am I alluding? The following is a true story. A barrister went away on holiday, leaving her home in the care of two plumbers who were fitting a new boiler. She stressed the need for them to secure the premises and set the alarm when they had finished work. When she returned from holiday, her purse and laptop were missing.
Unfortunately, the laptop contained highly sensitive information about the people she was representing, and it had insufficient technical security to protect it. In this instance the result was an undertaking given to the Information Commissioner’s Office (ICO), published on the ICO’s list of enforcement actions, rather than a penalty. There is no guarantee, however, that the ICO will continue to be satisfied with an undertaking. To put the matter in sobering perspective, the maximum penalty for the worst cases is currently £500,000, and the Bar Mutual Indemnity Fund (BMIF) has indicated that its policy does not automatically cover such penalties. In other words, you literally cannot afford to ignore this.
What do you need to know? Let me start with the basics:
- Data Protection comes from statute, unsurprisingly known as the Data Protection Act 1998;
- If you have personal information (known as “personal data” in the Act) about individuals relating to your work on your computer, you control this information. For the purposes of the Act, you are known as a “data controller”. Your Chambers is NOT the data controller. Merely backing up personal data still does not make the Chambers a data controller. Remember it is your responsibility to register yourself as a data controller with the Information Commissioner;
- Some information is classified by the Act as “sensitive personal data” – information about health, religion, sexual orientation, criminal offences (and some other matters) – and attracts stricter conditions for processing;
- Data controllers are required to process data in compliance with the Act. The Act sets out 8 Principles. Most relevant for this article about security is the 7th. It requires that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”;
- You should also be aware of the 8th Principle. “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. Please use service providers in the EEA where you can.
All very interesting, you will say, but what do you actually have to do? Your Bar Council IT panel has drafted “Guidelines on Information Security” which is a splendid read if you have time. Since most of you don’t have the time, I will summarise its “Recommendations”:
- Remember that all sorts of electronic gadgets store personal information – desktop computers, iPads (another name for a computer), laptops, standalone hard drives, smartphones, PDAs, USB memory sticks – in fact every device that could hold personal information.
- Ensure that (a) you know where these devices are – it’s easy to forget where you put your USB stick; (b) you keep them secure – for instance, don’t leave them in cars overnight (burglars like garages as well as flats and houses) and lock them away if you are going away; (c) you don’t leave them in a public place (except, of course, a locked courtroom); (d) best of all, the data you carry is encrypted (see below); and (e) your screen cannot be overlooked – letting the world see your clients’ private and very personal information is not compatible with lawful processing.
- Think about electronic security measures too: the DPA covers accidental loss or destruction of data as well as theft. Install anti-virus, anti-spyware and firewall software and keep them up to date. If you are not on a Chambers network, install operating system updates when they are offered.
- Equally, try to avoid downloading “malware” (variously known as viruses, Trojan horses, worms etc), whose purpose is to destroy, corrupt or quietly copy the data you are holding. So don’t open attachments or run programs from sources you don’t know and trust, and remember that the sender’s name on an email is easily forged.
- At the very least, use a strong password on your computer to prevent easy access: at least 9 characters, mixing numbers with upper and lower case letters, and longer if you can manage it. Do not build it from your initials, your birthdate or anything else a stranger could find out about you; those are the first things an attacker tries, and a combination of them is no harder to guess for being written in mixed case. Several unrelated words strung together is both easier to remember and harder to guess. Change it if you have any reason to think it has been exposed, and use a different password for each device.
- Get used to using encryption software; this is not Star Wars futuristic stuff. It exists now. Indeed, professional clients (e.g. the Government) may have already mandated the use of encryption software. This is what the Information Commissioner recommends.
- Try to use “whole disk encryption” software. This means that all of the data held on your computer’s storage device (hard drive) is rendered unintelligible to anyone who tries to read it without the key. This is not achieved by password protection. Nor is it achieved by a security dongle (the device which generates a seemingly random number to allow you access to your Chambers network). Without encryption, the hard drive can simply be removed, inserted in another computer and the contents read, login password or not. Note also that whole disk encryption protects a machine that is switched off; once you have logged in, the data is readable by anyone at the keyboard, so lock the screen when you step away and shut the laptop down (rather than merely putting it to sleep) before you travel with it.
- Whilst most of you will have your own laptop/desktops, it is quite conceivable that you may email work home (e.g. editing an opinion) and then store it on the home computer. You still remain responsible for this data. You then need to apply “folder encryption” – i.e. you secure your own, rather than family, folders. This should include the User Profile folder.
- On the subject of email, note that this is a potentially insecure method of communicating sensitive information. You should agree with your client what encryption to use – and, at the risk of stating the obvious, don’t send your solicitor the decryption password in the same email as the encrypted attachment. Pass it by a different route, such as a phone call.
- Ensure that any mobile phone, smartphone or PDA that receives your email is protected by a passcode and, where the device supports it, encrypted.
- Wi-Fi hotspots are now omnipresent. Public access points are generally neither secure nor encrypted: if you can log on, so can everyone else, who can then mind your business for you. Seek a secure network access point, and if you have a wireless network at home, make sure it too is secured with strong encryption (WPA2, not the obsolete WEP).
- Make sure any device, code or password for emergency recovery of encrypted data is kept securely, and separately from the machine it unlocks: a recovery key on a note in the laptop bag defeats the encryption entirely.
- Back up your work-in-progress, encrypt the backup as well (a backup disk holds exactly the same data as the laptop) and lock the backup media away.
- Talking of storage, the latest fad is “cloud computing”. Nothing to do with fluffy things in the sky. Roughly speaking “it’s a one million kilometre subsea fibre optic leviathan connecting 2.2 billion people to each other and to 200 million terabytes of data stored on 44 million servers, consuming 1.5% of the world’s electricity,” (The Times). Increasingly, service providers will offer to store your data for you somewhere in this cloud. Obviously, you have no idea where. Bearing in mind what I have said, this should give rise to some concerns. If you are dealing with a cloud service provider make sure you have sufficient safeguards in matters of confidentiality, security, reliability, availability and data deletion procedures.
- Shred (cross-cut shredding) or otherwise dispose securely of unwanted CDs, and wipe (the IT term for overwriting every part of the disk so that nothing can be recovered – no, a kitchen cloth won’t do) or remove and destroy the disk drives when you dispose of your computer. Please note: merely deleting files is inadequate, and so is reformatting; both remove only the index to the data and leave the data itself on the disk for anyone with recovery software to find.
- Those of you who are now hooked on Data Protection should also note that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”. (DPA 5th Principle). As a barrister, it may be quite justifiable to keep data for seven, twelve or even fifteen years depending on the circumstances but please occasionally review what you are holding and delete what you don’t need.
- Much of this will seem obvious. Many of you probably take some or all of these precautions already. As I said at the beginning of this article, we have written it as a reminder of best practice, to try to explain simply some new or unfamiliar concepts – and to try to avoid any of you having to deal with the ICO.
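The password rule in the list above can be checked mechanically, and doing so shows why a password built from your own details is a poor one. What follows is an added example written for this article, not part of the Bar Council guidelines: a small Python checker that applies the 9-character mixed-class rule and then rejects any password that is nothing but a concatenation of the owner’s initials and birthdate in their common forms. The name and date of birth are constructed, not those of any real person.

```python
import math
import string

# Constructed details for a hypothetical barrister; not a real person.
FACTS = {"name": "Jane Doe", "dob": "1970-06-15"}   # dob as YYYY-MM-DD


def policy_ok(pw):
    """The rule stated in the article: at least 9 characters, using digits
    plus upper- and lower-case letters."""
    return (len(pw) >= 9
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw))


def charset_bits(pw):
    """Upper bound on guessing difficulty: bits of entropy if every character
    had been drawn at random from the character classes present. A password
    made of words or dates is far weaker than this figure suggests."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def personal_tokens(facts):
    """The forms of a person's details an attacker tries first: names and
    initials in either case, and the date of birth written the usual ways."""
    names = facts["name"].split()
    initials = "".join(n[0] for n in names)
    year, month, day = facts["dob"].split("-")
    tokens = {initials.lower(), initials.upper(), initials.capitalize(),
              day + month + year, day + month + year[2:],      # 15061970, 150670
              month + day + year, year + month + day, year, year[2:]}
    tokens |= {n.lower() for n in names} | {n.capitalize() for n in names}
    # Longest first so that the tiling below prefers '150670' over '70'.
    return sorted((t for t in tokens if len(t) >= 2), key=len, reverse=True)


def built_from_personal_data(pw, facts):
    """True if the whole password can be tiled with personal tokens,
    e.g. 'jd150670JD' = 'jd' + '150670' + 'JD'."""
    if not pw:
        return False
    tokens = personal_tokens(facts)
    rest = pw
    while rest:
        for t in tokens:
            if rest.startswith(t):
                rest = rest[len(t):]
                break
        else:
            return False
    return True


def assess(pw, facts):
    """Returns (accepted, reason). The personal-data check runs first because
    a password such as 'jd150670JD' satisfies the length and mix rule while
    being guessable from the owner's name and date of birth."""
    if built_from_personal_data(pw, facts):
        return False, "built entirely from initials and birthdate"
    if not policy_ok(pw):
        return False, "under 9 characters or lacking digits, upper or lower case"
    return True, f"~{charset_bits(pw):.0f} bits at best"


if __name__ == "__main__":
    for candidate in ("jd150670JD", "Tq7xR2mLp", "short1A"):
        print(candidate, assess(candidate, FACTS))
```

The point of running the personal-data check before the character-class rule is that the two are independent: “jd150670JD” is ten characters of mixed case and digits and passes the rule, yet is one of the first strings anyone who knows the owner’s name and birthday would try.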
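Two of the points in the list above, that a login password does nothing once the drive is in another computer and that deleting or reformatting does not remove data, are easier to see on a model than in prose. The following Python model of a drive is an added illustration, not code from the guidelines or from any encryption product: a directory table plus raw data blocks, readable in sequence the way a thief with the drive in a USB caddy would read them. The per-block cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES-XTS used by real whole-disk encryption products (BitLocker, FileVault, LUKS); the client text is constructed.

```python
import hashlib
import hmac
import os

BLOCK = 64   # bytes per data block in this model

# Constructed client text; no real matter or person.
SENSITIVE = b"Client: J. Smith. Instructed re alleged assault; psychiatric report attached."


class Disk:
    """A drive as a thief sees it once it is out of the laptop: a directory
    table plus data blocks that can be read in any order, no login required."""

    def __init__(self, nblocks=16, login_password="letmein"):
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]
        self.directory = {}                    # filename -> block numbers
        self.free = list(range(nblocks))
        self.login_password = login_password   # the OS login; NOT an encryption key

    def _store(self, idx, chunk):              # plaintext straight to the platter
        self.blocks[idx][:] = chunk.ljust(BLOCK, b"\0")

    def _load(self, idx):
        return bytes(self.blocks[idx])

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self._store(idx, chunk)
            used.append(idx)
        self.directory[name] = used

    def read_file(self, name, password):
        """The normal route: log in, then read through the file system."""
        if password != self.login_password:
            raise PermissionError("wrong login password")
        return b"".join(self._load(i) for i in self.directory[name]).rstrip(b"\0")

    def delete(self, name):
        """'Delete' forgets where the file was; its blocks are untouched."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """Reformatting writes a fresh, empty directory; blocks are untouched."""
        self.directory.clear()
        self.free = list(range(len(self.blocks)))

    def wipe(self):
        """A real wipe overwrites every block, used or not."""
        for b in self.blocks:
            b[:] = os.urandom(BLOCK)
        self.quick_format()

    def raw_dump(self):
        """What the thief reads by attaching the drive to another computer."""
        return b"".join(bytes(b) for b in self.blocks)


def derive_key(passphrase, salt):
    """Passphrase -> 256-bit key via PBKDF2-HMAC-SHA256. This passphrase, not the
    OS login, is the secret that protects the data."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def block_cipher_xor(key, block_index, data):
    """Keystream = HMAC-SHA256(key, block_index || counter), XORed over the block.
    Deterministic per block so any block can be read on its own, as with the XTS
    mode real products use. Stand-in for illustration; use a real product."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        msg = block_index.to_bytes(8, "big") + counter.to_bytes(8, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedDisk(Disk):
    """Same drive, but every block is encrypted before it reaches the platter."""

    def __init__(self, passphrase, nblocks=16):
        super().__init__(nblocks)
        self.salt = os.urandom(16)                        # stored in the clear on disk
        self._key = derive_key(passphrase, self.salt)    # in RAM only while unlocked

    def _store(self, idx, chunk):
        self.blocks[idx][:] = block_cipher_xor(self._key, idx, chunk.ljust(BLOCK, b"\0"))

    def _load(self, idx):
        return block_cipher_xor(self._key, idx, bytes(self.blocks[idx]))


def thief_can_read(disk, action=None):
    """Store the opinion, optionally 'delete' it or 'quick_format'/'wipe' the
    drive, then read the raw blocks as a thief would. True if the text shows."""
    disk.write_file("opinion.txt", SENSITIVE)
    if action == "delete":
        disk.delete("opinion.txt")
    elif action is not None:
        getattr(disk, action)()
    return SENSITIVE in disk.raw_dump()


if __name__ == "__main__":
    for label, disk, action in (("plain drive", Disk(), None),
                                ("after delete", Disk(), "delete"),
                                ("after reformat", Disk(), "quick_format"),
                                ("after wipe", Disk(), "wipe"),
                                ("encrypted drive", EncryptedDisk("long private phrase"), None)):
        print(f"{label:16} thief can read: {thief_can_read(disk, action)}")
```

The login password guards only `read_file`; `raw_dump` never asks for it, which is exactly the position of a drive pulled from a stolen laptop. Delete and quick format change the directory and nothing else, so the text is still there; only a wipe (every block overwritten) or encryption at rest removes it from the raw blocks. In the encrypted case the key lives in memory while the machine is unlocked, which is why a laptop left asleep in a bag is not protected in the way a powered-off one is.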
Next month, information security for physical materials.
Graham Cunningham, Hardwicke Chambers, with contributions from Iain Mitchell QC, Clive Freedman and Jacqueline Reid of the Bar Council IT Panel