*/
In the second part of his feature on information security, Graham Cunningham looks at the guidelines regarding physical material.
Last month, I wrote about your responsibilities under the Data Protection Act 1998 (DPA 1998), concerning electronic processing of personal information. It was designed for your protection and, most especially to avoid you having to give undertakings to the Information Commissioner or pay fines. This month, I want to concentrate on physical material; ie, the paper in the lever arch files that makes up the average brief. Generally speaking, the sort of physical material you get in the average brief does not come within DPA 1998.
The Act, however, does cover manual files where these have been structured in such a way that personal information in them can readily be found without searching. It is then your obligation to treat this information as if it was held in electronic format. If you (or your clerks) do receive briefs in electronic format or you decide to scan physical material and manipulate it, then technically you are processing data and fall within DPA 1998.
That said, you are not absolved from all responsibilities. This is your client’s confidential information and has to be treated as such. Physical confidential information is much wider than the ambit of DPA 1998. The Act is essentially concerned with protecting the privacy of living individuals; confidential information covers everything from written information about individuals to inventions to marketing information and so on.
What to do with confidential information
Your IT Panel would like to restate formally what to do with confidential information:
If you do government or government agency work, you need to comply with the Attorney General’s guidelines on information security to be found at: www.tsol.gov.uk/PanelCounsel/security.htm.
Secure disposal
It is a requirement of DPA 1998 that personal data should not be retained for longer than is required. However, this may be seven years or longer for case files. Accordingly, the retention of personal data should be reviewed regularly. The retention of precedents, pleadings, advices and documents that have been used in open court, from which personal data have been removed by anonymising, is not a breach of DPA 1998.
Chambers should have procedures in place for the secure disposal of confidential material and electronic media (eg, the cross-cut shredding of papers and CD-ROMs) and hard drives.
Barristers who wish to dispose of any computer or electronic media upon which confidential material has been stored must ensure the material is effectively destroyed or wiped using a recognised method to put the data beyond recovery. Merely deleting the files, single-pass overwriting, or reformatting the disk is insufficient. Physical destruction or the use of specialist deletion and overwriting software is necessary.
Further information
This completes the IT Panel’s summary on how to treat both electronically processed and written information. It would be happy to answer queries from barristers.
Please contact Alexandra McHenry (AMcHenry@BarCouncil.org.uk).
Rule 702 of the Code of Conduct states:
“Whether or not the relation of counsel and client continues a barrister must preserve the confidentiality of the lay client’s affairs and must not without the prior consent of the lay client or as permitted by law lend or reveal the contents of the papers in any instructions to or communicate to any third person (other than another barrister, a pupil, in the case of a Registered European Lawyer, the person with whom he is acting in conjunction for the purposes of paragraph 5(3) of the Registered European Lawyers Rules or any other person who needs to know it for the performance of their duties) information which has been entrusted to him in confidence or use such information to the lay client’s detriment or to his own or another client’s advantage.”
Graham Cunningham, with contributions from Iain Mitchell QC, Clive Freedman and Jacqueline Reid of the Bar Council IT Panel
The Act, however, does cover manual files where these have been structured in such a way that personal information in them can readily be found without searching. It is then your obligation to treat this information as if it was held in electronic format. If you (or your clerks) do receive briefs in electronic format or you decide to scan physical material and manipulate it, then technically you are processing data and fall within DPA 1998.
That said, you are not absolved from all responsibilities. This is your client’s confidential information and has to be treated as such. Physical confidential information is much wider than the ambit of DPA 1998. The Act is essentially concerned with protecting the privacy of living individuals; confidential information covers everything from written information about individuals to inventions to marketing information and so on.
What to do with confidential information
Your IT Panel would like to restate formally what to do with confidential information:
If you do government or government agency work, you need to comply with the Attorney General’s guidelines on information security to be found at: www.tsol.gov.uk/PanelCounsel/security.htm.
Secure disposal
It is a requirement of DPA 1998 that personal data should not be retained for longer than is required. However, this may be seven years or longer for case files. Accordingly, the retention of personal data should be reviewed regularly. The retention of precedents, pleadings, advices and documents that have been used in open court, from which personal data have been removed by anonymising, is not a breach of DPA 1998.
Chambers should have procedures in place for the secure disposal of confidential material and electronic media (eg, the cross-cut shredding of papers and CD-ROMs) and hard drives.
Barristers who wish to dispose of any computer or electronic media upon which confidential material has been stored must ensure the material is effectively destroyed or wiped using a recognised method to put the data beyond recovery. Merely deleting the files, single-pass overwriting, or reformatting the disk is insufficient. Physical destruction or the use of specialist deletion and overwriting software is necessary.
Further information
This completes the IT Panel’s summary on how to treat both electronically processed and written information. It would be happy to answer queries from barristers.
Please contact Alexandra McHenry (AMcHenry@BarCouncil.org.uk).
Rule 702 of the Code of Conduct states:
“Whether or not the relation of counsel and client continues a barrister must preserve the confidentiality of the lay client’s affairs and must not without the prior consent of the lay client or as permitted by law lend or reveal the contents of the papers in any instructions to or communicate to any third person (other than another barrister, a pupil, in the case of a Registered European Lawyer, the person with whom he is acting in conjunction for the purposes of paragraph 5(3) of the Registered European Lawyers Rules or any other person who needs to know it for the performance of their duties) information which has been entrusted to him in confidence or use such information to the lay client’s detriment or to his own or another client’s advantage.”
Graham Cunningham, with contributions from Iain Mitchell QC, Clive Freedman and Jacqueline Reid of the Bar Council IT Panel
In the second part of his feature on information security, Graham Cunningham looks at the guidelines regarding physical material.
Last month, I wrote about your responsibilities under the Data Protection Act 1998 (DPA 1998), concerning electronic processing of personal information. It was designed for your protection and, most especially to avoid you having to give undertakings to the Information Commissioner or pay fines. This month, I want to concentrate on physical material; ie, the paper in the lever arch files that makes up the average brief. Generally speaking, the sort of physical material you get in the average brief does not come within DPA 1998.
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
Giovanni D’Avola explores the issue of over-citation of unreported cases and the ‘added value’ elements of a law report
Louise Crush explores the key points and opportunities for tax efficiency
Westgate Wealth Management Ltd is a Partner Practice of FTSE 100 company St. James’s Place – one of the top UK Wealth Management firms. We offer a holistic service of distinct quality, integrity, and excellence with the aim to build a professional and valuable relationship with our clients, helping to provide them with security now, prosperity in the future and the highest standard of service in all of our dealings.
Is now the time to review your financial position, having reached a career milestone? asks Louise Crush
If you were to host a dinner party with 10 guests, and you asked them to explain what financial planning is and how it differs to financial advice, you’d receive 10 different answers. The variety of answers highlights the ongoing need to clarify and promote the value of financial planning.
Most of us like to think we would risk our career in order to meet our ethical obligations, so why have so many lawyers failed to hold the line? asks Flora Page
If your current practice environment is bringing you down, seek a new one. However daunting the change, it will be worth it, says Anon Barrister
Creating advocacy opportunities for juniors is now the expectation but not always easy to put into effect. Tom Mitcheson KC distils developing best practice from the Patents Court initiative already bearing fruit
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
The long-running fee-paid judicial pensions saga continues. The current cut-off date for giving notice of election to join FPJPS is 31 March 2024, and that date now gives rise to a serious problem, warns HH John Platt
