The Cabinet has always been concerned with security issues. Lord Kitchener remarked that it was no good telling Cabinet Ministers military secrets as they would go home and tell their wives – except for Lloyd George, who would go home and tell someone else’s wife. 95 years later, the Cabinet Office is more concerned about laptops than laps.
The current passion for security was triggered in November 2007 by the revelation that HMRC had lost two CDs containing personal information about 25 million named individuals. Gordon Brown reacted like any good politician and asked the Cabinet Office to conduct a review. Like any good reviewing body, the Cabinet Office issued guidelines to Departments which hastened to implement and adapt them. The guidelines were intended to cover everyone who dealt with data, including service providers. Each Department started issuing its own Guidelines, and the Bar found itself at the end of a number of different versions.
The approach of the Bar
The Bar has always handled sensitive data, ranging from public interest immunity and family and child abuse cases to national security issues of varying degrees of sensitivity. Common sense, reinforced by the Codes of Conduct, has ensured that such material is held securely. In extreme cases, counsel are provided with safes, dedicated and encrypted laptops, fax machines, photocopiers and even escorts to and from court. How each such case will be handled will continue to be determined by the instructing Departmental solicitor in discussion, where necessary, with counsel. Such material will be formally classified as either Confidential, Secret or Top Secret.
The draft Guidelines
The problem arises with everyday material outside these sensitive areas – such as details of bank accounts and names and addresses of victims of fraud; details of sexual assaults which would cause distress if they became public; or medical and other personal records. To deal with these concerns, the government has drafted Guidelines on Information Security and Government Work (“the Guidelines”). They apply to barristers doing work for government departments and agencies, and can be – or soon will be – found on the Treasury Solicitors and Bar Council websites.
Many requirements are self-evident and represent best practice. However, some backwoodsmen have been heard muttering and no doubt louder (and ruder) noises will be heard. The short answer is if you don’t like it, don’t do the work: return the brief. Barristers have always been under an obligation to conduct the preparation of a case according to instructions. It is a breach of professional conduct to accept a brief with the intention of not complying with your solicitor’s express instructions. The Guidelines are here. If you do government work, learn to live with them.
Dealing with extreme demands
In fact, the position could have been worse. To deal with the Cabinet Office concerns, different Departments came up with different requirements. The more extreme demands made independent practice a nightmare at best, and for some, virtually impossible. Barristers were to keep all papers not in immediate use inside lockable wooden or metal cabinets and keep the key on their person at all times. Laptops not in use would have to be locked up unless secured with a Kensington cable. When transported in the UK, laptops should be disguised by being carried in rucksacks and sports bags. Laptops could not be taken abroad. Home desktops should not be used for work. Some individuals even started demanding that every counsel’s room in chambers should have separate locks.
To deal with this morass, the previous Chairman set up a Working Committee chaired by Tony Shaw QC and containing representatives of the Bar Council, the Bar Council’s IT Panel, the Criminal Bar Association, and civil practitioners. It was assisted by David Hobart, the Chief Executive of the Bar Council. The Committee met with representatives of the CPS, the Treasury Solicitors Department, BIS and HMRC. The current Codes of Conduct and Bar Standards Board recommendations were trawled and merged into something like a coherent form, to which were added those requirements which were clearly non-negotiable in the light of Cabinet Office strictures. Over a long drawn-out process, the worst of the proposed provisions were diluted or removed.
There can be no doubt that many will feel that the final Guidelines (see panel boxes) will impose excessive burdens on barristers. They certainly impose burdens, and the IT illiterate will doubtless regard those burdens as excessive. However, following the widely publicised government data losses, some tightening of procedures was inevitable and unavoidable. There was no realistic prospect of persuading government agencies that the Guidelines should be relaxed. What we have is, we hope, a workable model. The alternative was to dig our heels in, accept nothing, and have worse restrictions imposed on us unilaterally.
In any event, other bodies require measures to be taken in respect of all work, not merely government work. The Data Protection Act requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” The Information Commissioner recommends encryption of laptops and removable storage devices and is empowered to impose a fine of up to £500,000 for serious deliberate or negligent non-compliance with the Data Protection Principles. The Bar Standards Board also observes that any barrister who loses portable devices on which unprotected information is stored could face disciplinary action.
One common question raised is why all papers are treated as Restricted by default. The Restricted and Protect categories include material the accidental release of which may cause substantial distress to individuals, breach proper undertakings to maintain the confidence of information provided by third parties, or prejudice the investigation of or facilitate the commission of crime. But much material would not distress anyone, breach any undertaking or facilitate any crime. However, there is no quick way of dividing material to distinguish between the sensitive and the not so sensitive. Appointing sensitivity monitors alongside disclosure and case progression officers would add an expensive administrative layer where things will get delayed and still go wrong. Applying one default standard was the simplest solution. Thus, the material to which the Guidelines refer and to which this article relates is all Restricted material, whether or not it is actually marked Restricted or Protect, and includes documents created by counsel.
The most important of the new restrictions for individuals is the requirement to ensure that wherever practicable all laptops and all portable storage devices are encrypted to acceptable standards. The relevant standard is FIPS 140-2. FIPS stands for Federal Information Processing Standard, a US government computer security standard. A list of validated software programs can be found on http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm. Encryption is necessary as a precaution against theft, as the Windows password is insecure. For example, it can be by-passed by removing the hard drive from the computer and using it in another computer. Encryption of the whole hard drive is required, but in practice this is easier than encrypting particular folders. Where chambers IT support exists, it is simpler to leave encryption to them. However, where chambers lacks such support, you must take care, particularly as many freeware encryption programs do not meet government minimum standards, or are complicated to set up. For example, one popular freeware program, Truecrypt, is not currently validated to the required level or included on the approved list. Fortunately, there are a few relatively easy to install, easy to use and well supported commercial programs. It is for individuals to make their own choice, but consider Becrypt Disk Protect, PGP Whole Disk Encryption and Secuware C4K. PGP has an Apple Mac version, and Secuware will also encrypt netbooks. All cost around £85 to £95 per machine, but Secuware has just concluded a deal with Bar Council Member Services which cuts the cost of its product significantly while offering lifetime support (see www.barcouncil.org.uk/memberservices/MemberBenefits/ITServices). Whatever you do, before you start encrypting, install the latest updates (you should already be doing that automatically), and back up everything vital onto a separate storage system. If you do not, and things go wrong, you have no one to blame but yourself. Also bear in mind that many modern encryption systems will not operate in an old (ie pre-XP) Windows environment.
A wider application?
Although the Guidelines do not apply to information provided to barristers by other clients, or by the government to other parties in litigation, such as defendants in criminal cases, the Bar Council have requested barristers to bear them in mind when dealing with material emanating from a government source.
Tony Shaw QC, Remuneration Committee, and Clive Freedman, IT Panel.
Requirements for individuals doing government work
Most restrictions amount to common sense or good practice:
- don’t leave papers open and lying around
- don’t work on papers where you can be overlooked in public
- transport papers safely; don't leave them in a car overnight
- restrict electronic storage to a minimum
- use CJSM for e-mails
- report any data loss promptly
- dispose of material safely by cross-shredding hard copy and securely deleting electronic material – mere deletion is inadequate: use a secure deletion tool (such as Eraser - http://eraser.heidi.ie/).
- ensure that wherever practicable all laptops and all portable storage devices are encrypted to acceptable standards.
Requirements for chambers with barristers doing government work
Where individuals undertake government work, requirements for chambers include these points:
- consider signing up for secure CJSM emails
- establish an information risk policy setting out how to safeguard information in chambers: the Guidelines can be adopted, but chambers may be required to disclose the policy for the purposes of an annual audit
- have systems in place for the secure disposal of restricted material and procedures for reporting loss of data
- maintain a log of all computers used by counsel for storing or working on restricted material, recording the type, model and serial number of each such computer (other than dedicated thin-client terminals or similar workstations provided by chambers), together with the details of anti-virus, anti-spyware, encryption or other security software installed.