It only takes a moment. An over-hasty click of a mouse. A piece of paper that does not get shredded. Data protection breaches are a constant risk for members of the Bar, and, sadly for some, that risk can become an embarrassing reality.
In March this year the Information Commissioner fined a barrister £1,000 for a data protection breach. In a redacted penalty notice (with the identity of the barrister concealed) the facts of the case seem to encapsulate the perils that can befall people in an age of cloud computing and ubiquitous internet connectivity. A solicitor informed the barrister’s chambers that confidential documents written by the barrister were publicly accessible on the internet. It turned out that barrister’s husband had decided to back up 725 documents prior to a software update for the computer that the files inhabited. In backing up the files he had inadvertently made some of the documents publicly accessible. Six of the documents were highly confidential and pertained to proceedings in the Court of Protection.
The Commissioner decided that the barrister had failed to put in place appropriate technical measurers and that the breach was sufficiently serious to warrant a fine, which was £1,000. As the Commissioner noted, the case had mitigating factors, which was reflected in the modesty of the fine. When considering the level of some of the fines meted out (one thinks of the truly huge £400,000 fine issued to TalkTalk in April 2016), it acts a useful reminder as to what the consequences of a data breach can be, consequences, that, as I will explain further on, will become more serious next year.
A disciplinary matter
Data breaches are not only a matter for the Information Commissioner: they are also a disciplinary matter. Core Duty 6, Rule C5 and Rule C15.5 of the Bar Standards Board (BSB) Handbook require barristers to preserve the confidentiality of a client’s affairs. Any barrister who does not adhere to this by, for example, allowing other people to see confidential material, losing portable devices on which unprotected information is stored, or not disposing of client papers securely could face disciplinary action. A recent example of a barrister falling foul of this duty was in March this year when the BSB issued a fine of £750 to a barrister who had been disposing of documents that contained confidential and sensitive information in household refuse sacks.
Barristers are data controllers
Data breaches at the Bar are hardly new and, given that we do not live in a perfect world, they will probably carry on happening. However, there is a great deal that barristers and chambers can do to improve things. One of the first things to recognise is that barristers are ‘data controllers’ under the Data Protection Act 1998 (‘the Act’). This might sound absurdly obvious to most readers but there is still a staggering level of ignorance about the status of barristers (and indeed chambers) under the DPA 1998 and what the consequences of that entail. I was told by a barrister I know that when she first came to the Bar (which was a recent event), the Information Commissioner’s Office (ICO) wrote to her telling her that she needed to be registered as a data controller under the Act. Unsure as to where she exactly stood she spoke to her chambers’ director, who had worked at the Bar for almost 30 years. The director told her: ‘Oh, you don't need to worry about that. There’s no need to register.’ Unconvinced, she contacted the ICOwhich – as one would expect – told her that she did need to register and that failure to do so could be a criminal offence.
That a chambers’ director could provide such wrong advice in this day and age is worrying in the extreme. One very much hopes that such ignorance is rare. The fact is that all self-employed barristers need to register as data controllers and that in addition to that they have to make sure that they abide by the terms of the Act, with its data protection principles and, most relevant in the cases of breaches, the requirement that they undertake appropriate technical measures to prevent unlawful or unauthorised data processing (Pt I, Sch 1 of the Act). Also, a barristers’ chambers (the administration and business, as opposed to the barristers) needs to register as a data controller as well, although the employees of the chambers currently do not. There is a distinction to be made between an ‘old-style’ chambers where the senior clerk is self-employed and a ‘new-style’ chambers where the senior clerk (and/or chambers director) is an employee of either the chambers or the head of chambers. Regardless of how a chambers is configured, some kind of registration will be required. The ICO provides a comprehensive guide on the subject on its website so there can be little excuse not to get this right (ico.org.uk).
Pigeon-holes and other security issues
Registration with the ICO aside, there are other issues that chambers need to deal with if they want to avoid data breaches. Chief among those issues is the continued use of pigeon-holes. The layout of the traditional chambers is extremely familiar to all of us. There is a clerks’ room(s) and within or near those rooms there are the pigeon-holes, each one bearing the name of the relevant barrister, and containing fee notes, invoices, post, and – most crucially – briefs. Given the sensitivity of the information contained in pigeon-holes, it still seems odd that in some chambers there are few, if any, steps to provide this area with added security. Frequently unsupervised, they provide low-hanging fruit for an opportunist intruder. Then there is the broader problem of the huge amounts of paperwork that barristers either have or produce. Unless properly and securely filed it also presents a potential data breach hazard.
Forthcoming regulations are more punitive
All of this will matter more next year; on 25 May 2018 the General Data Protection Regulation will come into force, and it replaces the existing Act entirely. Much of its terminology and logic will seem familiar to aficionados of the Act. There are, however, profound differences. For instance, there is now the obligation to report a data breach within 72 hours of it occurring where it is likely to result in a risk to the rights and freedoms of individuals. If that risk is high, there is also a requirement to contact the individuals concerned (which might mean a client). The Information Commissioner will also no longer be constrained by the current cap on fines (£500,000); the new Regulation allows – in the very worst cases – fines up to €20m or 4% of global turnover, whichever is greater. The upshot is that the data protection regime is shortly about to get a great deal more serious and a great deal more punitive. What should chambers do?
Chambers policy: The first and most logical thing (something that I would imagine that most chambers have already done) is to have some form of data protection policy and to publicise that policy to members. The BSB has issued guidance on confidentiality, and that would certainly be a good starting-point. There are a raft of practical technical tips that can be applied (see boxes), and they do not involve huge amounts of money and effort.
Buy a personal shredder: A very simple, very obvious, and low-tech tip: one can get a pretty decent shredder these days for around £30. Opt for cross-cut rather than strip-cut for greater security. Some of a barrister’s legal documents will obviously need to be retained for – among other things – public access cases, but if there are documents in a barrister’s possession that contain personal and/or sensitive personal information and those documents are not required any more, shredding would seem an eminently sensibly proposition. (The barrister fined for putting documents in refuse sacks could have bought a top-of-the range shredder, capable of shredding 20 sheets of paper at once, for less than half of the fine imposed!)
Lock the door: If you don’t have one already, buy and use a lock for your chambers room/study door. A decent door lock can be bought for between £15-20 and is not hard to install. If you would rather have someone do it for you, locksmiths are usually good value and very quick.
Achieving peace of mind
Given the harm that can be done to a professional reputation by a publicised data protection breach, these steps seem a small price to pay for peace of mind.
More guidance from the Bar Council IT Panel can be found at bit.ly/2iL44mP. See in particular Data protection: notification – the obligation to register at bit.ly/2sPkCRJ
forewarned is forearmed: key challenges
The Bar Council takes issues of data protection and information security very seriously. They go hand in hand with the issue of client confidentiality which is a cornerstone of any barrister’s practice.
This article rightly emphasises the existence and increasing visibility of the Information Commissioner’s Office (ICO) which is quite prepared to levy fines for breaches of data protection laws. The author points to one recent and unfortunate incident, where backing up of a family member’s files resulted in inadvertent publication of these on the Internet. The fine was modest – but no barrister wants to part with £1,000. The available level of penalties will increase when the General Data Protection Regulation (GDPR) comes into force in May 2018. These penalties are not covered by Bar Mutual.
1. Know your responsibilities under the law
- Responsibilities are currently contained in the Data Protection Act 1998 (the Act), but next year it will be the GDPR.
- Every barrister is a data controller ie responsible for processing legally any ‘personal data’ that comes into their possession (any data that relates to an identifiable living person, eg name and address). ‘Sensitive personal data’, eg physical and mental health, racial or ethnic origins, is given even greater protection.
- Personal data has to be processed in accordance with the eight ‘data protection principles’ set out in Sch 1 of the Act eg data has to be processed fairly and not held for longer than is necessary.
- Every data controller has to register with the ICO. Each barrister should ensure that he or she has completed the form which identifies the uses to which ‘personal data’ will be put.
2. Make information security a priority: a win-win
This benefits both your practice and your clients. Client awareness of this issue is increasing. No one wants to lose clients and lax practices cause loss of data and exposure to penalties. It’s embarrassing to call up all those clients to let them know that you have exposed them to identity theft risks and possibly worse. Losing papers is bad enough, but consider the impact of losing all of your clients’ data: past and present.
3. How to be secure!
- Passwords: Help yourself by using a password that no one could guess, to prevent access to your computer. It does not have to be exclamation marks, numbers and upper/lower case variations; ‘dog-likes-walks’ is as good as any. Change this every few months.
- Security software: Install anti-virus, anti-spyware and firewall software. And, keep that software up-to-date. A well-organised chambers should be able to download this for its members.
- Make it unrecognisable! The ICO recommends encryption software. This renders incomprehensible any data held on your computer. This is in addition to passwords – which can be bypassed by removing the disk storage. Ensure this meets standards recognised by your client eg the government.
- System updates: Try to ensure that your operating system is current (including updates), even though it is tempting to do so only when you change computers. The recent NHS hacking scandal arose because someone was using the outdated, unsupported XP operating system.
- Suspicious emails: Look out for suspicious emails from people you do not recognise asking you to open attachments. Don’t do so. Forward them to your IT manager for inspection.
- Back up your information: If you are the victim of a virus which wipes all your data, at least you can download this back-up without having to explain to your clients that everything they have entrusted to you has disappeared.
key challenges (continued)
4. Is your head in the clouds?
Historically, back-up might have been limited to a memory stick. More recently, chambers backed up data onto its own central computers, giving a measure of security. Nowadays, chambers can store your data with providers of data storage, known as cloud service providers. Any individual barrister can do this though; you don’t need chambers to do so. Cloud storage can be provided by these service providers anywhere in the world.
But… be aware. The Act says that you cannot transfer data to other countries that do not have adequate data protection. That means you should ensure that any cloud service provider storing your data locates its computers either in the EEA or provides adequate protection to EEA standards. There are other considerations too; make sure that there are safeguards built into your contract concerning confidentiality, security, reliability, availability and data deletion.
5. Where is your data actually going?
This concerns where you are sending your data, not where you are storing it. Emails containing personal data (in the text or attachments) cross the world but many destinations do not have EEA standards of data protection. Even obvious places (eg the USA) do not provide sufficient protection – the ECJ has stated that the ‘Safe Harbor’ principles cannot be relied upon, although it has not yet ruled on the newer ‘Privacy Shield’. You may need to resort to encryption if emails are travelling farther afield than the EEA. Note also that the ubiquitous wi-fi hotspot is probably unsecured: a hacker’s dream.
6. Organise your files
It is much easier to manage your client information if it is organised. Ensure that the client files you keep on computer are easy to find. This saves time generally and also means that should you receive a ‘subject access request’ from a client or a witness – data protection speak for ‘tell me what you are holding about me’ – the relevant information is easier to find. It’s also easier to see what you have got and get rid of old files that you no longer need to keep – such as all those emails that go back 15 or more years!
7. The end of the day
At some point, you will want to buy a new computer; something lighter, more powerful, better screen, larger storage. But don’t forget the data on the old computer. Never give a computer away without removing client data. Putting it in the computer recycle bin is not sufficient. You need to have it professionally wiped clean – or if is faulty, destroy the hard disk. And, as the article observes, just as putting manual files in the refuse sack rightly attracts the opprobrium of the BSB, the same applies to the electronic version.