Student placements: confidentiality and data protection issues

The Bar is making increasing efforts to provide school students with the opportunity to have some experience of our working lives, with a view to encouraging them to consider the possibility of a career as a barrister. Many readers will have supported these initiatives by offering work experience placements in chambers.

There are, however, some serious legal and ethical considerations that the Ethics Committee would suggest you consider before offering such a placement to a student; particularly one under the age of 18. We have issued a new guidance note to highlight these, which you can find on the new Ethics and Practice Hub website, alongside our general guidance on mini-pupils, here.

One set of problems relates to a barrister’s duty to keep the affairs of each client confidential (Core Duty 6). As we point out in our note, it is doubtful that a student under the age of 18 can be bound by duties of confidence; even if he or she has signed a ‘confidentiality undertaking’. Absent very specific client agreement, therefore, a student under the age of 18 should not be allowed to see or hear about any material which remains confidential to the client.

It is also very doubtful that allowing a student (or in fact any mini-pupil) to see or hear about a document disclosed under legal compulsion by another party to litigation is ‘use for the purpose of the proceedings in which it will have been disclosed’, within CPR 31.22 (or similar). It is our view that the contents of those documents cannot therefore be shown to or discussed with a student/mini-pupil, at least until they have been read to or by a public court.

And then there is the question of data protection. As data controllers, barristers will also owe duties under the Data Protection Act 1998 – and not only in relation to their clients. If data is capable of being related to any other identifiable person, then fair processing obligations are owed to them too.

"It is doubtful that a student under the age of 18 can be bound by duties of confidence; even if he or she has signed a ‘confidentiality undertaking’"

A barrister’s case papers are, of course, very likely to include personal data which relates, identifiably, to persons other than the client. This could be an opposing party, a witness or potential witness; indeed any person. Disclosure of such data to a student or mini-pupil will almost certainly involve ‘processing’ of that data, and the conditions for fair processing will be very difficult to meet in circumstances where personal data will be passed to an under 18-year-old, and effectively impossible where it amounts to ‘sensitive personal data’.

Against this background, the only safe advice we can give is that under-18s cannot be allowed to see case papers unless these are restricted to publicly available materials, including those that have been read to or by a court, or materials obtained from and relating only to the client (with the client’s specific agreement).

Documents disclosed under legal compulsion by other parties must not be given to the student at all unless they have become public. It will be obvious from this that sharing papers for appeal hearings, and attendance at those hearings, is much less likely to cause problems than other types of work.

Finally, we caution barristers not to imagine that these difficulties can simply be avoided by anonymising documents. The able and enthusiastic students whom the Bar is most keen to attract will often be able to work out to which individuals anonymised documents refer; barristers should avoid that risk altogether.

Contributor Stephen Kenny QC, Bar Council Ethics Committee

Travelling ethically: are you keeping your clients’ data secure?

With increasing importance placed on border security worldwide, the very real risk of being asked to hand over or unencrypt one’s laptop, mobile phone or other electronic device may come as no surprise. But for legal professionals who are carrying data confidential to their client, this presents a dilemma which is fundamentally ethical in nature.

Notwithstanding the resulting breach by the lawyer of legal professional privilege, the US in particular exercises far-reaching powers at border control to take, copy and retain information including all the contents of hard drives, as well as to require the traveller to reveal all encryption keys. It is a sobering reality that one’s status as a legal professional is not always sufficient to protect the client data you carry from such exposure. Corrupt border officials have also been known to require ‘taxes’ – legitimate or otherwise – for bringing your device into the country, without payment of which your device could be confiscated.

Dealing with the foreign border authority will look different in each situation, and if you are going to be carrying confidential client data, you should research prior to your travels how you can exercise professional privilege at a particular border crossing.

It is better to be aware of these possibilities and prepare for your travels accordingly. As a barrister you consider your core duty of confidentiality to your clients (BSB Handbook, CD6, rC15.5) on a day-to day-basis, but translating this into travel advice might be a new consideration. The IT Panel’s new ‘Advice for those travelling’ note seeks to assist you in doing just that, and avoid inadvertent breaches arising from your travels.

It is important to identify the pieces of technology which carry particular risk. Will you be taking a USB flash drive for work? This needs to be satisfactorily encrypted, and stored carefully to avoid being lost or stolen. How are you going to charge your devices? You should use your own USB charger, and be particularly careful about charging from another device – it is possible for a compromised computer to in turn compromise your own device.

Computers belonging to others must be used with the utmost care, and internet cafes should be treated as fully compromised. Entering your credentials is another area of high risk – use of a password on any system carries the risk that the password could be stored or used. This is something to be mindful of even when not travelling - web browsers (eg Google Chrome, Safari, Internet Explorer) are often set to store your credentials for later use. It is a good idea to learn where to find and alter these settings.

In any case, it is good practice to minimise the confidential data held on your devices while travelling, especially where you are confident that you can rely on secure remote working. Secure remote working involves a number of considerations to think about before you travel – see the IT Panel’s note for more details.

In all of your travels, you should plan for the reasonable possibility of becoming – at least temporarily – separated from your device(s), and the possibility of their being accessed. The financial impact of lost or stolen devices are one thing – but the impact of a data security breach is a breach of your ethical duties, and should be your primary consideration.

Contributor Melanie Mylvaganam, policy analyst: legal affairs, practice & ethics