This month, a senior barrister was fined £1,000 when highly sensitive client information relating to family court proceedings was accidentally uploaded online, becoming easily accessible to the public via search engines.
The Information Commissioner’s Office stated that six of the files contained ‘confidential and highly sensitive’ information relating to people who were involved in proceedings in the Court of Protection and the Family Court.
Steve Eckersley, head of enforcement at the ICO told the Law Society Gazette: “People put their trust in lawyers to look after their data – that trust is hard won and easily lost.
“This barrister, for no good reason, overlooked her responsibility to protect her clients’ confidential and highly sensitive information. It is hard to imagine the distress this could have caused to the people involved – even if the worst never happened, this barrister exposed her clients to unnecessary worry and upset.”
Data has become ubiquitous in the life of a legal professional and this is likely to increase, especially as Artificial Intelligence (AI) begins to make its impact across the sector. Several solicitors have faced prosecution for breaching data protection rules, so it is imperative that all members of staff within a firm understand their compliance obligations when managing client data.
The Information Commissioner can, in certain circumstances, impose financial penalties of up to £500,000 on law firms that breach the Data Protection Act. Although this can be a crushing financial blow, the loss of client confidence can do untold damage to a firm’s reputation. Clients often seek legal advice at an incredibly vulnerable time in their lives and they place enormous faith in their solicitor to keep the details of their matter confidential. To protect the reputation of your legal practice, not only must you take your regulatory compliance regarding data protection seriously, it is good practice to document your processes and have them available for clients to see.
The eight principles of the Data Protection Act 1998
Under the Data Protection Act 1998, any person or organisation that handles personal data must comply with the following eight principles:
1. personal data must be processed fairly and lawfully
2. personal data must be obtained only for specified and lawful purposes
3. personal data collected must be adequate, relevant and not excessive
4. personal data must be accurate and kept up to date
5. personal data must not be kept for longer than necessary
6. personal data must be processed in accordance with the rights of data subjects
7. there must be measures against unauthorised or unlawful processing of personal data
8. there must be adequate protection for personal data transferred outside the EEA
It is crucial that everyone who handles client data understands these 8 principles and that processes are in place to ensure ongoing compliance.
Should your law firm have a written data protection policy?
Although a written data protection policy is not a compulsory under the Data Protection Act 1998, it is recommended for the following reasons:
• all staff will have a go-to reference explaining how to comply with the requirements of the Act
• methods for managing compliance of the eight principles will be streamlined across the firm
• clients can quickly be referred to the policy should they become concerned their data has been compromised
• it provides evidence of the data protection policies and procedures in place should the firm become subject to an investigation by the Information Commissioner
The Law Society also deems it good practice for a law firm to appoint someone to be in overall charge of data protection compliance.
In summary
The penalties for failing to comply with the Data Protection Act 1998 can be severe, in both financial and reputation damage. If your firm does become subject to a complaint from the public, the Information Commissioner’s complaints handling process provides an opportunity to put right any mistakes before formal action is taken. If the matter is not corrected, an investigation may be launched.
As always, prevention is better than the cure. As information becomes more widespread in the legal world, more attention must be paid to data protection compliance to ensure ongoing client safety, firm reputation and ultimately the managing partners’ peace of mind.
Make An Enquiry Now
We have been helping legal professionals with professional disciplinary and regulatory hearings for over 20 years. If you have any questions relating to complying with the Data Protection Act 1998, please call us 0151 909 2380 or complete a Free Online Enquiry and I will soon be in touch.