*/
Do we need protection from data protection? asks David Taylor as he warns barristers of their duties under the Data Protection Act 1988 .
Barristers and their chambers can no longer be complacent about their duties under the Data Protection Act 1998 (DPA), and fines of up to £500,000 are now within the power of the Information Commissioner’s Office (ICO). Worse still: if you fight your corner in court, then unlimited fines and up to five years in prison are added to the armoury. If that weren’t incentive enough to keep your data safe, many breaches of the act are also criminal offences of strict liability.
There’s no doubt that we’ve enjoyed a honeymoon period while the ICO gave us all time to come to grips with our responsibilities under the act. This period of grace is now over, and 2011 saw action taken against barristers for what many might see as “blameless” breaches. One barrister left a case containing her papers on a train, and another had her papers stolen from a locked car. In November 2011, a QC had her unencrypted laptop stolen from her locked home - and only avoided a fine because the relevant breach occurred in 2010, before the ICO received its new powers.
All three were issued with undertakings from the ICO to improve their security measures. Although fines were avoided, damage to reputation is always very difficult to value. The Bar Council clearly recognises that practices must change, and the new and improved BARMARK standard due for launch in April puts a far greater emphasis on DPA compliance. Much of the personal data held by counsel is sensitive personal data, so the stakes are high.
In other sectors, fines of between £60,000 and £130,000 have been issued for breaches such as the loss of an unencrypted laptop, an email sent to the incorrect recipient, and a letter inadvertently collected from a shared printer and posted to the wrong recipient.
Individual barristers
For the individual barrister, the steps required to minimise your liability are straightforward.
Notification (registration) with the ICO is a legal requirement. The ICO has made notification easy with the template ‘N812 - Individual barrister’, and this will suffice for most. The two greatest risks of breach are loss of personal data and distribution of data to unauthorised persons.
You should assess the potential consequences of a breach by considering the sensitivity of the personal data you’re handling, and implement protective measures accordingly. Sensitive personal data (for example, your client’s social worker’s report) would warrant much greater security than their name and address, and the following steps should be in place:
When you no longer need to hold onto personal data
You cannot keep a client’s personal data indefinitely or, indeed, longer than necessary. You should have a system for deciding when data is destroyed or archived. When an electronic device comes to the end of its life, you must have all of the data securely destroyed. There are software products which can do this, but the best option is to use a company which will provide a certificate of secure destruction.
You are responsible for others’ actions
As the data controller, you’re entirely responsible for the personal data that you process - and which others (eg clerks) process on your behalf. So make sure everybody fully understands their responsibilities.
Chambers
Chambers have many of the same risks and responsibilities as the individual barrister, but with additional hazards.
Notification for chambers is more complex and depends on their administrative or commercial structure. For those chambers with the traditional model of a self-employed senior clerk taking a commission, the clerk is the data controller. However, the majority of chambers now employ all their staff, in which case the head of chambers is the data controller. Other business models may differ. The ICO website has a very helpful document: “The Data Protection Act 1998 Notification of Barristers’ Chambers”, which explains in detail which notification version applies to you.
Common notification errors are:
Governance
Make sure you have a robust information governance policy, and that everyone has read and understands it; the same goes for your data-breach and privacy policies. These documents form the foundation for data-protection training.
It is essential to have data processing contracts with any data processors you use (the most common would be an external accountant used for payroll). In the event of a breach, the ICO will prosecute you, not the accountant, even if it’s their fault! The data processing contract is a legal requirement under the act and provides you with, inter alia, warranties and guarantees should the data processor fail to comply.
IT
Avoiding common errors
Email and fax policies are critically important, and you should ensure that staff never stray from them:
Human resources
Human resources is a veritable rats’ nest of potential breaches!
Summary
The consequences of not complying with the act may be daunting, but making the necessary changes needn’t be. Having the appropriate systems in place (and following them) provides good mitigation when mistakes do happen.
David Taylor, Data Protection Consultancy Ltd.
There’s no doubt that we’ve enjoyed a honeymoon period while the ICO gave us all time to come to grips with our responsibilities under the act. This period of grace is now over, and 2011 saw action taken against barristers for what many might see as “blameless” breaches. One barrister left a case containing her papers on a train, and another had her papers stolen from a locked car. In November 2011, a QC had her unencrypted laptop stolen from her locked home - and only avoided a fine because the relevant breach occurred in 2010, before the ICO received its new powers.
All three were issued with undertakings from the ICO to improve their security measures. Although fines were avoided, damage to reputation is always very difficult to value. The Bar Council clearly recognises that practices must change, and the new and improved BARMARK standard due for launch in April puts a far greater emphasis on DPA compliance. Much of the personal data held by counsel is sensitive personal data, so the stakes are high.
In other sectors, fines of between £60,000 and £130,000 have been issued for breaches such as the loss of an unencrypted laptop, an email sent to the incorrect recipient, and a letter inadvertently collected from a shared printer and posted to the wrong recipient.
Individual barristers
For the individual barrister, the steps required to minimise your liability are straightforward.
Notification (registration) with the ICO is a legal requirement. The ICO has made notification easy with the template ‘N812 - Individual barrister’, and this will suffice for most. The two greatest risks of breach are loss of personal data and distribution of data to unauthorised persons.
You should assess the potential consequences of a breach by considering the sensitivity of the personal data you’re handling, and implement protective measures accordingly. Sensitive personal data (for example, your client’s social worker’s report) would warrant much greater security than their name and address, and the following steps should be in place:
When you no longer need to hold onto personal data
You cannot keep a client’s personal data indefinitely or, indeed, longer than necessary. You should have a system for deciding when data is destroyed or archived. When an electronic device comes to the end of its life, you must have all of the data securely destroyed. There are software products which can do this, but the best option is to use a company which will provide a certificate of secure destruction.
You are responsible for others’ actions
As the data controller, you’re entirely responsible for the personal data that you process - and which others (eg clerks) process on your behalf. So make sure everybody fully understands their responsibilities.
Chambers
Chambers have many of the same risks and responsibilities as the individual barrister, but with additional hazards.
Notification for chambers is more complex and depends on their administrative or commercial structure. For those chambers with the traditional model of a self-employed senior clerk taking a commission, the clerk is the data controller. However, the majority of chambers now employ all their staff, in which case the head of chambers is the data controller. Other business models may differ. The ICO website has a very helpful document: “The Data Protection Act 1998 Notification of Barristers’ Chambers”, which explains in detail which notification version applies to you.
Common notification errors are:
Governance
Make sure you have a robust information governance policy, and that everyone has read and understands it; the same goes for your data-breach and privacy policies. These documents form the foundation for data-protection training.
It is essential to have data processing contracts with any data processors you use (the most common would be an external accountant used for payroll). In the event of a breach, the ICO will prosecute you, not the accountant, even if it’s their fault! The data processing contract is a legal requirement under the act and provides you with, inter alia, warranties and guarantees should the data processor fail to comply.
IT
Avoiding common errors
Email and fax policies are critically important, and you should ensure that staff never stray from them:
Human resources
Human resources is a veritable rats’ nest of potential breaches!
Summary
The consequences of not complying with the act may be daunting, but making the necessary changes needn’t be. Having the appropriate systems in place (and following them) provides good mitigation when mistakes do happen.
David Taylor, Data Protection Consultancy Ltd.
Do we need protection from data protection? asks David Taylor as he warns barristers of their duties under the Data Protection Act 1988.
Barristers and their chambers can no longer be complacent about their duties under the Data Protection Act 1998 (DPA), and fines of up to £500,000 are now within the power of the Information Commissioner’s Office (ICO). Worse still: if you fight your corner in court, then unlimited fines and up to five years in prison are added to the armoury. If that weren’t incentive enough to keep your data safe, many breaches of the act are also criminal offences of strict liability.
The beginning of the legal year offers the opportunity for a renewed commitment to justice and the rule of law both at home and abroad
By Louise Crush of Westgate Wealth Management sets out the key steps to your dream property
A centre of excellence for youth justice, the Youth Justice Legal Centre provides specialist training, an advice line and a membership programme
By Kem Kemal of Henry Dannell
By Ashley Friday of AlphaBiolabs
Providing bespoke mortgage and protection solutions for barristers
Joanna Hardy-Susskind speaks to those walking away from the criminal Bar
From a traumatic formative education to exceptional criminal silk – Laurie-Anne Power KC talks about her path to the Bar, pursuit of equality and speaking out against discrimination (not just during Black History Month)
Yasmin Ilhan explains the Law Commission’s proposals for a quicker, easier and more effective contempt of court regime
Irresponsible use of AI can lead to serious and embarrassing consequences. Sam Thomas briefs barristers on the five key risks and how to avoid them
James Onalaja concludes his two-part opinion series