According to the UK data regulator, the ICO can issue a penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.
In most cases, the ICO says these penalties are issued to companies or public authorities, but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.
Over the last three months, 15 incidents involving members of the legal profession have been reported to the ICO. The information handled by barristers and solicitors is often very sensitive, which means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty.
The data regulator notes that legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.
Christopher Graham, the Information Commissioner, said that the number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling.
“It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach,” he said, adding that the ICO has published some top tips to help barristers and solicitors look after the personal information they handle. These measures, he says, will set them on the road to compliance and help them get the basics right.
Barrister and solicitor tips from the ICO include:
- Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.
- Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.
- Where possible, store personal information on an encrypted memory stick or portable device – if the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
- When sending personal information by email, consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double-checking that the email address you are sending the information to is correct.
- Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
- If you are disposing of an old computer or other device, make sure all of the information held on the device is permanently deleted before disposal.
The ICO says it is currently working with the Bar Council to update the information security guidance provided to barristers in England and Wales.
The ICO website includes further guidance on the security measures that should be in place when handling personal information. The regulator has also published a blog post explaining the importance of encryption and the options available to barristers and solicitors who need to encrypt their data.
Commenting on the ICO’s advice, Paul Doble, director at mail and parcels firm DX, said that it is a worrying sign when the Information Commissioner publicly warns lawyers to improve their data protection efforts, but one that is evidently needed.
“According to our research, 29 per cent of legal professionals have experienced an incident in which data security has been compromised in the last 12 months as a result of physical documents, and the same proportion as a result of email,” he said.
Doble went on to say that the legal profession must ensure it has the necessary measures in place to stop these instances occurring. For physical documents, this means lawyers taking personal responsibility when they are in possession of such documents, and due diligence when it comes to appointing third party suppliers to transport these sensitive documents.
“Documents need to be transported in a secure manner by vetted professionals. Similarly, all electronic information needs to be encrypted to an acceptable standard – including emails – to ensure information isn’t put in the hands of someone it shouldn’t be. Secure, encrypted email services can take away the risk associated with emails being sent to the wrong person – something that 55 per cent of legal professionals have experienced,” he said.
“With irreparable reputational damage – not to mention significant fines for individual lawyers – at stake, this isn’t something that lawyers can afford to ignore,” he added.
Charges are not expensive. Annual pricing for practices by number of email addresses:
- up to 8 email addresses: £399 per year
- up to 15 email addresses: £599 per year
- up to 35 email addresses: £899 per year
- up to 50 email addresses: £1599 per year
For companies with more than this, please contact us as you may prefer to have your own email encryption gateway deployed within your own IT infrastructure.