The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information – and in particular paper files – secure. The advice follows a number of data breaches reported to the ICO involving the legal profession.
The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.
In most cases, these penalties are issued to companies or public authorities. However, barristers and solicitors are generally classed as data controllers in their own right and are, therefore, legally responsible for the personal information they process.
The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty.
Also, legal professionals will often carry around large quantities of information in folders or files when transporting that information to or from court, and may also store those folders or files at home. This can increase the risk of a data breach.
In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO.
Information Commissioner Christopher Graham said: “The number of breaches reported by barristers and solicitors may not seem that high but, given the sensitive nature of the information they handle and the fact that it’s often held in paper files rather than secured by any sort of encryption, that number is troubling. It’s important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”
Tips for barristers and solicitors
The ICO has published the following ‘top tips’ to help barristers and solicitors keep the personal information they handle secure:
* Keep paper records secure. Do not leave files in your car overnight and do lock information away when it’s not in use
* Consider data minimisation techniques in order to ensure that you are only carrying information that’s essential to the task in hand
* Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access, even if the device should be lost or stolen
* When sending personal information via e-mail consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the e-mail address you are sending the information to is correct
* Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it
* If you are disposing of an old computer or other device, make sure all of the information held on the device is permanently deleted before disposal
The ICO is currently working with The Bar Council to update the Information Security Guidance provided to barristers in England and Wales.
The ICO’s website includes further guidance on security measures that should be in place when handling personal information.
In addition, the ICO has published a blog explaining the importance of encryption and the options available to barristers and solicitors who need to secure their data.