Thomson Reuters

GDPR: how will it impact the Bar?

Paul Brooks

10 Apr 2018

The prospect of a hefty fine always concentrates the minds of lawyers, but it is rare for them, rather than their clients, to be the potential recipients. The General Data Protection Regulation (GDPR) will change that from 25 May 2018.

Any business, including chambers and any individual barrister, which processes personal data relating to individuals residing in the EU must comply with the GDPR. A failure to do so can result in enforcement action by the Information Commissioner’s Office (ICO), including hefty fines and even prosecution. ‘Processing’ covers almost anything done with personal data, including its collection and storage. A raft of articles has already been written on the terms and general obligations imposed by the GDPR, and this article does not seek to repeat them; it concentrates on the security obligations as they bear on the Bar.

For a barristers’ chambers, holding highly confidential information on clients, adversaries and commercially sensitive deals, the need for securing that information and ensuring that individual barristers do so is of paramount importance not only on the grounds of simple security but for reputational reasons too.

Cyber-attacks on lawyers are a growing concern. In 2016 there was the reported loss of £7 million of client money to cybercrime. Confidential information is often shared in unencrypted emails between law firms and between barristers and solicitors, and so risks being intercepted or stolen and then ransomed back to firms, or sold to third parties for use in crimes such as insider trading. ICO figures from the first quarter of 2016 show the legal and justice sectors reporting the fourth highest number of data security breaches. Cyber criminals target lawyers precisely because of the nature of the documentation they hold, which will often include identification documents and financial details. It is important to bear in mind that chambers, just like any other business, can be the victim of a cyber-crime. Equally, they can find themselves liable to ICO enforcement action for their failure to prevent it. Many chambers and law firms will not have the resources available to financial institutions to tackle the issue. What they cannot do, however, is simply ignore the problem.

The Bar Council has been at the forefront of seeking to assist barristers and chambers in their preparedness for GDPR implementation. Although the Bar Council’s publications have the appearance of guidance, they come with the express assertion that they are precisely not that, and that ‘neither the Bar Standards Board, nor bodies regulating data protection and information security, nor the Legal Ombudsman is bound’… by the very view they express!

As the Bar Council notes, because chambers provide various IT functions to their members, including network provision, internet access, email and file storage facilities, many barristers’ chambers will fall within the definition of a data processor and will have obligations under Articles 28 to 33 GDPR.

The challenges

Chambers have often operated by negotiating contracts on a case by case basis to meet the chambers’ needs, without necessarily taking into account the need to meet a clearly defined regulatory obligation. That now has to change with the implementation of GDPR. GDPR demands that individual barristers and chambers take proactive action to ensure that systems are in place which meet its onerous requirements.

The challenge is to devise policies, processes and solutions which meet the requirements of GDPR. Systems innovation and security should be at the heart of that. As many others have advised, the starting point has to be a chambers-wide audit, followed by an individual assessment, by each barrister, of what tasks and functions they are performing, whether those engage the GDPR and, if so, how to adapt them to meet the obligations. Fundamental to an understanding of the imposed obligations is an awareness that an individual barrister can be both a data processor and a data controller, and so can their chambers.

The security obligation

Articles 24, 28, 29 and 32 set out a number of obligations concerning the security and confidentiality of personal data, and they warrant special attention. It is entirely predictable that fines for breaches of these provisions will be at the top end of the scale, given the harm that can flow from a breach.

Article 24 provides that data controllers, which will often be individual barristers and, through the provision of collective IT facilities, chambers, must implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the Regulation, and that those measures must be reviewed and updated where necessary. It is sobering to note that the Bar Council’s non-advice sets out (at paragraph 124) that, as well as bearing personal responsibility for their own processing, an individual barrister may also be held personally responsible for a failure by chambers’ staff, including IT support staff, to adopt proper precautions in their role as data processor of the personal data for which the barrister is the data controller.

As always, the level of precautions required depends on the circumstances, and those circumstances include the likelihood and the severity of the harm that a data breach would cause. The Bar Council’s guidance on information security is unfortunately not an approved code of conduct under GDPR, but it is perhaps the minimum standard that should be adopted by individual barristers and chambers.

Real problems clearly arise in relation to the security of data stored in the cloud, stored overseas or stored on shared drives. The difficulty is that barristers and chambers may only use providers whose terms bind the provider to process personal data solely on documented instructions from the controller and to delete the personal data at the end of the provision of services.

Obviously, many internet and storage service providers analyse personal data for the purpose of targeted advertising, and do so by unilaterally imposing conditions of service which allow this. As a data controller or processor, however, you do not have the liberty of hiding behind such unilaterally imposed terms, so barristers and chambers should be alert to how material is stored, where it is stored and how it is accessed by any third party internet or storage provider. This will require you to become familiar with the terms of service offered, rather than simply continuing to ‘tick the box’ to show that you agree to them.

Important clauses will also need to be introduced via the chambers’ constitution permitting the recovery or deletion of data held by any barrister on their leaving chambers. Those systems need to take account of the fact that access and checking may require chambers to delve into data which is itself highly confidential.

The way forward

No one said GDPR was going to be easy. Barristers and chambers must ensure that everyone handling data, including staff and third party contractors, is properly trained and aware of their responsibilities and duties. The way forward may be for chambers to employ a person with the sole task of monitoring and stress testing systems to ensure compliance, as the consequences of not doing so could be extreme.
