The Information Commissioner’s Office (ICO) has “sounded the alarm” to the legal profession regarding breaches of the Data Protection Act 1998 (DPA). In a press release today it says it is
“warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession.”
Fifteen incidents (which, of course, are not in themselves breaches of the DPA) involving members of the legal profession have been reported to the ICO in the last three months, and the release goes on to point out that
“The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.”
This of course is shorthand for what enforcement of the DPA really entails. Solicitors and barristers will often be data controllers pursuant to section 1(1) of the DPA (but not always – in-house lawyers are employees, and their employer will generally be the relevant data controller) and as such they will have an obligation under section 4(4) DPA to comply with the data protection principles of Schedule One. The seventh principle requires a data controller to take
“Appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
and this is what the ICO refers to (or should refer to) when it talks about a “data breach”: a data security incident (such as loss of files) might occur as a result of a seventh principle breach, but, equally, it might not (I blogged at length on this distinction previously).
Nonetheless, the ICO will often give a shot across the bows of a particular group or industry prior to taking formal enforcement action, such as the serving of monetary penalty notices of up to a maximum of £500,000. The likelihood of any individual barrister or solicitor, or any but the very largest firms, receiving such a large penalty is very, very low (the ICO’s own rules state that he must take into account the impact of a penalty on the data controller). That said, all lawyers would do well to check their compliance with the DPA, and with their information security obligations.
The ICO is going to get busier and busier unless organisations REALLY start to get a grip on info sec. Most efforts made by organisations I see are token at best, despite frameworks like ISO27001 and PCI DSS…