IT Panel Blog: Losing your client's documents

20 April 2017

It's a bad hair day. You have left your court papers on the train. You open your laptop to find them electronically, hoping to find a friendly print shop to print them out. You open a seemingly innocuous email and, lo and behold, a virus infects your entire computer hard drive, including your client's data. You cannot access it. Client confidentiality blown to pieces.

What should you do if you lose papers or end up compromising a client's rights to secure data?

Remember your overriding obligations.

These are:

(a)  Barristers are required to protect the confidentiality of a client's affairs (BSB Handbook CD6, rC15.5). Therefore, try to avoid leaving files or computers on trains or in taxis.

(b)  In respect of client affairs held on your computer, you (not chambers) have to comply with the Data Protection Act 1998 (DPA) Principles for processing client data (here).

(c)  You should be aware of Principle 7 in particular. You have to take appropriate technical and organisational measures against the loss of or damage to clients' personal data. Each barrister owns his or her computer and is considered the controller of the data on it; chambers merely processes your data and is not generally responsible for it as controller. You should treat clients' data as securely as you would a significant sum of your own money. Using passwords to get into your computer and encryption of your data on the device generally will provide some protection.

(d)  That said, chambers must inform its barristers if there has been a security breach and data held and processed by it on behalf of its members has been disclosed.

Reporting data losses

You need to note that:

(a)  There is currently no general duty to report the loss of electronically processed data to the Information Commissioner's Office (ICO). However, the ICO expects to be told of serious cases of loss. It has powers to fine up to £500,000 for serious breaches (increasing to 20 million Euros from May 2018). You will have read about some of these in the newspapers. A recent case concerned HCA, the health company, which was fined £200,000 for breach of Principle 7 - you can read it here.

(b)  You should seriously consider whether to report losses to your client, where relevant, opposing parties, the BSB and the ICO. Such action will mitigate any penalty which you might incur. Also consider informing the police and insurance companies (e.g. BMIF) and chambers.

(c)   Things will change in May 2018 when the General Data Protection Regulation (GDPR) comes into force. Significant breaches of data security have to be reported to the ICO no later than 72 hours after the breach has occurred - see Article 33. The affected client (or former client, opposing party etc.) should also be informed where major breaches have occurred - see Article 34.

(d)  You may have to report yourself (or indeed another barrister) under BSB rules C65.7 or rC66.

(e)  Check whether your chambers has an Incident Response Plan (IRP). If it does not, it may be best to create one so that, should the worst happen, everyone can refer to the plan and take appropriate actions with minimum delay. The Annex to our general guidance on this subject sets out a draft IRP. We discuss this in more detail in the General Guidance itself (see paras 12 onwards).

Prevention

Prevention is always better than cure. Consider the following:

(a)  Be aware of what data you are holding and where and how it is stored;

(b)  Delete/remove to secure storage case files that are no longer current (the 5th Principle requires this anyway);

(c)   Ensure your data is stored and can be sent securely;

(d)  Take care of weak points in your computer systems e.g. portable storage "sticks" are easily lost;

(e)  If you think there are "holes" in chambers' security, inform your head of chambers or IT manager (many chambers will have internal IT policies);

(f)   Ensure that there is a chambers' plan for dealing with data security breaches.

Click here to read the IT Panel's document in full.

Written by members of the Bar Council's IT Panel.