Law firms as data controllers
Law firms are data controllers in relation to the personal data they hold for their employees and clients, including information about any individuals involved in the client matter. This guide will deal mainly with the relationship that law firms have with their clients, who are data subjects.
The data controller can be an individual (for example, a sole practitioner or an advocate) but is generally a corporate entity such as the partnership or LLP. All data controllers are required to register with the Information Commissioner’s Office (ICO) and all data controllers are required to pay an annual Data Protection Fee.
The level of fee will depend on which tier your organisation fits into:
- Tier 1 – micro organisations – identified as having a maximum turnover of £632,000 for the financial year or no more than 10 members of staff – the fee is £40 (or £35 if you pay by direct debit).
- Tier 2 – small and medium organisations – identified as having a maximum turnover of £36 million for the financial year or no more than 250 members of staff – the fee is £60 (£55 if you pay by direct debit).
- Tier 3 – large organisations – if your organisation does not fall into the above categories then the fee is £2,900 (£2,895 if you pay by direct debit).
Failing to pay the fee, or paying the fee for the wrong tier, could result in the ICO taking enforcement action, including imposing an administrative fine of up to £4,350.
If you have a data protection officer (DPO) you must also tell the ICO the name of that person.
Data Controller (Art 4(7))
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data.
Data Subject (Art 4(1))
An identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processor (Art 4(8))
A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Employees of a law firm process personal data on behalf of the data controller but are not, as individuals, data controllers or data processors.
Processing data covers the gathering, storing, accessing, sharing and deleting of personal data. It is a very broad term.
Processing (Art 4(2))
Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
What counts as personal data?
Personal data is information stored digitally or in an organised paper file from which an individual can be identified or is identifiable. It includes information that relates to an identifiable individual and is used to inform a decision you might take about that individual. It can include:
- Name
- Contact details
- Biographical information
- Photographic images
- CCTV footage
- Passport number and copies of passport
- Personal bank account details
- Meeting notes where personal matters are discussed
Personal data (Art 4(1))
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Information about clients which are corporate entities is not regulated by the GDPR, although information about their employees is.
Special category data
There is a sub-category of personal data called special category data (previously known as sensitive personal data) which includes the following:
- Data revealing racial or ethnic origin
- Data revealing political opinions
- Data revealing religious or philosophical beliefs
- Data revealing trade union membership
- Genetic data, and biometric data processed for the purpose of uniquely identifying a natural person
- Data concerning health, including physical or mental health of an individual and the provision of health services
- Data concerning a natural person's sex life or sexual orientation
Criminal conviction and offence data is dealt with separately under the UK GDPR. It includes data about the alleged commission of offences and about proceedings for an offence, including their disposal and any sentence. The provisions and restrictions are essentially the same as for special category data but are mainly found in the Data Protection Act 2018. In this guide, references to special category data include criminal conviction and offence data.
Case study
Our high street law firm has taken steps to pay a fee to the ICO. As a data controller, the firm is aware of the types of personal data that it is processing. It is also aware that it holds some special category data. It has 12 staff and a turnover of £1 million and so it pays a £60 fee.