Data protection crackdown: do you comply?
On 12 August this year the Information Commissioner’s Office announced a crackdown on solicitors and other professionals who fail to comply with the Data Protection Act 1998. How will you fare when the Information Commissioner comes knocking?
Many of us have been asked questions about the Act in the context of advising a client. But what would you say if your client asked you what measures you or your firm has taken to comply with the Act? Would you be able to say with confidence that you have a notification or a data protection policy in place? The findings of the Information Commissioner’s survey in August this year indicate that many solicitors would not – UK-wide, as many as 3,000 law firms have failed to notify.
Despite the solicitor’s duty of confidentiality to clients, the fact remains that solicitors are in no way exempt from the requirements of the Act or from the consequences of failure to comply. If a solicitor is not compliant with the Act, the consequences range from embarrassment when a client asks what you do to comply with data protection regulations, through investigation by the Information Commissioner and fines, to imprisonment at worst.
The sensitive nature of the work carried out by many solicitors means that compared to other professionals there is arguably greater reason for solicitors to take care when dealing with personal data. In turn this also means that the consequences of failure to comply could be more severe.
This article is intended to offer practical advice to assist solicitors in complying with the Act.
You, the controller
Before looking at the steps necessary to comply, it is worth clarifying some of the terminology. The Act applies to “personal data”, which is any data from which a living individual can be identified. A common misconception is that there needs to be an element of secrecy or confidentiality before information becomes personal data. This is not the case: even a single phone number or email address is personal data if an individual can be identified from it. Another point to note is that the primary obligations in the Act apply to the “data controller”, who is the person that determines the manner and purpose for which the personal data is used. You are therefore a data controller if you have discretion as to how personal data is used and are not acting on the instructions of a third party. All solicitors will be acting as data controllers when taking instructions directly from clients.
What do data controllers need to do to comply with the Act? The three golden rules of data protection are: Notify, Comply and Ratify.
Step 1: Notify
The purpose of notification is to allow the Information Commissioner to maintain a register of data controllers accessible to the public. A notification should contain the following information:
- the name and address of the data controller;
- the type of personal data being processed and who that personal data relates to;
- a description of the purposes of the data processing;
- who will receive the data; and
- if applicable, the territories outside the European Economic Area to which the data might be sent. (The Act contains a list of countries in the European Economic Area – it is worth having a look at this as it is not all European countries.)
The rationale behind notification is transparency – before making a disclosure of personal data to a data controller, members of the public should be able to consult this register to see what use will be made of their information by a particular data controller.
It is an offence to process personal data if you have not submitted a notification, subject to certain exceptions. These relate to the processing of personal data for the purposes of staff administration, advertising, marketing and public relations, and maintaining accounts and records. Whilst many businesses do fall into this category, the nature of a solicitor’s business is that personal data is processed for purposes other than the exempt purposes and so it is difficult to see any circumstances where a law firm would be exempt from notification.
You have fallen at the first hurdle if you haven’t notified. As the Information Commissioner keeps a list of notifications, this is the easiest way for him to check whether data protection is on your radar. Indeed, the Information Commissioner’s starting point in the “crackdown” against solicitors is to contact each of the firms that have failed to notify.
The number of solicitors who have not made notifications is all the more surprising given the ease of doing so. It costs a flat fee of £35 to make a notification (renewable annually). The notification form is easily accessible on the Information Commissioner’s website (www.dataprotection.gov.uk) and can either be completed online or printed off and returned.
However, as is outlined below, there is much more to compliance with data protection than simply submitting a notification, and notification will not protect you from the risks of failing to comply with other aspects of the Act.
Compliance: the eight principles
Compliance with the Act revolves around eight principles. In summary, these are:
- fair and lawful processing;
- processing only for specific purposes;
- keeping data adequate, relevant and not excessive for the purpose processed;
- keeping data accurate and up to date;
- not keeping data for longer than is necessary for its purpose;
- processing in accordance with the rights of data subjects;
- secure processing; and
- restrictions on transfers outside the European Economic Area.
Whilst it is not possible in this article to explore every angle of compliance with the Act, the list below aims to set out concisely some particular compliance considerations for solicitors:
1. Fair and lawful processing
Data should be processed only with the consent of the data subject, unless the processing is necessary for performance of a contract to which the data subject is a party (and other more particular exceptions). In most circumstances law firms should not need specific consent from clients given that a contract for services is being performed. However, as increasing numbers of law firms are now forming databases of clients and target clients for marketing purposes, the consent requirement should not be overlooked. A good place for obtaining the required consent is in the client letter of engagement.
2. Specific purposes
Client data should only be processed for the purpose specified, being the performance of services by the solicitor. This is also a matter of professional conduct and so in this respect data protection should not be an area of additional risk for most solicitors.
3. Adequate, relevant and not excessive for the purpose
This causes an interesting conundrum for solicitors, as often advice is sought and information given by a client before the nature of the problem is clear. We have all been in the situation where we think a problem is clear and the real problem turns out to be something out of left field. Therefore how can we be sure that the client information we keep is not excessive? Although the Commissioner has not given a specific answer on this point, I would suggest that the retention by solicitors of personal data not directly in point is usually not excessive, as the purpose of giving the data is to allow the solicitor to assess the extent and nature of the problem. Having said that, where client information is clearly never going to be relevant, it should not be retained.
4. Accurate and up to date
The nature of a solicitor’s work requires accurate and up to date information when it is in use. However, contact details can quickly become out of date. This can be embarrassing: for example, reminders or marketing communications may be sent to former clients at an old address. It is therefore good practice to update client contact details on a regular basis to ensure that confidential correspondence is not sent to an old address.
5. Not keeping longer than necessary
Prescriptive time periods normally determine the length of time for which solicitors maintain files. Audit procedures should be in place to ensure that files are not maintained for longer than the relevant prescriptive periods.
6. Rights of data subjects
The rights of data subjects include the right to make access requests to data held. It is important to note that this extends not only to information held on files but also any information held within the firm relating to that client.
7. Security measures
This is an area where many businesses inadvertently fall foul of the Act. Again, confidentiality dictates that solicitors must keep files secure. However, this requirement extends to ensuring that any third parties responsible for processing data on your behalf are contractually bound by security requirements. This means that third parties, ranging from IT maintenance providers to file archiving and destruction contractors to local agents, should give contractual undertakings in relation to security before being given access to personal data.
8. No transfers outside EEA
There are restrictions on passing personal data outside the European Economic Area. This issue may arise when instructing overseas agents. If circumstances arise where overseas agents may be instructed, the specific consent of your client should be obtained before passing any personal data and the rules on transfers examined in more detail.
The above considerations are a good starting point for assessing compliance with the Data Protection Act. You should also be aware of the various regulations and guidelines derived from the Act relating to areas such as employee data and electronic marketing. The Information Commissioner’s website is an excellent source of information and provides updates on the latest regulations.
Once you have evaluated your compliance, the final step is ratification.
Ratify: policing compliance
A very common mistake is failure to ratify compliance arrangements internally within a firm. This can mean that even the best-thought-out policies can be sidelined and ignored by staff. It is important to encourage a compliance culture within a firm, whatever the size – a good way of doing this is to allocate particular responsibilities to a variety of staff. An effective way of reinforcing the message is to develop and distribute a data protection policy document setting out the most important compliance points and then periodically review compliance. A data protection policy is also a good way to demonstrate compliance to reassure clients.
Going forward
Whilst data protection compliance may seem intimidating, much of it is common sense. Generally the Information Commissioner encourages an interactive approach and is likely to take less severe action where a firm has a notification and a data protection policy in place, as this demonstrates intent to comply.
Helena Brown is a solicitor in the Intellectual Property and Commercial Department at McGrigors