Warning for law firm employees who move with client records
Law firm partners and employees who “jump ship” and remove client papers without permission could end up with a criminal record, in addition to contractual sanctions, a committee of the Law Society of Scotland has warned.
The Society’s Technology Subcommittee has highlighted the recent case of James Pickles, formerly a paralegal with Jordan’s Solicitors in Dewsbury, Yorkshire. Mr Pickles was prosecuted for illegally taking from his employers the sensitive personal information of over 100 people before leaving for a rival firm. Contained in six emails Mr Pickles sent in the weeks before he left his firm, the information included workload lists, file notes and template documents but also contained sensitive personal data relating to individuals involved in ongoing legal proceedings.
Mr Pickles was prosecuted under section 55 of the Data Protection Act 1998 and at Bradford and Keighley Magistrates Court on 9 September he was fined £300, and ordered to pay a £30 victim surcharge along with £438.63 prosecution costs.
Paul Motion, convener of the Technology Subcommittee, commented: ”There is renewed activity in the legal employment market place and of course mergers of firms happen on a regular basis. Data protection considerations ought to be uppermost in the minds of all those involved.
"Members of the profession considering a move need to realise that individual personal data is legally protected and it can’t be processed unless there is a proper legal basis for doing so, with an especially high threshold in relation to ‘sensitive’ personal date. Normally this will entail obtaining the previous employer’s consent in advance or obtaining the consent of individual clients. Simply taking files or secretly copying data, or even getting someone else to copy files for you, without your former employer’s knowledge is very risky.”
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the 1998 Act. On summary conviction there is a potential fine of £5,000 and if prosecuted on indictment the fine is unlimited. A conviction could also put a solicitor's practising certificate at risk.
Mr Motion, a partner in bto solicitors, added that law firms themselves were "not entirely immune from risk", even where they were the victim of unauthorised data removal and report the matter to the ICO.
"All data controllers including law firms are required to take appropriate technical and security measures to prevent the loss and unauthorised processing of personal data", he said. "The Information Commissioner may scrutinise this aspect as part of an investigation into data theft by a former partner or employee. The maximum fine for not having proper security in place is £500,000. Members of the profession will need to be able to show the ICO that they had suitable policies and technical measures in place, in order to ensure that the ICO’s attention remains focused where it ought to be – on the person who unlawfully removed the data.”