The loss of data whether it is through hacking, leaving briefcases, unencrypted laptops or USB sticks on the train (which even MI5 and MI6 can do) ? can have huge ramifications. Outcome (7.5) requires all law firms to comply with data protection legislation. Firms should register with the Information Commissioner, have in place a data protection policy and regularly update all members of staff in connection with good practice on the security of personal information.
[col1]A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data about individuals involved in eight court cases that she had been working on. The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. The breach was only reported to the ICO on 30th August 2011 when the last case relating to information held on the laptop was concluded.
Although in this case the Information Commissioner’s Office was unable to serve a financial penalty as it took place before 6th April 2010, it should act as a warning to all legal practitioners that failure to protect personal information is not just about a potential penalty of up to ?500,000 ? it could affect their careers too. If personal data is not properly safeguarded, it can seriously jeopardise the important work the firm carries out, damage its reputation and prosperity and compromise the safety of individuals.
Firms should also be in a position to respond to any breach of security swiftly and effectively. All breaches have to be reported to the Information Commissioner’s Office as soon as possible.
Since gaining new powers in 2010, the Information Commissioner’s Office has already levied penalties of hundreds of thousands of pounds for breaches of data protection laws. And law firms are not immune.
There have been numerous cases concerning lost memory sticks and back-up tapes that were unencrypted. Data controllers must ensure that there are appropriate policies in place to protect any personal information both inside (including clients and/or third parties being able to identify clients from file labels) and outside the office and that relevant staff are fully trained on how to follow them.
To comply with Principle 7 of the Data Protection Act, firms need to have adequate physical and technical security, backed up by robust policies and procedures to prevent the personal data they hold being accidentally or deliberately compromised.
Staff should be aware of what they can and cannot do with the personal information they handle and what they can and cannot say in relation to sensitive client information in public. There is also the danger of someone trying to trick staff into disclosing information or changing an address. All staff who handle personal information need to know that it is a criminal offence to give out personal information without the data subject’s consent.