Snippets from our data protection webinar
At our recent data protection webinar, we were joined by Dr Janis Wong (Policy Advisor – Data and Technology Law, The Law Society), Maria McGann (Group Manager, Cross Economy Engagement Team) and Neil Ryan (Senior Policy Officer, Cross Economy Engagement Team), the latter two from the Information Commissioner’s Office (ICO), to discuss the risks and challenges law firms face in protecting data.
The fundamentals of data protection seem to have been overshadowed by the rise of artificial intelligence (AI).
As the legal profession increasingly relies on technology and AI for business operations, compliance with the spirit of the data protection principles sets a framework for good data protection practices.
Legislation around protecting data is constantly evolving. The Data (Use and Access) Bill[1], introduced in the House of Lords on 23 October 2024, seeks to modify certain data safeguards to stimulate the UK economy and enhance public services, particularly for the NHS and the police force, by improving data access and usage.
By far the two most frequently reported types of personal data breach reported to the ICO, not just within the legal sector but across all industries, are emails sent to incorrect recipients (often where the content contains sensitive data regarding children matters) and phishing emails, where individuals click on malicious links or attachments.
Article 34 of the General Data Protection Regulation[2] (GDPR) provides that you must report any breach that may pose a risk to an individual’s rights and freedoms. Reporting a breach to law enforcement, the Solicitors Regulation Authority or insurers does not absolve an organisation of its obligation to make a report to the ICO.
Each breach reported is considered by the ICO, who will take mitigating factors into account. If the ICO is satisfied that an organisation has dealt with a breach appropriately and has implemented measures to prevent similar incidents arising again, there should be no further action taken. However, every breach is different and will be assessed on a case-by-case basis.
To minimise the risk of personal data breaches, which are often caused by human error, ensure staff are sufficiently trained and able to identify suspicious emails, make sure that software and systems are kept up to date, send emails securely and, if applicable, consider disabling autofill settings to reduce the risk of emails being sent to incorrect recipients. Adopting a "four eyes" approach, where two people review sensitive information before it is sent, can further enhance data protection.
The current top three issues that the public enquires about, or complains to the ICO about, are:
Each subject access request (SAR) should be assessed on its own merits, even if you have received multiple requests and feel you have already provided the information being requested. All the personal data held on a client file that falls within the scope of the SAR should be provided.
Having appropriate procedures in place for managing data retention for all the data you hold will assist with handling SARs. The procedures should cover what data you hold, why it is being held, how long it should be retained for and the processes for managing this.
If a client requests access to all the personal data you hold on them, you must deal with the request even if it may take a long time to collate the information, unless the request is obviously disproportionate or involves excessive costs. You should ask the client to clarify the time periods over which they are requesting the data if it is not clear.
If you are considering redacting or withholding any information, you will need to refer to the legislation to see whether an applicable exemption applies. Exemptions such as legal professional privilege may apply; however, such exemptions cannot be relied upon in their entirety and will depend on the exact circumstances of each matter.
Best practice is to provide the requested information, because the right of access is the cornerstone of the fundamental rights under the legislation. It is really important that you get that right and are as helpful as you can.
Follow the ICO guidance on SARs and any exemptions that may apply. If a client makes a complaint and the ICO needs to ask you about it, having followed the guidance, being confident in your decision and having documented your decisions will be extremely helpful for the ICO when dealing with the complaint, as it evidences the decisions you have made and why.
It may seem on occasion that the SAR process is being abused by clients, or used in contemplation of a complaint or claim. The reasons behind a request for personal data should not matter, as clients are entitled to exercise their right to request access to their personal data. What you need to consider is that there will be a reason behind the request, and a very common one is that the individual is unhappy in some shape or form and may want that information to support a complaint, or at least to consider one.
Follow the guidance on the ICO and Law Society websites about how to deal with those types of request and consider whether they might be excessive or involve disproportionate effort, as it is appreciated that there will be occasions when people make unreasonable requests.
Requests for metadata also need to be considered. If the data has been deleted in the ordinary course of business or in accordance with retention guidelines, then it may not need to be considered. However, good record management comes into play here, as deleting data to prevent disclosure is a criminal offence under the Data Protection Act 2018[3].
With regard to data sharing, the core message is that data protection legislation is an enabler for data sharing. It is there to protect those who are vulnerable, including the safeguarding of children. It is important to remember that data protection facilitates data sharing rather than hindering it. The ICO's guidance clarifies this point and outlines how data sharing agreements can help law firms comply with the legislation and address contractual liability.
If you are transferring data to a third country that is not covered by UK adequacy regulations, then you must have an appropriate safeguard in place (for example, data protection clauses such as the ICO’s International Data Transfer Agreement) after having undertaken a Transfer Risk Assessment.
If you are transferring data within the same corporate group, you can rely on Binding Corporate Rules (BCRs). The UK BCR addendum (introduced in December 2023[4]) can be added to existing EU BCRs before the documentation is submitted to the ICO for prompt approval. This process is simple and relatively straightforward, and there is useful guidance about international transfers available on the ICO website.
In closing, the key to effective data protection is to implement robust risk management and training measures, including corporate governance structures and policies, controls and procedures that are regularly reviewed to test that they are current and effective. Cultivating a risk-aware culture, particularly around protecting data, will minimise exposure to complaints and data breaches, particularly those reported to the ICO.
The ICO and the Law Society offer a range of practical advice and guidance on managing data protection risk: