Information Commissioner warns lawyers of data breaches

The Information Commissioner's Office (ICO) is warning barristers and solicitors to keep personal information secure following a number of reported data breaches.

Fifteen incidents involving members of the legal profession have been reported to the ICO in the past three months. The sensitive information handled by barristers and solicitors means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty.

Information Commissioner, Christopher Graham, said: "The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling."

Graham continued: "It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach."

The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

Barristers and solicitors are generally classed as data controllers and are therefore legally responsible for the personal information they process.

"We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right," said Graham.

Best practice

The ICO has published its top tips to help barristers and solicitors keep the personal information they handle secure.

• Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.

• Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.

• Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.

• When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.

• Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.

• If you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.

The ICO is currently working with The Bar Council to update the Information Security Guidance provided to Barristers in England and Wales.

Jacqueline Reid, chair of the Bar Council's Information Technology Panel told SJ: "The Bar Council has published guidelines on Information Security for a number of years directly to the profession, on its website and promoted good practice through articles in Counsel magazine. The Bar Council keeps those guidelines under regular review to take account of technical and practical developments. Currently, the Bar Council is revising its guidelines to take account of such developments and is working with the ICO in that respect."

Tweet your comments about this interview @SJ_Weekly