Although lawyers are excellent at providing compliance advice to their clients, they can be slow to implement data protection procedures in their own firms. Peter Carey considers the most common areas of non-compliance for law firms.


The Law Society's forthcoming Data Protection Handbook contains a chapter on law firm compliance by Cinzia Biondi of Birmingham firm Wragge & Co. In it, she suggests that 'perhaps it is because law firms and solicitors are so heavily regulated in any event that there is a perceived attitude of "we are probably complying anyway"'. She goes on to say that 'there are certain peculiarities about the way law firms are set up and the way in which legal services are delivered that can make data protection compliance quite complicated'.



Law firms must comply with the personal data processing requirements in the Data Protection Act 1998 (DPA), which was passed to implement the provisions of the European Data Protection Directive (95/46/EC).


In conducting data protection compliance reviews for law firms, I have discovered that the following areas often merit close examination:


- Client information: It is clear that a law firm must comply with the usual data protection requirements in respect of client data - examples include using data only for the purposes for which those data are acquired (second data protection principle), ensuring the security of data (seventh data protection principle) and destroying obsolete data (fifth data protection principle).


The 'fair processing' obligations, in schedule 1, part II of the DPA, additionally require that certain information must be supplied at the point of data collection, or as soon as practicable thereafter - the identity of the business, the purposes for processing and 'any other information to enable the processing to be fair'.


The purposes for which a law firm collects client data include performing money laundering checks, the provision of legal advice and the marketing of its own legal services. Recently, a European diktat has indicated that a necessary part of the 'fair collection' notice is informing the individuals on whom businesses collect personal data that they can access those data at will (section 7 of the DPA allows this right of 'subject access').


Given that the 'fair collection' information should ideally be provided in permanent form, law firms may consider that the most logical place to provide the information is in their standard rule 15 letter.



- Outsourcing: Certain requirements arise out of the relationship that exists between the law firm and the organisations to which it outsources aspects of personal data processing - examples include payroll companies (staff data), Web site hosts (electronic data collection), and confidential waste management agents (client and staff data). Significantly, unlike the law firm itself, a third-party data processor does not fall within the class of persons that are regulated by the DPA.


The DPA renders outsourcing arrangements unlawful unless certain formalities are present. First, the contract between the law firm and the outsourcing company must be in writing; second, the contract must contain certain minimum obligations on the outsourcee, namely an obligation to process personal data only on the instructions of the law firm and to take security measures equivalent to those imposed on the law firm under the seventh data protection principle (see below).


New contracts with data processors should contain, at the very least, these minimum requirements. Older contracts should be amended to incorporate the required provisions.



- Direct marketing by e-mail: The law on e-mail marketing changed on 11 December 2003. By virtue of the Privacy & Electronic Communications (EC Directive) Regulations 2003, it is now, subject to one exception, unlawful to send marketing e-mails without having obtained prior opt-in consent from the intended recipient.



The exception, where it is still possible to send marketing e-mails with opt-out consent, applies where the law firm obtained the electronic contact details directly from the intended recipient in the context of the sale of a product or service, it uses the details to market similar products and services, and it gives an opt-out (or unsubscribe) facility in each and every electronic marketing communication.



Law firms should be aware that the mere sending of 'e-mail updates' to clients and prospective clients constitutes 'direct marketing' and is subject to the new restrictions. Law firms may consider that the most logical place to obtain consent for marketing is in the rule 15 letter.


- Security: The seventh data protection principle in the DPA requires UK businesses to take 'appropriate technical and organisational measures' to ensure the security of the personal data they process.


A survey conducted by a private detective agency in late 2002 showed that law firms are generally 'very poor' at implementing appropriate data security procedures.


Common breaches of the seventh principle include leaving files on desks after hours, leaving computers on standby, failing to employ adequate backup procedures and discarding non-shredded paper waste through traditional waste collection procedures.



- Notification: It is a legal requirement of all businesses in the UK to register (or notify) with the UK data protection regulator - this can be done on-line at www.dataprotection.gov.uk. Although there are some limited exemptions from the registration requirement, law firms are unable to benefit from them.



When registering, law firms must state the purposes for which they process personal data (there are 33 to choose from, one of which is 'processing for the purpose of providing legal services') and must indicate whether they transfer data outside the European Economic Area. Using personal data in any business in a manner which is incompatible with the register entry is a criminal offence.



Peter Carey is a consultant and head of the data protection team at City firm Charles Russell and author of Data Protection Handbook, to be published by Law Society Publishing in July. It can be ordered direct from Marston Book Services, tel: 01235 465 656