Adkirk Law

GDPR Policy

General Data Protection Regulation – applies from the 25th May 2018

General policy of General Data Protection Regulations

“…Under the GDPR a consumer has the right to work with us and then be forgotten, never to be hassled again where there is no legitimate reason to process their information…”

Potential consequences for breach of the General Data Protection Regulation 2016

  • A fine of 20 million euros or 4% of turnover
  • SRA investigation for unprofessional conduct
  • Criminal sanctions are available personally where employees, wilfully or negligently, are responsible for data breaches.
  • Suspension/withdrawal of the right to process personal data by the ICO
  • Loss of confidence in the integrity of the business’s systems and procedures
  • Irreparable damage to the business’s reputation

Golden Rules

  • Treat personal data with respect.
  • Keep it secure
  • Beware of Subject Access Request (SAR)
  • Check if you are not sure

Information Currently Held

  • We should document what personal data we hold, where it came from, and who we share it with
  • With regard to a legal file there is a distinction between personal data and the client’s file data. However, as we have professional obligations to store data for at least 6 years after a matter has been completed, e.g. for insurance purposes, it will also be necessary to retain the personal data.
  • The distinction is to limit who the personal data can be accessed by. If a file is archived then the “file” will not be on public view and ordinarily cannot be accessed by everybody in the firm. A file should be archived as soon as it has been concluded, the bill has been paid, the accounts ledger is zero, and any monies due to the client have been returned. This reduces the risk of any data breaches occurring.
  • We may need an information audit across the firm which is not limited to personal data on clients, employees, and third parties you interact with in the course of the business. This will provide an assessment of whether we are following good data protection practice. The ICO can be requested to conduct an audit and there is no charge.
  • We should review our current Privacy Notice on a regular basis to ensure that it remains up to date and accurately reflects how we use a client’s personal data. Updates can be placed on the website.
  • We have to notify clients/employees of our storage and data retention policies and time frames, and that individuals have a right to complain to the ICO if they think that there is a problem with the way we are holding their data.

When Does Data Protection Law Apply?

It applies when a business is processing personal information relating to an identified or identifiable living individual.

Consents

  • There must be a clear affirmative act by the client indicating their acceptance of the proposed processing of their personal data. This is set out in the Privacy Notice which will be sent with the Client Care Letter. Declaration A signed by the client will confirm receipt of the Privacy Notice.
  • Specific opt-in consents should be obtained from clients for using their data for marketing purposes. You can send clients legal bulletin information provided that you give them the option to opt out.
  • Once consents have been received they should be registered in the Client Data Register.

Personal Data can include:

The GDPR also introduces a new category of personal data, “Biometric Data”, which is any personal data relating to the physical, psychological or behavioural characteristics of an individual which allows their unique identification.

It includes:

Name
Address
Bank Account details
Credit card details
Date of birth
Email address*
Correspondence from the client containing personal data
Medical records
Client notes
Digital recordings
Documents
IP Address
CCTV information
Criminal Record
Other info e.g. Supports Brexit

*We are not authorised to disclose a client’s email address to a third party without their consent. Many email addresses do not reveal an identity to a third party, e.g. abc@google.com. However, if an individual is identifiable from the email address, e.g. martin.jones@companyltd.com, then displaying it to third parties reveals that they have had dealings with this firm in the past. For some organisations (e.g. political parties, or organisations that deal with specifically sensitive issues) this may be a serious breach of privacy. The individuals can complain to the Information Commissioner, who has power to issue enforcement notices, or they may seek compensation under s13 of the Data Protection Act 2018 for any contravention which causes them damage.

A staff member of a company sent a blind carbon copy (“bcc”) email to 90 participants. The staff member then erroneously sent a correction by entering the participants’ email addresses into the “to” field instead of the “bcc” field. As a result the recipients of the email could see the email addresses of all the other recipients – a security breach. Many of the email addresses contained the full names of the participants. The company was reported to the ICO as the identity of the participants had been disclosed to third parties without consent. The company was fined £200,000 as details of possible victims of non-recent child sexual abuse were distributed.

How Can Data Be Processed?

Storing on laptops/PCs/iPads
Paper in a filing system
Information intended to be recorded in a filing system
USB memory sticks
DVD-RW drives
CD and DVD disks
Media player hard drives
Portable external hard drives

Methods of processing personal data

Marketing database
Employee records
Handwritten notes on a job application, if put on a file
Information received from a client
Jottings in your notebook are not processing unless you intend to put them into a filing system
Outlook contacts
Information on your mobile phone, if in connection with work
Information displayed on a white board which can be viewed by third parties
Files in view around the office which have the names of clients on the outside front cover

The moral is: “Any information stored about anyone is covered by data protection law.”

What if I am given a business card? What information can I process?

There is implicit consent to add the information in the card to Outlook.

You should include a note to record the fact that the information was provided from a business card that was given to you.

However, you cannot include information which you were also told verbally, e.g. that they support Manchester United and have 3 daughters, unless you have specific consent or it is necessary for work.

Can you put names, job titles and contact details of a client on your firm’s marketing database?

This is not allowed unless you have specific opt-in consent.

In 2017 Morrisons Supermarket deliberately sent 130,000 emails to customers who had previously opted out of receiving marketing relating to their Morrisons More Card. They were fined £10,500

Can you send client legal bulletin information?

  • Yes, as long as you give them the option to opt out

What data can you process lawfully?

Where express consent has been given, or it is necessary for:

  • Performance of a contract to which the data subject is a party
  • Compliance with a legal obligation to which the controller is subject
  • To protect the vital interests of the data subject or someone else
  • Performance of a task carried out in the public interest or in the exercise of official authority
  • “Legitimate interests pursued by the controller or a third party”, except where such interests are overridden by the interests of the data subject

If personal data is recorded in Outlook and it changes what should you do?

  • The information should be updated
  • You should correct any errors

Sensitive personal data which cannot be processed without specific consent*

*Unless in connection with employment, social security, occupational health assessment or in connection with legal action.

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union memberships
  • Genetic and biometric data
  • Health, sex life or sexual orientation

What can you use information about a client (including date of birth, salary and contact details) for in the course of a matter?

  • Conflict checks
  • Relevant information for Counsel
  • To send relevant information to the lawyers for the other party
  • However, you should only use/review information about a client for whom you are acting, and not search the office database to look at other files of that client or any other client unless you are authorised to do so. This can constitute an offence under the GDPR regulations.

What information can an employer reveal by way of disclosure that is necessary for example an employment dispute?

  • You can reveal sensitive personal data only if it is necessary for the litigation
  • You cannot send complete HR records unless they are “truly necessary”
  • Information which is irrelevant to the litigation must be redacted and/or anonymised (in a way that ensures the individuals clearly cannot be recognised)
  • You must make sure that the information is not given to somebody who might not keep the information confidential e.g. countries outside Europe.

You read in the press that a business has a certain problem. Can you call them to suggest that you can help resolve it?

  • No. If the business is a sole trader or traditional partnership you must have prior consent to call, fax, text or email them under PECR, as such businesses are classed as individuals. Contacting individuals on a company or LLP email address is permitted, provided the recipient has not already asked you not to contact them. Always check the suppression list.

You read in the press that an individual has a legal problem. Can you call them to suggest that you can help resolve it?

  • No
  • Outcome 8(3) of the SRA Code provides that:

“you do not make unsolicited approaches in person or by telephone to members of the public in order to publicise your firm or in-house practice or another business;”

Data Minimisation

Data held about an individual must:

  • Only be relevant and not excessive
  • Must not be held longer than necessary
  • Must be deleted when you no longer have sufficient interest in keeping it, e.g. CVs if the job is not offered
  • A person has a right to be forgotten unless there is a legal obligation, contractual obligation or legitimate interest, in which case the data would be retained but no further processing would take place.

Security of Data

A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. It also includes data becoming unavailable, for example when it has been encrypted by ransomware, or accidentally lost or destroyed, e.g. where data for a client matter is stored on a desktop PC, its hard drive becomes corrupted and, because the data had not been backed up, it cannot be restored when the hard drive is replaced.

It includes but is not limited to:

(1) Hacking by a cyber attack
(2) Loss or theft of devices or equipment on which personal data is stored
(3) Deceit
(4) Disasters at business premises e.g. fire or flood

Scenario – off to a meeting

  • It is better to take a laptop which is password protected and encrypted instead of a paper file. If you are leaving a laptop/pc on a desk it should be locked by using the Ctrl-Alt-Delete function.

Any documents on the desktop (for example where there is no internet access, such as on a train) should be password protected. All documents should be stored with IT Farm so that they are not on the computer desktop, and have to be accessed via IT Farm over an internet connection by entering a username and password. We may introduce a second level of security whereby a password is sent to an individual’s mobile which then has to be used to access the IT Farm website.

Scenario – On a train and want a cup of tea

  • Do not leave a laptop at a table – take it with you

Scenario – Talking by mobile on a train

  • Take the call and explain that you are in a public place and avoid referring to anything confidential

Scenario – Using a Laptop on a train

  • Consider using a privacy screen

Scenario – Laptop taken home

  • Do not leave in boot of car
  • Do not leave it open where other members of your family can access it
  • You should put it somewhere secure and make sure that it is locked
  • Make sure home Wi-Fi is secure
  • When using Public Wi-Fi make sure it is secure

Scenario – Files on Reception / In meeting rooms

  • Do not leave files on reception so that they can be viewed by third parties
  • Do not leave client’s files in meeting rooms which can be viewed by other clients
  • Do not leave files visible in bags so third parties can see the identity of clients you act for
  • Do not leave any files which contain the client details on the file which can be seen by third parties
  • Do not use any whiteboards which can be seen by third parties containing client data

Scenario – Accidentally sending confidential documents to a client

  • Be extremely careful to ensure that no documents of other clients are accidentally posted or emailed to a client
  • Do not send emails to the incorrect client. You can use the option in Outlook to delay sending an email so that any immediate errors can be corrected.

Encryption

  • Make sure all data is encrypted
  • Secure all devices including printers

Use of Mobiles – Security of Data

  • We need to protect our firm from mobile hackers, as they would be able to access personal data of clients, which may include their name, address, email address, etc., together with personal information contained in emails. The Outlook software on mobiles often contains a mirror image of the information held on the office laptop/in the cloud software.
  • We need to ensure that any mobiles used for business can be remotely wiped, locked, and if possible, located in the event that they are lost, or reported missing.
  • We are considering whether certain apps on mobiles should be blacklisted

ICO Advice for Lawyers:

  • Reduce use of paper files
  • Keep paper records secure
  • Only carry information that is essential
  • Store personal information in digital form
  • When emailing sensitive information, double check email address.
  • Do not leave in a car
  • Make sure a laptop is always kept secure
  • In an office do not leave papers on a desk overnight, or a laptop on a desk without password protection, where they can be read e.g. by the office cleaner
  • Do not let any third parties/temporary staff/work experience near your desk to be able to read documents
  • Make sure any memory stick/portable hard drive is encrypted/password protected

Password Protection

  • Use a password that cannot be easily guessed
  • Use different passwords for different things
  • Change them regularly
  • Do not disclose it to anyone else
  • The password “Igpli1999” [I’m going to party like it’s 1999] could take 8 months to crack
  • Do not write it down or save it electronically anywhere
  • If you are away from your PC, you should lock it by using the Ctrl-Alt-Delete function

Do not talk to somebody about a confidential matter until you are sure they are who they claim to be

  • You might decide to terminate an incoming call, and then call them directly at their office number
  • If you get a call from someone claiming to be a colleague in another office asking for information on a matter check the staff list and email them or call them on a listed number

Stolen Data

  • If you are offered information from a client that might have been stolen, the client might have committed offences.
  • You might have to seek an order from the court as to whether they can be allowed in evidence or returned
  • You could be committing data protection offences
  • You could be liable in tort
  • You might have to withdraw from the case

What if there is a breach of Security?

  • You must immediately notify the Data Protection Officer (“DPO”) – Linda Kirk
  • The DPO will then notify the ICO within 72 hours if there has been a breach of security which is likely to result in a risk to the rights and freedoms of individuals (e.g. discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage) and/or obtain appropriate advice on how to deal with the breach. Simply sending an email to an incorrect address where the content is not highly detrimental to a client does not require notification to the ICO.

If there has been any breach of security, notify the DPO, who will then decide on a course of action: notifying the ICO, or, for example, simply requesting that a third party delete the information, in which case confirmation that this has been done will be sufficient.

  • It may also be necessary to notify clients if the information disclosed will result in a high risk to the rights and freedoms of individuals – The DPO will make that decision
  • It may be necessary to notify insurers
  • The duty to report any actual or suspected data protection breach applies to everybody working for the firm. Failure to do so can result in disciplinary action. The DPO must be notified immediately.
  • A central register of any data protection breaches will be maintained

Subject Access Request

  • Anyone can ask the firm for:
    • (a) Confirmation as to whether or not personal data concerning them is being processed
    • (b) Where that is the case, access to the personal data. The data provided must be in a format that allows for easy use with another controller. It will usually be a simple one-page summary of the personal information held. There are no obligations as to the format in which a general file is to be provided to a client or requesting third party, e.g. another law firm.
    • Requests can be made verbally and do not have to be in writing or refer to the DPA, GDPR or a subject access request.
    • (1) A copy of the information held about them only, and not about third parties without the third party’s consent. This does not include the entire file.
    • (2) We also have to justify why we are holding it, who we have shared it with, and how long we plan to keep it, e.g. it may still be necessary to keep information about a spent criminal conviction for insurance purposes.
    • (3) We can refuse or charge for requests that are manifestly unfounded or excessive
    • (4) If a request is refused, the individual will be informed by the DPO why, and that they have the right to complain to the ICO and to consider a judicial remedy. The Privacy Notice sent with the client care letter provides details of the complaints procedure.
  • Be very careful what you email, or make notes about an employee, job applicant, barrister, expert etc…
  • Be careful what you put in an appraisal report for someone who you have supervised

Confidential job references

  • People cannot make you give them a copy of a confidential reference
  • However, they may get them from the recipient
  • It is better to discuss matters by telephone, or refuse to give a reference

The right to be forgotten

The right to be forgotten is also known as Data Erasure. It entitles an employee or client to have their personal data erased, to prevent further dissemination of the data, and potentially to have third parties cease processing the data.

For example, it may be requested by a leaving employee to delete all personal data. However, the right is not absolute and:

  • If a member of staff leaves us, we may still need to keep records for Tax and NI purposes
  • In case a Tribunal Claim is brought against us we may be able to keep the records for a period of time

The 6 Data Protection Principles

1 Processed lawfully, fairly and in a transparent manner
2 Collected for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4 Accurate and, where necessary, kept up to date
5 Kept no longer than necessary
6 Appropriate security including protection against unauthorized, or unlawful processing and accidental loss, destruction or damage
7 Accountability for documenting policies, measures and controls, process procedures to demonstrate we are compliant.

Rights under GDPR

1 The right to be informed
2 The right of access
3 The right to rectification
4 The right to erasure
5 The right to restrict processing
6 The right to data portability
7 The right to object
8 Rights in relation to automated decision making and profiling

Vicarious liability for data breaches

In October 2018 the Court of Appeal decided that Morrisons were vicariously liable for the malicious criminal conduct of its IT Auditor, who deliberately accessed Morrisons’ database and posted online the personal data of 100,000 employees: names, addresses, gender, date of birth, phone numbers (home and mobile), national insurance numbers, bank sort codes and account numbers, and salary details. Morrisons now have to pay compensation to the employees. The case will now be taken to the Supreme Court.

Summary

1 A client’s identity, and personal data must be kept confidential
2 Electronic data must be kept confidential by the use of passwords for laptops, PCs, iPads, etc. and mobiles, together with encryption where possible
3 Whilst cloud storage such as IT Farm is encrypted when used on a public network, ideally you should connect via your own 4G / 5G connection rather than a public network, e.g. Starbucks. It is still possible for a third party to “set up” their own network in a coffee bar by creating a false network with a name similar to the genuine one, e.g. “starbucksnetwork”, that you may log on to with no password required. Always check the identity of the network with the host and ask whether a password is required. Hackers can eavesdrop on, intercept and alter traffic between two devices.
4 Linda Kirk is the Data Protection Officer – Any data breach must be reported to the DPO immediately
5 If you have any client data on your mobile and you are unable to locate your phone, you must inform the Data Protection Officer immediately so that it can be deactivated remotely. Any online accounts accessed through the device must have their passwords changed immediately, e.g. IT Farm, Ochresoft, etc.
6 Never allow applications or files to be installed from unknown sources, particularly on smartphones/tablets
