4% - ICO

Data protection for law firms
Wednesday 13 July
12pm
Data Protection Act 1998
Privacy and Electronic Communications Regulations 2003
Freedom of Information Act 2000
Environmental Information Regulations 2004
What is “personal data”?
“…data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”
Registration
Legal requirement when processing electronically
Costs £35 per year
Virtually all law firms will need to register
ico.org.uk/for-organisations/register
Risks in the legal sector
In 2015/16, 4% of all data security incidents reported to the ICO related to solicitors and barristers. That’s 75 out of 1895. This was a slight decrease of 4% on the previous year.
The two main data security issues affecting the legal profession are:
• Loss and theft of paperwork (27% of incidents in 2015/16)
• Data being posted or faxed to the incorrect recipient (17% of incidents in 2015/16)
[Chart: Legal sector data security breaches by type in 2015/16. Categories: Loss or theft of paperwork; Data posted or faxed to incorrect recipient; Insecure webpage (including hacking); Data sent by email to incorrect recipient; Loss or theft of unencrypted device; Failure to redact data; Insecure disposal of paperwork; Information uploaded to webpage; Insecure disposal of hardware; Verbal disclosure]
Incidents by data type
The information held by legal professionals is often very sensitive; therefore the damage caused by data security incidents is often substantial and could meet the threshold for issuing a financial penalty.
[Chart: Incidents by data type. Categories: Basic personal identifiers; Health / Clinical data; Financial details; Criminal records / endorsements; Social care data; Employment details; Education records; Unknown]
These issues reflect the fact that information handled by legal professionals is often held in paper files rather than secured by encryption. Legal professionals will often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.
Steps you can take
• Encrypt electronic devices
• Adequate physical security
• Data minimisation
• Clear policies and procedures
• Appropriate training
• Effective access control
Data Protection self assessment toolkit
ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment-toolkit
Advisory Visits
ICO guidance
Keep in touch
Helpline: 0303 123 1113
Subscribe to our e-newsletter at www.ico.org.uk
or find us on…
@ICOnews