- Site Tools
- Print page
- Email page
- Page alert
Data Protection Act - Is Your Chambers Complying? IT Panel Article 2005
This advice is intended to alert Chambers to the need to be registered under the Data Protection Act and to give basic guidance as to the requirements. It should not be taken as definitive advice applicable to every circumstance and Chambers are strongly urged to seek expert advice in areas of doubt.
notIficatIon
It is not only individual members of chambers who use a computer in their practice (or have agents or employees who use one on their behalf e.g. Chambers support staff) who have an obligation to notify (register) as a data controller with the Information Commissioner. The Head of Chambers is responsible for ensuring that Chambers has notified that it is a data controller.
How this is done depends on how your Chambers administration is structured and managed. The notification should be made in the correct legal title by which Chambers is known. If your Chambers is operated as a limited company then that company should notify. If the Chambers operates as an unincorporated association, then the Head of Chambers can notify in the name of the unincorporated association, in the name by which Chambers is known to the public, e.g. Chambers of Charles Brown or in their own name, with an indication that the notification is in respect of their position as Head of Chambers.
There are exemptions from notification for "not for profit organisations" and/or where very limited processing occurs in core business purposes only i.e. staff administration, advertising and accounts and records. If Chambers are likely to undertake processing which exceeds the limitations of these exempt purposes, they should notify. If Chambers are uncertain as to their position they can seek guidance from the Registration/Notification Helpline of the Information Commissioner's office on telephone: 01625 545 740 or by email: data@notification.demon.co.uk (note that this is not a secure form of communication).
Even if exempt from notification Chambers can still decide to notify voluntarily. In such cases the following statement will appear on the Register entry:
"This data controller also processes personal data which is exempt from notification"
Given the duties and activities associated with the role of Head of Chambers, this may also involve an expansion of the reported processing beyond the "standard" entry for barristers. Care should be taken to ensure that the Head of Chambers' notification reflects such additional processing by the inclusion of relevant additional purposes, data subjects, data classes, recipients and transfers.
Failure to notify is a strict Liability Offence
In a recent prosecution, a solicitor was fined £3,150 and ordered to pay costs for failing to notify.
However, even if exempt from notification this does not mean that the data are exempt from the remaining provisions of the Act. The Head of Chambers is also responsible for ensuring that Chambers' data processing complies with the Data Protection legislation. Individual members of Chambers are, of course, responsible for their own data processing.
It is not possible in this short article to give comprehensive guidance on the steps necessary for compliance.
However, Chambers should be aware of the Data Protection Principles. In summary these require that data must be:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. not kept longer than necessary
6. processed in accordance with the individual's rights
7. secure
8. not transferred to countries outside European Economic areaunless that country has adequate protection for the individual.
Each of the Data Protection Principles must be complied with. Even the briefest consideration demonstrates that compliance raises the issues of (at least) confidentiality, data retention and deletion strategies, disclosure of data, accuracy of data recording and physical security of data.
The activities which are carried out in a set of Chambers and which may involve data processing which must be carried out in compliance with the Data Protection Act and the Data Protection Principles include the following:
(a) professional work (the responsibility for this processing will be that of the individual barristers);
(b) management of instructions and fee collection;
(c) client management;
(d) marketing and promotional activities;
(e) recruitment and management of staff, and personnel records;
(f) accounts and payroll;
(g) recruitment of pupils;
(h) mini-pupillages;
(i) suppliers;
(j) complaint handling;
(k) general management of Chambers.
The following link will take you to the guidance on the Information Commissioner's website concerning when and how barristers' chambers are required to notify the Information Commissioner. Click here to view the link.
