IT Panel Blog: Data retention and cyber risks - what you need to know

9 February 2017

Hands up, those of you who are hoarders! Pretty much everyone when it comes to emails? Maybe the same when it comes to client files on your own or chambers' computers? Barristers are first rate lawyers and advocates but possibly not the world's greatest administrators.

Hoarding is, in some cases, inevitable. The BSB Handbook, for example, requires public access case papers to be kept for 7 years (rC129), or six years for licensed access (rC141). Individual barristers may also decide for their own reasons that they wish to retain computerised client information after they have finished a particular case. We set out the pros and cons of keeping such client information in our new Data Retention Policy.

Why is hoarding such a problem? Two thoughts. Firstly, after the recent US Presidential campaign, everyone must now be aware of cyberattacks - criminals hacking into computers to obtain information. You are responsible for the security of your own client information whether it is held on chambers' computers or your own. You also need to remember that there are many places where information can be transmitted and received with little or no security (e.g. Wi-Fi hotspots), making it vulnerable to access by unwanted third parties. Secondly, client information will remain on your computer's hard drive if you dispose of the computer, unless you take proper steps to delete it. You could also simply lose your computer, or have it stolen, together with all the client information you have kept on it.

Why does it matter? Firstly, leaks of client information are potentially professionally embarrassing. You have to tell your clients (past and present) that you have lost their information. Future clients may think twice before briefing you. Further, all this is time consuming and costly.

Secondly, all barristers have obligations under the Data Protection Act 1998 ("DPA") to report "lost" (in its widest sense) personal information to the Information Commissioner's Office ("ICO"). The ICO can impose financial penalties of up to £500,000 under the DPA for contravention of the data protection principles (see below). This will increase to €20 million under the General Data Protection Regulation (GDPR), compliance with which is mandatory after May 2018 - there is sadly no Brexit escape!

Are you legally obliged to dispose of client information at some point in time? The DPA regulates the processing of "personal data" - information about living persons. It would be very unusual if your case files did not contain personal data. Every barrister will be registered with the ICO for DPA purposes. The DPA states that personal data should be processed in accordance with eight Principles. The 5th Principle requires that you should not keep personal data longer than necessary for the purpose for which it is processed. The ICO publishes guidelines as to how this Principle should operate (see para 6 of the policy). 

So what do you do in practice to comply with this principle? We set out suggestions to assist chambers to deal with the retention of personal information (para 20) and to assist individual barristers to meet their statutory obligations (para 21).

Conclusions?

  1. It is best practice to have a written data retention policy which might include a reasoned and documented decision to retain old computerised files;

  2. Any risk of a penalty levied by the ICO for loss of personal information will probably be reduced if you have such a policy in place;

  3. Prevention is better than cure; either securely delete your old case files which you genuinely don't need or archive them securely where they are unlikely to be hacked into or inadvertently "lost";

  4. Ensure that your files held on your computer and/or in chambers' computers are encrypted and password protected;

  5. Don't rely on automated destruction of files held - i.e. don't think that the "delete" button rids you of your files forever. It doesn't;

  6. Look at the Bar Council's related guidance: Guidelines on Information Security and Email Guidelines for the Bar, and the BSB's Public Access Guidance for Barristers;

  7. Remember the obligation to self-report (and indeed, if you become aware of it, to report another barrister) to the BSB if your (or their) failure to keep data secure amounts to "serious misconduct" (rC65.7, rC66).

Written by members of the Bar Council's IT Panel