Well folks, all good things have to come to an end. Overthe last ten or so issues of Bar Talk, we have dissected theGeneral Data Protection Regulation (GDPR) to try to simplify thesubject of data protection and the issues that arise from it. Thereis an Introduction and a series of "Chapters", adopting the veryobviously appropriate metaphor for the Bar, of the scenes of aplay.

This is Chapter 10, the last Chapter in this series. We hope youfound the previous Chapters useful, and, of course, we are certainyou will have found them an absolute joy to read! If you now feel atinge of disappointment, don't worry! We will be back when the newUK Data Protection Act arrives, to tell you what the Britishlegislators have made of the GDPR.

By way of reminder, we have written: an Introduction (theProgramme) [  here], Chapter 1, (the Players) [  here], Chapter 2 (Roles of Principal Members of the Cast- the Data Controller) [  here]; Chapter 3 (A Continuation of the Data Controller'srole) [  here]; Chapter 4 (Further data protection principles withwhich the Data Controller has to comply) [  here] ; Chapter 5 (Roles of Principal Members of the Cast- the Data Subject) [  here]; Chapter 6 (Roles of the principal members of theCast - the Data Processor [  here]; Chapter 7 (The Melodrama Part 1 -What happens whenit all goes wrong) [  here]; Chapter 8 (the Melodrama Part 2 - How much couldit cost you to get it wrong) [ here]; Chapter 9 (International Transfers of Data) [ here].

Now it is time for the Epilogue; a summary of the scenes playedout over the last nine Bar Talks. The intention is to home in onsome of the most important requirements that you need to understandand adopt to comply with the GDPR. We will do this by a series ofquestions and answers, with references to the relevant Chapterswhere you will obtain more detailed information (numbers inbrackets).

What role do I play?

As a practising barrister, you will be a "Data Controller"(2,3,4) for data protection purposes. You will almost certainly behandling ("processing" in the GDPR jargon) personal information("Personal Data" in GDPR speak (1)) about individuals ("DataSubjects") on a daily basis. It is you who decides the purposes forwhich the Personal Data are to be used and how this is achieved.Hence you are a "controller" of that Personal Data.

"Processing" has a very wide ambit indeed (1) and covers justabout everything you can do electronically. You should rememberthat processing Personal Data in hard copy files is also covered(1), provided that the file is structured in such a way that thesecan be obtained easily from the files.

While we are familiar with the idea that our case files areconfidential, some Personal Data is super-sensitive ("SpecialCategories" in GDPR terms) and you need to handle that withparticular care. This includes such matters as physical and mentalhealth - see (1) for the others.

Do I have any other part to play or responsibility toexercise?

You may also be a "Data Processor" (1)(6). For example, yourChambers may ask you to handle recruitment of a new staff member,pupil or tenant. Chambers is the Data Controller; you areprocessing Personal Data about applicants on Chambers' behalf.Please see those two Chapters which set out the position on DataProcessors.

Also, remember that you personally may be engaging DataProcessors. These may be internal: Chambers' staff, full-timepupils, mini pupils and work experience pupils. They will be yourData Processors but you are responsible for their compliance withdata protection law. Your Chambers' Data Protection Policy shouldcover the issue of Bringing Your Own Device, where a pupil uses hisown computer to do your work. Ensure they don't let the cat out ofthe privacy bag!

Secondly, you may want to recruit external Data Processors. Themost obvious are organisations which will store your data for you,known as "cloud service providers". Ensure that they have theirstorage devices located within the EU or another location withacceptable data processing standards (see (9) for the reasons).    

In all cases the obligations of Data Processors must be set outin a contract (see 6). This includes Chambers (or the Head ofChambers) , barristers when acting as Data Processors, devils,pupils, mini-pupils, IT consultants, email service providers, cloudstorage providers, and other service providers. 

Do I have to register with anyone to process PersonalData?

Under the old UK Data Protection Act (DPA), yes. And you had todeclare the (very) general purposes for which you processedPersonal Data. The Bar had a standard purposes template. Under thenew GDPR regime, the primary emphasis is on telling Data Subjectswho you are and what you are about, rather than registration with acentral authority.  So much for the good news. The bad news isthat it is likely that there will still be a fee for processingdata and that for some, it will increase from its present £35 to£55 (assuming you pay by direct debit). If Chambers is turning overmore than £36M or has more than 250 staff then it goes up to £2895(on the same assumption).

What general obligations should I be awareof?

You have to process Personal Data in line with a number ofPrinciples. These have been in place since the DPA came into forcebut have been expanded or restated in the GDPR under Article 5. Wewill not repeat them in detail here but simply refer you to them in(2)(3)(4).

What is far more important is how you should now act in yourdaily practising lives. A non-exclusive list includes:

(a)   You are required to be"accountable" for your Personal Data processing i.e. if called uponyou have todemonstrate that you have complied with the data protectionPrinciples (2). Under the DPA you merely had to comply. 

(b)  You and your Chambers should now have a DataProtection Policy. It would be wise to ensure one is in placebefore the new Data Protection Act arrives. Please read it andadhere to its provisions. If there is any ICO investigation it willhelp to persuade the ICO that this new and more onerous dataprotection regime is being taken seriously. 

(c)   This policy should set out retention periods forPersonal Data i.e. how long do Chambers and Chambers' membersintend to keep Personal Data. There is no fixed answer to this; itdepends on which legal areas comprise Chambers' members' practice.If there are a number of different practice areas, differentperiods of retention may legitimately be chosen. If an individualdecides to deviate from a standard Chambers' policy, this should berecorded and for ease of reference a copy should be kept byChambers as well as by the individual together with the generalChambers policy. You may find it easier simply to place a privacynotice on your page of your Chambers website. In all cases, thereasons for choosing a particular period should bestated. 

(d)  Adopt a new way of thinking. Get rid of all yourunwanted hardcopy files; purge your computer of those thousandsof oldemails that you have hoarded in case they might beuseful. Remove all of your old cases fromyour PC. If you want to keep precedents like pleadings, orders andopinions, then you can, but you have to anonymise them by removingthe Personal Data- try Find and Replace on Microsoft Word (and itsequivalent for other programs). If they are in PDF format, you willhave to redact the Personal Data or convert them into Word formatand then dispose of the PDF. It's a good idea to store theseseparately in a new folder called e.g. Precedents. Oh, and don'tkeep newcases on your PC longer than is strictly necessary. The next paragraph details the possible legitimate groundsfor keeping files at least until about a year after the end of thelimitation period.  You may wish to move closed cases to asecure (offline) archive ready to be deleted when the timecomes. 

The only reasons to keep files after the case is finished willusually be the following legitimate interests (i) handling possiblecomplaints,  (ii) payment issues, (iii) regulatory reasons, e.g. money laundering, (iv) appeals (although for civil casesthis will usually be known before a case is considered 'closed'),(v) the Personal Data is needed for a related case, (vi) conflictchecks; however, that limited subset of data can be kept on theChambers' system - it's usually the clerks that check, after all.The 'legitimate interests' basis does not apply to Personal Data inthe Special Categories, retention of which data beyond a reasonableperiod after the expiry of the limitation period requires explicitconsent, and if the retention of the data is otherwise particularlydamaging to an individual you may have to undertake an individualassessment of the justification for retention. 

(e)   If you wish to retain some documents for aspecified purpose - then you will need to think carefully about thelegitimate basis for why you are keeping them and whether you canjustify retaining them with all the PersonalData and still comply with the requirement for data minimisation.It is difficult to see how you could do this but if you think youhave a justifiable reason make sure that the reason andjustification is recorded. 

(f)    Compliance with (c) and (d) will mean youhave complied with several important data protection Principleswithout really thinking too hard about them. You will have keptPersonal Data to a minimum by deleting it or anonymising it and bykeeping a record of your decisions you are accountable for thedecision, and the reasons for the processing aretransparent. 

(g)  For the future, store emails and files in a way whichwill make it easier for you to delete them when the time fordeletion arrives.  Best practice is to create separatesub-folders for each case and a separate set of folders for oldcases and precedents. 

(h)  Turn your PC into Fort Knox - impossible to get into,should you accidentally leave it on the train. That means (i) use astrong password and encrypt all mobile devices including laptops(your laptop should already be encrypted but if not and you arerunning Windows 10, try Bit Locker which you will conveniently findon your PC). The password does not have to be the usual "uppercase-lower case-numbers-unusual symbol" formula which you willpromptly forget. Unusual but easily recalled wording will do e.g."dog-likes-bones", (ii) keep a separate email account  forprofessional Bar activity - you can then delete professional emailsbut leave personal ones, (iii) consider encrypting the data on yourdesktop PC - then nobody can read it, (iv) ensure you haveanti-virus software loaded and keep it updated, (v) keep yourfirewall turned on, (vi) implement all operating system updates andupgrades that are offered, particularly if they refer toimplementing security protection.  

(i)    Exercise caution. Someone, somewhere maysend you an innocent-looking email which will not be captured byanti-virus software. It might be a purported invoice or a requestto update a computer program you run or reply to a survey or apurported message from your bank or a solicitor or colleague askingyou to look at correspondence, and it may appear to have been sentto you by one of your contacts. If it does not look right,don't open any attachment or click on any link in the email.If you have an IT manager, send it to him/her for verification, oropen it on a device which does not matter (e.g. a personalsmartphone which is not linked to Chambers). 

(j)    Record keeping; a good idea in any eventfor all the decisions you make about your policies. More willprobably not be generally required unless there are more than 250employees. However, if you are processing "Special Categories" dataor criminal convictions/offences you are required to keep specificrecords (see Arts. 9 and 10). Details of what is required are inArt.30.

How should I behave towards solicitors, clients andothers?

(a)   So much for internal organisational matters.Now, how do you deal with lay and professional clients and others?The most basic and important Principle (the 1stPrinciple in the DPA and in GDPR Art.5) is that as a DataController, you are required to process Personal Data "lawfully,fairly and transparently" - known as the "Lawfulness Principle"(2). 

At its most basic, this means ensuring that you have a lawfulbasis, or permission, for processing Personal Data. The DPAprovided that such permission could be assumed in a number ofcircumstances - see DPA Schedule 2, and Schedule 3 where "sensitivedata", (now known as "Special Categories" data) was concerned(2). 

Most obviously, this arises where the individual has givenspecific consent to use his/her Personal Data ("actual and informedconsent") - Art. 6(1)(a) We dealt extensively with how youshould handle this aspect in (2). Please re-read this. 

(b)  However, explicit consent is not required(and may be hard to get if the Data Subject is someone other thanyour client) if your processing falls under one of the otherprovisions i.e. Arts 6(1) (b) - (f). 

For example: 

(i)You need to process Personal Data for the purposes of"legitimate interests" you are pursuing. As a barrister, your"legitimate interests" will be to provide legal advice andassistance to your client.

(ii) You are processing Special Categories data, for the"establishment, exercise or defence" of legal claims.

(c) The other main part of the Lawfulness Principle is that youhave to act "transparently". This is not rocket science. It simplymeans you have to be open about who you are and what you are doing.Subject to some important exceptions, you must promptly notify DataSubjects, including third parties such as witnesses on the otherside, that you are processing their Personal Data and provide along list of associated information. But you don't need tonotify them if you are legally obliged to keep the Personal Dataconfidential (e.g. because of the Bar Code of Conduct), it isprivileged or if the provision of the information about yourprocessing is impossible or would involve a disproportionate effort-or quite simply, if they already have all this information -unlikely but possible. 

(d) A lot of detail has to be provided to Data Subjects (3)under the "transparency" obligation. The GDPR breaks this down intotwo responsibilities (i) information to be provided to the DataSubject, assuming the Personal Data is obtained from that person(ii) information to be provided to the Data Subject if the PersonalData has NOT been obtained from that Data Subject (see Arts. 13 and14). It is likely that the detail will be presented as standardinformation with you filling in gaps e.g. in order to provide legalservices to clients, to deal with complaints, for regulatorypurposes (such as money-laundering records), and so forth.

(e) A word about the reasons you are holding someone's PersonalData. The Purpose Limitation Principle (DPA Principle 2 and GDPRsecond principle in Art. 5) requires such data to be held forspecified, explicit and legitimate reasons. As we have said, you nolonger register with the ICO in general terms; you account for whatyou are doing in specific terms. Watch out! You cannot simplyinvent more purposes that go beyond the purposes which you have setout in your notifications to Data Subjects. 

I have complied with all the Principles; do DataSubjects still have any recourse to me?

Getting all your data protection ducks in a row is not the endof the story. Chapter 5 looks at the rights of Data Subjects. Werefer you back to this Chapter in the event that a Data Subjectapproaches you with a request about his or her Personal Data. Youhave a limited time in which to respond to these requests - onemonth, down from the original 40 days.

In summary, this could include a request:

(a)   to know whether you are processing his or herPersonal Data, and if so what;

(b)  to rectify inaccurate Personal Data or, complete it ifit is incomplete;

(c)   to be "forgotten" - this applies only in certaincircumstances (see 5);

(d)  to restrict processing e.g. if a Data Subject makes anallegation that Personal Data is inaccurate;

(e)   to object to continued processing;

(f)    for all Personal Data to be ported toanother Data Controller.  

We mention these in the context of a roundup of the variousissues that may come to affect you. Please look at (5) if you wantmore detail. 

I have made a fool of myself……..I have lost mycomputer……….what now?

You are off to a head start if you have already implemented thesecurity measures we have suggested above. But apart from thosecomfort factors, you may have obligations to tell different peoplewhat has happened.

You are obliged to tell:

  • the ICO, unless the individuals in your data are unlikely to beseriously compromised

  • Data Subjects, where there is a high risk that their rights andfreedoms are put at risk

  • your Data Controller, if you are a Data Processor.

You may also need to tell:

  • your Chambers (partly so that they can assist you, partlybecause this should be part of their Data Protection Policy andpartly so that any remedial steps can be taken)

  • the BSB - if a loss might be considered as seriousmisconduct

  • the police/insurers. 

Please look at (7). In the case of the ICO there are very shorttime limits within which you have to report a loss of PersonalData, however this arises. Worse, you may have to provideinformation about the loss to the ICO. Most barristers have verybusy lives; reporting to the ICO is a serious distraction.Reporting a data loss to your clients or Data Subjects is somethingyou really want to avoid - as we said in the Introduction [ here], how embarrassing is that? You can avoid doing this - butlook at (7) to see how!

You or your Chambers should have in place a Data Breach ResponsePlan so that you are ready to take the necessary steps promptly inthe event of a data breach occurring. There is one set out in theRiliance pack which is available free to barristers who register athttps://riliance.co.uk/barristers-gdpr#overlay-context=barristers-gdpr

Finally, the Bar Council has a detailed guidance document onData Security and what steps to take if the worst happens [ here]. 

What can the ICO do to me if I do lose all mydata?

Please have a look at (8). We won't rub your noses in it butthere are potentially some fairly massive fines that the ICO canlevy. And they have all sorts of investigative and correctivepowers. This is not however an on-the-spot fine. The ICO willinvestigate what has happened and take all relevant factors intoaccount. Look at Art. 83 GDPR - a lot of the measures we havesuggested you take, will count in your favour if you haveimplemented them, and will, correspondingly, reduce the level ofany fine. 

I do a lot of cross border work…..what risks should I beaware of?

Remember: it is "Personal Data" that is the worry. There arestrict limitations on the transfer of Personal Data to thirdcountries which you must comply with. If you are working acrossborders in the EU areas, there will be no concern, as each MemberState has to abide by EU data protection standards. The EuropeanCommission approves other countries against a series of criteriaand details are on the EU website. Some organisations in the UScurrently operate under an EU-USA Privacy Shield for companies thatsign up to this (please check the list of companies). However,there is no guarantee that a foreign government will not want tosee the data especially if you are involved in high profileextradition proceedings. Please be aware of the risks to yourclients. For transfers to other countries, transfers will only bepossible if you have referred to the intention to transfer to thatcountry in your notification to the Data Subject, and you eitherhave the consent of the Data Subject or the transfer of personaldata is necessary for the establishment, exercise or defence oflegal claims, or one of the other derogations applies. Chapter 9will assist you. 

Conclusion

That is all from us at the moment. We hope it has been useful.If you have any questions on any aspect of what we have written,please look at the Ethics Hub first - there is much more specificguidance there. If that doesn't answer your question, address it tothe IT Panel and we will endeavour to answer it. Who knows, perhapswe will receive so many questions that more blogs will bejustified!

Bar Council IT Panel