This is the first of two articles about the issues practitioners need to consider when working digitally.
I begin by dealing with the boring stuff: data protection for criminal defence lawyers; but the next article will be more practical and discuss hardware, software and techniques to help lawyers work without paper.
The fact is that nearly all, if not all, correspondence and/or case material sent to or sent by a criminal defence practitioner will relate in an obvious way to a living individual who will be capable of being identified. As such, the correspondence and/or case material will be deemed "personal data". The question then is: what implications, if any, does this have for the practitioner?
Solicitors are obviously subject to professional rules of conduct and a failure to meet the appropriate standard can result in censure, a fine and ultimately removal from the Roll. In the context of data protection, the most relevant obligations are that: (1) solicitors must keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents; (2) any individual who is advising a client makes that client aware of all information material to that retainer of which the individual has personal knowledge; and (3) solicitors must have in place effective systems and controls to enable them to identify risks to client confidentiality and to mitigate those risks.
The Data Protection Act 1988 (DPA) regulates the processing of information about individuals and solicitors must comply or risk committing a criminal offence.
Personal data. "Personal data" means data which relates to a living individual who can be identified either (1) from that data, or (2) from that data and other information which is in a solicitor's possession, or is likely to come into the solicitor's possession, and includes any expression of opinion about the individual and any indication of the solicitor's intentions or those of any other person in respect of the individual.
Sensitive personal data. "Sensitive personal data" is defined by the DPA as information consisting of a person's racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; membership of any trade union; physical or mental health or condition; sexual life; commission or alleged commission of any offence, including details of any proceedings concerning any offence committed or alleged to have been committed by him, the disposal of such proceedings, and the sentence of any court in such proceedings.
The DPA obliges solicitors to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
In practice, there is no "one size fits all" solution to meeting this obligation, and a solicitor's approach needs to be "risk based". First, the solicitor needs to assess the risks posed by personal and/or restricted data being accessed without authorisation and/or accidentally lost, destroyed or damaged. Then the solicitor needs to put in place "appropriate" measures to control any of the identified risks that cannot be eliminated.
The DPA also requires that no personal data shall be transferred to a country or territory outside the European Economic Area (which encompasses the European Union along with Iceland, Liechtenstein and Norway) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This has obvious implications for those who make use of cloud-based services, and who correspond by email.
A solicitor should consider all of the following to determine the appropriateness of his/her security measures: implementation cost; technological developments; the nature of the data (note that sensitive personal data will merit particular attention); and harm that might result from unauthorised or unlawful processing or from accidental loss, destruction and damage to the data.
Solicitors must also take reasonable steps to ensure the reliability of any employees who have access to personal data.
Portable and mobile devices used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using encryption software.
Encrypting files helps protect them by disguising the data, preventing any inadvertent or unauthorised access. Standards are always evolving, but the Information Commissioner's current recommendation is that any solution which is implemented meets "the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS-197."
FIPS stands for Federal Information Processing Standards. FIPS 140-2 is a US government computer security standard used to accredit products that implement cryptography, and it only applies to specific products that have been validated against it. FIPS-197 is the FIPS publication specifying the Advanced Encryption Standard (commonly referred to as AES).
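To make the FIPS-197 reference concrete, here is an added example (not part of the original article, and not the Information Commissioner's guidance) showing what "encrypting a file with AES" looks like in practice, written in Go using only its standard library. It uses AES-256 in GCM mode, which both encrypts the data and attaches an authentication tag, so a stored file that has been corrupted or altered is rejected on decryption rather than silently producing garbage. The sample attendance note, the file name used as a label, and the function names are all constructed for the example. How the key itself is stored on the device (derived from a passphrase, kept in an OS keychain, held in a hardware token) is assumed to be handled separately, and whether a particular build counts as a FIPS 140-2 validated module is a separate question from the algorithm; this block demonstrates the algorithm only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // 32 bytes = AES-256

// NewKey returns a fresh random 256-bit key from the operating system's CSPRNG.
// Secure storage of this key is assumed to be handled elsewhere (out of scope here).
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from the key, checking the key length first.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. Output layout:
// 12-byte random nonce || ciphertext || 16-byte GCM tag.
// The label (for a file, its name) is authenticated but not encrypted, so a blob
// copied under a different file name will fail to decrypt.
func Encrypt(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Decrypt reverses Encrypt. Any change to the nonce, ciphertext, tag or label
// makes Open return an error; nothing is returned in that case.
func Decrypt(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// RoundTrip encrypts a constructed sample note, decrypts it, and then checks that
// (a) a single flipped bit in the stored blob and (b) a wrong file-name label are
// both rejected. It returns whether the plaintext was recovered intact and whether
// both tampering cases were detected.
func RoundTrip() (recovered bool, tamperDetected bool, err error) {
	// Constructed sample data; the client and date are placeholders.
	sample := []byte("Attendance note: R v [client placeholder], conference on 01/01/2000")
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	blob, err := Encrypt(key, sample, "attendance-note.txt")
	if err != nil {
		return false, false, err
	}
	got, err := Decrypt(key, blob, "attendance-note.txt")
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(got, sample)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // corrupt one bit in the middle of the blob
	_, errTamper := Decrypt(key, tampered, "attendance-note.txt")
	_, errLabel := Decrypt(key, blob, "other-file.txt")
	tamperDetected = errTamper != nil && errLabel != nil
	return recovered, tamperDetected, nil
}

func main() {
	ok, caught, err := RoundTrip()
	fmt.Println("plaintext recovered:", ok, "| tampering detected:", caught, "| error:", err)
}
```

The point a practitioner should take from this is that modern file encryption is not only about hiding the contents: the authentication tag is what lets the reader notice that a file on a lost or shared device has been altered, which bears directly on the "damage to personal data" limb of the obligation above.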
In my next article I will set out the practical ways you can meet the above obligations, and also how you can set yourself to work effectively in a paperless (or more accurately a paper-lite) environment.