The Information Commissioner's Office explains how a worrying level of data breaches in the legal sector highlights the need to keep personal information secure

There can be little doubt that the legal profession handles some of the most sensitive personal information available. Whether it’s details of people’s criminal history, their health, or their financial situation, the average advocate or solicitor will be handling important information, the loss of which would clearly cause substantial damage and distress to those affected.

With the Information Commissioner’s Office (ICO) able to issue significant fines for the worst data breaches, and the reputational damage of a breach often carrying even greater weight, it is clearly important that legal professionals make sure they are following established good practice to keep people’s details secure.

It may come as a surprise, but members of the Bar reported more data breaches during the last three months than central government or the police. The majority of these could have been prevented by taking a few simple steps. More often than not, the breaches we see relate to simple mistakes caused by either a lack of training, or a failure to have adequate policies and procedures in place to keep people’s information safe.

The BYOD imperative

Perhaps one of the most significant recent developments in the way people access personal information can be found in the trend known as Bring Your Own Device (BYOD). BYOD is the term for employees using their personal smartphone, laptop or tablet to access and use personal information for work.

While there are many advantages to letting staff use their own devices, including ease of access and the flexibility it affords employees to work outside the office, an ICO survey carried out last year showed that fewer than three in 10 employers are providing staff with guidance on how to keep personal information secure when using their own devices. This lack of guidance is potentially undermining many organisations’ attempts to keep personal information safe, and creating situations where employers may be unaware that a data breach has even occurred.

To tackle this problem, law firms must have a BYOD policy in place which clearly explains the personal information that employees can and can’t process on personal devices. It should also ensure that adequate measures are in place to keep the information secure, including the use of strong passwords and a suitable remote wipe facility which will delete the information from the device if it is lost or stolen. You can find further information on this topic in the BYOD guidance available on the ICO website (

If you regularly use portable devices, such as work laptops or memory sticks, to transport sensitive information between the office and the courtroom, you must make sure the information is encrypted. If the device is encrypted and is later lost or stolen, then no matter who finds it, the information will remain secure.

Treat paper the same way

The same levels of security should be applied to paper records. Before taking paper records out of the office, consideration should be given as to whether a more secure means of transporting the information could be used instead. If papers containing personal information do have to be taken out, make sure you only take the information you actually need and store the documents in a secure bag or suitcase.

While we discourage organisations from sending sensitive personal information by fax, we recognise that you may be asked to send papers in this way. But there are still steps you can take to keep people’s information secure.

Check the fax number and ring ahead to make sure that the person receiving the fax is there to collect the information at the other end. You should also ask the recipient to confirm receipt. A similar approach can be adopted with emails, with due care and attention being given to the entering of email addresses. If the content is particularly sensitive, you should also consider encrypting or password protecting the file for an additional layer of security.

Of course, all these solutions will only be effective if staff have received adequate training and there are clear data protection policies and procedures in place for them to follow. So if you are updating your policies and procedures, make sure staff are given training and adequate support on how to follow them. If you are a sole practitioner, make sure you take the same precautions on each occasion so that keeping personal information secure is built into your daily routine.

Many of the steps outlined in this article take little time and cost relatively little to put into practice; however, they can save you having to pay a fine of up to £500,000 for a serious breach of the Data Protection Act. So why not take a step back, look at your own compliance with the Act, and see whether you could be doing more to keep the sensitive personal information you use secure?

The Author
Ken Macdonald is Assistant Commissioner for Scotland and Northern Ireland at the Information Commissioner’s Office