Internet Newsletter for Lawyers, November/December 2004, by Delia Venables

Internet Newsletter for Lawyers November/December 2004, by Delia Venables

Lawyers - are they Data Protection Compliant?
by Peter Carey

According to the Financial Times, data protection law is due to cost British businesses £7.5 billion, making it the most expensive 'red tape' ever to emerge from Europe. Law firms and barristers, in the same way as any other businesses, must adhere to the personal data processing requirements in the Data Protection Act 1998 ('DPA'), which was passed to implement the provisions of the European Data Protection Directive (95/46/EC). In an extra complication, which has arisen since the FT produced its startling figure, law firms and barristers must now also comply with the Privacy & Electronic Communications (EC Directive) Regulations 2003 – a measure which restricts the use of email for marketing purposes, and obliges certain information to be supplied on organisations' websites.
With the Information Commissioner hot on the heels of law firms (several prosecutions are currently in the pipeline) lawyers must do more to ensure that compliance 'at home' is a priority. This article sets out some of the areas that, in my experience of conducting data protection compliance reviews (audits) for law firms, represent the most common breaches of data protection law.
Information that must be supplied to clients
It is clear that a law firm must comply with the usual data protection requirements in respect of client data - examples include using data only for the purposes for which those data are acquired (Second Data Protection Principle), ensuring the security of data (Seventh Data Protection Principle) and destroying obsolete data (Fifth Data Protection Principle).
The 'fair processing' obligations, in Schedule 1, Part II of the DPA, additionally require that certain information must be supplied at the point of data collection, or as soon as practicable thereafter: the identity of the business, the purposes for processing and 'any other information to enable the processing to be fair.' The purposes for which a law firm collects client data include performing money laundering checks, the provision of legal advice and the marketing of its own legal services. Earlier this year, a European diktat indicated that informing individuals on whom businesses collect personal data of the fact that the individuals generally have the right to see copies of those data (section 7 of the DPA allows this right of 'subject access') is a necessary part of the 'fair collection' notice.
Given that the 'fair collection' information should ideally be provided in permanent form, law firms may consider that the most logical place to provide the information is in their standard Rule 15 letter. The precise content of the data protection notice that should be given to clients depends entirely on what the law firm expects to do with personal data collected. One aspect of data processing that firms often forget is the use of client data for marketing purposes.
Outsourcing
Certain requirements arise out of the relationship that exists between the law firm and the organisations to whom it outsources aspects of personal data processing, such as payroll companies (staff data), website hosts (electronic data collection), and confidential waste management agents (client and staff data). Significantly, unlike the law firm itself, a third party data processor does not fall within the class of 'persons' that are regulated by the DPA.
The DPA renders outsourcing arrangements unlawful unless certain formalities are present - first, the contract between the law firm and the outsourcing company must be in writing; second, the contract must contain certain minimum obligations on the outsourcee, namely an obligation to process personal data only on the instructions of the law firm and to take security measures equivalent to those imposed in the law firm under the Seventh Data Protection Principle (see below).
New contracts with data processors should contain, at the very least, these minimum requirements. Older contracts should be amended to incorporate the required provisions. Law firms should check that their arrangements with barristers comply with the above requirements.
Direct marketing by email
The law on email marketing changed in December 2003. By virtue of the Privacy & Electronic Communications (EC Directive) Regulations 2003, it is now, subject to one exception, unlawful to send marketing emails without having obtained prior opt-in consent from the intended recipient of the emails. The exception, where it is still possible to send marketing emails with opt-out consent, applies where the law firm obtained the electronic contact details directly from the intended recipient in the context of the sale of a product or service, it uses the details to market its own similar products and services, and it gives an opt-out (or 'unsubscribe') facility in each email.
Law firms should be aware that the mere sending of 'email updates' to clients and prospective clients constitutes 'direct marketing' and is subject to the new restrictions. In many cases, the most logical place to obtain consent for marketing may be in the Rule 15 letter. Using the above exemption from the 2003 Regulations law firms should be able to legitimise their marketing activities client by simply obtaining opt-out consent. Failure to comply with the requirements of the exemption will necessitate the obtaining of opt-in consent before undertaking electronic marketing.
Security
The Seventh Data Protection Principle requires UK businesses to take 'appropriate technical and organisational measures' to ensure the security of the personal data that they process. A survey conducted by a private detective agency in late 2002 showed that law firms are generally 'very poor' at implementing these.
Common breaches of the Seventh Principle include leaving files on desks after hours, leaving computers on standby, failing to employ adequate backup procedures and discarding non-shredded paper waste through traditional waste collection procedures.
Notification
It is a legal requirement of all businesses in the UK to register (or 'notify') with the UK data protection regulator (the Information Commissioner) - this can be done online at www.informationcommissioner.gov.uk. Although there are some limited exemptions from the registration requirement, law firms and barristers are unable to benefit from the exemptions.
When registering, law firms must state the purposes for which they process personal data (there are 33 to choose from, one of which is 'processing for the purpose of providing legal services') and must indicate whether they transfer data outside the European Economic Area. Using personal data in any business in a manner which is incompatible with the register entry is a criminal offence.
Peter Carey is Consultant Solicitor to Charles Russell, author of 'Data Protection - a practical guide to UK and EU law' (Oxford University Press) and editor of Privacy & Data Protection Journal, www.privacydataprotection.co.uk. He is running a one-day course for law firm practice managers and compliance officers 'Data protection compliance for Law Firms' in London on 20^th January 2005, see www.privacydataprotection.co.uk/training.
Email webv@privacydataprotection.co.uk.

Back to Contents.