The UK's privacy watchdog has fired a warning to barristers and solicitors following a spate of data protection breaches by legal professionals.
In a blog post, the ICO wrote that 15 incidents involving legal professionals breaching the Data Protection Act (DPA) have been reported in the last three months.
A serious breach of the DPA can see barristers and solicitors individually fined up to £500,000 - the same maximum penalty that can be applied to companies and public authorities. According to the ICO, it can be served following a breach provided that the incident "had the potential to cause substantial damage or substantial distress to affected individuals".
The DPA classes barristers and solicitors as data controllers in their own right, meaning they are legally responsible for any personal information they process, which is often of a highly sensitive nature.
Amplified risk
The risk of a data breach is greater for legal professionals due to their tendency to carry around large quantities of information between court and at home, which can increase the risk of a data breach.
Information Commissioner Christopher Graham said: "The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling.
"It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.
"We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right."
Top tips
The ICO has published a series of "top tips" for legal professionals to make sure any personal information they handle is kept secure. They are:
- Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.
- Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.
- Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
- When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.
- Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
- If you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.
