ICO warns legal profession over data security after multiple breaches

The Information Commissioner’s Office has issued a warning to barristers and solicitors over data security, after receiving reports of 15 incidents involving members of the legal profession in the last three months alone.

The watchdog said: “The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty.

“Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.”

The ICO issued a number of ‘top tips’ for lawyers on data security. They are to:

  • Keep paper records secure. “Do not leave files in your car overnight and do lock information away when it is not in use.”
  • Consider data minimisation techniques “in order to ensure that you are only carrying information that is essential to the task in hand”.
  • Where possible, store personal information on an encrypted memory stick or portable device. “If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.”
  • When sending personal information by email, consider whether the information needs to be encrypted or password protected. “Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.”
  • Only keep information for as long as is necessary. “You must delete or dispose of information securely if you no longer need it.”
  • If disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.

The Information Commissioner, Christopher Graham, said: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling.

“It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

The ICO added that it was working with the Bar Council to update the information security guidance provided to barristers in England and Wales.

The first monetary penalty the Commissioner levied for a serious breach of the Data Protection Act, after receiving new powers in April 2010, was against Hertfordshire County Council.

The £100,000 fine was imposed in November 2010 after two incidents where the authority's childcare litigation unit accidentally sent faxes containing highly sensitive personal information to the wrong recipients.