Data Protection and Information Security

Information is an essential resource for our business. Processing data is fundamental to the work of the company yet we are increasingly vulnerable to the risk of loss, damage or destruction of important data through theft, malicious intent or accident. This risk is growing as computers and the internet are increasingly used to process and transmit confidential client, business and employee information. The following protocols are intended to ensure the safeguarding of this data, whether manually or electronically generated.

The practice holds various categories of data e.g. client, employment, health, financial.

The data is held in the following ways:

  • on the company’s premises in either manual or electronic format
  • taken from the company’s premises e.g. to Court, to a meeting, home
  • shared with others e.g. by mail, email with clients, other solicitors, suppliers

The company is required to comply with a variety of legislation, regulations, orders and codes of practice relating to Data Protection and Information Security. The principal requirements are contained in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and in the SRA Code of Conduct 2007; any updating legislation or regulation will be incorporated into this policy and followed by everyone at the practice.
Any failure to comply with current legislation and regulatory requirements may constitute a criminal offence and/or lead to professional disciplinary measures.

The COLP has overall responsibility for the maintenance and security of the company’s premises.

The COLP has overall responsibility for the IT system and for training staff in its use.

The company is registered with the Information Commissioner’s Office for all necessary processing activities under the Data Protection Act.

It is the responsibility of the COLP to ensure all staff are aware of their obligations under data protection law and are provided with any update as to how they are required to support the practice in ensuring compliance.

The company is required to observe the principles that underlie data protection legislation, namely that all data covered by the legislation (which includes not only computer data but also personal data held within a filing system) is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the data subject’s rights
  • Secure
  • Not transferred to countries without adequate protection

All staff will receive training on Data Protection and Information Security as part of the induction process. Ongoing training will take place for all staff as and when required.

The company’s Data Protection and Information Security Policies and Procedures are directed towards preventing, detecting and responding to threats to the categories of information held by the company on its own behalf and on behalf of others.

Securing Information on the Premises

Building

All staff are provided with keys to enter and exit the premises. It is the responsibility of each member of staff to safeguard their keys and any other access equipment, and to keep the premises secure.

Visitors to the building should announce themselves through the intercom; the member of staff who answers will notify the person the visitor wishes to see. A member of staff should escort the visitor to the meeting room and back to the entry door when the meeting has ended.

Staff are encouraged to challenge unescorted visitors.

Out of Hours

Staff working on the premises out of office hours should ensure that there is no access to the building by unauthorised personnel.

Staff should not arrange appointments after hours if they will be in the building alone.

The last member of staff on the premises should ensure that all windows and doors are securely locked before leaving the building.

Working Area

Fee Earners are responsible for the security and confidentiality of files and documents relating to the cases that have been assigned to them.

Papers, files and other documents should not be left on display, particularly when there are visitors or contractors in the building.

Confidential office or client papers should be shredded. All paper to be shredded should be placed in designated boxes. These boxes of papers will be securely shredded off-site.

Computers should be set to lock the screen automatically after a short period of inactivity, so that a machine left unattended requires the user’s password to resume. Staff should also lock their screen manually whenever they step away.

Each member of staff is responsible for ensuring that his/her working area is secure before leaving the premises at the end of the day. This will entail:

  • Storing files and documents away safely
  • Locking appropriate cupboards, filing cabinets and drawers
  • Shutting and locking windows and lowering blinds where appropriate
  • Shutting down all equipment

IT Security on the premises

Each member of staff is provided with access to a computer, which is connected by cable to the office network and the other computers.

Each member of staff is provided with a User ID and is asked to choose a password of at least 8 characters, including at least one capital letter and one numeric character. Passwords must be changed every 90 days; the IT system prompts staff when a change is due. The User ID and password together give the individual their log-on to the network. A password is personal and confidential and must not be divulged to anyone other than the director, who will keep a record. Staff should be aware that activity on the network is attributed to the User ID under which it was performed and can be traced to that user should it be considered necessary, so each person remains accountable for everything done under their log-on. If a password has to be released to another person (e.g. in the absence of the usual employee), the usual employee must change the password as soon as possible afterwards.

Any software installed on an individual computer’s hard drive must not be altered, and no additional software may be installed without permission from a director.

No documents should be stored on a computer’s local hard drive; all documents must be saved to the network drives.

No external devices (e.g. flash drives, CDs, phones, MP3 players, cameras) are to be connected to or used with any computer without permission from a director.

Secure drives are provided on the network in order to safeguard data that is particularly sensitive. Access to data held on these secure drives is restricted to Directors.

IT support is provided by an independent external IT support provider. Any concerns or problems concerning computer use should be brought initially to the attention of the COLP, who will refer issues to the external IT support provider as appropriate.

The network is protected by a firewall, together with hosted anti-virus and anti-spam protection. In addition, anti-virus software is installed on each individual computer.

All computer systems and applications are updated regularly so that security patches are applied promptly.

A backup of the computer system is taken daily. This happens automatically as part of our IT system and is arranged by our external IT support provider.

The COLP maintains records of all computer hardware, peripherals and software licences.

Administrator rights are granted to the COLP only.

All defunct IT equipment must be disposed of securely in accordance with the COLP’s instructions.

Sharing and Transferring Information Securely

Staff must keep all information confidential from anyone outside the firm. Confidentiality is an important part of the business, and all staff must follow the SRA Code of Conduct in relation to their obligations regarding confidentiality. The COLP can assist with any queries staff may have about confidentiality, specifically about the circumstances in which information may be made available to others.

Information concerning clients will be processed in accordance with the principles of the Data Protection legislation and our SRA obligations and code of conduct.

A considerable amount of the company’s business is now carried out by e-mail.

All members of staff are provided with an email address and each person is responsible for the emails sent from that address.

Sharing permissions for diaries should be granted only between a Fee Earner and a Director (in either direction) and should not be extended to other members of staff without express permission from the Director.

Monitoring

It is the policy of the company to monitor communications of all types coming into and leaving the company, as well as within the company. This is necessary for a variety of reasons e.g. to ensure the effective and secure operation of equipment; to maintain or repair equipment; to intervene if necessary in the absence of a member of staff; to ensure that the company complies with legislation in respect of discrimination, harassment, defamation and downloading of inappropriate images.

Employees are referred to the section below concerning the provision of personal data and sensitive personal data.

Personal Data relating to Employees

Personal Data is held on all Employees and the Director in manual and electronic formats.

Employee records may include:

  • Information gathered about an employee during recruitment
  • Details of terms of employment
  • Payroll, tax and National Insurance information
  • Job details and Performance information
  • Health records
  • Absence records, including holiday records
  • Details of any disciplinary investigations and proceedings
  • Training records
  • Contact Names and Addresses
  • Any correspondence with the company

The data is processed in accordance with the Data Protection principles.

The information is held securely by the COLP.

Personnel Files may not be removed from the office.

Information on employees will not be exchanged by email, except in very limited circumstances and only if the document containing the information is password protected, with the password communicated separately (for example by telephone) and never in the same email.

Employees who need to provide the company with personal information should send it in an envelope addressed to the Director and marked Strictly Private and Confidential.

Correspondence concerning Personal Data sent by the Director to employees will be sent in an envelope marked Strictly Private and Confidential and is to be opened by the employee only.

Employees - Sensitive Personal Data

Sensitive personal data includes information about the health of employees and information about personal circumstances.

Employees who need to provide the company with sensitive personal information should address it to the Director in an envelope marked Strictly Private and Confidential. This information will only be disclosed by the Director in a limited way e.g. for payroll purposes, to enable the Director to make decisions concerning staffing.

Correspondence concerning Sensitive Personal Data sent by the Director to employees will be sent in an envelope marked Strictly Private and Confidential and is to be opened by the employee only.

Sensitive personal data will not be collected about an employee except where a specific need for this information has been identified, e.g. where an employee’s job performance is obviously affected or in order to prevent discrimination.

If the company decides it needs to collect medical information about an employee, this will be done in accordance with the Access to Medical Reports Act 1988 which requires the company to obtain written permission from the employee in advance.

The company requires all employees to comply with current data protection legislation in relation to information about other staff.

Requests in relation to Personal Information

Under current data protection legislation, individuals whose personal data is held by an organization have various rights in relation to the information held about them.

These rights include:

  • The right of access
  • The right to be informed
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object to direct marketing activities

If an employee, client or any other individual requests access to information held about them by the company, the request must be referred to the COLP, as the information may be protected by legal professional privilege or confidentiality and may not be disclosable. Only the COLP is authorised to make decisions about how to deal with any data request. The COLP will deal with any request and respond within one calendar month.

A detailed Privacy Policy for the firm is published on the firm’s website.

Breaches of Data Protection and Information Security Policy

Employees should be aware that, in accordance with the terms of their conditions of employment, breaches of this policy and procedures will normally be a disciplinary matter and will be dealt with under the terms of the Disciplinary Procedure.

A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

If any suspected or actual data breach occurs, it must be reported to the COLP immediately.

Information Commissioner’s Office

The COLP is under a duty to report certain types of data breach to the Information Commissioner’s Office (ICO). Any data breach that is likely to result in a risk to people’s rights and freedoms must be reported to the ICO. If such a risk is unlikely, no report to the ICO is necessary, but the breach must still be recorded (see Records below).

Data Subject(s)

If a report is made to the ICO, the COLP will then consider whether it is also necessary to notify the affected data subject(s). Notification is necessary where the data breach is likely to result in a high risk to the rights and freedoms of individuals; the threshold for notifying data subject(s) is therefore higher than for notifying the ICO. The COLP will assess the severity of the potential or actual impact on individuals as a result of the breach and the likelihood of that impact occurring. The more severe the impact, or the more likely the consequences, the higher the risk.

Records

The COLP will keep records of all data breaches, whether or not they are reported, together with any notifications to the ICO or to data subjects and details of the decision-making and justification for the actions taken.

Timescales

Any report to the ICO will be made within 72 hours of the COLP becoming aware of the breach. Where affected data subject(s) must be notified, this will be done without undue delay.

Consequential Actions

The COLP will also consider whether any data breach should be reported to third parties, such as the police, insurers, professional bodies, or bank or credit card companies. Such third parties are likely to be notified where doing so may help to reduce the risk of financial loss to the individuals affected.