Data protection for criminal defence lawyers

Obligations under the Solicitors Code of Conduct

Solicitors are subject to professional rules of conduct, and a failure to meet the appropriate standard can result in censure, a fine and ultimately removal from the Roll. In the context of data protection, the most relevant obligations are that:

  • Solicitors must keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;
  • Any individual who is advising a client makes that client aware of all information material to that retainer of which the individual has personal knowledge;
  • Solicitors have in place effective systems and controls to enable them to identify risks to client confidentiality and to mitigate those risks.

Obligations under the DPA

Processing personal data is fundamental to the work of a solicitor. The Data Protection Act 1998 (DPA) regulates the processing of information relating to individuals and solicitors must comply or risk committing a criminal offence.

Meaning of personal data

Personal Data

“Personal data” means data which relate to a living individual who can be identified either:

  • From those data, or
  • From those data and other information which is in a solicitor’s possession, or is likely to come into the solicitor’s possession,

and includes any expression of opinion about the individual and any indication of the solicitor’s intentions or those of any other person in respect of the individual.

Sensitive Personal Data

“Sensitive personal data” is defined by the DPA as information consisting of a person’s:

  1. Racial or ethnic origin;
  2. Political opinions;
  3. Religious beliefs or other beliefs of a similar nature;
  4. Membership of any trade union;
  5. Physical or mental health or condition;
  6. Sexual life;
  7. Commission or alleged commission of any offence, including details of:
    1. Any proceedings for any offence committed or alleged to have been committed by him;
    2. The disposal of such proceedings;
    3. The sentence of any court in such proceedings.

Obligation to take appropriate security measures

The seventh data protection principle requires data controllers to take appropriate technical and organisational measures against:

  • Unauthorised or unlawful processing of personal data,
  • Accidental loss or destruction of, or damage to, personal data.

Determining the appropriateness of your security measures

There is no “one size fits all”.

A solicitor’s approach needs to be “risk based”:

  1. First, the solicitor needs to assess the risks posed by personal and / or restricted data being:
    1. Accessed without authorisation; and / or
    2. Accidentally lost, destroyed or damaged.
  2. Then the solicitor needs to put in place “appropriate” measures to control any of the identified risks that cannot be eliminated.

A solicitor should consider all of the following to determine the appropriateness of his/her security measures:

  • Implementation cost;
  • Technological developments;
  • The nature of the data: note that sensitive personal data will merit particular attention;
  • Harm that might result from unauthorised or unlawful processing or from accidental loss, destruction and damage to the data.

Solicitors must also take reasonable steps to ensure the reliability of any employees who have access to personal data.

Consider and put in place “appropriate” measures to control the risks that cannot be eliminated

Data Protection Balancing Act

 

The eighth data protection principle states that personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The EEA encompasses the European Union (EU) along with Iceland, Liechtenstein and Norway. EU findings of adequacy have been made in respect of Switzerland, Hungary and (partially) Canada. ‘Safe Harbor’ arrangements with individual companies in the United States (US) have been in operation since 2000. The scheme is enforced by the US Federal Trade Commission.

Encryption

The ICO recommends that portable and mobile devices used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using encryption software.

Encrypting files helps protect them should physical security measures fail and can also protect data in transit (e.g. via email and over the Internet).

Encryption software disguises data, preventing any inadvertent or unauthorised access.

Standards are always evolving, but the ICO’s current recommendation is that any solution which is implemented meets “the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS – 197”:

  • “FIPS 140-2” is a US government computer security standard used to accredit products that implement cryptography and only applies to specific products that have been validated;
  • “FIPS-197” is a reference to the FIPS Advanced Encryption Standard (“AES”).

Information flows from / to criminal defence practitioner

Nearly all, if not all, correspondence and / or case material sent to or sent by a criminal defence practitioner will relate in an obvious way to a living individual (normally the client and / or alleged victim(s)), who will be capable of being identified. As such, under the DPA it will be deemed “personal data”.

| Party | Document sent by solicitor to party: Description | Personal / Sensitive | Document received by solicitor from party: Description | Personal / Sensitive |
|---|---|---|---|---|
| Client | Correspondence detailing privileged advice, confirmation of instructions, next milestones (court hearings etc). Will identify the client by name and address. | | Correspondence including client’s name and address, antecedent information, instructions on allegations and privileged communications. May include contact details for potential defence witnesses. | |
| | Proof of evidence containing antecedent details, instructions in relation to the allegations and comments on the prosecution evidence. Will identify client by name and probably address. May include contact details for potential defence witnesses. | | Statements, proofs of evidence and comments on prosecution case. May include client’s name and address, antecedent information, contact details of potential witnesses. | |
| | Copies of used prosecution evidence, which will normally include a witness’s name (but not address – this will have either been redacted or ) | | Signed authorities in relation to banks, medical records etc. Will contain the client’s name and address. | |
| | Copies of unused material – this will normally include individual names of witnesses and defendants, but most contact details will have been redacted. | | | |
| Police | Correspondence – will identify the client by name and current venue (e.g. police station, court, etc). May include details of the current status of the investigation. May potentially identify the allegation. | | Interview tapes – will contain details of the client’s name, address and date of birth. Will normally refer to witnesses by name. | |
| | | | Custody records – will identify client (and potentially co-suspects) by name, date of birth and address. May contain details of medical examination and other personal information. May contain contact details for relatives, legal representative, etc. | |
| CPS | Correspondence – will identify the client by name and possibly address (for example when discussing bail). Likely to identify the stage of proceedings, and may contain details of allegation. | | Correspondence – will identify client by name and possibly address. Likely to identify the stage of the proceedings and venue and may contain details of allegation. | |
| | Defence Statement – will contain the client’s name and identify venue of the proceedings. Likely to contain details of the allegation, the client’s defence and details of witnesses, including contact details. | | Initial details of case – will identify the client by name and probably date of birth and address. Will contain details of the charges faced and at least in outline form details of the allegation. Likely to contain names of prosecution witnesses, though not their addresses. | |
| | Witness statements and exhibits served under s9. Will contain witnesses’ names but unlikely to include details of their addresses. May name client by name and address. | | Prosecution evidence – most likely to identify the client by name and possibly date of birth and address. Will contain names of prosecution witnesses, though not normally their addresses. Likely to name victim and may include other personal information such as medical history, results of post mortem, etc. | |
| | Expert reports. May name witnesses by name and address, and may contain personal information, for example post mortem details of alleged victim, medical history, client’s antecedents, etc. | | Non-sensitive unused material disclosure schedules – will identify client by name and possibly address. Likely to contain names of witnesses although normally other contact details are redacted. | |
| | Defence jury bundles – likely to identify the client by name and possibly date of birth and address. May contain names of witnesses, though not normally their addresses. Likely to name victim and may include other personal information. | | Unused material – likely to identify client by name and possibly address. Likely to contain names of witnesses although normally other contact details are redacted. | |
| Counsel | Correspondence, Brief and notes – will name client by name and identify stage of proceedings. Likely to contain privileged information, including instructions in relation to the offence. May identify names and contact details of witnesses. | | Correspondence – will name client by name and identify stage of proceedings. Likely to contain privileged information, including instructions in relation to the offence. May identify names and contact details of witnesses. | |
| | Prosecution Evidence – as with CPS | | Advice – will name client by name and identify stage of proceedings. Likely to contain privileged information, including instructions in relation to the offence. May identify names and contact details of witnesses. | |
| | Unused material – as with CPS | | | |
| | Proofs of evidence and client’s instructions – as with Client | | | |
| | Non-sensitive unused material schedules – as with CPS | | | |
| Court (Magistrates’ Court, Crown Court, Appeal Court) | Correspondence – will identify the client by name and current venue. May potentially identify the allegation. May include details of client’s name. | | Correspondence – will identify the client by name and current venue. May potentially identify the allegation. | |
| | Applications for bail. Will identify client by name, address and date of birth. May include details of allegation and names and contacts of witnesses, proposed sureties. May also include other personal antecedent information. | | | |
| | Defence Statements – as with CPS | | | |
| Solicitor Agent | Correspondence – as with counsel | | Correspondence – as with counsel | |
| Doctor / Hospital | Correspondence – will identify client by name and possibly date of birth and address. May include details of personal medical history. | | Correspondence – will identify client by name, possibly by date of birth and address. May include details of personal medical history. | |
| | Signed authority – will include details of client’s name, address, date of birth and possibly national insurance number. | | Medical report – will identify client by name, possibly by date of birth and address. May include details of personal medical history. | |
| | | | Medical records – will identify client by name, possibly by date of birth and address. May include details of personal medical history. | |
| New solicitor | Correspondence and most likely entire client file. Will certainly identify client by name. | | Correspondence – will identify client by name. Likely to identify stage of proceedings. May contain details of client instructions. | |
| Previous solicitors | Correspondence | | Correspondence | |
| | Signed authority | | | |
| Co-Defendant’s solicitors | Correspondence – likely to identify both clients by name. Likely to identify stage of proceedings. | | Correspondence – likely to identify both clients by name. Likely to identify stage of proceedings. | |
| | Defence Statement – as with CPS | | | |
| | Witness statements and exhibits served under s9 – as with CPS | | | |
| Securities / Sureties | Correspondence – will identify client by name. Likely to identify stage of proceedings. | | Correspondence – will identify client by name. Likely to identify stage of proceedings. | |
| Witness (factual and expert) | Correspondence – will identify client by name. Likely to identify stage of proceedings. May identify details of allegation. May identify contact details of potential witnesses. | | Correspondence – will identify client by name. Likely to identify stage of proceedings. May identify details of allegation. May identify contact details of potential witnesses. | |
| | Copies of prosecution evidence – as with CPS | | | |
| Legal Services Commission | Correspondence – will identify client by name. Likely to identify stage of proceedings. | | Correspondence – will identify client by name. Likely to identify stage of proceedings. | |
| | Claims for payment – will identify client by name. Likely to identify stage of proceedings. | | | |
| | Applications for prior authority, which may include client’s instructions, extracts from prosecution evidence, proofs of evidence, defence witness statements, etc. | | | |