Obligations under the Solicitors Code of Conduct
Solicitors are subject to professional rules of conduct, and a failure to meet the appropriate standard can result in censure, a fine and ultimately removal from the Roll. In the context of data protection, the most relevant obligations are that:
- Solicitors must keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;
- Any individual who is advising a client makes that client aware of all information material to that retainer of which the individual has personal knowledge;
- Solicitors have in place effective systems and controls to enable them to identify risks to client confidentiality and to mitigate those risks.
Obligations under the DPA
Processing personal data is fundamental to the work of a solicitor. The Data Protection Act 1998 (DPA) regulates the processing of information relating to individuals and solicitors must comply or risk committing a criminal offence.
Meaning of personal data
Personal Data
“Personal data” means data which relate to a living individual who can be identified either:
- From those data, or
- From those data and other information which is in a solicitor’s possession, or is likely to come into the solicitor’s possession, and includes any expression of opinion about the individual and any indication of the solicitor’s intentions or those of any other person in respect of the individual.
Sensitive Personal Data
“Sensitive personal data” is defined by the DPA as information consisting of a person’s:
- Racial or ethnic origin;
- Political opinions;
- Religious beliefs or other beliefs of a similar nature;
- Membership of any trade union;
- Physical or mental health or condition;
- Sexual life;
- Commission or alleged commission of any offence, including details of:
- Any proceedings for any offence committed or alleged to have been committed by him;
- The disposal of such proceedings;
- The sentence of any court in such proceeding.
Obligation to take appropriate security measure
The seventh data protection principle requires data controllers to take appropriate technical and organisational measures against:
- Unauthorised or unlawful processing of personal data,
- Accidental loss or destruction of, or damage to, personal data.
Determining the appropriateness of your security measures
There is no “one size fits all”.
A solicitor’s approach needs to be “risk based”:
- First, the solicitor needs to assess the risks posed by personal and /or restricted data being:
- Accessed without authorisation; and / or
- Accidentally lost, destroyed or damaged.
- Then the solicitor needs to put in place “appropriate” measures to control any of the identified risks that cannot be eliminated.
A solicitor should consider all of the following to determine the appropriateness of his/her security measures:
- Implementation cost;
- Technological developments;
- The nature of the data: note that sensitive personal data will merit particular attention;
- Harm that might result from unauthorised or unlawful processing or from accidental loss destruction and damage to the data.
Solicitors must also take reasonable steps to ensure the reliability of any employees who have access to personal data.
The eighth data protection principle states that personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The EEA encompasses the European Union (EU) along with Iceland, Liechtenstein and Norway. EU findings of adequacy have been made in respect of Switzerland, Hungary and (partially) Canada. ‘Safe Harbor’ arrangements with individual companies in the United States (US) have been in operation since 2000. The scheme is enforced by the US Federal Trade Commission.
Encryption
The ICO recommends that portable and mobile devices used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using encryption software.
Encrypting files helps protect them should physical security measures fail and can also protect data in transit, (e.g. via email and over the Internet).
Encryption software disguises data, preventing any inadvertent or unauthorised access.
Standards are always evolving, but the ICO’s current recommendation is that any solution which is implemented meets “the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS – 197”:
- “FIPS 140-2” is a US government computer security standard used to accredit products that implement cryptography and only applies to specific products that have been validated;
- “FIPS-197” is a reference to the FIPS Advanced Encryption Standard (“AES”).
Information flows from / to criminal defence practitioner
Nearly all, if not all, correspondence and / or case material sent to or sent by a criminal defence practitioner will relate in an obvious way to a living individual (normally the client and / or alleged victim(s)), who will be capable of being identified. As such, under the DPA it will be deemed “personal data”.
Party |
Document Sent by solicitor to party |
Document received by solicitor from party |
||||
Description |
Personal | Sensitive |
Description |
Personal | Sensitive | |
Client | Correspondence detailing privileged advice, confirmation of instructions, next milestones (court hearings etc). Will identify the client by name and address. | ☒ | ☒ | Correspondence including clients name and address, antecedent information, instructions on allegations and privileged communications. May include contact details for potential defence witnesses. |
☒ |
☒ |
Proof of evidence containing antecedent details, instructions in relation to the allegations and comments on the prosecution evidence. Will identify client by name and probably address. May include contact details for potential defence witnesses. | ☒ | ☒ | Statements, proofs of evidence and comments on prosecution case. May include client’s name and address, antecedent information, contact details of potential witnesses. |
☒ |
☒ |
|
Copies of used prosecution evidence, which will normally include a witnesses name (but not address – this will have either been redacted or ) | ☒ | ☒ | Signed authorities in relation to banks, medical records etc. Will contain the client’s name and address |
☒ |
☒ |
|
Copies of unused material – this will normally include individual names of witnesses and defendants, but most contact details will have been redacted. | ☒ | ☒ |
☒ |
☒ |
||
Police | Correspondence – will identify the client by name and current venue (e.g. police station, court, etc). May include details of the current status of the investigation. May potentially identify the allegation | ☒ | ☒ | Interview tapes – will contact details of the clients name, address and date of birth. Will normally refer to witnesses by name. |
☒ |
☒ |
☒ | ☒ | Custody records – will identify client (and potentially co-suspects) by name, date of birth and address. May contain details of medical examination and other personal information. May contain contact details for relatives, legal representative, etc. |
☒ |
☒ |
||
CPS | Correspondence – will identify the client by name and possibly address (for example when discussion bail). Likely to identify the stage of proceedings, and may contain details of allegation. | ☒ | ☒ | Correspondence – will identify client by name and possibly address. Likely to identify the stage of the proceedings and venue and may contain details of allegation. |
☒ |
☒ |
Defence Statement – will contain the client’s name and identify venue of the proceedings. Likely to contain details of the allegation, the client’s defence and details of witnesses, including contact details | ☒ | ☒ | Initial details of case – will identify the client by name and probably date of birth and address. Will contain details of the charges faced and at least in outline form details of the allegation. Likely to contain names of prosecution witnesses, though not their addresses. |
☒ |
☒ |
|
Witness statements and exhibits served under s9. Will contain witnesses names but unlikely to include details of their addresses. May name client by name and address. | ☒ | ☒ | Prosecution evidence – most likely to identify the client by name and possibly date of birth and address. Will contain names of prosecution witnesses, though not normally their addresses. Likely to name victim and may include other personal information such as medical history, results of post mortem, etc. |
☒ |
☒ |
|
Expert reports. May name witnesses by name and address, and may contain personal information, for example post mortem details of alleged victim, medical history, client’s antecedents, etc | ☒ | ☒ | Non-sensitive unused material disclosure schedules – will identify client by name and possibly address. Likely to contain names of witnesses although normally other contact details are redacted. |
☒ |
☒ |
|
Defence jury bundles – likely to identify the client by name and possibly date of birth and address. May contain names of witnesses, though not normally their addresses. Likely to name victim and may include other personal information. | ☒ | ☒ | Unused material – likely to identify client by name and possibly address. Likely to contain names of witnesses although normally other contact details are redacted. |
☒ |
☒ |
|
Counsel | Correspondence, Brief and notes – will name client by name and identify stage of proceedings. Likely to contain privileged information, including instructions in in relation to the offence. May identify names and contact details of witnesses | ☒ | ☒ | Correspondence – will name client by name and identify stage of proceedings. Likely to contain privileged information, including instructions in in relation to the offence. May identify names and contact details of witnesses |
☒ |
☒ |
Prosecution Evidence – as with CPS | ☒ | ☒ | Advice – will name client by name and identify stage of proceedings. Likely to contain privileged information, including instructions in in relation to the offence. May identify names and contact details of witnesses |
☒ |
☒ |
|
Unused material – as with CPS | ☒ | ☒ | ||||
Proofs of evidence and clients instructions – as with Client | ☒ | ☒ | ||||
Non-sensitive unused material schedules – as with CPS | ☒ | ☒ | ||||
Court (Magistrates’ Court, Crown Court, Appeal Court) | Correspondence– will identify the client by name and current venue. May potentially identify the allegation. May include details of client’s name. | ☒ | ☒ | Correspondence – will identify the client by name and current venue. May potentially identify the allegation. |
☒ |
☒ |
Applications for bail. Will identify client by name, address and date of birth. May include details of allegation and names and contacts of witnesses, proposed sureties. May also include other personal antecedent information. | ☒ | ☒ | ||||
Defence Statements – as with CPS | ☒ | ☒ | ||||
Solicitor Agent | Correspondence – as with counsel | ☒ | ☒ | Correspondence – as with counsel |
☒ |
☒ |
Doctor / Hospital | Correspondence – will identify client by name and possibly date of birth and address. May include details of personal medical history | ☒ | ☒ | Correspondence – will identify client by name, possibly by date of birth and address. May include details of personal medical history |
☒ |
☒ |
Signed authority – will include details of clients name, address, date of birth and possibly national insurance number | ☒ | ☒ | Medical report – will identify client by name, possibly by date of birth and address. May include details of personal medical history |
☒ |
☒ |
|
Medical records will identify client by name, possibly by date of birth and address. May include details of personal medical history |
☒ |
☒ |
||||
New solicitor | Correspondence and most likely entire client file. Will certainly identify client by name. | ☒ | ☒ | Correspondence – will identify client by name. Likely to identify stage of proceedings. May contain details of client instructions. |
☒ |
☒ |
Previous solicitors | Correspondence | ☒ | ☒ | Correspondence |
☒ |
☒ |
Signed authority | ☒ | ☒ |
☒ |
☒ |
||
Co-Defendant’s solicitors | Correspondence – likely to identify both clients by name Likely to identify stage of proceedings. | ☒ | ☒ | Correspondence – likely to identify both clients by name Likely to identify stage of proceedings. |
☒ |
☒ |
Defence Statement – as with CPS | ☒ | ☒ | ||||
Witness statements and exhibits served under s9 – as with CPS | ☒ | ☒ | ||||
Securities / Sureties | Correspondence – will identify client by name. Likely to identify stage of proceedings. | ☒ | ☒ | Correspondence – will identify client by name. Likely to identify stage of proceedings. |
☒ |
☒ |
Witness (factual and expert) | Correspondence – will identify client by name. Likely to identify stage of proceedings. May identify details of allegation. May identify contact details of potential witnesses. | ☒ | ☒ | Correspondence – will identify client by name. Likely to identify stage of proceedings. May identify details of allegation. May identify contact details of potential witnesses. |
☒ |
☒ |
Copies of prosecution evidence – as with CPS | ☒ | ☒ | ||||
Legal Services Commission | Correspondence – will identify client by name. Likely to identify stage of proceedings. | ☒ | ☒ | Correspondence will identify client by name. Likely to identify stage of proceedings. |
☒ |
☒ |
Claims for payment – will identify client by name. Likely to identify stage of proceedings. | ☒ | ☒ |
☒ |
☒ |
||
Applications for prior authority, which may include client’s instructions, extracts from prosecution evidence, proofs of evidence, defence witness statements, etc. | ☒ | ☐ |
☒ |
☒ |