Practical GDPR tips for barristers

I recently presented at a GDPR and Cybercrime training session for a wonderful group of Fee Earners, who are members of a Barristers Chambers. During training I was asked some very interesting questions and as a group these issues were openly discussed. I was so impressed with the healthy discussions, I thought I would share some of the scenarios and the suggested solutions.

Scenario one

Article 5(1)(f) of the GDPR requires that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

Very often barristers will take a bundle to Court containing evidence, case management paperwork (e.g. application forms and directions), statements, expert reports and documents relating to a case. Unless the court has specifically directed otherwise, a bundle will normally be contained in one A4 size ring binder or lever arch file limited to no more than 350 sheets of A4 paper.

The file is usually transported by hand by Counsel to the hearing. Quite often Counsel will travel by train and the file is usually kept in a bag and needs to be placed in the luggage compartment quite a way from the reserved seat they have been allocated, especially on a busy train. How can Counsel protect that bag and the contents in this situation?

There are various options you may want to consider:

  • If there is no option but to take a court bundle in a paper file (which will inevitably contain personal data), book a seat with extra leg room; these seats are allocated directly next to the luggage compartments. That way the bag is in your view all the time.

  • Ensure the bag is lockable – should the worst happen, and it is stolen, you are protecting the contents as far as you can.

  • Consider taking an electronic copy of the bundle, perhaps on an encrypted USB stick which is password protected for access.

Scenario two

Article 5(1)(a) of the GDPR requires that personal data shall be:

“processed lawfully, fairly and in a transparent manner in relation to individuals”

Privacy notices describe all the privacy information that you make available or provide to individuals when you collect information about them. They help with building confidence with individuals in what you are doing with their personal information. Privacy notices should include:

  • who you are;

  • what you are going to do with their information; and

  • who it will be shared with.

Very often a barrister will have their own ICO number; however, they rarely have a website on which to publish a privacy policy. In practice, if they do receive a Subject Access Request (SAR) from an individual exercising their rights, this will normally be coordinated through Chambers.

The question was asked whether the Chambers' privacy notice could be updated to publish all individual barristers' ICO numbers and to provide individuals with details of the processing, how to make a SAR and how the Chambers will deal with it.

I have to say this is a very practical approach given most Barristers use Chambers for their administrative duties. Provided you have covered the points listed above and detailed any data sharing activity you may conduct, practically this may be a useful way of managing data privacy and ensuring obligatory time limits are met.

Scenario three

The accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

One of the ways you can demonstrate compliance is to record your assessment of risks in relation to data security and your processes to mitigate that risk. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

Barristers are often asked to take on college or sixth form students who are looking to work in the legal field for work experience. The question posed was whether the same obligations imposed on employees apply to someone who is onsite for work experience.

Whether the individual is a work experience student, a casual member of staff, an employed Clerk or a Barrister, there should be no distinction. The obligation to ensure they have understood the importance of keeping data subject information safe/confidential and what to do if a data breach has occurred applies to everyone.

Ensure you have carried out adequate due diligence on the work experience student, and consider a confidentiality agreement. Allocate enough time during induction for the student to digest and understand your data privacy policies and procedures and, most of all, don’t forget to mention in the privacy notice that data is shared with work experience students.
