I recently presented at a GDPR and Cybercrime training session for a wonderful group of Fee Earners, who are members of a Barristers Chambers. During training I was asked some very interesting questions and as a group these issues were openly discussed. I was so impressed with the healthy discussions, I thought I would share some of the scenarios and the suggested solutions.
Article 5(1)(f) of the GDPR requires that personal data shall be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”
Very often barristers will take a bundle to Court containing evidence, case management paperwork (e.g. application forms and directions), statements, expert reports and documents relating to a case. Unless the court has specifically directed otherwise, a bundle will normally be contained in one A4 size ring binder or lever arch file limited to no more than 350 sheets of A4 paper.
The file is usually transported by hand by Counsel to the hearing. Quite often Counsel will travel by train and the file is usually kept in a bag and needs to be placed in the luggage compartment quite a way from the reserved seat they have been allocated, especially on a busy train. How can Counsel protect that bag and the contents in this situation?
There are various options you may want to consider:
If there is no option but to take a court bundle in a paper file (which will inevitably contain personal data), book a seat with extra leg room, these seats are allocated directly next to the luggage compartments. That way the bag is your view all the time.
Ensure the bag is lockable – should the worst happen, and it is stolen, you are protecting the contents as far as you can.
Consider taking an electronic copy of the bundle, perhaps on an encrypted USB stick which is password protected for access.
Article 5(1)(a) of the GDPR requires that personal data shall be:
“processed lawfully, fairly and in a transparent manner in relation to individuals”
Privacy notices describe all the privacy information that you make available or provide to individuals when you collect information about them. They help with building confidence with individuals in what you are doing with their personal information. Privacy notices should include:
who you are;
what you are going to do with their information; and
who it will be shared with.
The question was asked whether the privacy notice of the chambers could be updated to publish all individual barrister ICO numbers, provide individuals with details of the processing and how to request a SAR and how the Chambers will deal with it?
I have to say this is a very practical approach given most Barristers use Chambers for their administrative duties. Provided you have covered the points listed above and detailed any data sharing activity you may conduct, practically this may be useful way of managing data privacy and ensuring obligatory time limits are met.
The accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
One of the ways you can demonstrate compliance is to record your assessment of risks in relation to data security and your processes to mitigate that risk. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
Often Barristers are asked to take on students for work experience for college or sixth form students looking to work in the legal field. The question posed was whether the same obligations imposed on employees are applicable to someone who is onsite for work experience?
Whether the individual is a work experience student, a casual member of staff, an employed Clerk or a Barrister, there should be no distinction. The obligation to ensure they have understood the importance of keeping data subject information safe/confidential and what to do if a data breach has occurred applies to everyone.
Ensure you have carried out adequate due diligence on the work experience student, and consider a confidentiality agreement. Allocate enough time during induction for the student to digest and understand your data privacy policies and procedures and most of all don’t forget to mention in the privacy notice that data is shared with work experience students.