What are the concerns surrounding the safety of lawyers’ data?
The concept of confidentiality is at the core of the solicitor-client relationship and protected as a concept in law and also through regulatory controls. This is dependent on lawyers’ data being secure. The challenge that many lawyers now face is the need to reconcile the safety of data, and the connection of this with confidentiality duties, with modern storage and communication methods which are increasingly computer-based rather than paper-based. The use of electronic solutions means that there are a number of third parties with access to lawyers’ data and this increases risks to both the lawyers and their clients that data will not be secure or may become subject to the right of seizure from government agencies.
What are the particular concerns surrounding lawyers’ data posed by the rise of cloud computing and increased electronic transfer?
Cloud computing and electronic transfer methods place increased pressure on solicitors in respect of their duty to keep client matters confidential. The Solicitors Regulation Authority (SRA) is a risk-based regulator and has identified high impact risks in its Risk Regulatory Index and Risk Outlook documentation.
Outsourcing and the use of cloud computing and cloud providers were identified as high-level risks in the SRA Risk Outlook of Autumn 2013. While these are not prohibited activities, the SRA has said that it will expect law firms to manage the challenges that this creates in respect of the protection of client confidentiality.
The regulator published a regulatory guide, “Silver linings: Cloud computing, law firms and risk” in November 2013 to assist lawyers.
Suggestions for good practice include undertaking due diligence exercises on the service provider both before a contract is agreed and during the period of the agreement. In addition the SRA Code of Conduct specifies that the firm must enter into a contractual agreement with the provider to enable the SRA access to this third party to inspect data if necessary.
The cloud system must also comply with the Data Protection Act 1998 so that, for example, there must be a written contract between the law firm and the provider and restrictions on sending data outside the European Economic Area must be observed. This is crucial—not only does breach of legislation have an impact on lawyers in terms of their relationship with the SRA, they also must understand that some jurisdictions have surveillance and other laws which would place confidential information at risk of disclosure.
How do other jurisdictions fare in their protection of lawyers’ data?
The CCBE report looks at the extent to which lawyers’ data throughout Europe is (in its words) “susceptible to governmental access, and the rules and conditions surrounding such access”. The report notes that there are “very strong similarities” in how countries treat the regulation of the protection of data. In particular, the CCBE says that, in most countries, the “universal value of the protection of lawyers’ data” is recognised.
According to the report: “In some jurisdictions, however, this protection is viewed, however, as being a defence counsel privilege. These countries also provide for generic rules for lawyers acting outside the scope of a defence counsel, based on the human right of privacy. Furthermore, in most countries, there is specific legal protection for wider professional secrets, which also serves to cover lawyers acting outside the capacity of defence counsel. In other jurisdictions, the conceptual starting point is a general legal professional privilege which covers all communications relating to all legal advice between lawyer and client, of which criminal defence work or (for example) advice on a corporate merger, would be regarded as particular instances of the general principle”.
Are there particular areas of concern in relation to the safety of data?
The SRA’s style of regulation is risk-based so that risks must be identified and managed by regulated individuals and entities. Risks relating to data security have been identified so that breach of confidentiality is seen as a “risk level 1” event or, in other words, a risk which is likely to have a detrimental effect on the client concerned. The SRA Handbook contains an outcome requiring that firms must have effective systems and controls in place to identify risks to confidentiality and to mitigate those risks.
On-site storage of confidential information is increasingly being replaced by off-site solutions and also through cloud providers. The risk is that a third party may create an environment in which client confidentiality is placed at risk. The SRA has produced Risk Guidance to explain how it considers firms can manage this effectively.
Particular risks arise where a disreputable outsource provider is used, data is not stored safely with suitable encryption standards, and where storage in off-site jurisdictions places the data at risk of seizure etc. Regardless of methods of storage used, the responsibility for the safety of the data and compliance with duties owed to the clients remains with the lawyer.
How do you see this area developing? Are reforms in the pipeline?
In terms of the lawyers’ relationship with the SRA, the developments of electronic communications and storage continue to be seen as a risk to regulatory compliance which must be managed. The SRA will expect to see that law firms have identified potential risks and can demonstrate an appropriate response including initial assessment, agreement on appropriate safety measures, and ongoing monitoring of both the provider and the law relating to data storage. In turn, it seems highly likely that the SRA will continue to monitor developments and assess its regulatory response to ensure that appropriately drafted requirements protect consumers of legal services.
By Tracey Calvert, Director at Oakalls Consultancy (Interviewed by Jon Robins).
The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.
First published on Lexis®PSL.