
What Data Protection can mean in practice

 
I was talking to Bill the other day about various compliance issues, and he was getting me worried by saying that we probably don’t comply with the Data Protection legislation.  I said I thought that was rot, as I knew we were registered – I did it myself.  We don’t have to do anything else, do we?
 
You certainly do!  You’re right, of course, in saying that a foremost obligation under the Data Protection Act 1998 is to register your firm with the Information Commissioner as a data controller.  Sadly, despite the fact that this obligation has been around for a long time, it is believed that fewer than half of solicitors’ firms have complied.  It’s very simple – all you need is to give basic details of the firm, and of the types of data held and the processing techniques employed.  The form’s a great deal simpler than it used to be, and the annual fee is only £35.
 
I told you – I did it myself, so I know it was easy.  But what about the rest?
 
All data controllers are subject to the eight principles of data protection, which are that data must
  • Be fairly and lawfully processed
  • Be processed for limited purposes
  • Be adequate, relevant and not excessive
  • Be accurate
  • Not be kept longer than necessary
  • Be processed in accordance with the data subject’s rights
  • Be secure
  • Not be transferred to countries without adequate protection.
 
So you need to think through all sorts of areas of the firm’s operations to see how they comply, such as what your policies are on password protecting data held on your computer network, or when you routinely destroy data.  Just about every area of your work will involve data of some sort, and you need to think through how the principles will apply.
 
How much do the staff have to be involved?
 
Well, one thing is that all the partners and staff should know what to do if you get what is called a ‘subject access request’, or ‘SAR’, that is to say a formal request from a client (or another third party, such as a member of staff) to see what data you hold on them.  You should have someone (of sufficient seniority and who has had suitable training) appointed as the person to whom any such requests are passed for action, and no-one else should interfere, or attempt to mollify the client by giving them part information.
 
What are they entitled to see?  Surely it’s not everything we have on computer about them, is it?  Anyway, they won’t know, will they?
 
They should, because you are obliged to tell them.  Everyone whose data you are going to hold or deal with should be told what sort of data you are going to be dealing with, and what use(s) you are going to be making of them.  Mostly, of course, that will be to carry out their instructions, but you are also likely to use them for other reasons, like marketing.  All this is best set out right at the start of a matter, in your rule 15 letter.
 
That could cover all sorts of things.  Thank God it's just what we’ve got on the computer, not what we’ve got on paper as well.
 
Oh no, it’s not!  The legislation can apply to paper records as well.  It used to be thought that it applied to all such records.  I remember a chum of mine telling me that his firm had an SAR from a member of staff asking all sorts of obscure questions.  They thought they had to comply with the request fully, and it took about two days’ worth of work to assemble the different bits of paper from all over the place.  Fortunately, however, there has since been a Court of Appeal case, Durant v FSA, which held that a request need only be complied with insofar as it affected data held in a structured filing system, which more or less equates to a paper equivalent of a computer record.  You’ve still got to be careful if you get such an SAR, but you may well be able to refuse it in such circumstances.
 
You’ve reminded me, you’ve talked to me before about this legislation and staff, haven’t you?
 
That’s right.  We talked about the Codes of Practice which the Commissioner has issued. There’s more to it than that, though.  For instance, what about your website?
 
What about it?  What on earth has it got to do with the staff?
 
If I remember rightly, you have a very good section for each department, giving the names, ages and descriptions of all your fee earners, together with a photo of them.  That’s all data to which the legislation applies, so two things need to be done.  Firstly, the staff need to have been made aware of your proposals to do what you have done.  Secondly, you need to consider the position of the firm with regard to any third party to whom you have outsourced the data.
 
What third party?  It’s our website, isn’t it?
 
Yes, but I wouldn’t mind betting that you didn’t set it up yourselves, and you don’t keep it up yourselves.  You used a web designer, and a webmaster.  They may be one and the same, but my point is the same anyway.  You have to make sure that your relationship with them complies with the legislation.  That means you have to have a written agreement with them, and they have to accept an obligation to provide an appropriate level of security for all data you provide to them.
 
Does that apply to anyone else as well?
 
It certainly can do.  If you use a direct marketing company to send out brochures or flyers, for instance, then you obviously have to give them the names of the clients or prospects you are sending them to.  Or you might use a bureau for payrolling purposes.  The same applies to each of them.
 
We were thinking of getting a company overseas to do some marketing for us – it’s so much cheaper.  Is that OK?
 
It depends.  There are four possible ways of doing it legally (though all will have to include the contract terms mentioned above).  Firstly, there is no problem if the country to which you are exporting the data is in the EEA, which is any EU country, Iceland, Liechtenstein and Norway.  Secondly, it could be to a country which has been approved by the EU as one which has sufficiently rigorous data protection laws of its own.  The only approved countries at the moment are Argentina, Canada, Guernsey, the Isle of Man and Switzerland.
 
The third applies to some American companies.  If they have signed up to the US Department of Commerce’s “Safe Harbor” agreement then that’s alright.  You can find a list of those companies by following links through to that Department’s website from the Information Commissioner’s site.  Those companies have in effect agreed to provide equivalent standards of data control.
 
Lastly, you can simply enter into an agreement with a company in any country, if the agreement itself is sufficiently rigid.  The Information Commissioner’s website has models of various forms of contract which could be adapted for such purposes.  So if, for instance, you wanted to outsource some work to a call centre in India, you could do it by means of such an agreement – provided you were suitably satisfied that the company you were dealing with was sufficiently reliable and wouldn’t, by its breach, put you in breach of your own obligations.
 
And the clients can’t complain?
 
Provided you remember your obligations to them, no.  But remember that those obligations include telling them the purposes for which you are going to use the data.  So, going back to your rule 15 letter, you should tell the clients that you may transfer the data to third parties who will process those data on your behalf.
 
I know I often see tick boxes on various websites, about letting companies send marketing materials to me.  Does that apply to us?
 
Yes, it can.  What is messy, however, is whether the client has to give active consent to such use.  It depends whether your use is for a ‘legitimate interest’ of your firm (assuming your client’s rights are not being prejudiced).  If it is, and if you acquired the data in the normal course of your instructions, then it may well be that you can use the data if the client does not positively opt out, i.e. tell you to desist or, in the jargon, ‘unsubscribe’.  So, if you are sending out a newsletter to all clients, and you have told them up front that you may use their data for such purposes, then you should be OK so long as they don’t ask you to stop sending it.
 
What about sending e-mails?  Is that acceptable?
 
Again, I’m afraid, it depends.  If you are acting completely cold, e.g. you have bought a list of e-mail addresses, then you will need to check with the supplier of the list that all of those listed have previously consented to being sent marketing material for services of a nature similar to that which you are going to supply.  Or, if you get data from someone in the course of negotiating with them, and want to follow that up, you can do so only if you are then offering similar services and the prospect did not, either originally or at any later time, decline to accept the materials.  The important thing is that you have to provide, each time, an easy and free way for them to unsubscribe.  That’s why you see all the tick boxes you refer to.
 
Are we better off if we use a marketing company, rather than trying to do it ourselves?
 
You could well be.  If you use a member of the Direct Marketing Authority, then they will have to apply that body’s Code of Practice, which includes obligations to comply with all the above.  It also means that they will check with the various Preference Services, which maintain lists of people who have registered a wish not to receive marketing materials by mail, e-mail or telephone. 
 
And, talking of Codes of Practice, don’t forget that the Law Society Code prevents cold calling by telephone of private clients.  You should make sure that any company you employ agrees to abide by that.
 
The reason I got round to talking to Bill about all this is that he wants to start doing automatic wills on the internet.  Is there anything we should be watching out for on that score?
 
Yes, there is.  The Consumer Protection (Distance Selling) Regulations 2000 (SI 2000/2034) may well apply.  I haven’t got the time to go into those in detail now, but suffice it to say that if they do apply, you will have a lot of hoops to jump through with regard to such things as early supply of information to the client before any obligation is undertaken by him.  Oh! – don’t forget the possible money laundering implications as well, depending on whether the service you are supplying is “regulated” or not.
 
Isn’t all this rather a load of bureaucratic nonsense?  You never actually hear of anyone being done for this, do you?
 
Tell that to Mr. Ralph Donner, the solicitor who was fined £3,150 by Bolton Magistrates in March 2005 for failure to register as a data controller!  And also tell that to the Information Commissioner, who stated at a recent conference that he was seeking wider powers of enforcement, including the right to enter premises without consent, in order to check whether the legislation is being complied with.  Just think what fun your professional colleagues would have if you were the one hauled up before the Court.  That would be a good way to start the New Year, wouldn’t it!
 
Simon Young
 
 

© UKLawyers. All rights reserved.
