Curae Solicitors

Privacy policy

 

How we use client information

Using personal information for a specific purpose

All information received from our clients (and indeed personal data about colleagues and job applicants) must be handled fairly. Our standard retainers include a privacy statement which provides information to clients about us and how we will use their information i.e. in connection with the provision of legal services. Staff must not use the information for any other purpose unless provided for in this manual or with the prior approval of the key contact / owner for this area. For example, staff must not:

access client information held in another part of the business out of curiosity or for other non-work purposes; or
use client contact information to market something which is not our own legal services or products.

If consent is needed for using personal data in a new way we should obtain specific agreement rather than, for example, relying upon silence or pre-ticked boxes.

We’re delighted when staff take the initiative to develop a marketing event or idea but please speak to our key contact / owner for this area before using client data for a promotion. There are specific legal requirements which we need to comply with including under the GDPR and the Privacy and Electronic Communications Regulations.

Depending upon how it is proposed that personal data is to be used in a new project, and in particular in new IT systems, our Information Officer may decide to prepare a formal Data Protection Impact Assessment (such assessments will be required by law for all new projects which involve potentially high data protection risks from 25 May 2018). We maintain an information audit and data mapping report which should be updated when we make use of personal information in a new way. Therefore staff should always speak to the key contact / owner for this area in the early planning stages of new projects which involve use of business data. We can then review the implications and whether an impact assessment is needed.

 
Maintaining accurate up to date records

Staff must amend out of date or inaccurate information which we are currently working with as soon as possible. For example, if we are told of a new home address for the client or that we have incorrectly recorded something in an attendance note then this must be updated on our system straight away. This does not mean that historic records should be altered however. On the contrary, we should retain an intact record of previous activity e.g. that at the outset of a matter the client lived at another address to which correspondence was sent. It should be clear however that such records are historic.

Under the GDPR individuals have certain rights in relation to amending / destroying potentially inaccurate information and compensation can also be claimed where damage is suffered. If you receive a request to amend or erase personal information or a request for compensation then please contact the key contact / owner for this area straight away.

 

Storing only the information about individuals which we need

Information about living individuals which we gather and store should be relevant to the work we are undertaking and should not be excessive for our client’s needs. If it is clear that we no longer require information gathered about a certain individual then we should only retain the minimum necessary to keep an audit trail of what we have done. See below for details of our retention policy i.e. how long we will generally store client papers for.

Information about colleagues, team members and job applicants

It should be noted that the requirements summarised above apply equally to personal data (i.e. information about an identifiable individual) relating to colleagues or job applicants.

 

Keeping a record of what we have done

Staff are required to keep an accurate record of all of our work in respect of a client matter and such records must be accessible electronically. This includes writing up notes on telephone calls and meetings as soon as possible after they take place. It is particularly important that a record of an activity or issue is made as soon as possible where our being able to evidence that activity or issue is of particular importance. For example, binding oral agreements upon which we will seek to rely or any statement which could bind or otherwise commit our business must be recorded very carefully.

It should be clear from each file what has happened and what stage the matter is at if the lawyer dealing is suddenly away from the office. Electronic records should be named and stored in such a way as to be easily retrievable, even by those not familiar with the matter. It should be clear whether an electronic document is in a final format i.e. whether a document has been sent or is in draft.

Staff are encouraged to be vigilant in ensuring that electronic matter records are only stored long term in the appropriate place. Be careful not to retain copies of client information indefinitely in other places on our system such as Outlook (which should be subject to periodic clear outs) or personal drives, and never on a personal device. Otherwise we risk compromising the Act in that our automated destruction processes will not cover these documents.

Retention policy: matter archiving and destruction

We retain client files for a certain period of time in case of a negligence claim or other subsequent query or issue arising in a client matter. However, under the GDPR we cannot keep information about an identifiable living individual indefinitely. It is also good practice to not keep information which we no longer need. Staff are therefore required to follow this policy on retaining and destroying client files.

At the end of a client matter we must explain to the client how long their information or other assets will be stored for and return any original documents or other property belonging to the client. Original documentation or other assets should not be destroyed without informed client consent. If you cannot contact the client and believe that an item should be destroyed then please speak to our key contact / owner for this area. If we are storing documents such as deeds or a will for the client then this should be highlighted to the client. Otherwise, we will destroy client files in accordance with our file retention policy:

where applicable, we will retain trust files and documentation for as long as the trust is active and, in the case of trust administration files, to the end of the trust plus 6 years;
retain other client matter paper files for a period of 8 years;
retain other electronic matter files for a period of 8 years.

After these periods the relevant files will be destroyed.

We have selected these timescales with reference to Law Society guidance on this subject. They are intended to help minimise the risk that we do not have access to key information in the event of the client requiring this to protect their legal position, a ‘date of knowledge’ negligence claim against us or a tax enquiry or another issue arising. Being able to demonstrate the work undertaken to further or protect our client’s legal standing or rights can be of fundamental importance both to the client and to our business. We consider that we are permitted to simply store records in this way for the purposes of bringing or defending future legal claims and to protect our legitimate business interests including in defending negligence claims and demonstrating our activities if necessary to our regulators. That being said, our clients’ information is not stored for this period for any other purpose and this should be borne in mind in limiting the use of the files in archive. Clients are informed of this policy at the outset of their matter in our standard terms privacy notice together with information of any charges made for storage.

For the avoidance of doubt, all documentation and records relating to money laundering checks must be retained for at least 5 years under the Money Laundering Regulations. In addition, we typically retain a very small amount of client information (i.e. name and address) within our conflicts of interest database in order to comply with the solicitors’ professional rules on conflicts (which are legal requirements in that they constitute subordinate legislation).

As a business we are also subject to certain obligations to retain or destroy certain data in respect of health and safety, finances and recruitment processes (among other things). Please refer to the appropriate policies in these areas for further information and seek guidance from your line manager / our COLP if you are unsure.

Subject access requests and data protection complaints

Like any other business, we are required to provide an individual with access to the personal data (i.e. information about them as an identifiable living individual) which we hold in respect of that person following a written request to do so made in accordance with the GDPR. Generally speaking, as of 25 May 2018 we are no longer able to charge for such access (guidance can be sought as to exceptions from our key contact / owner for this area).

Subject access requests should be addressed to our key contact / owner for this area. If you receive such a request then this must be passed to our key contact / owner for this area straight away. This is because ordinarily we have a statutory deadline for complying with the request of one month. Extensions are possible in certain circumstances but you should not place any reliance upon the availability of an extension until our key contact in this area has advised on this. Please bear in mind that these requests need not refer specifically to the GDPR or be termed a ‘subject access request’ or similar in order to give rise to an obligation and a deadline. Staff should look out for any request by any individual for information which we hold about them and if in any doubt should discuss this with our key contact / owner for this area. Our key contact / owner for this area will liaise with you to establish whether the request is a subject access request under data protection law and will:

confirm that the individual is who they say they are;
gather the information sought (you may be required to take the lead in this respect);
assess what information can be provided, which will include consideration of the exemptions under the Act and whether anything needs to be redacted from the documentation (e.g. because it contains confidential information about another person); and seek external advice on our duties if necessary.

In some circumstances we may hold information on behalf of a client which relates to another individual who asks us to supply them with a copy of that information. For example, in a dispute resolution matter our client may have provided us with personal data concerning their opponent and that opponent may wish to see this information. Though we will consider each case on its facts typically we would object to such a request on grounds of confidentiality and potentially privilege. We should however do all we can to assist our client in complying with any subject access request made to them about information which we hold within the appropriate timescales. Please liaise with our key contact / owner for this area in cases such as this straight away.

 

Other rights under the GDPR

In addition to the right to access information, the GDPR also gives individuals a number of other rights and powers over their data. You will perhaps rarely come across an individual looking to exercise any of these rights but do look out for any situation in which an individual is making a request of this sort. Speak to your line manager and Data Protection / Information Officer (or if you haven’t got one, your Compliance Officer for Legal Practice ‘COLP’) for advice. Other rights under the GDPR include:

the right ‘to be forgotten’, in certain circumstances and subject to certain exceptions, allows individuals to insist that an organisation erase their personal data;
the right of ‘portability’ which allows an individual to request certain information in certain circumstances in an electronic format which can easily be taken with them to another organisation;
the right to claim compensation as a result of a failure to comply with the GDPR.

Any complaint by an individual about how we are using their personal information should be referred to our key contact / owner for this area.

 

Information security

We have ethical and legal obligations to keep the information which we work with safe. In order to do this it is vital that our staff follow good practice inside and outside of the office. We are primarily concerned in this document with information relating to a client matter but bear in mind that other business information (i.e. concerning recruitment or finances) should also be kept confidential.

We set out below standards which must be met by staff when working with confidential information. If you are working on a high-profile matter, information about children, a matter which impacts upon national security or with other sensitive information, then obviously greater vigilance should be applied. If working with government bodies or departments we must adhere to the appropriate standards expected of us. Information might otherwise be ‘sensitive’ where, for example, it relates to the commission or alleged commission of an offence or any proceedings for an offence, a child, a victim of an offence, a witness who may be at risk of violence if their identity is exposed, transgender information, information about a listed company which could materially impact share price, or is ‘sensitive personal data’ i.e. information which concerns an individual’s race or ethnic origin, political opinions, religious beliefs or similar, trade union membership, health condition, sex life, genetic data or biometric data. If you are not sure whether the steps you are taking to protect the information are adequate then please speak to our key contact for this area.

As well as following the requirements set out below, staff should ensure that they are familiar with our acceptable use policy for using business resources.

Information security in general

Staff should ensure that all confidential papers and electronic devices are locked away at the end of each day. Don’t leave papers on your desk, at a printer, on a fax machine or in meeting rooms. During the working day staff should be conscious that there may be visitors to the office who could see papers which are left out. Staff should also lock their screen when the computer is not in use.

When disposing of confidential papers staff must ensure that this is done in a secure way i.e. by using one of our secure confidential waste bins / by shredding it.

When picking a password, staff should follow best practice which includes ensuring that:

it is at least 8 characters long and uses a combination of words, numbers, symbols and both upper and lower case letters;
they do not use a password which might easily be guessed such as ‘Password1’, ‘Hello2U!’, ‘qwerty’, ‘123456’ or their name, username, vehicle registration, date of birth or a family member’s name;
the password is not written down and left in the office, particularly not on a post-it note on the computer or a similar location;
they do not share their password (or any other account details such as username etc);
they do not use the same password for work as for personal devices or accounts.
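The checks in the list above, written out as an added example (not the firm's own tooling): a small policy checker that tests length, character mix, the blocklisted examples quoted above, and the presence of personal details such as a name, username or date of birth. The blocklist and the helper names are assumptions for illustration.

```python
import re
from datetime import date

# Constructed blocklist drawn from the examples in the policy above; a real
# deployment would check against a much larger list of known-bad passwords.
COMMON_PASSWORDS = {"password1", "hello2u!", "qwerty", "123456"}


def dob_terms(dob):
    """Expand a date of birth into the substrings that must not appear
    in a password (ddmmyyyy, ddmmyy, yyyy and ddmm forms)."""
    return {
        dob.strftime("%d%m%Y"),
        dob.strftime("%d%m%y"),
        dob.strftime("%Y"),
        dob.strftime("%d%m"),
    }


def check_password(password, personal_terms=(), min_length=8):
    """Return a list of policy failures; an empty list means the password passes.

    personal_terms: strings that must not appear in the password, e.g. the
    user's name, username, vehicle registration, a family member's name or
    the output of dob_terms().
    """
    failures = []

    # Rule 1: minimum length.
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")

    # Rule 1 (continued): a mix of upper case, lower case, digits and symbols.
    classes = {
        "lower": re.search(r"[a-z]", password),
        "upper": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, found in classes.items() if not found]
    if missing:
        failures.append("missing character class(es): " + ", ".join(missing))

    # Rule 2: not an easily guessed password (compared case-insensitively).
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        failures.append("appears in the common-password blocklist")

    # Rule 2 (continued): no personal information embedded in the password.
    for term in personal_terms:
        term = term.lower().strip()
        if len(term) >= 3 and term in lowered:
            failures.append(f"contains personal information '{term}'")

    return failures
```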

Staff should be conscious that all businesses, and solicitors’ firms especially, can be targeted by thieves, hackers and fraudsters who may attempt to enter the offices physically. Visitors to the offices should be accompanied by staff at all times while in the office (rather than the meeting areas). If you think that a visitor may be in the offices unaccompanied without a visitor badge, staff are encouraged to politely enquire whether the individual is being looked after. The exception is if you have any concerns whatsoever as to whether it would be safe to do so, in which case you should speak with a line manager instead.

If meeting clients in a reception area care should be taken to ensure that confidential information is not inadvertently shared with other individuals present in the reception area. Quick discussions or the seeking of a signature can easily become more involved and a meeting room should be made use of if available.

You must never store your login details to any of our systems / browsers using a cookie or autofill function or similar. For example, if accessing any of our systems from a web browser never click ‘Remember me’ or similar. Otherwise you risk another user being able to gain immediate access to our system simply by gaining access to the same device which you have used. This is especially important where you are using a device which may be used by others. If this does occur in error then you must inform our Information Officer immediately.

Verifying a caller’s identity

When receiving telephone calls on client matters you should be satisfied of the identity of the caller before discussing any details. If you cannot readily and confidently identify the caller from their voice, ask for two pieces of information which the individual in question would have access to but others would not. This might typically include our reference number and a piece of personal information such as date of birth or similar. Be particularly cautious if you are working on a high-profile matter (which will always include cases relating to high-profile individuals) or with information which is sensitive or could be used to pursue a fraud. If you cannot be sure who you are speaking with, consider looking up the organisation’s contact details separately on the internet and calling the person back on a separate landline number which you have obtained from a source other than the caller.

 

Securing our correspondence

When addressing confidential information to another person it should be marked so as to make it clear that it is private and confidential e.g. ‘Strictly private & confidential’.

Staff should not send very large volumes of personal information or any very sensitive information by normal post unless it is contained on an encrypted device supplied by us.

Confidential information should be encrypted even if you are using a courier to transport the device in question. Seek guidance from our Information Officer before sending very large quantities of confidential information externally.

Email correspondence remains the communication method of choice for most clients. When sending email staff should ensure that they:

only use a work email account for work correspondence. Documents and correspondence relating to work should not pass through a personal email account such as Yahoo or Gmail;
double check the addressee(s) before sending;
encrypt at the very least sensitive information or large volumes of personal information. A basic level of encryption is available simply by password protecting documents in MS Word / Excel (2007 or later file formats only) but, where available, secure document repositories approved by the firm are preferable;
look out for generic email addresses which may have more than one recipient accessing the email;
use the blind carbon copy (‘BCC’) field if you are sending an email to a large number of recipients who have not consented to their email address being shared with others.

In high-profile matters or where sensitive information or information which could be used to pursue a fraud is concerned consider not sending the information by email at all even if encrypted. If in any doubt, speak to our Information Officer and our IT specialists.

Please be very careful if you are using a fax machine to send confidential information. If you have to use a fax machine then use a covering sheet to make clear that the communication is confidential and for the addressee only. Double check that the number has been entered correctly before sending. If you are sending a fax to an environment used by individuals other than the intended recipient then consider asking that person to wait for the fax at the other end (though this would not be necessary if sending it into a secure professional environment such as another solicitor’s firm).

 

Receiving unsolicited email attachments and links

Staff should be wary following receipt of an email which contains an attachment or links which they were not expecting to receive. Emails can be used to transmit viruses to our network or as a means of taking over a computer or network. Clicking on links and downloading attachments can potentially result in a virus being transmitted so caution should be exercised. If you know the sender but the attachment or link is unexpected or there is something else which is unusual about the communication, contact the person to check that they did in fact send the item. Look out for possible warning signs that the communication may be malicious such as emails which contain:

unusual sender email address or subject line;
questionable offers / offers which appear too good to be true;
misspellings, very poor grammar or emails which are otherwise unprofessional in their appearance;
a request for money or banking information of any kind;
a communication that the security of your computer or finances are at risk and require you to download a particular attachment or click on a particular link to resolve the problem;
pressure to make an urgent decision;
attachments which end in “.exe” or with the letter “m” or are a zip file.

Bear in mind that the wording or image used for a link in an email will not necessarily correspond to where the link takes you. For example, a hyperlink with the words blogs.com could be taking you to smith.com if it is from an untrustworthy source. You can right click and copy and paste the link to see where it will actually take you (though you should still be confident that the website is genuine before proceeding to it).

Bear in mind also that email accounts can be hacked or spoofed and so the fact that an email appears to come from a certain company or organisation does not necessarily mean that that is where it is from. Fraudsters have been known to research law firm organisation structure charts online to establish reporting lines and then send an email from a senior individual’s email address requesting that another staff member transfer a large sum of money to a bank account. Speak to your colleagues to confirm large transfers of money to new bank account details particularly if there is anything unusual about the request or the email footer or language used is different etc.
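The warning signs listed above, and the link-text check described after them, as an added example of how they can be applied automatically to an incoming message (this is illustration, not the firm's own mail filtering). The sample message is constructed, the sender and recipient addresses are placeholders, and the keyword lists are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the policy list above; keyword lists are assumptions.
RISKY_EXTENSIONS = (".exe", ".zip")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now")
MONEY_WORDS = ("bank account", "sort code", "transfer", "payment details")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or of a bare 'blogs.com'-style string; None if absent."""
    host = urlparse(value if "://" in value else "http://" + value).hostname
    return host.lower() if host else None


def link_mismatches(html_body):
    """Links whose visible text names a different site from the real target
    (the blogs.com / smith.com case described in the policy)."""
    collector = LinkCollector()
    collector.feed(html_body)
    suspicious = []
    for href, text in collector.links:
        shown = host_of(text) if re.search(r"\w\.\w", text) else None
        actual = host_of(href or "")
        if shown and actual and shown != actual:
            suspicious.append((text, href))
    return suspicious


def risky_attachments(msg):
    """Attachment names ending in .exe, .zip or a letter 'm' (macro-enabled
    Office formats such as .docm), mirroring the policy's rule."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS) or re.search(r"\.\w+m$", name):
            names.append(name)
    return names


def phishing_indicators(raw_message):
    """Return the list of warning signs found in an RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for name in risky_attachments(msg):
        indicators.append(f"risky attachment: {name}")
    for shown, href in link_mismatches(text):
        indicators.append(f"link text '{shown}' points to {href}")
    lowered = (msg["Subject"] or "").lower() + " " + text.lower()
    if any(w in lowered for w in URGENCY_WORDS):
        indicators.append("pressure to act urgently")
    if any(w in lowered for w in MONEY_WORDS):
        indicators.append("request for money or banking information")
    return indicators


def constructed_sample():
    """Constructed message (not a real email) showing several indicators at once."""
    msg = EmailMessage()
    msg["From"] = "accounts@example-bank.test"      # placeholder address
    msg["To"] = "fee-earner@example-firm.test"      # placeholder address
    msg["Subject"] = "URGENT: payment details update"
    msg.set_content("Please see attached.")
    msg.add_alternative(
        '<p>Please confirm the new <b>bank account</b> within 24 hours via '
        '<a href="http://smith.com/login">blogs.com</a>.</p>', subtype="html")
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"PK...", maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_string()
```

Running `phishing_indicators(constructed_sample())` flags both attachments, the mismatched link, the urgency wording and the banking request; a plain message with none of these returns an empty list.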

 

Information security on the go

Staff should not transport any confidential information (i.e. all client related work) on any electronic device such as a USB, CD or DVD without ensuring that it is encrypted and has been supplied by our firm. We shall ensure that all new work laptops and devices such as USBs are encrypted. Please contact your line manager if you think that you may have a device which is not encrypted.

Staff should try to minimise the need to take hard copy papers out of the office. It is better to access our matters electronically via remote login or on an encrypted business laptop. Do not, however, use third party applications such as Dropbox, Google Docs or email unless the platform and the accounts used have been authorised for business use by the firm (it may be possible to enhance the standard security on these platforms). If you do need to take confidential papers such as a client file (or part of it) out of the office then this must be carried in a locked bag. While this will not deter a determined thief it will prevent accidental disclosure of our client’s information in the event that the file gets lost. Lawyers have been subject to regulatory investigation and action by the ICO for losing a file on the way home which was not locked away. Such action will also prevent disclosure of any information on the file cover such as a client’s name or address or the type of matter in which we are instructed.

Staff should keep all work devices and papers with them at all times while travelling. Staff should not take work papers or devices to social events or leave them in a car overnight. Try to keep laptops out of sight where practicable.

We ask staff to try to avoid discussing client matters out of the office or working on client matters in public places wherever possible. It is very easy for a conversation to be overheard or for a client’s file to be overseen. It is safer to avoid doing this. If you need to work on confidential client matters in a public place use encrypted electronic devices supplied by us only and be very careful to ensure that nobody can see your screen. Avoid using public devices such as a computer in an internet café.

Working at home

If working at home you should take care to ensure that the same standards of security are met as when in the office. You should therefore clear and lock papers away when they are not in use. Confidential waste should be shredded and brought back into the office for this purpose if necessary.

If you access work matters using a personal computer or other device please ensure that you do not store your passwords or any other work information on that device. You should log out of the network when not using it particularly if using a shared computer. Your internet connection should be secured with a password. Your password for connecting to the internet should be in keeping with the guidance set out above and must not be the default password provided by the internet service provider (these have been known to leak on the internet). You should avoid downloading work information to your personal device.

 

Our banking information

At the appropriate stage in a client’s transaction staff may provide clients with details of our client account in order to pay money into this in connection with their legal matter. Otherwise, staff must not give out any banking information. Any enquiries purportedly from our bank or otherwise made in connection with our banking information should be referred immediately to our COFA. We need to ascertain that the individual seeking information from us is genuine and ensure that certain security information is never provided. We have set procedures for doing this.

Fraudsters have been known to target law firms with success using very sophisticated and convincing scams to pretend that they are genuinely from a law firm’s bank. In some cases they have ‘spoofed’ genuine banking telephone numbers and obtained information about a firm’s banking transactions and the name of the person at the bank with whom they ordinarily work. This has then been used to convince the individual on the phone at the firm that they are talking with the bank and to release certain security information. Alternatively staff might be asked to go online to authorise ‘test payments’ which are actually for significant sums of money. Firms have lost millions of pounds through such scams. You cannot trust that an individual is from where they say they are even if phone numbers or email addresses correspond correctly.

The SRA has publicised the following guidance (which we shall follow) from the City of London’s National Fraud Bureau (NFIB) for those looking to protect themselves from such scams, including:

if you receive a call from someone claiming to be from your bank relating to your accounts, end the call. Our COFA will return the call but always from a separate phone line and make use of the known general switchboard for the bank rather than on the number provided by the caller (be wary in particular of mobile telephone numbers);
do not share passwords or any other login details;
do not give any details relating to the business or its employees to anyone that you do not know or trust;
do not install any software from an external source without seeking reliable expert advice;
do not allow external parties to remotely access computers or engage in remote virus scanning or payment tests.

Banks will never ask for full passwords or keys or account related details over the phone and we will therefore never provide this over the phone.

Our clients’ banking information

Similarly, great care should be taken to ensure that all communications from clients as regards their banking details are genuine. The SRA has publicised a case in which a fraudster hacked into a client’s personal email, emailed the law firm with new banking information and then stole the proceeds of a conveyancing transaction once the firm sent the monies to the wrong account. Where banking information is likely to be required this should ideally be obtained from the client during a face-to-face meeting. If you receive a communication from the client asking you to send client monies to a new bank account then you must speak to the client to confirm this. You should double check the client’s banking details before sending large sums of money for the first time. Be especially cautious if the bank is based overseas as this makes it much more difficult to track and secure monies in the event of a problem. A solicitor’s practice will never have a client account overseas, so never send money overseas with the intention of sending this to the client account of a solicitor’s practice. Our standard terms and conditions stress to clients that we may require time to verify changes to banking information with them verbally in accordance with our procedure above for doing so. They also stress that we will never change our own banking details part way through a transaction.

We will of course never disclose any information about our clients’ banking arrangements or otherwise without full client consent and following the good practice set out within our office manual for verifying who we are communicating with.

 

Information security breaches

The GDPR has introduced new legal duties to inform the data protection regulator (the Information Commissioner’s Office or ICO) and the individual(s) concerned of certain data breaches within very tight timescales. A data breach is defined as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

So a data breach involves personal data being compromised such as:

leaving a paper client file on a train or in a cafe;
a departing member of staff taking client information with them to a new firm;
emailing personal information about a case to the wrong recipient outside of the business;
losing a device with personal data on it;
corruption of electronic data leading to the permanent loss of personal data.

If it is likely that there will be a risk to an individual’s ‘rights and freedoms’ then the firm will need to report this to the ICO within 72 hours together with some specific information detailed in the GDPR (Article 33(3)). If such a risk is unlikely, then there is no need to report it to the ICO but it would be sensible to record your reasons why. Report any possible breaches to your line manager and our Information Officer immediately and you will be guided on the need to make a report or not.

In terms of when there is a risk to ‘rights and freedoms’ think about what the impact of the breach could be for the individual concerned (if any). The sort of things which the GDPR seems to be concerned with (Recital 85) are whether there is a risk of an individual:

having their personal information irretrievably put into the public domain;
being the victim of identity theft or fraud;
otherwise suffering financial loss;
suffering damage to their reputation;
losing the professional privilege attached to an item such as legal advice;
any other significant financial or social disadvantage.

If a report to the ICO is needed, then under the GDPR the firm will typically also need to notify the individual(s) whose data has been compromised as soon as possible (this is subject to certain exceptions). This will be particularly important if someone is at risk of identity theft or some other fraud as a result of the breach as they may be able to take steps to protect themselves if they act on the breach quickly enough. If the information was properly encrypted or you can otherwise be confident from steps taken that the risk of impact has been removed then you may not be required to inform the individual under the GDPR (Article 34(3)). However, even if you are not obliged under the GDPR to report something to a client consider whether doing so may be beneficial to them and consider also your broader professional duties to disclose material information to the client. Again, you will not be expected to make this decision alone and should follow the guidance of our Information Officer.

In practice it is the firm which will make reports to the ICO and to affected individuals. It is your duty to inform your line manager and our Information Officer of the problem immediately so that this can be done. Do not wait.

By acting quickly it is also often possible to significantly reduce the impact of a data breach i.e. the distress to the individual concerned, regulatory investigations, compensation claims and complaints etc. This should be your priority. Try to retrieve, restore or where appropriate remotely delete compromised information as soon as possible. The quicker you act the more likely you are to be able to secure the information compromised. If necessary and justified by the risks posed consider whether hiring specialists or even pursuing legal action can assist you in securing the information. Whatever your approach do not delay.

If we suspect that our bank account or banking information has been compromised then we must immediately inform our bank, the National Fraud and Cyber Crime Reporting Centre, the SRA and our professional indemnity insurers. Immediate action can help safeguard monies and limit the impact of the problem. We will not make any admission of liability or offer any settlement to any third parties without the specific consent of our insurers.

Guidance should be sought from our COLP as to whether a security breach constitutes a breach of SRA rules and so needs to be logged (and reported if ‘material’).