Panic spread through a recent virtual seminar when the organisers realised that a barrister attending had decided to join the event while simultaneously undertaking a client conference. This member of the Bar had joined the Microsoft Teams call without muting their microphone and, despite the warnings and shouts being directed towards this individual, continued to discuss their privileged instructions for the entire seminar to hear.
While this was a clearly avoidable personal data breach (and an issue which the Bar Standards Board would likely investigate) it represents a serious example of a mistake that might occur more often in the world of virtual home working. It is not uncommon for an email containing personal data to be sent to the wrong email address; and with an increasing number of virtual hearings the scope for data breaches has increased.
So what are the requirements if a data breach occurs? If you send an email to the ‘wrong clerks’, are you required to notify the Information Commissioner immediately, or is there some scope for discretion? This article sets out the five considerations for when you are concerned that there has been a personal data breach.
Not every misdirected email constitutes a breach. Consider whether any personal data has in fact been lost. Anonymisation and/or pseudonymisation is encouraged exactly because there is always a potential for information to be lost or stolen. Anonymised information is defined within the General Data Protection Regulation (GDPR), at Recital 26, as ‘…information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. The GDPR does not apply to anonymised information. Therefore, if the misdirected email, or lost memory-stick, only contains anonymised data then there is no need to act.
Pseudonymisation is defined within the GDPR, at Article 4(5), as ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual’. Unlike anonymisation, pseudonymisation techniques will not exempt a controller from the duties contained within the GDPR. However, if the process of pseudonymisation requires additional information that remains secure then loss does not necessarily result in a personal data breach. For example, if de-pseudonymisation requires a hard-copy list which associates identification numbers to personal details, and the single copy of the list is in a locked filing cabinet, then no personal data has been lost. This will be a matter of fact and degree.
If personal data has been lost or stolen, you must first determine the extent of the breach. This will include assessing what personal data has been lost and the reason for the breach. So far as is possible, you must then limit the dissemination of the personal data.
In the simplest example, a misdirected email, it is possible that the email could be recalled, or that the person to whom it was addressed could be asked to delete the email before reading it. If you are confident that the breach has been contained, and that there is not a ‘risk to the rights and freedoms of the individual’, then there is no need to take any further steps.
It is ‘risk’ that is the trigger for notification. Risk should be assessed in accordance with the likelihood and severity of the impact on the individual (see: GDPR, Recitals 75 and 76). Therefore, if you are content that the lost personal data can be retrieved, or safely deleted, then there is no need to report this breach to either the Information Commissioner or the individual impacted.
Notification to the ICO is required if there is ‘a risk to the rights and freedoms of individuals’. Consider the type of breach; the nature, sensitivity and volume of personal data; the ease with which the individuals could be identified; and the severity of the consequences for the individuals. An accidental breach which results in the loss of a single person’s home address is unlikely, without more, to result in a risk to the rights or freedoms of an individual. By contrast, a loss of financial information for multiple clients following a targeted cyberattack represents a risk which would trigger notification.
If you are required to report a data breach then you must notify the ICO within 72 hours of the time at which you become aware of the breach. The ICO website provides a form for reporting a personal data breach, and directions to submit the form online.
The ICO also provides a self-assessment tool and a telephone helpline to provide advice on whether a notification is required. Please do not think that a declaration to the ICO is going to be met with immediate punishment. When you consider the enforcement action that has been conducted by the ICO, since GDPR, monetary penalties have only been issued to limited or incorporated companies. Further, the notification form includes, as a ‘reason for report’, an option: ‘I do not consider the incident meets the threshold to report, however I want you to be aware.’ If you have made a mistake, which requires a declaration, sanction is far from inevitable.
Communication of a breach to an individual is only triggered where it is likely to result in a ‘high’ risk to their rights and freedoms. The same considerations will apply as for notification to the ICO; however, as data controllers, barristers are likely to be in possession of ‘particularly sensitive’ personal data, the loss of which would create a ‘significant risk’ to an individual’s rights and freedoms (see: GDPR, Recital 51). You must consider whether there is any special characteristic of the individual which renders them particularly vulnerable. A misdirected email containing a person’s home address could be a catastrophic breach if the individual is subject to a physical threat by another. In that instance there is a clear duty to notify the individual as soon as possible.
Regardless of whether a breach requires notification, Article 33(5) of the GDPR requires a data controller to record a data breach: ‘The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.’
Barristers are registered as individuals with the ICO; it is therefore a personal duty, rather than a requirement of Chambers, to ensure that personal data breaches are recorded.
Digital home working may mean that the days of leaving a paper brief on the train home are a thing of the past. However, failing to take practical advice for secure home working, or a lack of consideration or care in relation to cybersecurity, means that a data breach remains a real problem for those at the Bar. The Bar Council has provided detailed guidance on the steps to take when there has been a breach. Barristers must be aware of their duties if personal data is lost whether through accident or from a cyberattack.