This practice note is the Law Society's view of good practice in this area. It is not legal advice.
Practice notes are issued by the Law Society for the use and benefit of its members. They represent the Law Society's view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them, but doing so will make it easier to account to oversight bodies for your actions.
Practice notes are not legal advice, nor do they necessarily provide a defence to complaints of misconduct or of inadequate professional service. While care has been taken to ensure that they are accurate, up to date and useful, the Law Society will not accept any legal liability in relation to them.
For queries or comments on this practice note contact the Law Society's Practice Advice Service.
The following sections of the SRA Code are relevant to information security:
There are ten mandatory principles which apply to all those the SRA regulates and to all aspects of practice. The principles can be found in the SRA Handbook.
The principles apply to solicitors or managers of authorised bodies who are practising from an office outside the UK. They also apply if you are a lawyer-controlled body practising from an office outside the UK.
When thinking about how to meet the outcomes in chapter 7 in the Code/Handbook, you must consider the principles which apply across the Handbook including the Code. You should always bear in mind what the ten principles are and use them as your starting point when implementing the outcomes.
Outcome 7.5 requires that practices 'comply with legislation applicable to your business, including anti-money laundering and data protection legislation'.
IB 7.3 involves 'identifying and monitoring financial, operational and business continuity risks including complaints, credit risks and exposure, claims under legislation relating to matters such as data protection, IT failures and abuses, and damage to offices'.
1.1 Who should read this practice note?
Sole practitioners and all solicitors responsible for developing information security policies in practices, in-house solicitors, partners and others, including non-qualified staff, with an interest in information security.
1.2 What is the issue?
Solicitors are increasingly exposed to the loss, damage, destruction or unauthorised disclosure of important data, whether through theft, malicious action or accident. This risk grows as computers and the internet are used more and more to process and transmit confidential client and business information.
1.3 Legal and other requirements
The following legislation is relevant to information security:
2 Statutory provisions
2.1 The Data Protection Act 1998 (DPA)
The DPA contains eight data protection principles. The seventh principle in Schedule 1 of the DPA requires data controllers to take appropriate technical and organisational measures against both:
- unauthorised or unlawful processing of personal data, and
- accidental loss or destruction of, or damage to, personal data
To determine the appropriateness of security measures, you should consider all of the following:
- implementation costs
- technological developments
- the nature of the data - sensitive personal data will merit particular attention
- the harm that might result from unauthorised or unlawful processing, or from accidental loss or destruction of, or damage to, the data
You should adopt a risk-based approach to compliance, giving appropriate weight to each of these factors. This is discussed in more depth in section 4 of this practice note.
You must also take reasonable steps to ensure the reliability of any employees who have access to the personal data. Special rules apply to contractors or others who process personal data on your behalf: you must choose a processor that gives sufficient guarantees about its security measures, take reasonable steps to check that those measures are being complied with, and have a written contract under which the processor acts only on your instructions and is bound to equivalent security obligations. See DPA Schedule 1 for guidance.
2.2 Regulation of Investigatory Powers Act 2000
If you monitor or store the electronic communications of fee-earners and other staff for business / security reasons you must comply with the relevant provisions of:
You should also consult Part 3 of the Information Commissioner's consolidated Employment Practices Data Protection Code. The code gives guidance for businesses on monitoring or recording emails in the workplace.
2.3 The Computer Misuse Act 1990 (CMA)
The Computer Misuse Act 1990 (as amended by the Police and Justice Act 2006) creates the following offences:
- s1: unauthorised access to computer material
- s2: unauthorised access with intent to commit or facilitate the commission of further offences
- s3: unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (this replaced the original s3 offence of unauthorised modification of computer material and also covers, for example, denial-of-service attacks)
- s3A: making, supplying or obtaining articles for use in an offence under s1 or s3
An information security awareness programme is a good vehicle for bringing these provisions to the attention of staff. They protect the firm's systems against outsiders, but they also mean that a member of staff who accesses material, or a system, that they are not authorised to access may commit an offence, so access rights and their limits should be stated clearly.
3 Good practice for information security
The following good practice recommendations offer a foundation on which practices of all sizes and types can develop their own risk-based policies and procedures for information security.
3.1 Written policy
You should set out your information security practices in a written policy. The policy should reflect solicitors' professional and legal obligations. You should supplement this with implementation procedures. You should monitor these and review them at least annually.
You should appoint a senior member of staff to own the policy and procedures and ensure implementation.
3.3 Reliable people
You should implement and maintain effective systems to ensure the continuing reliability of all persons, including non-employees, with access to information held by the firm.
3.4 General awareness
You should ensure that all staff and contractors are aware of their duties and responsibilities under the firm's information security policy. This includes understanding how different types of information may need to be managed.
3.5 Effective systems
You should identify and invest in suitable organisational and technical systems to manage and protect the confidentiality, integrity and availability of the various types of information you hold.
4 Risk assessment
In addition to the good practice above, you may carry out a risk-based assessment of your information security requirements to develop detailed policies and procedures that will satisfy the overall objectives of the information security policy.
A risk-based approach to information security involves identifying:
- the firm's information assets
- threats to those assets and the vulnerabilities those threats could exploit, together with the likelihood and impact of each
- ways to reduce, avoid or transfer each risk, and which residual risks the firm is prepared to accept
A comprehensive risk-based assessment can be a complex task, so you may need expert advice.
Where resources do not permit a comprehensive risk-based information security assessment, firms may nevertheless benefit from carrying out a basic, high-level exercise. This may help to identify any areas in which their information security is particularly weak or non-existent.
5 More information
5.1 Further products and services
5.1.1 Practice Advice Line
The Law Society provides support for solicitors on a wide range of areas of practice. Practice Advice can be contacted on 020 7320 5675 from 09:00 to 17:00 on weekdays.
5.1.2 Law Society Consulting
If you require further support, Law Society Consulting can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance. Please contact us on 020 7316 5655, or email email@example.com.
5.1.3 Law Society publications
Must - A specific requirement in legislation or of a principle, rule, outcome or other mandatory provision in the SRA Handbook. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or the SRA Handbook.
Should - Outside of a regulatory context, good practice for most situations in the Law Society's view. In the case of the SRA Handbook, an indicative behaviour or other non-mandatory provision (such as may be set out in notes or guidance).
These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best possible route to meet the needs of your client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why the alternative approach you have taken is appropriate, either for your practice, or in the particular retainer.
May - A non-exhaustive list of options for meeting your obligations or running your practice. Which option you choose is determined by the profile of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.
SRA Code - SRA Code of Conduct 2011
2007 Code - Solicitors' Code of Conduct 2007
OFR - Outcomes-focused regulation
SRA - Solicitors Regulation Authority
IB - indicative behaviour