You are here:
  1. Home
  2. Support services
  3. Advice
  4. Practice notes
  5. Data protection

Data protection

Last updated: 16 June 2016

What is the issue?

  • Processing personal data is fundamental to the work of a solicitor. The Data Protection Act 1998 (DPA) regulates the processing of information relating to individuals. Solicitors must comply with the DPA. Failure to do so may constitute a criminal offence. The Information Commissioner can, in certain circumstances, also impose financial penalties of up to £500,000.
  • This practice note sets out how solicitors can comply with the Act.

To access practice notes from the 1 June 2017 you will need a My Law Society account.

Registration is free and only takes a couple of minutes. Sign up now

Legal status

This practice note is the Law Society's view of good practice in this area. It is not legal advice.

Practice notes are issued by the Law Society for the use and benefit of its members. They represent the Law Society's view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them, but doing so will make it easier to account to oversight bodies for your actions.

Practice notes are not legal advice, nor do they necessarily provide a defence to complaints of misconduct or of inadequate professional service. While care has been taken to ensure that they are accurate, up to date and useful, the Law Society will not accept any legal liability in relation to them.

For queries or comments on this practice note contact the Law Society's Practice Advice Service.

Professional conduct

The following sections of the SRA Code are relevant to this issue:

Chapter 7 - Management of your business

There are ten mandatory principles that apply to all those the SRA regulates and to all aspects of practice. The principles can be found in the SRA Handbook.

When thinking about how to meet the outcomes in chapter 7 in the Code, you must consider the principles which apply across the Handbook including the Code. You should always bear in mind what the ten principles are and use them as your starting point when implementing the outcomes.

Outcome 7.5 requires that practices 'comply with legislation applicable to your business, including anti-money laundering and data protection legislation'.

IB 7.3 involves 'identifying and monitoring financial, operational and business continuity risks including complaints, credit risks and exposure, claims under legislation relating to matters such as data protection, IT failures and abuses, and damage to offices'.

SRA Principles

There are ten mandatory principles which apply to all those the SRA regulates and to all aspects of practice. The principles can be found in the SRA Handbook.

The principles apply to solicitors or managers of authorised bodies who are practising from an office outside the UK. They also apply if you are a lawyer-controlled body practising from an office outside the UK.


Must - A specific requirement in legislation or of a principle, rule, outcome or other mandatory provision in the SRA Handbook. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or the SRA Handbook.


Outside of a regulatory context, good practice for most situations in the Law Society's view.

  • In the case of the SRA Handbook, an indicative behaviour or other non-mandatory provision (such as may be set out in notes or guidance).

These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best possible route to meet the needs of your client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why the alternative approach you have taken is appropriate, either for your practice, or in the particular retainer.

May - A non-exhaustive list of options for meeting your obligations or running your practice. Which option you choose is determined by the profile of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.

SRA Code - SRA Code of Conduct 2011

2007 Code - Solicitors’ Code of Conduct 2007

OFR - Outcomes-focused regulation

SRA - Solicitors Regulation Authority

outcome - outcome

IB -indicative behaviour

The Law Society also provides a full glossary of other terms used throughout this practice note

1 Introduction

1.1 Who should read this practice note?

Managing partners, practice managers and all staff concerned with the management and day-to-day operations of practices.

1.2 What is the issue?

Processing personal data is fundamental to the work of a solicitor. The Data Protection Act 1998 (DPA) regulates the processing of information relating to individuals. Solicitors must comply with the DPA. Failure to do so may constitute a criminal offence. The Information Commissioner can, in certain circumstances, also impose financial penalties of up to £500,000.

This practice note sets out how solicitors can comply with the Act.

2 What does the Data Protection Act cover?

You must comply with the Act if you or your staff process personal data.

'Personal data' means data which relate to a living individual who can be identified either:

  • from those data, or
  • from those data and other information which is in your possession, or is likely to come into your possession, and includes any expression of opinion about the individual and any indication of your intentions or those of any other person in respect of the individual

If in doubt you should consult the Information Commissioner's Technical Guidance on determining personal data.

3 Good practice for compliance

Practices should undertake the following activities to ensure data are adequately protected.

3.1 Appointing someone to be responsible for compliance

Firms should appoint someone with appropriate authority to take the lead on data protection. This person should:

  • familiarise themselves with the Act, guidance and relevant case law and keep abreast of changes
  • notify the Information Commissioner, keep the notification up to date and renew it annually
  • regularly 'audit' the firm's use of personal data and check compliance
  • draw up a written data protection policy and ensure that other members of staff are aware of, understand and comply with it
  • take the lead to ensure that data subject access and other legitimate DPA requests are handled in a timely manner

Larger firms are likely to appoint a specialist data protection officer who may report to a senior partner.

3.2 Notifying the Information Commissioner (IC)

The Information Commissioner oversees the DPA. You must not process personal data until you have provided the IC with both:

  1. your 'registrable details'
  2. a general description of the security measures you will take to protect personal data

Registrable details include:

  • your name and address,
  • a description of personal data
  • the purposes for which the data is being processed

This information is then entered into on the Public Register of Data Controllers. The register is available via the ICO website.

3.2.1 Notification process

You must complete a form to provide notification. You may do this in one of three ways:

  1. Complete the online form. You must print off and sign a copy.
  2. Telephone the notification helpline: 01625 545740. An advisor will assist you and the completed form will be sent to you.
  3. Postal submission. You may request a form by writing to: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

A two-tiered fee structure applies. If you have fewer than 250 staff you will continue to pay a fee of £35 for notification. A fee of £500 based on size and turnover applies to large data controllers.

Further information, form templates and a step-by-step guide are available at the Commissioner's website.

The Information Commissioner has issued warnings about fake data protection agencies offering to complete the notification process. Firms should be aware of the Commissioner's advice.

3.2.2 Failure to notify

Processing personal data without notifying the IC is an offence. Failure to notify may result in a fine. In 2008 there were at least three prosecutions of solicitors who did not comply.

You should note that the Information Commissioner does not have to inform you, or remind you, of this obligation.

3.3 Audit your use of personal data

You should understand the ways in which you are managing personal data. You may achieve this by creating a basic model of the personal data you are processing. The notification process will provide you with a starting point, but you should also understand and identify:

  1. The different categories of individual about whom you process personal information, for example: clients, business partners etc.
  2. Whether you receive that information directly from the individual themselves or indirectly through other people.
  3. Where the information is kept, for example: on a central data store, on local machines, in e-mail accounts etc.
  4. What is done with the data, for example: who has access to it, who it is shared with etc.

Constructing a formal model is not a requirement of the Act. However, keeping rough notes and/or diagrams that help you understand the way you use personal data may help when checking compliance with the DPA. It should also help to ensure that you haven't missed any categories of data processing from your compliance check.

3.4 Check compliance against the data protection principles

The Act sets out eight data protection principles with which you must comply. Check your data processing against each principle. (See section 4: Principles).

You should read carefully the principles and their interpretation which can be found in the DPA Schedule 1, Part I (principles) and Part II (interpretation).

3.5 A written data protection policy

A written data protection policy is not a requirement of the DPA. Drawing one up will however ensure a systematic approach to compliance. Additionally, if you have staff, it will help to inform them about their own duties under the Act.

  • A typical data protection policy should cover the following:
  • The general principles of the Act and the obligation of all members of the firm to help ensure full compliance
  • Contact details of the person/s responsible for taking the lead on compliance and the circumstances in which they should be contacted or consulted
  • Procedures for dealing with both internal and external access requests. Usually it should only be necessary for staff to recognise an access request, before passing it on to whoever is responsible for compliance.
  • Staff responsibility for personal data
  • Information security procedures - this may involve cross-referencing to an information security policy document

4 The data protection principles

There are eight principles with which you must comply under the DPA.

4.1 First principle: fair and lawful processing

The first data protection principle states that personal data shall be processed 'fairly and lawfully', and shall not be processed unless:

  • at least one of the conditions in Schedule 2 is met
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

You should therefore list all the data you process and check that conditions for schedule 2 have been met in each case, and in schedule 3 where appropriate.

4.1.1 Sensitive personal data

'Sensitive personal data' is defined as information consisting of a person's:

(a) racial or ethnic origin
(b) political opinions
(c) religious beliefs or other beliefs of a similar nature
(d) membership of any trade union
(e) physical or mental health or condition
(f) sexual life
(g) commission or alleged commission of any offence, including details of:

  • any proceedings for any offence committed or alleged to have been committed by him
  • the disposal of such proceedings
  • the sentence of any court in such proceeding

4.1.2 Other considerations

You should also consider the following in order to comply with the first principle:

  1. Have you misled anyone?
    You should look at:
    • how the data has been obtained
    • whether the person from which the information was obtained has been deceived or misled as to the purpose or purposes for which the data will be processed
  2. How you have satisfied basic information requirements?
    Consider whether you have informed the data subjects of:
    • your identity
    • the purpose or purposes for which the data are intended to be processed
    • anything else which you think is necessary in order to make the processing fair
  3. Have you complied with any additional, special, rules?
    Special rules apply to the collection and processing of personal information by e-mail etc and, in particular, unsolicited electronic marketing communications. These are covered by the Privacy and Electronic Communications (EC Directive) Regulations 2003

4.2 Second principle: processing for limited purposes

The second data protection principle states that personal data:

  1. shall be obtained only for one or more specified and lawful purposes
  2. shall not be further processed in any manner incompatible with that purpose or those purposes

The importance of 'purpose' is stated throughout the Act and reinforced most clearly in this principle. You should do the following to comply:

  1. check whether or not a purpose for obtaining the data has been specified - generally, the person concerned should have been informed of this purpose in order to comply with the first principle
  2. ensure the specified purpose is lawful

If 'further processing' does not fall within the specified purpose, you must identify whether it is compatible with the original processing of the data. If so, you may continue with further processing.

4.3 Third principle: adequate, relevant and not excessive

The third data protection principle states that, in relation to the purpose or purposes for which they are processed, personal data shall be:

  • adequate
  • relevant
  • not excessive

You should therefore check that any personal data you are holding meets these criteria.

4.4 Fourth principle: accurate and up to date

The fourth data protection principle states that personal data must be accurate and, where necessary, kept up to date.

The Act defines inaccurate data as 'incorrect or misleading as to any matter of fact.'

Inaccurate data that accurately record the information you have been given do not contravene the fourth principle if:

  • you have taken reasonable steps to ensure their accuracy - 'reasonable' depends on the purpose of the processing and
  • you include in the data any notification of inaccuracy made by the data subject

4.5 Fifth principle: not kept for longer than is necessary

The fifth data protection principle states that personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes.

You should set up data retention and review schedules for categories of personal data to help you to comply with this principle. After a set period of time the data should be reviewed, and destroyed when they no longer need to be retained.

4.6 Sixth principle: processed in line with subjects' rights

The sixth data protection principle requires that personal data be processed in accordance with the rights of data subjects under the Act.

The DPA gives data subjects a number of rights, the foremost of which is the right to have access to their personal data where permitted under the Act.

Data subject rights also include:

  • prevention of processing for direct marketing purposes
  • rights related to automated decision-taking
  • prevention of processing which is likely to cause damage or distress

4.7 Seventh principle: security

The seventh data protection principle requires data controllers to take appropriate technical and organisational measures against:

  1. unauthorised or unlawful processing of personal data,
  2. accidental loss or destruction of, or damage to, personal data

This principle is complemented by the obligation to inform the Information Commissioner about security measures to protect personal data (see section 3.1).

You should consider all of the following to determine the appropriateness of your security measures:

  • implementation cost
  • technological developments
  • nature of the data: note that sensitive personal data will merit particular attention
  • harm that might result from unauthorised or unlawful processing, or from accidental loss destruction and damage to the data

These factors must be balanced and a risk-based approach to compliance is appropriate.

You must also take reasonable steps to ensure the reliability of any employees who have access to personal data.

4.7.1 Data processors

Special rules apply to contractors and others who are not employees but who are processing personal data on your behalf. The Act refers to them as "data processors".

In order to comply with the seventh principle you must only use a data processor who can:

  • provide sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out
  • take 'reasonable steps' to ensure compliance with those measures

You will not be regarded as compliant with the seventh principle unless this work is carried under a contract which:

  1. is made or evidenced in writing
  2. states that the data processor is to act only on instruction from you
  3. requires the data processor to comply with obligations equivalent to those imposed on you by the seventh principle

4.8 Eighth principle: not transferred to other countries without adequate protection

The eighth data protection principle states that personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The EEA encompasses the European Union (EU) along with Iceland, Liechtenstein and Norway. EU findings of adequacy have been made in respect of Switzerland, Hungary and (partially) Canada. 'Safe Harbor' arrangements with individual companies in the United States (US) have been in operation since 2000. The scheme is enforced by the US Federal Trade Commission.

Following a European Court of Justice ruling in October 2015, concerning US safe harbor arrangements for data transfers between the EEA and the United States, there is now some uncertainty about such transfers. You should review the Information Commissioner's website for the latest position or consider obtaining specialist advice.

In any event, you should consult more detailed guidance if you are considering transferring personal data overseas.

5 Exceptions: manual data

If you do not use computers to process personal data you should consult the information commissioner's guidance on manual data.

See also the Information Commissioner's guidance on what constitutes personal data.

6 EU General Data Protection Regulation (GDPR)

The European Union has recently secured agreement on the text of a EU General Data Protection Regulation which will come into force in member states on 25 May 2018. Now that the text has been agreed, guidance will increasingly become available, including guidance from the Information Commissioner's Office.

You are advised to draw up a plan to familiarise yourself with the contents of the GDPR and ensure that your firm will be compliant.

7 More information

7.1 Law Society

7.1.1 Practice notes

7.1.2 Law Society publications

7.1.3 Risk and Compliance Advisory Service

If you require further support, the Risk and Compliance Advisory Service can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance. Please contact us on 0207 316 5655, or email
Find out more about our services

7.2 Statutory provisions

Data Protection Act 1998

7.3 Other

Solicitors Regulation Authority's Professional Ethics Helpline for advice on conduct issues.

Did you find what you were looking for?
What were you looking for?
Did you use the site search?

Feedback from you will help us improve out website. If you would like us to contact you please leave your contact details.

Practice Advice Service

The Practice Advice Service provides a dedicated support line for Law Society members and employees of law firms. Call us on 020 7320 5675.

> Contact the Practice Advice Service
Previous versions

Previous versions of this page are available below:


Lexcel Accreditation

The Law Society's quality mark for any practice that can demonstrate excellence in legal practice management and client care.

Lexcel > More
Group of people
Want to move in-house?

The In-house Division provides the tips and strategies you need to plan for the career you want.

Want to move in-house? > More
In-house Division annual conference 2017

Calling all in-house lawyers - attend interactive panels and workshops relevant to your industry.

In-house Division annual conference 2017 > More
Find a Solicitor
Enhance your Find a Solicitor profile

Add more information about your expertise and areas of practice to differentiate yourself.

Enhance your Find a Solicitor profile > More
My Law Society
Personalise your Law Society information

Save time with quick access to the right information. Register for My Law Society today.

Personalise your Law Society information > More