1.1 Who should read this practice note?
Sole practitioners and all solicitors responsible for developing information security policies in practices, in-house solicitors, partners and others, including non-qualified staff, with an interest in information security.
1.2 What is the issue?
Solicitors are increasingly vulnerable to the risk of the loss, damage or destruction of important data through theft, malicious intent or accident. This risk is growing as computers and the internet are increasingly used to process and transmit confidential client and business information.
1.3 Legal and other requirements
The following legislation is relevant to information security:
2 Statutory provisions
2.1 The Data Protection Act 1998 (DPA)
The DPA contains eight data protection principles. The seventh principle in Schedule 1 of the DPA requires data controllers to take appropriate technical and organisational measures against both:
- unauthorised or unlawful processing of personal data, and
- accidental loss or destruction of, or damage to, personal data
To determine the appropriateness of security measures, you should consider all of the following:
- implementation costs
- technological developments
- the nature of the data - sensitive personal data will merit particular attention
- the harm that might result from unauthorised or unlawful processing or from accidental loss, destruction and damage to the data
You should adopt a risk-based approach to compliance, giving appropriate weight to each of these factors. This is discussed in more depth in section 4 of this practice note.
You must also take reasonable steps to ensure the reliability of any employees who have access to the personal data. Special rules apply to contractors or others who process personal data on your behalf. See DPA Schedule 1 for guidance.
2.2 Regulation of Investigatory Powers Act 2000
If you monitor or store the electronic communications of fee-earners and other staff for business / security reasons, you must comply with the relevant provisions of:
You should also consult Part 3 of the Information Commissioner's consolidated Employment Practices Data Protection Code. The code gives guidance for businesses on monitoring or recording emails in the workplace.
2.3 The Computer Misuse Act 1990 (CMA)
The Computer Misuse Act 1990 creates three computer misuse offences:
- s1: Unauthorised access to computer material
- s2: Unauthorised access with intent to commit or facilitate the commission of further offences
- s3: Unauthorised modification of computer material
A programme of information security awareness can help you to highlight these provisions within your firm.
3 Good practice for information security
The following good practice recommendations offer a foundation relevant to all practice sizes and types in developing their own, risk-based policies and procedures for information security.
3.1 Written policy
You should set out your information security practices in a written policy. The policy should reflect solicitors' professional and legal obligations. You should supplement this with implementation procedures. You should monitor these and review them at least annually.
You should appoint a senior member of staff to own the policy and procedures and ensure implementation.
3.3 Reliable people
You should implement and maintain effective systems to ensure the continuing reliability of all persons, including non-employees, with access to information held by the firm.
3.4 General awareness
You should ensure that all staff and contractors are aware of their duties and responsibilities under the firm's information security policy. This includes understanding how different types of information may need to be managed.
3.5 Effective systems
You should identify and invest in suitable organisational and technical systems to manage and protect the confidentiality, integrity and availability of the various types of information you hold.
4 Risk assessment
In addition to the good practice above, you may carry out a risk-based assessment of your information security requirements to develop detailed policies and procedures that will satisfy the overall objectives of the information security policy.
A risk-based approach to information security involves identifying:
- the firm's information assets
- threats to those assets, and their likelihood and impact
- ways to reduce, avoid or transfer risk
A comprehensive risk-based assessment can be a complex task, so you may need expert advice.
Where resources do not permit a comprehensive risk-based information security assessment, firms may nevertheless benefit from carrying out a basic, high-level exercise. This may help to identify any areas in which their information security is particularly weak or non-existent.
5 More information
5.1 Further products and services
5.1.1 Practice Advice Line
The Law Society provides support for solicitors on a wide range of areas of practice. Practice Advice can be contacted on 020 7320 5675 from 09:00 to 17:00 on weekdays.
5.1.2 Law Society Consulting
If you require further support, Law Society Consulting can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance. Please contact us on 020 7316 5655, or email firstname.lastname@example.org.
5.1.3 Law Society publications