Paul Bennett is a solicitor and professional regulation partner at law firm Bennett Briegal LLP and a member of the Regulatory Processes Committee of the Law Society. He shares his expertise and tips on working while at home.
Confidentiality should be a key focus for law firms as we all adapt to the COVID-19 era and new ways of working. A fundamental challenge will be legal professional privilege (LPP) and the professional obligation of confidentiality.
The Solicitors Regulation Authority (SRA) rules still apply and we must consider client confidentiality and LPP wherever we are working, document what we have done to assess the risks, and monitor how it is working in practice.
Working from home as most of us are, the challenges around privilege and confidentiality are different to those in the office. For example, you should ensure that housemates or family members do not take photographs or make social media posts which could compromise client confidentiality by including, for example, file names containing clients’ personal data or documents.
The example of the QC in Scotland who was subject to enforcement action by the Information Commissioner’s Office (ICO) in 2011 after her laptop was stolen from her home is a harsh reminder to all professionals that we are held to a higher standard than other sectors, in that it may not necessarily be our actions, but the actions of malignant third parties which trigger a breach. The reputational impact continues as the newspaper reports are still online and the public rebuke could be supplemented by a fine under the current rules which are more draconian.
There was a 2017 case of a barrister being fined £1,000 for having client related personal data stored on their own personal device, which was not encrypted. This highlights the current challenges of law firms allowing staff to use their own devices when working from home without enhancing security controls on their devices and ensuring the firm can remove client data when practical to do so to avoid storing it outside of its control.
Here are four basic steps you can take to make sure your people are maintaining client confidentiality as far as possible while working from home.
Your firm and your people should exercise care, review the options and, if unsure, take advice from a reliable source such as the Law Society’s Practice Advice Service or a specialist solicitor.
- Make sure your confidentiality policy is up to date. Tell your team to be confidentiality-aware and set out your expectations as a firm. Make sure your law firm leaders should lead on the standards expected of everyone.
One example could be that confidential or legally privileged material should not be shared by text or on a social platform such as Snapchat or Houseparty (via screenshots for example), and that you permit the use of an end to end encryption enable service such as WhatsApp or the lesser known Signal service which is designed with privacy in mind.
The end to end encryption protection preserving confidentiality in a risk management focused way is not able to eliminate all risk, as, for example, screen shots can be taken and misused, or the wrong recipient messaged due to human error but demonstrates the firm’s approach to confidentiality is guiding on protecting client confidentiality.
- Do a risk assessment of the working locations of your staff. For example, if people are talking on the phone or via video platforms in a shared house, are you supplying headsets to ensure calls cannot be overheard? Are your team actually using the headsets? Have you issued guidance on each video platform you are using and on guiding them to recommending your team to encourage clients to use safe platforms as well?
- It’s worth reviewing your firm’s Bring Your Own Device (BYOD) policy to ensure your approach and the technology policy might need a review to check if the technology and approach you provide for remote working are fit for purpose. What are the standards you are setting as a law firm?
- Most law firms will already have in place arrangements to protect client information for remote workers in ‘normal’ times. Now that the risk landscape has changed, those people working from home regularly for the first time will need guidance and support on confidentiality matters.
Think through the risks, document the steps taken to support your team and remind colleagues of the best practice measures they must adopt. Ensure the risks around confidentiality are minimised in the context of your client base.
It’s a good idea to provide online training on your firm’s confidentiality policy.
In summary: think about the risks, manage the risks through training and policy updates, and set the standards for the firm to follow. The measures I suggest are simple, inexpensive and not time-consuming.
It’s worth taking a few hours to look at your confidentiality policies and procedures now, to ensure that if someone makes a complaint against you to the SRA or the ICO, you have a response ready and a higher likelihood of maintaining your reputation.
Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society.