Information security

11 October 2011

This content is currently under review.

Legal status

This practice note is the Law Society's view of good practice in this area. It is not legal advice.

Practice notes are issued by the Law Society for the use and benefit of its members. They represent the Law Society's view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them, but doing so will make it easier to account to oversight bodies for your actions.

Practice notes are not legal advice, nor do they necessarily provide a defence to complaints of misconduct or of inadequate professional service. While care has been taken to ensure that they are accurate, up to date and useful, the Law Society will not accept any legal liability in relation to them.

For queries or comments on this practice note contact the Law Society's Practice Advice Service.

Professional conduct

The following sections of the SRA Code are relevant to information security:

SRA Principles

There are ten mandatory principles which apply to all those the SRA regulates and to all aspects of practice. The principles can be found in the SRA Handbook.

The principles apply to solicitors or managers of authorised bodies who are practising from an office outside the UK. They also apply if you are a lawyer-controlled body practising from an office outside the UK.

When thinking about how to meet the outcomes in chapter 7 in the Code/Handbook, you must consider the principles which apply across the Handbook including the Code. You should always bear in mind what the ten principles are and use them as your starting point when implementing the outcomes.

Outcome 7.5 requires that practices 'comply with legislation applicable to your business, including anti-money laundering and data protection legislation'.

IB 7.3 involves 'identifying and monitoring financial, operational and business continuity risks including complaints, credit risks and exposure, claims under legislation relating to matters such as data protection, IT failures and abuses, and damage to offices'.


Must - A specific requirement in legislation or of a principle, rule, outcome or other mandatory provision in the SRA Handbook. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or the SRA Handbook.

Should - Outside of a regulatory context, good practice for most situations in the Law Society's view. In the case of the SRA Handbook, an indicative behaviour or other non-mandatory provision (such as may be set out in notes or guidance).

These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best possible route to meet the needs of your client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why the alternative approach you have taken is appropriate, either for your practice, or in the particular retainer.

May - A non-exhaustive list of options for meeting your obligations or running your practice. Which option you choose is determined by the profile of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.

SRA Code - SRA Code of Conduct 2011

2007 Code - Solicitors' Code of Conduct 2007

OFR - Outcomes-focused regulation

SRA - Solicitors Regulation Authority

IB - Indicative behaviour

The Law Society also provides a full glossary of other terms used throughout this practice note.

1 Introduction

1.1 Who should read this practice note?

Sole practitioners and all solicitors responsible for developing information security policies in practices, in-house solicitors, partners and others, including non-qualified staff, with an interest in information security.

1.2 What is the issue?

Solicitors are increasingly vulnerable to the risk of the loss, damage or destruction of important data through theft, malicious intent or accident. This risk is growing as computers and the internet are increasingly used to process and transmit confidential client and business information.

1.3 Legal and other requirements

The following legislation is relevant to information security:

2 Statutory provisions

2.1 The Data Protection Act 1998 (DPA)

The DPA contains eight data protection principles. The seventh principle in Schedule 1 of the DPA requires data controllers to take appropriate technical and organisational measures against both:

  • unauthorised or unlawful processing of personal data, and
  • accidental loss or destruction of, or damage to, personal data

To determine the appropriateness of security measures, you should consider all of the following:

  • implementation costs
  • technological developments
  • the nature of the data - sensitive personal data will merit particular attention
  • the harm that might result from unauthorised or unlawful processing, or from accidental loss or destruction of, or damage to, the data

You should adopt a risk-based approach to compliance, giving appropriate weight to each of these factors. This is discussed in more depth in section 4 of this practice note.

You must also take reasonable steps to ensure the reliability of any employees who have access to the personal data. Special rules apply to contractors or others who process personal data on your behalf. See DPA Schedule 1 for guidance.

2.2 Regulation of Investigatory Powers Act 2000

If you monitor or store the electronic communications of fee-earners and other staff for business or security reasons, you must comply with the relevant provisions of:

You should also consult Part 3 of the Information Commissioner's consolidated Employment Practices Data Protection Code. The code gives guidance for businesses on monitoring or recording emails in the workplace.

2.3 The Computer Misuse Act 1990 (CMA)

The Computer Misuse Act 1990 creates three computer misuse offences:

  • s1: Unauthorised access to computer material
  • s2: Unauthorised access with intent to commit or facilitate the commission of further offences
  • s3: Unauthorised modification of computer material

A programme of information security awareness can help you to highlight these provisions within your firm.

3 Good practice for information security

The following good practice recommendations offer a foundation relevant to all practice sizes and types in developing their own, risk-based policies and procedures for information security.

3.1 Written policy

You should set out your information security practices in a written policy. The policy should reflect solicitors' professional and legal obligations. You should supplement this with implementation procedures. You should monitor these and review them at least annually.

3.2 Responsibility

You should appoint a senior member of staff to own the policy and procedures and ensure implementation.

3.3 Reliable people

You should implement and maintain effective systems to ensure the continuing reliability of all persons, including non-employees, with access to information held by the firm.

3.4 General awareness

You should ensure that all staff and contractors are aware of their duties and responsibilities under the firm's information security policy. This includes understanding how different types of information may need to be managed.

3.5 Effective systems

You should identify and invest in suitable organisational and technical systems to manage and protect the confidentiality, integrity and availability of the various types of information you hold.

4 Risk assessment

In addition to the good practice above, you may carry out a risk-based assessment of your information security requirements to develop detailed policies and procedures that will satisfy the overall objectives of the information security policy.

A risk-based approach to information security involves identifying:

  • the firm's information assets
  • threats to those assets, and their likelihood and impact
  • ways to reduce, avoid or transfer risk

A comprehensive risk-based assessment can be a complex task, so you may need expert advice.

Where resources do not permit a comprehensive risk-based information security assessment, firms may nevertheless benefit from carrying out a basic, high-level exercise. This may help to identify any areas in which their information security is particularly weak or non-existent.

5 More information

5.1 Further products and services

5.1.1 Law Society Cybersecurity landing page

Law Society webpage with links to a range of cybersecurity materials and support.

5.1.2 Law Society Scams prevention landing page

Law Society webpage with links to a range of information about how to protect your firm from scams.

5.1.3 Practice Advice Service

The Law Society provides support for solicitors on a wide range of areas of practice. Our Practice Advice Service can be contacted on 020 7320 5675 from 09:00 to 17:00 on weekdays.

5.1.4 Risk and Compliance Advisory Service

If you require further support, the Risk and Compliance Advisory Service can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance. Please contact us on 0207 316 5655, or email

5.1.5 Law Society publications

5.1.6 Other
