Data protection principles and family practice
A family lawyer and the Assistant Information Commissioner explore practical data protection issues affecting family lawyers (and others)
RK: I hope that I am a reasonably competent family lawyer. I think I know my way round the Family Law (Scotland) Act 1985 and know enough to know that I need help from others when it comes to complicated corporate, trust and tax law issues. I think I am reasonably up to date with the sheriff court and Court of Session rules, and hope that I understand, and comply, with the obligations on me as an officer of the court. I have to confess, however, that I think my knowledge of the Data Protection Act 1998 (“DPA”) is woefully inadequate.
As a result of recent discussions with family law colleagues, I am at least a little relieved that I am not on my own. The nature of what we do, as family lawyers, means that we come across and make use of confidential, personal and commercially sensitive material. It was a comfort to me to discover that there is advice on hand from the Information Commissioner’s Office (ICO). In the anticipation that some of the queries that I and my colleagues have had may resonate with other family law practitioners, Dr Ken Macdonald, the Assistant Commissioner for Scotland and Northern Ireland at the ICO, agreed to provide some general information, advice and thoughts on some of the trickier issues that have cropped up.
Background: the DP principles
KM: All organisations must follow the eight data protection principles as laid out in the DPA, unless an exemption applies. These principles are:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – (a) at least one of the conditions in sched 2 is met; and (b) in the case of sensitive personal data, at least one of the conditions in sched 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The chance finding of documents
RK: I act for the wife in a divorce case. My client has stumbled across a bank statement relating to a bank account held by her husband which has not been disclosed by him or his agents in the context of the divorce proceedings. I am already worried about what I can (and cannot) do with this letter from the perspective of its admissibility in court. Are there any data protection issues that I should be thinking about as well? Am I going to get into difficulties if I take copies of this document, disclose those copies to anybody, and do I need to do anything in particular if I am storing this document or making use of the information contained therein?
KM: This scenario may be more to do with solicitors’ ethics than the DPA. In general circumstances, where information has been disclosed to a solicitor in error and it is clear that information is privileged and does not belong to their client, the solicitor should normally return the information. A solicitor or a solicitors’ firm (if not a sole practitioner) will be responsible under the DPA for all of the “processing” of all personal information that it carries out. “Processing” has a very wide definition in the DPA and will cover all activities including obtaining personal information or in relation to information received in error.
If the solicitor suspects a fraud is taking place (perhaps the husband is hiding assets or not being truthful to the court about the extent of his assets), or that an order of the court has not been fully complied with, he should report the matter to the appropriate authority – i.e. to the police or to the court. The DPA will not prevent the detection of illegality or inequity. The solicitor can avail of an exemption at s 29 to report the matter to the police, or s 35(2) DPA (information required for legal proceedings) to use the information in evidence. Whether the information will be allowed by the court will be determined by the rules regarding admissibility.
Disclosure to an expert
RK: I act for the husband in a divorce case. I have recovered certain documents under commission and diligence. One of those documents is a copy of my client’s wife’s tax return – it was not provided by the wife but by another haver. I need to instruct an expert in the context of the forthcoming proof. The information contained in the copy tax return is material. Are there any data protection issues that arise if I consider it necessary to provide the expert with a copy of the tax return?
KM: Normally the first principle requires the individual to be given a fair processing notice and being aware of what is happening with her information. Given that the information has been received through discovery, the solicitor could assume that the other side’s solicitor has given such a notice to their client (a solicitor is obligated to keep their client updated on those aspects of their case and to explain the discovery process), and that the client knows that her information is required for legal proceedings.
Information which is “discovered” is not covered by legal professional privilege and is given to the other side to prepare their case. Unless there are any further restrictions placed on it by a court through the discovery order regarding its use, the exemption at s 35(2) DPA allows personal information to be further disclosed when required for legal proceedings. Instructing an expert and disclosing the information which they will assess would fall under this exemption.
Using the public registers
RK: My client is one of the parties to a minute of agreement. The minute of agreement contains a lot of sensitive information. It also provides for a pension share. To implement the pension share in due course, I need to register the minute of agreement in the Books of Council & Session. My client is, understandably, anxious about her private affairs being in the public domain. Are there any provisions within the data protection legislation that would allow me to prevent the Books of Council & Session disclosing the data contained within the minute of agreement?
KM: Section 10 of the DPA provides individuals with a right to prevent processing of their personal data where it is likely to cause or is actually causing damage or distress and such is unwarranted. It is likely that entry in the Books of Council & Session is a statutory requirement, so the processing would not be unwarranted but required by law. If this is the case, consent is not required. While there may be a statutory requirement to make this information public, enquiries could be made as to whether the means by which it is made public might be restricted, i.e., not online. However, clients should be advised that what they formally or informally agree in relation to the division of their assets set out in the minute will be made publicly available.
Transporting sensitive data
RK: I need to use a laptop for work. I take it home sometimes and also up to court with me. I have some client documents stored on the hard drive. The laptop is password protected. Would there be any issues for me if it was stolen? Would it be different if, instead of keeping documents on the hard drive, I kept them on Dropbox?
KM: Principle 7 requires that “appropriate technical and organisational measures shall be taken” to protect personal information and, given the sensitive nature of legal documents, password protection alone is unlikely to be adequate. Encryption software should be installed as a matter of urgency. If it were stolen while unencrypted, the ICO might view that as being reckless. Using Dropbox presents additional issues. While storage is maintained using the advanced encryption standard, data is stored using cloud technology, which is likely to invoke the eighth DPP in terms of a transfer of data outside the EEA. The terms and conditions of Dropbox must ensure compliance with the DPA, otherwise adequacy must be assured via contract.
Since April 2010, the ICO has been able to serve civil monetary penalties of up to £500,000 where there has been a reckless breach of data protection principles. To date, the majority of such penalties have been served as a consequence of breaches of principle 7.
Assurances of compliance
RK: I act in a child case. I am due to receive documents from a third party which, I anticipate, will contain sensitive information. The company that is sending the documents on to me has asked me whether my firm can receive and store the documents “in compliance with the relevant Data Protection Legislation”. I do not know what I am supposed to do – is it anything to do with them how I store and make use of the data?
KM: The third party company has a responsibility to ensure as far as is practicable that the person to whom it discloses personal data handles those data in compliance with the DPA. Once the data are in your possession, all DPA liability in ensuring the data are stored securely, etc rests with you. Transfer of the data must be by secure method also, which means the solicitor should consider encryption software and password protection. Hard copy files need to be stored securely and kept under lock and key where necessary.
The ICO has served a monetary penalty where a data controller passed information to a third party without undertaking proper checks on policies and procedures.
RK: The ICO regulates the Data Protection Act 1998 throughout the UK and has an office in Edinburgh. The ICO has a website which contains a lot of useful information – www.ico.gov.uk – and can also provide general advice over the phone if you call the Edinburgh office on 0131 244 9001. I commend Dr Macdonald and his colleagues to you!
Rachael Kelsey is a partner in SKO Family Ltd, Edinburgh. Dr Ken Macdonald is Assistant Commissioner for Scotland and Northern Ireland at the Information Commissioner’s Office.