Documents, data and the GDPR
The General Data Protection Regulation provides an opportunity for solicitors to review their document retention policy. This article considers how to go about bringing that policy into line with the new regime
GDPR is the current “hot topic”, as the November 2017 Journal clearly evidenced. Firms are having to take a fresh look at what data they store and how it is managed and monitored. Firms of all sizes will have to get to grips with a more onerous data protection regime. One aspect of this on which we, at Lockton, have received a number of queries is the impact of GDPR on document retention policies.
1. Have a data retention and destruction policy
Many firms will already have a document retention policy, but the chances are that, if it has not been updated for some time, it may not be quite as broad as it needs to be. The Law Society of Scotland has for some years provided guidance on the ownership and destruction of files. The data protection regime now goes somewhat further, and firms should be considering a policy that addresses data storage/retention in the round, including:
- physical files
- electronic documents
- client data held on CRM systems
- staff data held
- data stored on portable devices, and
- office equipment, including telephone call recordings and data stored on copiers and printers (you should be aware that most networked printers and copiers keep copies of scanned and printed documents on internal storage; that storage must be wiped, or removed, before the device is sold or otherwise replaced).
2. Address your hard copy document risks
Paper is not necessarily either more or less secure than electronic data, but it must not be forgotten when you consider implementing changes in readiness for GDPR. GDPR applies to personal data held in a filing system as well as to electronic records, so your paper-based data are also subject to many of the new rules, and they carry their own particular risks.
Unauthorised copying of hard copy documents
These days, with the advent of quality cameras in smartphones and email-enabled scanners, taking a sneaky copy of a document is a far lower-risk form of information theft than removing the original, and leaves no gap on the shelf to be noticed.
Taking documents out of the office
There is no doubt that, for many of us, reading a hard copy document while travelling remains easier and more reliable than trying to access documents online. While portable devices, if properly set up, are encrypted and can be remotely wiped, the same cannot be said for paper files left on a train.
Loss of documents
Documents still get lost between the office and archives, and, in case of fire and flood, can be destroyed entirely.
3. Review your document retention rules
There are no hard and fast rules for client document retention, and GDPR does not alter the current framework in that regard. However, the preparation for GDPR does provide a good opportunity to review your current arrangements. Where many firms could benefit is from a re-evaluation of their procedures for identifying and managing documents/data that should now be destroyed or deleted.
Article 5(1)(e) of GDPR (the “storage limitation” principle) provides:
“Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
“Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with article 89(1) and subject to the implementation of appropriate safeguards.”
This needs to be balanced against your need to retain information for long enough to provide material for an adequate defence in the event of a claim. The prescriptive period in Scotland for a professional indemnity claim is five years from the date that the claimant became aware (or could reasonably have become aware) of sustaining a loss (David T Morrison & Co Ltd v ICL Plastics UKSC 48). This of course does not mean a blanket destruction date of five years from closing a file: the five years run from the client's awareness of loss, not from the closing of the file. Claims typically emerge much more quickly when emanating from litigation matters.
The Law Society of Scotland’s guidance on retention of documents (see summary opposite) – which we understand is likely to be updated in the course of 2018 – still provides a useful rule of thumb, although firms should consider their own circumstances when determining timescales for destruction. While the GDPR does forefront the rights of data subjects, as long as you can properly explain why you process the data and have set a fair retention period, the firm’s legitimate interests should be respected – assuming you have implemented sufficient measures to protect the data.
Whatever your policy determines, you should ensure that your letter of engagement explains clearly:
- who “owns” the client file, and what that means;
- how long you will retain the file, how it will be stored, and what will happen to the file after that time;
- any costs relating to storage, retrieval and copies of (parts of) the file.
4. How to convert policy into practice?
Having a meaningful policy on data retention and destruction is one thing. Ensuring that it is implemented in practice is quite another.
Employing someone to go through file records and notify fee earners when a data retention period has expired is costly and time-consuming, and does not guarantee that a busy fee earner will act on the notification. The alternative approach, automatically and permanently deleting electronic documents once the retention period has expired, is also problematic: deletion cannot be undone if a claim is later intimated or if the file turns out to be needed in proceedings, so any automated process needs a way to hold files back from destruction, and a deliberate decision by a person before anything is actually destroyed.
Complying with data destruction policies where hard copy documentation is concerned is more difficult again, which is the incentive for many firms to move to online storage.
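As an added illustration of the “flag, never auto-delete” approach described above (this is example code, not code from the article or from Lockton), the following Python script computes a review date for each closed file from the suggested periods in the LSoS table in this article, keeps files on legal hold untouched, and applies the five-to-ten-year window for client due diligence records summarised under reg 40. The matter-type names, the `Matter` record and the sample files are constructed for the example; the only automatic outcome the script produces is a list of files for a person to review.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Suggested retention periods (years after completion) taken from the LSoS
# summary reproduced in this article. The matter-type keys are this example's
# own labels. Types not listed here get no automatic review date.
RETENTION_YEARS = {
    "divorce": 5,
    "civil court": 10,
    "criminal summary": 3,
    "executry": 10,
    "trust": 10,
    "purchase": 10,
    "sale": 1,
}

# Client due diligence records (2017 Regulations, reg 40 as summarised in the
# article): keep at least five years, delete within ten, unless the file is
# the subject of proceedings or the client has consented to longer retention.
AML_MIN_YEARS = 5
AML_MAX_YEARS = 10


@dataclass
class Matter:
    ref: str                               # file reference (constructed values below)
    matter_type: str                       # key into RETENTION_YEARS
    completed: Optional[date]              # None = not completed (e.g. a running executry)
    legal_hold: bool = False               # claim intimated or proceedings pending
    client_consent_to_retain: bool = False # consent to keep CDD records beyond ten years
    aml_record: bool = False               # file holds CDD records under reg 40


def add_years(d, years):
    """Shift a date by whole years; 29 February clamps to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review_date(m):
    """Earliest date on which the file should go up for destruction review."""
    if m.completed is None:
        return None
    years = RETENTION_YEARS.get(m.matter_type)
    if years is None:
        return None
    return add_years(m.completed, years)


def classify(m, today):
    """Decide what the retention process should do with one file today.

    A legal hold always wins. CDD records are checked next because they are
    the only category with a hard upper limit on retention. Nothing here
    deletes anything: the outcomes are labels for a person to act on.
    """
    if m.legal_hold:
        return "hold"
    if m.aml_record and m.completed is not None:
        past_cap = today >= add_years(m.completed, AML_MAX_YEARS)
        if past_cap and not m.client_consent_to_retain:
            return "delete-overdue"     # ten-year cap passed: needs urgent review
        if today >= add_years(m.completed, AML_MIN_YEARS):
            return "review"
        return "retain"
    due = review_date(m)
    if due is None:
        return "no-fixed-period"        # open matter, or type with no fixed period
    return "review" if today >= due else "retain"


def schedule(matters, today):
    """Group file references by action so each list can go to the right person."""
    out = {}
    for m in matters:
        out.setdefault(classify(m, today), []).append(m.ref)
    return out


# Constructed sample data: these are not real client files.
SAMPLE = [
    Matter("M001", "sale", date(2016, 1, 15)),
    Matter("M002", "purchase", date(2016, 1, 15)),
    Matter("M003", "civil court", date(2006, 6, 1), legal_hold=True),
    Matter("M004", "executry", None),
    Matter("M005", "civil court", date(2007, 3, 1), aml_record=True),
    Matter("M006", "criminal summary", date(2014, 2, 1), aml_record=True),
    Matter("M007", "sale", date(2016, 2, 29)),
]
SAMPLE_TODAY = date(2018, 1, 1)


def sample_schedule():
    """Run the constructed sample as at 1 January 2018."""
    return schedule(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    for action, refs in sample_schedule().items():
        print(action, refs)
```

Run as at 1 January 2018, the sample puts the two completed sales up for review, retains the purchase and the recent summary criminal file, leaves the held civil case and the open executry alone, and flags the 2007 file whose CDD records have passed the ten-year cap as overdue. The point of the design is the order of the checks: the hold is tested first, and the script never calls a delete function, so a busy fee earner can ignore the report without anything being lost, while the firm still has a dated record that the review was due.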
LSoS suggested retention periods (see the rules and guidance section of the website, shortcut link bit.ly/2zoxnSW, for more details)

| Matter type | Suggested retention period |
| --- | --- |
| Simple debt collection | On completion, i.e. after the time for appeal has elapsed |
| Divorce and consistorial matters | Five years after final completion |
| Civil court cases | Ten years after completion |
| Criminal cases – life imprisonment | |
| Criminal cases – solemn | For the duration of the sentence if more than three years |
| Criminal cases – summary | The papers should be retained for three years. A copy of the complaint or indictment and a copy of the legal aid certificate should be kept indefinitely |
| Executries | Ten years after completion, although an executry may never be complete. Relevant documents and papers might be sent to the executor |
| Trusts | Ten years after the termination of the trust |
| Purchase / Sale | Purchase: ten years after completion. Sale: one year after completion (as defined) |
| | Ten years after completion |
| Endowment and investment business | Retain all files until such time as the policy in question has matured |
| Client due diligence files (Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017): copies of documents and information to satisfy due diligence requirements, and sufficient supporting records from a transaction subject to the due diligence measures to enable the transaction to be reconstructed | Minimum five years from the date the transaction is complete (not more than 10 years), after which any personal data must be deleted, unless the file is the subject of legal proceedings or the client has given consent to longer retention (reg 40) |

Calum MacLean is a solicitor, formerly in private practice, and director of risk management for Lockton’s Master Policy team. Email: email@example.com
Please note that the purpose of this article is to provide a summary of and our thoughts on aspects of the General Data Protection Regulation. It does not contain a full analysis of the law, nor does it constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon and you must take specific legal advice on any matter that relates to this. Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article. No part of this article may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.