As solicitors, we have duties, enshrined in law and in our Code of Conduct, to preserve confidentiality. Yet this appears to be breached by many in the profession on a daily basis.

We have advised several firms which have experienced multiple breaches of client data – not from hackers, or complex IT failures, but simple error by staff at all levels – partners, fee earners, ac-counts staff, and support staff. Medical records are left in taxis, letters or enclosures clipped to letters to other clients, addresses mistyped on client inception, and more besides. The Information Commissioner’s Office (ICO) statistics for data breaches in the legal sector for Q4, 2018-19, show the main causes were data emailed to the wrong recipient (26%), and data posted or faxed to the wrong recipient (24%).

Mistakes happen in the best regulated offices, and it is important not to discourage breach reporting, but firms are bound by the accountability principle in Regulation 5 of the General Data Protection Regulation (GDPR) and we are seeing the SRA investigating further even where the ICO has decided to take no further action.

Solicitors and their staff may be tempted to talk about cases in public areas, thinking that they are preserving confidentiality simply by withholding the names of individuals. The fallacy of this was exposed in the recent case of Curless v Shell International Ltd [2019] EWCA Civ 1710, a successful appeal against application of the iniquity exception to legal advice privilege, but of note for the problems caused by idle chat which was overheard by the claimant in a public house.

The European Council has published a revised draft of the e-Privacy Regulation, which includes clarification on consent, in line with GDPR and the Planet 49 judgment – see www.legalrisk.co.uk/data.

‹ Back to Publications