A barrister who kept clients' sensitive personal information on her home computer has been fined £1,000 by the Information Commissioner's Office (ICO) for failing to keep the information secure.

Information concerning up to 250 people in 725 documents, including vulnerable adults and children, was temporarily uploaded to the internet when the barrister's husband updated some software on the computer and used an online directory to back up the files.

This meant that the files were available on the internet and could be found by a simple search - some of the documents could be accessed by just searching the internet for a name. Six of the files contained highly sensitive information relating to people involved in proceedings in the Court of Protection and the Family Court.

Appropriate Technical Measures Needed

The computer that the barrister used was password protected, but the files were unencrypted. The Bar Council issued guidance to barristers in 2013 that a computer used by family members or others may also need encryption of specific files in order to stop access to these by shared users. In this case, the husband of the barrister had access to the computer via an administration account and could therefore access the barrister's files without a password.

The ICO found that the barrister had contravened the seventh principle of the Data Protection Act 1998 (DPA) by failing to take appropriate technical measures against the unauthorised or unlawful processing of personal data. Steve Eckersley, head of enforcement at the ICO issued this statement:

“People put their trust in lawyers to look after their data - that trust is hard won and easily lost. This barrister, for no good reason, overlooked her responsibility to protect her clients' confidential and highly sensitive information.”

Duty to Protect

The ICO's monetary penalty notice that was issued in this case also states that the reason it was imposing a monetary penalty was in pursuit of the Commissioner's underlying objective to promote compliance with the DPA. This is something we are seeing far more of and the current Commissioner is clearly tightening up on enforcement.

Meanwhile, The Bar Standards Board issued a fine of £750 to a barrister who left client papers in a bin bag. This action was found to breach the barrister's core duty to keep clients' information confidential.

Encrypt!

The advice for legal professionals is to ensure that clients' information is confidential. This may mean encrypting everything that contains personal information if it is stored on a home computer, particularly if other people have access.