IT Panel blog: Data protection: The introduction.

Everything in this world is now defined by letters. The letters "GDPR" may have floated into your consciousness over the last few months. What thoughts went through your mind? A new device to improve my appalling broadband speed? A progressive gene snipping tool? An updated sat-nav that stops me driving into a river on my way to a wedding? 

Well, quite honestly, it is far more interesting than any of these. Reason? It impacts on your professional life. Every day. And it impacts on your chambers. And the way they operate. Every day. So, what is it again? 

A birth announcement. After years of huffing and puffing, the European Parliament has come up with a new data protection regime. Weighing in at an impressive 173 Recitals and 99 Articles, this baby is no lightweight. In fact, when it comes to the bureaucratic side of things, it is morbidly obese at birth but is a genuine attempt to protect the rights of European individuals as securely as possible. But….. did we just hear ten thousand sighs and witness a shrugging of shoulders and a finger moving rapidly towards the delete button? Stick with us……seriously, this matters. We will explain why later on. 

A little background history. Originally, the Europeans introduced a Directive on the subject (95/46/EC for the inquisitive). In the UK, this became the Data Protection Act 1998, which we have all been following (well, should have been following…). 20 years later, there is a new Regulation, the General Data Protection Regulation - GDPR. It will apply in the UK from 25 May 2018. 

As European Law practitioners know, a Directive allows an EU Member State to implement such measures as it chooses so long as these are in line with (or better than) the Directive. A Regulation does not confer that freedom. Its provisions are implemented automatically into that State's law - except that the GDPR is the exception that proves the rule. This Regulation is odd. At certain points, it actually allows each Member State to implement its own provisions. 

A strange mixture. The rationale is that the Regulation was designed to overcome the inconsistency of implementation of the Directive across Member States. At the same time, it allows a limited flexibility to each State to add its own provisions where these do not impact the new, more robust regime as a whole.

Therefore, there is a whole new statute (and undoubtedly a goodly sprinkling of Statutory Instruments) in the making which implements the GDPR and tackles those areas where we are required to legislate for ourselves. 

This statute has now arrived in the form of the Data Protection Act 2018. Its birth weight was equally impressive to that of the GDPR- 7 Parts, 215 sections and 20 supporting schedules. As we indicated in the Introduction to the Introduction, pretty much all that you need to be concerned about in terms of personal data processing is set out in the GDPR, to which the Act makes specific reference (Part 2). Sections on Enforcement (Part 6) and the Information Commissioner and what he or she does have been expanded (Part 5); the Law Enforcement Directive (EU 2016/680) has been addressed (Part 3); and personal data processing by the Intelligence Services is specifically covered (Part 4). 

Any hope you might have entertained that Brexit would have put paid to the need for a new regime is therefore misplaced. Those of you that have European clients will have to comply with GDPR if you want to retain those clients. The Government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. 

Data protection has been going for donkeys' years - why is it so important now?

Data protection law does what it says on the tin. It provides a legal regime for the protection of individuals' personal information. It is a privacy law. 

However, there is massively increasing trend in this world for people (including Governments) to be contemptuous of people's privacy. Cyberattacks are now so common that there is a serious risk that you or your chambers will suffer an attack at any time. You cannot have failed to notice a continuous stream of emails, many of them appearing to be genuinely from your bank, or a well known firm of solicitors, or even from a colleague, the sole aim of which is to get you to open an attachment whereupon you lose access to your data (as does the rest of chambers, if your network is not set up to prevent it) and a ransom may be demanded to unlock it. 

The big ones reach the press. Remember the hacking of the NHS a few months ago, where the hackers moved in via an unsupported operating system, Windows XP, and disrupted the NHS. A year ago, the telecoms company, TalkTalk, managed to "lose" millions of customer records to a hacker. In 2015 the Panamanian firm, Mossack Fonseca, suffered a leak of 11.5 million documents, some dating back to the 1970s, relating to the affairs of their clients. A week before this blog was first published, Equifax (in the US) "lost" 143 million records. Worse still - it is alleged that the Equifax hack was a State-sponsored attack. And of course, Hillary Clinton had a spot of bother in her attempts to reach the White House, caused by, allegedly, Russian hackers. 

One of the latest (so it does not stop) is British Airways allowing the personal and financial data of 380,000 customers to be compromised. Actually, British Airways is also an object lesson of how to behave under the new regime. Deal with it promptly. You can read the level of sophistication employed in this specifically targeted hacking venture athttps: //www.wired. com/story/british-airways-hack-details/.  Even more recent is the case of Starwood  - probably better known for the hotel names Marriott and Sheraton, which has suffered a data breach in respect of 500 million customers (https://www.bbc.co.uk/news/technology-46401890). And, of course, there is the November 2018 of the ICO in relation to Uber, which managed to lose personal details (names, phones numbers, email addresses) of 2.7million customers and 82,000 of its drivers. The ICO fined Uber £385,000 which is near the limit considering this was decided under the old law. 

At the other end of the scale, you, as a barrister, record personal information every day of the week; lay clients' identities, addresses, trade union activities, health status and the like. You can lose that information simply by leaving your laptop computer on the bus. Data not protected by a password? Password easy to guess? Anyone can take a look. If you are punctilious about keeping your laptop safe from theft or absent mindedness (or you have a desktop), have you ever opened a link in that seemingly innocent email only for it to shut down your system, scramble your data and then go off and infect the rest of the chambers' computers? 

Or more likely it is "ransomware" - the hacker wants money so the unfortunate NHS doctors found their screens had been "padlocked" (encrypted - a giant padlock device appeared on screen) and a demand was made for $300 bitcoin (untraceable cryptocurrency) release fee (double if not paid within 6 days). If they did not pay, all the data would remain inaccessible and lost for good.

Ah, you say, but why would a hacker target me or my chambers? What's in a dusty old inheritance tax case for them? Let one chambers' IT manager answer that: "Most virus writers send out millions of copies via spam relays hoping to hook a few suckers. They have no idea who it's going to hit (even the big NHS encryption virus hit a couple of months ago was most likely just by chance rather than targeted at the NHS)". So you and/or your chambers can be a target anytime, anywhere. 

And it does not end with technology meltdown. Do you seriously want to spend time apologising to your clients that all the information they have sent has disappeared at the hands of a hacker? And do you really want to entertain the Information Commissioner's representative to a cup of chambers' tea while you try to persuade him or her that you cannot afford a large fine just this week, as little Tarquin needs a new school uniform. Incidentally, the new GDPR has legislated for greatly increased fines - and clients can likewise sue you for greater amounts than before if their data has not been securely held. The Bar has a formidable and proud reputation which everyone works immensely hard to keep up. Do you want to lose yours? 

Thanks for the doom and gloom - what now? 

The Bar Council's IT Panel can assist with matters like this. We have completed a Guidance document for you and your Chambers to consult.   In the next few issues we will also devote a BarTalk item to an individual area of the GDPR - what was the old law and what is the new position. 

What issues will we cover? These will include:

(a)   Your (or chambers') individual obligations as the person controlling data (or "data controller" in data protection speak). A number of new concepts and responsibilities have been introduced;

(b)  Increased visibility and liability of those who might process your or chambers' data ("data processors"). These might be your own chambers (holding and processing your email or storing your files) or payroll providers (processing chambers' information);

(c)   Data protection vs client confidentiality;

(d)  The data protection principles - how have these changed;

(e)   The requirement to delete (or anonymise) personal data which you no longer need to retain, and the benefits of doing so;

(f)    Privacy Notices;

(g)  Client rights to access data held by you or chambers or to take it away or to amend it and the right to be forgotten;

(h)  Transfer of data to other countries;

(i)    Civil and criminal sanctions arising under GDPR;

We hope that dealing with this subject in bite-size chunks will assist in the digestion of a complex subject. Keep an eye out for the articles and please read and take on board what they say. Think: technical disruption; embarrassment; delays to completing work; ICO fines - not what you need. 

Bar Council IT Panel