An unnamed senior barrister specialising in family law has been fined £1000 by the Information Commissioner after files containing the details of lay clients were inadvertently uploaded to the internet.
The barrister created the documents at home on her desktop computer and organised them into files which were not encrypted. The barrister’s husband had access to the computer via an administrative account and therefore was able to access the files without a password (there is no suggestion that this occurred). This arrangement disregarded the guidance issued to the barrister in January 2013 by the Bar Council and the barrister’s Chambers advising that a computer used by family members or others may require encryption of files in order to prevent unauthorised access. In September 2015 the barrister’s husband temporarily uploaded the barrister’s files to an online directory while he updated the software on the computer. 725 of these documents became visible to an internet search engine and 15 were cached and indexed, meaning that a document could be located using a keyword search. Six of these 15 documents contained confidential and highly sensitive information relating to proceedings in the Court of Protection and the Family Court. The documents were publicly available for three months until a solicitor spotted the documents online and informed the barrister.
Contravention of the Data Protection Act 1998
The Commissioner found that the barrister had failed to take appropriate measures against the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle contained in Part 1 of Schedule 1 to the Data Protection Act (DPA) 1998. The seventh data protection principle stipulates that appropriate technical measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Therefore, there was an ongoing contravention of the DPA 1998 from January 2013 when the guidance was issued, until January 2016 when remedial action was taken.
Section 55A of the Data Protection Act 1998
The Commissioner considered that the conditions for serving a fine upon the barrister under S.55A of the DPA 1998 were satisfied as:
• The contravention was serious due to the number of affected individuals, the nature of the personal information and the potential consequences (S.55A (1) (a)).
• The information was confidential and highly sensitive and therefore the lay clients would experience substantial distress due to justifiable concerns that their information would be further disseminated even if those concerns did not actually materialise (S.55A (1) (b)).
• The disclosure was not deliberate, but the barrister knew or should reasonably have known that this contravention would occur. It was obvious that the contravention would cause substantial distress to the lay clients. The barrister did not take reasonable steps to stop the contravention from occurring (S.55A (2) (3)).
The Commissioner decided that a penalty of £1000 would be appropriate as the barrister had been fully co-operative with the Commissioner’s Office and had taken full remedial action.
The case is a reminder for individuals accessing client data from home that appropriate safeguards over that data must be put into place. In this case the barrister was very lucky. The barrister was not named and the fine was very low considering the seriousness of the contravention. The decision of the Information Commissioner may have been different if the barrister had not cooperated fully or if the lay clients’ data had been misused by third parties.