The Law Society’s Code of Conduct Rule 4 sets out a general requirement of confidentiality as follows:
‘You and your firm must keep the affairs of clients and former clients confidential except where disclosure is required or permitted by law or by your client (or former client).’
During challenging economic times it is easy to forget the need to maintain a strict control and compliance regime. The emphasis upon important matters such as reducing costs, securing contracts and collecting cash means that other more routine activities can often take a back seat.
We have always stressed to our clients the importance of maintaining a sound control environment that operates to address the business and IT risks faced by professional practices. However, we have observed recently that measures taken by firms to cope with the recession have had the effect of removing controls from the business. Current examples that might affect client confidentiality have included the following:
- The removal of Practice Managers who have historically been responsible for ensuring compliance with professional standards and requirements, including legislation such as the Data Protection Act;
- Redundancies among back office staff, which have resulted in the loss of key segregation of duty controls in areas such as filing, purchasing and accounts;
- Cancellation of planned spending upon IT security projects or back-up facilities that will protect data;
- Reduced spending on management information that identifies possible non-compliances or security issues;
- Uncontrolled and unrestricted growth of mobile computing due to reduced expenditure on central IT resources; and
- Reduced training for staff on how to safeguard data and information.
As described above, the Solicitors’ Code of Conduct requires that client confidentiality be maintained at all times. Any failure to do this that is noted during an SRA monitoring visit could result in disciplinary action and fines.
Another complexity that must be considered on top of day-to-day data security concerns is the Government’s recently published data security guidelines, known as the Security Policy Framework. The Government has explicitly stated that it expects the Framework to be applied to any organisation handling government information assets on a regular basis. This includes all government departments and other key organisations such as the National Health Service and local government but, crucially, it also includes third parties in the private sector where appropriate.
It is important to note, therefore, that you do not actually need to be formally part of the public sector to be affected by the new requirements. Any private organisation that handles government data is now required to put in place compliance and assurance mechanisms to satisfy these new rules. For example, you might be affected if you hold or process names and addresses as part of a public contract. And you are expected to already be compliant.
So what does all this mean for you?
In simple terms, it means that you may have to improve or maintain your control environment at a time when the natural tendency is to do otherwise. The importance of maintaining strong controls should not be underestimated, even when times are difficult.
It is essential to make sure you continue to address your compliance requirements, be they existing ones arising from SRA requirements or new ones that have arisen as a result of the Security Policy Framework. Failure to address these requirements could have an adverse impact upon your business activities, for example the placing of contracts, and the public perception of your company.
The Law Society published draft information security guidelines for solicitors in 2006. These aimed to help solicitors achieve good practice in relation to general information security. While they were not formally issued, they remain a very good source of information and guidance on the steps that should be taken to protect information and data.