Poor legal records management leading to the loss of our legal heritage? Horror stories and other tales of woe…
When it comes to managing their records, whether their own business records or client files and documents, we do not really know just how good or bad the legal profession in the UK is at records management in general, and at respecting privacy and data protection in particular, in comparison to the rest of the private sector. The main source of information on data breaches, the Information Commissioner’s Annual Reports, does not include a specific “legal sector” category; institutions specialised to law are presumably lumped in with “general business” – the sector area generating the second highest rate of complaints and ICO investigations annually.
The fact that it is not singled out as a specific area of concern indicates that the legal profession can quite rightly congratulate itself on its record of handling confidential information appropriately. It should not, however, be too complacent about this, nor about its records management processes generally. The horror stories below are designed to alert institutions specialised to law and legal practitioners to situations where poor records management can adversely affect the reputation of the legal profession and may additionally mean that records documenting our legal heritage will be lost.
“Walter Ventriglia of Berkshire, who operated the will-writing company under the name Tony Edwards….also ran a Will storage business called UK Will Register which offered to store wills in a secure facility in London. The wills were actually found to be stored in the airing cupboard of his home”.
“A criminal law barrister whose case papers were found in bin bags has been fined by a Bar disciplinary tribunal, while the Information Commissioner’s Office (ICO) has fined another barrister after a software update on her home computer placed hundreds of unencrypted client documents online. Maria Masselis of Linenhall Chambers in Chester was found to have breached the core duty to keep clients’ matters confidential. The tribunal fined her £750 and said that she “improperly handled documents containing confidential and sensitive information about cases she was instructed and failed to take adequate or appropriate security measures against the disposal of such documents resulting in their discovery in the household refuse bin bags”. It was explained at the tribunal that the bin bags were discovered by a local authority outside an unoccupied property for collection on bin day. When the contents were examined, the council was able to identify that the papers originated from Ms Masselis. The matter was then referred to the Bar Standards Board. A board spokeswoman said: “Inappropriate disposal of client files breaches the core duty barristers have to treat client information confidentially. The tribunal’s decision to fine Ms Masselis £750 serves as a warning to barristers to make sure that they dispose of client files in an appropriate way.”
The Information Commissioner’s Office confirmed to Legal Futures that it did look at the case, but decided against formal enforcement action. More broadly, a spokeswoman said: “If you are responsible for looking after personal data, you must keep it secure and that includes disposing of it securely too. “Lawyers handle sensitive personal information, often belonging to people in vulnerable positions. They put their trust in lawyers to look after their data – that trust is hard won and easily lost.”
The ICO fined an unnamed female “senior” barrister after information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. It came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. Some 725 unencrypted documents, which were created and stored on the computer, were temporarily uploaded to an internet directory as a back-up during the software upgrade. They were visible to an internet search engine and some of the documents could be easily accessed through a simple search. Six of those files contained confidential and highly sensitive information relating to people who were involved in proceedings in the Court of Protection and the family court. Her husband quickly removed the files from the online directory and the internet service provider removed cached information from the internet the following day. Steve Eckersley, head of enforcement at the ICO said: “This barrister, for no good reason, overlooked her responsibility to protect her clients’ confidential and highly sensitive information. It is hard to imagine the distress this could have caused to the people involved – even if the worst never happened, this barrister exposed her clients to unnecessary worry and upset.””
Posted: 30 June 2015
A Freedom of Information request has revealed the number of data breaches reported to the Information Commissioner’s Office (ICO) during 2014. A total of 72 incidents came to light in which private data was mistakenly made available to the public by legal firms. The incidents included flaws within internal systems, poor processes and human error. Some of the key stats are summarised below:
- The most common source of breaches was data being mailed, faxed or emailed to the wrong recipient in error. These simple human mistakes accounted for almost a third (23) of the incidents;
- Closely following this was the loss or theft of physical paperwork. These breaches accounted for 21 of the incidents;
- Devices passing out of the control of the legal firm with unencrypted information on them was another prominent cause of breaches (11);
- Interestingly, data being hacked maliciously only accounted for one incident all year.
Paul Doble, chief sales and marketing officer at DX, an independent secure mail operator for the legal industry, comments:
“With the exception of certain civil servants, there is arguably no other profession that has quite as much responsibility for handling confidential information than the legal sector; an issue compounded by the fact that the information often belongs to other companies and interests. As such, the pressure on the legal industry to become watertight where private data is concerned is mounting. Security is particularly hard to guarantee and track with information on physical documents, and is easily compromised as documents pass through the UK’s mainstream mail networks. Whilst legal firms focus increasingly on cyber security, thought must also be spared for the secure transit of physical information. Sending documents through a secure postal network is a sure fire way to stop unencrypted information falling into the wrong hands.
Perhaps the biggest surprise revealed by the Freedom of Information request is not the quantity of breaches being reported, but the nature of the causes. Far outweighing hacking is the prevalence of human error, with accidental disclosures through mis-sent communications providing the leading cause. Email in particular is an undeniably necessary communication medium in today’s working world, but firms need to ensure they are doing the minimum due diligence required to ensure that confidential information can’t be shared with the wrong person or left vulnerable to attack.
In addition to providing this vital protection, email encryption can also provide the missing piece in the jigsaw that law firms need to satisfy industry regulators, as it will allow them to demonstrate that they are compliant with the latest data protection regulations.”
ICO guidance: https://www.lvcriminaldefense.com/information-commissioner-sounds-alarm-data-breaches-within-legal-profession/
“Information Commissioner ‘sounds the alarm’ on data breaches within the legal profession
Posted 05 August 2014
The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession.
The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals. In most cases these penalties are issued to companies or public authorities, but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.
In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO. The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.
Information Commissioner, Christopher Graham, said: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach. We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right.””
Not a horror story as such – this is as a rule a perfectly legal activity unless the material being auctioned does not belong to the institution offering it for sale. Isn’t it sad, though, that some legal institutions would rather make money from selling off their history than making sure it is preserved in an archives for posterity?
Below is a sample of “solicitors’ papers” offered at public auction, courtesy of The National Archives’ (TNA) manuscript Sales Monitoring Service. TNA keeps an eye on all auctions and notifies the relevant record office when something comes up in which the record office might be interested. The record office will then bid, but only if it has sufficient funds or time to apply for a grant before the auction. For an advertisement of a current sale see https://www.the-saleroom.com/en-gb/auction-catalogues/lloyd-cameron-and-partners/catalogue-id-srtheau10073/lot-b1afc31d-65ca-4b08-8389-a6be00e5deb1
- 199: solicitors bill book, Chard, Somerset, 1802-1809
- 164: Cheltenham Solicitor Clerks day book, 1832-1834
- 116: Cheltenham solicitors: letter book, 1839-1846
- 134: Solicitor’s bill book of John Reed Clarke, Chard area, 1802-1809
- 86: Cheltenham solicitor’s bill book (prob TV Banner), 1827-1830
- 74: London lawyer’s bill book, 1786-1809
- 74: Warwickshire solicitor’s notebook, 1700-1800
- 457: Account book of Roberts & Carter, solicitors, Barnstaple, 1834-1837
- 131: Banner, Thomas Vaughan, solicitor, Cheltenham: bill book, 1827-1830
- 166: John Reed Clarke, solicitors, Chard: bill book and index of clients, 1802-1809
- 28: Hall, Robert, lawyer: ms legal commonplace book, 1713
- 486: Legal case notebook, 1824
- 147: Solicitors ledgers for firm (Francillon and Willott?) in Dursley, Glos listing clients and cases, 1868-1915
- 109: Lewis & Lewis solicitors of Ely Place corresp including blackmail letters and details of payments relating to royal, noble and celebrity scandals (Quantity not given), 1800-1950
- 320463130450: Thorp & Dickson solicitors Alnwick legal papers (15 bundles), 1800-1850
- 320463132564: Legal papers of Robert Thorp, Northumberland rel to Foster v Burrell, 1810-1820
- 128: Forster, solicitor of Aylsham, client corresp (several hundred items), 1883-1886
- 136: Wymondham legal corresp, files, lunatic asylum papers, court papers, 1800-1950
- 138: Bodenham & James, solicitors Hereford, letters received (100), 1860-1869
What happens when legal entities do decide to deposit records with a local authority archives? Here are some comments to LRAR on the legal profession’s attitude to its records from five local authority record office archivists who accepted deposits of law firms’ records in 2015-2016.
“We would actually find it impossible to take a large collection these days as we have no room and because they are generally a terrible mess they take a huge amount of resources to make them usable…we do worry that many important documents are being destroyed particularly as land is registered and deeds are destroyed. Of course there are issues with preserving client files for historical purposes as I doubt any clients have given their consent to that and there are issues with solicitors not understanding the ownership of the material that they send us. The general attitude seems to be we don’t want this you can have it if you want as a gift without them understanding it is not their property and therefore we can only take it on deposit in case the owner turns up and claims it. It is increasingly difficult for us to keep track of who are the current firms responsible for our older deposits as firms merge and change and as far as I am aware no firm has contacted us about the material they have deposited with us since the moment it left their premises so I think you can safely say that they do not consider them an asset to the firm and feel no link to them once they believe the file closed”.
“There was one notable disaster in acquisition which was when a large collection was accepted unconditionally and was found to contain masses of rather uninteresting and fairly recent (e.g. still subject to DPA) records. It appears we can’t give them back, we can’t sample or destroy them, the firm has never requested anything back – and they’ve never been catalogued. I suspect the more general problem is just a simple lack of historical awareness by lawyers. I wonder how you could make reading that nice practice note compulsory? I think you may also be right in believing there may be confidentiality issues – perhaps solicitors don’t understand that archivists deal with DP and other aspects of record security all the time. I suppose the most basic aspect of all this is that everyone is so busy – the preservation of [records] totally peripheral to the work of the lawyers. Other than by making an archival element to the CPD points system (perhaps it could be part of a wider record-keeping agenda?) I’m not sure how best to go about changing the status quo.”
“I was appointed in January 2015 to complete… an 18 month National Cataloguing Grants funded project to catalogue the records of a historic law firm. This included a large accession (383 boxes) made in 1998 consisting mostly of client papers. Due to the time constraints, there was not time to catalogue in great detail (although this would not have been desirable in hindsight) and the project was designed to include a significant contribution from volunteers. The approach that was adopted was that it was not appropriate for volunteers to work with client papers so they were directed towards deeds and sale particulars while I catalogued the client papers. This work was completed with the Data Protection Act in mind but with a broad intention to make the records as accessible as possible… Because of how concerned the firm were about client confidentiality, the partners were invited to look at the catalogue to agree access restrictions. The result is that on one of the catalogues, clients’ papers dated 1900 or later may only be accessed with permission of the firm… There were two separate concerns from the firm a) complaint to legal ombudsman for breach of confidentiality from the descendant of a client and b) bad publicity from the impression that they would advise clients then make details public later on. We have since been offered additional deposits from the firm, but declined to collect additional client papers”.
“In my experience:
- Solicitors have extremely poor record keeping as far as older client records are concerned – the records can be kept in appalling conditions and in a state of disorder
- They don’t recognise the ongoing historic value of what they hold and may therefore destroy records
- As an alternative to destruction, they are often happy to deposit with the local record office, but at no cost to themselves. This means that the financial burden falls to the record office (usually the local authority) to assess, transport, list, package and repair the documents – with the solicitors often imposing timescales for removal of the records at entirely their own convenience! As you cannot fail to be aware, local authority budgets are shrinking, and it is no longer appropriate to expect the taxpayer to cover the cost of solicitors’ own neglect of their duty to their clients and their clients’ records.
You can probably tell that I’m a bit fed up about all this. For example, we have a collection of over 600 boxes from one solicitor’s firm, which has arrived in a disorganised state over several decades, which is unlisted and some of which has suffered terribly from damp and dirt. One of the clients of this firm (the owner of a landed estate) is trying to access his own legal documents from this collection and has been trying to do so for several years; the solicitors firm themselves takes no responsibility and it falls to us to try and find, within these 600 boxes, the records that might relate to his estate. If I were him, I would be tempted to sue the solicitors for their neglect of his records. The problem we have is that when it comes to the crunch, much though we would like to refuse collections like this, we know that if we don’t accept them, the firm will throw them into a skip”.
“I was hired to organise the dreadful filing of one very busy solicitor, but also spent two solid months reorganising 800 boxes of closed files into a retention order. These boxes had been sent to external storage three years previously following a flood in the partner’s basement where they had been kept. Many were flood damaged – little attempt had been made to conserve them. They weren’t in any real order and there was no way, prior to my project, to know when files were ready to be destroyed. Whilst carrying out this project, I also looked into records management and archiving processes at the firm and found that it was a very confused situation. For example, they had two different retention schedules that no one really knew about and didn’t seem to have a great understanding of how to use their external storage. All in all, this firm seemed to have a desire to improve their records management and archiving – for example, they had relatively recently appointed one of their receptionists to manage the closing of files and were pleased to be able to use me for the box reorganisation project. However, it appeared that records management was always going to take a back seat to their other activities, and while they may have liked things to be better, they didn’t know how to go about it easily, especially since they were very busy. During my time there, I tried to find as much guidance as possible about managing legal records, but found that there was very little”.