PowerPoint Presentation


Scene 1 (0s)

[Audio] Hello and welcome to Risk and Best Practice's data protection and confidentiality refresher training.

Scene 2 (6s)

[Audio] The purpose of this training session is to refresh your knowledge on the regulations that mandate the protection of personal data and your role in safeguarding it. The applicable regulations are the UK data protection laws, that is the UK GDPR and the Data Protection Act 2018, as well as the Solicitors Regulation Authority Standards and Regulations 2019. The session is divided into four sections. In Section 1, we'll delve into what constitutes a personal data breach by defining personal data, the requirements of the regulations and what a personal data breach entails. Section 2 will focus on the risks and implications of personal data breaches, illustrated by case studies. In Section 3, we'll learn best practice for preventing personal data breaches, and in the final Section 4, we'll discuss our policies and guidance for effectively responding to and managing personal data breaches. Let's get started.

Scene 3 (1m 6s)

[Audio] We'll start with the basics: what is personal data? Personal data is a broad term that includes any information that can identify a living individual. This identification can be direct, such as using a name or an email address, or indirect, where the individual can be identified by combining different pieces of information; for example, a job title and company name together might indirectly identify someone. Information that has been replaced with identifiers to pseudonymise the data also falls under the definition of personal data. This comprehensive definition applies to all living individuals, including clients, instructed barristers, experts and employees. Within the definition of personal data is a subset known as special category data. These data are considered particularly sensitive due to the potential harm or impact on an individual if misused or disclosed to unauthorised persons. Special category data includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, health data, genetic data, and biometric data used for identification purposes. Additionally, children's data, criminal offence data or financial information like bank details, while not strictly falling under the definition of special category data, are considered sensitive and require special protection. Understanding the different data categories and how to handle them responsibly is essential for compliance with the regulations. Under the SRA 2019 guidelines, all personal data, whether it is special category data, children's data, financial data or criminal offence data, is classified as confidential information. This means it is more broadly defined than the data protection definitions, but nevertheless the underlying principles for protecting personal data remain consistent.
For more detailed information and training on SRA obligations, please refer to the STARS training available on the Risk intranet page on Heads Up.

Scene 4 (3m 28s)

[Audio] The UK General Data Protection Regulation and the Data Protection Act 2018 establish a comprehensive framework for protecting data, to ensure it remains confidential and secure. These requirements are embedded within seven key principles, which we will explore. Principle 1: Lawfulness, Fairness and Transparency. You should always process personal data in a fair, lawful and transparent manner. This involves being clear about how we collect and use data and ensuring that we have a lawful basis for processing it. Principle 2, Purpose Limitation, requires that personal data should be collected for specific purposes and used only for those purposes. Principle 3, Data Minimisation, stipulates that data should be adequate, relevant and not excessive. This means you must ensure that you are only processing the personal data you truly need for the intended purposes. Principle 4, Data Accuracy, ensures that data is accurate and kept up to date, with provisions in place for correcting and updating incorrect data. Principle 5, Storage Limitation, stipulates that we should not keep personal data longer than necessary. Principle 6 is about Integrity and Confidentiality: data should be kept secure at all times during the processing lifecycle. We will talk about this principle in detail later in the session. Organisations must demonstrate compliance with all the data protection requirements, as stated in Principle 7: Accountability. This means that our organisation must show evidence of compliance with all the data protection principles every time we handle personal data.

Scene 5 (5m 14s)

[Audio] Our key focus for complying with confidentiality is on Principle 6, integrity and confidentiality, the security principle. It requires the implementation of appropriate and adequate technical and organisational controls to safeguard data. Legal practices handle vast amounts of personal data, making us particularly vulnerable to security incidents such as accidental disclosures, phishing and cyber-attacks.

Scene 6 (5m 43s)

[Audio] Rule 6 of the SRA Standards and Regulations requires solicitors to maintain client confidentiality throughout the solicitor-client relationship and beyond. This obligation applies to all information obtained from a client or former client, including personal, professional and private information. Therefore, a data breach directly affects client confidentiality. It should be emphasised that the SRA regulations do not only apply to solicitors but to anyone who works within the legal practice and handles personal data. You are personally responsible and accountable for compliance with the SRA regulations and can be held liable for any data breaches.

Scene 7 (6m 27s)

[Audio] We have seen that both data protection laws and the SRA regulations impose confidentiality and integrity obligations on personal data. The UK GDPR defines a data breach as a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This broad definition covers a wide range of security incidents; I'll break it down with some examples. A data loss can occur when we lose control or ownership of data through theft or accidental deletion, or through loss of documents resulting from a lost handbag or briefcase, confidential papers left on the train, or documents that go missing in the post. Unauthorised disclosure to a third party occurs when data is shared with third parties where we shouldn't have. This can happen in various ways, for example accidentally emailing the wrong person, sending data to another person without the client's knowledge or consent, or when a third-party service provider that you work with experiences a data breach that affects your clients' data. Unauthorised access is where third parties gain access to data without permission, such as a physical intrusion through a break-in at our premises, or cyberattacks resulting from hacking into systems. In all the examples provided, the incidents directly impact data protection and the SRA duty of client confidentiality. For additional information, you can refer to our data protection policy available on Heads Up.

Scene 8 (8m 4s)

[Audio] Section 2: Recognise the risks and implications of personal data breaches. Why should you care?

Scene 9 (8m 14s)

[Audio] Let's start with a question: what do you think are the potential consequences of mishandling data? Take a moment to think about the most appropriate response.

Scene 10 (8m 31s)

[Audio] The correct answer is C: it can damage the firm's reputation and lead to financial loss.

Scene 11 (8m 41s)

[Audio] Mishandling personal data can have serious consequences depending on the severity of the breach. The Information Commissioner's Office, the ICO, is the UK's data protection regulatory authority responsible for enforcement of data privacy laws. The ICO can impose significant fines on organisations that fail to adequately protect personal data. They can issue fines of up to £17.5 million or 4% of annual global turnover. Additionally, the ICO can issue decision notices ordering an organisation to take corrective actions. Data breaches can also cause reputational damage. Affected individuals may seek legal action for breach of contract or compensation claims. Law firms involved in data breaches face additional scrutiny from the SRA. The SRA may investigate and impose their own regulatory sanctions and fines. As we'll see in the upcoming case studies, the consequences can be severe.

Scene 12 (9m 43s)

[Audio] In the first case study, we'll examine the ransomware attack on Tuckers law firm. In February 2022, Tuckers was fined £98,000 due to inadequate security measures. The ICO cited lack of multi-factor authentication, unpatched software and a failure to encrypt data as contributing factors to the breach. Despite the law firm's prompt reporting and mitigation efforts, Tuckers faced a hefty fine of 3.25% of its annual turnover. This case underscores the severity and importance of robust data protection practices.

Scene 13 (10m 20s)

[Audio] Another example is the story of Axiom Ince. In March 2022, the Ince group experienced a ransomware attack resulting in a staggering £5 million loss, which led to a share price drop, unsuccessful fund-raising efforts and a declaration of bankruptcy. The firm was then acquired by Axiom, and a new set of legal troubles emerged, ending in investigations by the civil court, the SRA and the Serious Fraud Office for allegations of misappropriation of client funds. Ultimately, in October 2023, the SRA shut down the law firm.

Scene 14 (10m 59s)

[Audio] Outside the legal sector, we can also observe the ICO's approach to enforcement by learning from other sectors. In April 2024, the Central YMCA was fined £7,500 for accidentally revealing the email addresses of people living with HIV. This happened when a staff member used the carbon copy (CC) field instead of the blind carbon copy (BCC) field in an email to a support group, compromising the privacy of the individuals involved. The ICO initially considered a £300,000 fine but reduced it, and warned organisations to avoid using CC when sending sensitive data.

Scene 15 (11m 41s)

[Audio] Having considered the implications and consequences of data breaches in the previous section, we'll move on to Section 3, where we will discuss best practice for preventing data breaches.

Scene 16 (11m 53s)

[Audio] This section outlines essential best practice to prevent data breaches. Always double-check email recipients before sending emails. Accidentally emailing the wrong person is a common breach due to various reasons, including using autofill suggestions. Protect privacy by using the BCC field when sending emails to multiple recipients. Use secure transfer methods, especially when sending special category data. Be aware that poor record keeping and disposal can expose confidential information. When working remotely, follow company procedures for secure connections, including using strong and complex passwords. Be vigilant against phishing emails and avoid clicking on unknown links or prompts to download attachments. If a breach does occur, act quickly and report immediately by following our firm's reporting procedures.

Scene 17 (12m 45s)

[Audio] To effectively report incidents, follow these guidelines. If information has been sent to the wrong email address, confidential information has been posted to an unintended recipient, or information has been accidentally shared via a link to unintended recipients, you must report this to the Risk and Best Practice team. Cyber security incidents, such as lost or stolen devices, accidentally clicking on a phishing email, or detection of a network intrusion, must be reported to both the IT service desk and the Risk and Best Practice team immediately. Remember that prompt reporting allows the organisation to react quickly and take immediate steps to contain the breach and limit its impact.

Scene 18 (13m 27s)

[Audio] We have come to the last section of our training. Let's review what our policy and guidance provide on how to effectively respond to and manage personal data breaches.

Scene 19 (13m 40s)

[Audio] Our data protection policy details your obligations to report actual or potential data breaches. As soon as an incident is identified, you must immediately notify your supervisor and the Risk and Best Practice team, even if you are unsure whether the incident is significant enough to be reported. The Risk team will determine the appropriate action and notification requirements to resolve the incident, which may include notifying the client under SRA obligations of client confidentiality, notifying the Information Commissioner's Office within the 72-hour deadline, and notifying our insurers and other relevant parties. We strive to create a risk-aware culture where reporting incidents is viewed as a proactive measure to enhance our data protection practices, rather than assigning blame. Nonetheless, persistent non-compliance with our policies and procedures will be addressed in line with our non-compliance policy. For more information about this, you can read our data protection policy and non-compliance policy on Heads Up.

Scene 20 (14m 43s)

[Audio] We have come to the end of the refresher training, and I hope you have found the information useful. If you would like to find out more, or you have questions or concerns on data protection and confidentiality, you can reach out to the Risk and Best Practice team by contacting us through our intranet page on Heads Up, or by emailing riskandbestpractice@rwkgoodman.com. Thank you for listening.