General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) is a regulation that governs data protection and privacy for all individuals within the European Union. It establishes a new framework for handling and protecting the personal data of EU-based residents. It comes into effect on the 25th May 2018. Because as a barrister I hold data for and on behalf of clients, I am a data controller in the terms of the regulations.
Although for many organisations it is important to gain consent to process the data of EU individuals, in my work I have taken the view that in almost all cases it will be necessary for me to hold and process data without consent. The Information Commissioner’s Office (“ICO”) advises that if I would still process the personal data on a different lawful basis even if consent were refused or withdrawn, then seeking consent from the individual is misleading and inherently unfair. It presents the individual with a false choice and only the illusion of control. The reasons that I would still process data, regardless of consent, are:
1. The ‘consent’ is a condition of service
There are a number of reasons why consent is not appropriate in the work that I do. As a barrister, most of the work that I do is criminal. Almost all of the cases that I do are based on Crown Court Digital Case System (“CCDS”) and it would be impossible for me to do my job within the Bar Standards Board Code of Conduct without processing the data that I access from that system, whether I am prosecuting or defending.
2. A position of power
Those who depend on my services, or fear adverse consequences, might feel they have no choice but to agree to me processing data – so consent is not considered to be freely given.
3. Compliance with a legal obligation
The Bar Standards Board, governed by The Legal Services Act 2007, regulates barristers and their professional practice and specialised legal services businesses in England and Wales in the public interest. It requires me, amongst other things, to provide a competent standard of work and service, to promote fearlessly and by all proper and lawful means my clients’ best interests, and to read their instructions promptly. All of these responsibilities require me to process data.
4. A public task
I need to process personal data to represent or prosecute defendants in the Magistrates’ and Crown Court, which is a task in the public interest.
Retention of Data
There is a legitimate public interest in me retaining data indefinitely for a number of reasons. These include:
1. The ability to deal with complaints, which often arise long after cases have been concluded.
2. The ability to deal with appeals, which again often arise long after cases have been concluded.
My Data Processing Procedures
Most of my work is done digitally. Where I receive paper documents, I usually scan them to digital format and then shred them. When I receive data on disc rather than by email or through the CCDS, I usually load the disc material onto my computer and either destroy the disc or return it to my instructing solicitors.
The data that I retain on computers and tablet devices is kept only on hardware that has industry standard encryption installed and used. Because I have been involved in many cases, some of which have been “paper heavy”, I have to store some of my older data on an internet-based cloud service which is GDPR compliant because of the amount of data involved.
In carrying out the work that I do, it may be necessary to share data with other barristers in the case, with the Judge and with my instructing solicitors. It would not be possible for me to comply with my professional obligations without doing this. I will normally share the data either by use of the CCDS or by secure Criminal Justice Secure Mail.
Other Types of Case
The policy that I have set out above relates primarily to criminal cases but is likely to apply in family and civil cases too. I will review each case of that type on an individual basis.
Ability to Make Representations
I will always consider representations from anyone who might be affected by this policy.
I will report any actual or suspected data breaches to the ICO immediately.