Home working and data loss – a cautionary tale from the Solicitors Disciplinary Tribunal
The Solicitors Disciplinary Tribunal (SDT) handed down judgment in a sad case last week which may strike a chord with many of us who are working at home, possibly with hard copy confidential papers.
The respondent was a junior solicitor who was instructed to draft a strike out application. In a curious twist, the firm’s client was the SRA and the application related to a claim made by a litigant in person, X, who asserted that the SRA had misused their personal data.
The respondent was permitted to take a bundle of papers from the office on 24 May so that she could draft the application at home the following day (when it was due to be served). The bundle consisted of documents which had been lodged in the County Court (pleadings and statements). The documents contained personal information about X. The documents were taken home in a combination locked briefcase.
The briefcase was left on the train when the respondent alighted at her station. Despite the respondent’s best efforts, it has not been found.
The following day, colleagues of the respondent sought to contact her to establish whether the application had been drafted. The respondent did not reply and, eventually, another colleague prepared the application so the deadline was not missed – there was no client detriment.
Regrettably, the respondent did not immediately inform her colleagues of the loss of the briefcase – despite the fact that she had attended GDPR training just three days earlier on 21 May.
Following a bank holiday weekend and a day of sickness absence, the respondent returned to the office on 30 May and, it was alleged, told a colleague that the briefcase was at home – the respondent said she had forgotten to bring it in as she had moved over the weekend and all of the boxes had not been unpacked.
On 31 May, (1) a further conversation was alleged in which it was said that the briefcase was at home and (2) later, an email was sent to colleagues stating that the briefcase had been left on a train that morning on the way to work.
The respondent then confirmed, in a meeting on 1 June, that the briefcase had been lost on 24 May.
The allegations and findings
Breaches of Principles 2 (integrity) and 6 (failure to maintain trust and confidence in the profession) were alleged, and it was submitted that the respondent’s actions were dishonest.
Allegation 1 concerned what was said on 30 and 31 May. Having heard evidence from key witnesses, the SDT was satisfied that the allegation concerning the 31 May conversation (albeit not the 30 May conversation) was proven.
Allegation 2 concerned the 31 May email. The SDT was satisfied that the email contained an untrue account of events.
Allegation 3 concerned a delay in reporting the data breach to the firm in accordance with the firm’s GDPR policies. This too was proven.
Breaches of Principles 2 and 6 were therefore established for allegations 1 and 2 and breach of Principle 6 only for allegation 3 (even though this allegation did not involve any matters other than a breach of internal policies).
The SDT then turned to consider dishonesty. Having directed itself in accordance with Ivey v Genting, the SDT found that: “The Respondent had sought to conceal the loss of the briefcase and contents from her colleague and from her manager by providing them with information which she knew to be untrue. These were actions which the Respondent should have known would be considered dishonest by ordinary decent people.” Dishonesty was therefore proven. A striking off order was made.
Nearly all of us will be working from home presently, with secure and robust remote access IT systems in place to secure client confidentiality. But what of hard copy documents printed either at the office and brought home prior to lockdown, or documents printed at home / manuscript notes taken of calls or video conferences? What steps are being taken to ensure they are kept confidential? Are they, for example, being put in the household recycling or shredded after use (and what if someone you live with is employed by a firm acting for clients with competing interests to your clients)?
And what of the platforms that are being used for communicating with clients or third parties? Is it Skype, Zoom, Google Team, Houseparty or any of the other providers? What warnings are given to clients as to the security of these systems? Have terms of business been updated to record that, just like email, their data security cannot be guaranteed?
The SRA has published some limited guidance on homeworking. It has also said that it will be mindful of “all the relevant circumstances” in the event of a breach of confidentiality when home working – perhaps an indication that it accepts the home environment is unlikely to be as data secure as the office.
How then to satisfy the SRA that appropriate steps have been taken to ensure good data security? Practical tips would include not working on documents via unsecure home email accounts (and only using your secure remote access work account), maintaining confidential papers in lockable drawers or bags/briefcases and keeping a centralised list of any documents sent from the office to home which is “ticked off” when the documents are returned to be filed or shredded.
Where there are heightened risk factors, such as (a) your home is shared with other professionals or persons who represent entities with interests contrary to your clients or (b) your work involves reviewing medical or price sensitive financial data, we can expect the SRA to pay particular regard to the mitigants put in place in the event of a data breach.