The Information Commissioner’s Office (ICO) has approved a certification scheme which it says will provide law firms, chambers and others with “certainty” when processing personal data.
Emily Keaney, ICO deputy commissioner, said the Legal Services Operational Privacy Certification Scheme, or LOCS:23, would reassure clients that lawyers had “strong information security” in place, with one expert predicting that it would soon become a pre-requisite when tendering for work.
Article 42 of the UK General Data Protection Regulation (GDPR) provides for the creation of official certification schemes recognised by the ‘supervisory authority’ (in this case, the ICO).
The ICO said the aim was to help organisations demonstrate compliance with data protection requirements and “inspire trust and confidence” in customers.
The introduction to the standard says: “This standard has been developed in response to client concern, senior management feedback, the increasing risk of personal data breach or theft and a general industry desire to ensure the privacy and security of client personal data when selecting third-party service providers.”
Approving the 85-page scheme, the ICO said it applied to legal services providers (both controllers and processors of data), including law firms and barristers’ chambers, which processed large amounts of sensitive personal data in relation to the legal services provided and held in the client file.
Ms Keaney said: “Signing up to this certification scheme will provide them with certainty that they are adhering to data protection standards and reduce time and resource spent assessing third party data processors.
“It will also reassure their clients they are committed to looking after their personal details and have strong information security in place.”
Barrister Orlagh Kelly, chief executive of legal compliance business Briefed, which has been authorised to implement LOCS:23, said certification meant that everyone working in and supplying the legal profession knew the standard of compliance they needed to reach.
“The good news is that most law firms and chambers have been working hard to comply with GDPR, albeit without knowing what level to reach. That means achieving certification may not be as daunting as it first appears when reading the 85 pages of requirements.
“It’s not asking you to do any more than you already should be doing; rather, it creates a framework to make sure you have every base covered.”
Ms Kelly predicted that public bodies would soon require compliance with the LOCS:23 standard as a precondition for tendering for work.
Given the importance of GDPR compliance within supply chains, many in the private sector, especially financial institutions, were likely to follow suit, she added.
As the standard applied to any business that handled a client’s data – such as digital dictation companies and IT service providers – Ms Kelly said it could become a prerequisite for law firms and chambers’ own supply chains too.
She went on: “The standard will not stop hackers targeting lawyers. But complying with it will ensure they are better protected and more able to manage a data breach. It will also be a major mitigating factor in the event of a breach and an ICO investigation.”
She said recertification with the standard was required every three years, but part of that process would be providing evidence that training and auditing had been carried out annually.
“The reality is that people are still the biggest risk but with proper training they become the first line of defence and that is a key part of the requirements.
“Law firms and chambers will need to make some upfront investment to achieve certification but it will reduce cost overall, both in demonstrating security to others and warding off costly breaches.
“The standard will rapidly become everyday business compliance in the legal sector.”