Finally the ICO has issued a warning to lawyers relating to their observance or failure to observe Data Protection Legislation. In my opinion, it is something that has been a long time coming – due to the lack of basic observance of the obligations by many lawyers.
So with a warning issued last week, it is unlikely to be very long before fines of potentially up to £500,000 may follow.
Many regular readers of Today’s Conveyancer will know that I spent a long time working with lenders in a panel management company. Back then and even to this day, it is clear that there is a massive gap between the way lenders treat data protection issues and the way conveyancers do.
I suspect at some point conveyancers will have to come into line with lenders and start complying with data protection laws shortly.
But putting that aside, as the ICO has issued warnings last week, it is likely that fines and impositions on conveyancers will at some point follow. What impact would it have on your brand if you were one of the first to be caught and named? Everyone expects lawyers to be compliant with the law and failure to do so would be a significant blow to your brands credibility.
Over recent years I have spent considerable time in conveyancing practices advising them on operations, risk management and other activities. It is incredibly rare that I come across a conveyancing practice that pays much attention to their data protection obligations.
Common failings include:-
1. Lack of Process to identify the client or other interested parties particularly over the phone. Using a recent example that baffled me, a “client” phoned the solicitor to ask a series of questions about why a case was held up. After every question the client started speaking to someone else in a different language – explaining to them the answers the solicitor was conveying. After the call I asked the solicitor if the “client” had ever spoken in different languages before or whether they were aware of any circumstances that might make that normal in this transaction. Following some encouragement from me, the solicitor later called the client on their personal mobile number, different to the number the call was made from earlier, only to be told by the real client on the end of the phone that it was not them who had phoned and were bemused as to who it could have been. In the past, I have known of instances where estate agents and brokers phone other parts of the chain pretending to be clients.
The solicitor said that the “client” had sounded like the client but really wasn’t sure.
I know many of you may personally know all of your clients, but does this mean you really know their partner that well if they were to call in?
Many firms I am glad to say, ask their clients to create a six digit alpha numeric password on their initial client questionnaire – often one for each of the husband and the wife. Whilst this isn’t fool proof, you can at least demonstrate that you have made some policy decisions to try to ensure you are talking to the person that you think you are.
Others use combinations of postcodes or dates of birth – which I think are maybe too loose to use when home movers often provide estate agents or brokers involved in the moving process with this information.
2. Taking files home – I also remain amazed at how many firms let staff take files home. One firm I know has a member of staff who commutes up to four hours by train every day. The firm therefore lets the fee earner take their files home – meaning they can work on public transport. As a frequent train user, I personally wouldn’t want some stranger looking over my shoulder at my file and details. Last year I was in the first class lounge in Euston where a fee earner was actually dictating loudly a report on title for a property in Milton Keynes. The lady enunciated the client’s names and address clearly in crystal cut English and was even good enough to repeat the names twice, to double check that her secretary had got the names correctly. Why any firm feels this is appropriate compliance with data protection requirements I have no idea.
3. Mobile Phones on desks – whilst many firms spend a fortune on IT security, they forget that mobile phones are computers too and can be used to photograph documents and store information. I know from working with lenders that they prohibit their staff from having mobile phones at their desks specifically for the purpose of avoiding their own internal staff stealing data for inappropriate purposes. Credit card details and personal client details have a tradable value. Are you sure you know what your staff are doing with the data that passes over their desks? Would it surprise you to know some lenders give their staff wipe clean boards so that staff do not have paper they could take home with client information on it?
4. Lack of training – I also see very little in the way of training of staff in respect of these issues. Some firms are excellent with posters on walls, staff training and on going audit and compliance. Other firms never even consider these issues.
5. Inappropriate treatment of credit card details – there should be no excuse for inappropriate storage of sensitive credit card data including security cards. In one firm I audited for risk about 4 years ago, there were 4 shelves about 8 feet long with files just containing copies of forms that staff had made over the phone; including all of their clients security details. This is clearly in breach of the use of credit card rules and also data protection.
If you haven’t considered these issues recently, maybe it is time to do so. It is easy to plough through, doing what firms have always done, without acknowledging that attitudes to risk change over time.
Today’s Conveyancer can offer you a data protection risk audit to help you consider your position in light of the warnings from the ICO. For further information please contact us by emailing chris.harris@practicalvision.co.uk or call 07983 485490.
