Posted by Brian Rogers, regulatory director for digital learning and compliance at Legal Futures Associate The Access Group [1]
Rogers: The SRA’s pragmatic approach should not be abused
Working from home is a new challenge for many law firms and their employees, but as long as reasonable steps are taken to ensure clients are protected and standards of compliance are met, it does not need to be daunting.
A pragmatic approach to compliance
The Solicitors Regulation Authority (SRA) has provided some very useful information on its website to help firms meet their compliance obligations.
This states: “We will take a proportionate approach: this includes our approach to enforcement. If we do receive complaints, we would take into account mitigating circumstances, as set out in our enforcement strategy.
“This includes focusing on serious misconduct, and clearly distinguishing between people who are trying to do the right thing, and those who are not. We would recommend that if you do face compliance difficulties linked to the virus, you should clearly document the approach you have taken.”
The SRA’s pragmatic approach during the Covid-19 crisis should not be abused as it will clearly take action against those who are not playing their part in ensuring clients and the reputation of the profession are protected.
Cyber security
Market intelligence clearly suggests that criminals are taking advantage of the current crisis by using scams related to Covid-19, such as emails purporting to be from government departments about health checks and tax refunds. You should ensure that all of your staff are aware of the types of scams that are around and remind them not to click on any suspicious links or attachments.
Due to the lack of time to source laptops and so on, many firms will currently be operating using IT equipment owned by their employees, but this can present a number of areas for concern and these will therefore need to be addressed, eg out-of-date protection software, client data stored outside their firm’s systems, etc.
Client confidentiality and data protection
Working from home can present a number of risks to client data, such as family members and visitors being able to see it, or client discussions being overheard during telephone calls.
Not all people working from home have a dedicated office and will therefore be working in communal areas. But appropriate precautions must still be taken to mitigate identified risks as much as possible.
Since the government confined most people to their homes, there has been an increase in the number of data subject access requests being submitted to firms. This could be down to boredom, or people having more time to focus on things they have previously had put to one side.
As with the SRA, the Information Commissioner’s Office (ICO) is taking a pragmatic approach to compliance, especially when firms may not be able to access all the personal data they hold due to offsite archive facilities being closed or back-up data being unavailable from their IT support company.
The ICO has said: “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
“We can’t extend statutory timescales but will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.”
Supervision and competence
Ongoing supervision is key to ensuring that the service your firm provides to clients is competent and delivered in a timely manner. So, although you are working away from your colleagues, if you are a supervisor you still need to ensure you regularly communicate with them and oversee what they are doing; this will clearly be easier if your firm is operating on a paperless basis and client matters are available via a secure connection over the internet.
As and when your firm is able to return to normal operations, there will be a number of things you will need to do, such as account for all client matters, review client files that should have been reviewed during the lockdown, and ensure client data is removed from personal computers. Planning for this should start now so you and your staff are prepared for it.
Where staff are working on client matters, they will still need to maintain their competence to do so, making it important that ongoing training is provided as appropriate. Due to the nature of remote working attending meetings or face-to-face training is no longer practical, so the use of e-learning systems is a viable alternative.
Action steps
The following steps will help you to ensure that as far as possible you are able to comply with your regulatory obligations:
- Provide appropriate staff with secure firm-owned IT equipment;
- Regularly communicate with all your staff;
- Review and update your policies and procedures and ensure staff are aware of any changes;
- Hold regular online conference calls with file handlers to ensure client matters are being progressed and supervised as appropriate;
- Remind staff to take appropriate precautions to protect client information; and
- Ensure all staff are aware of how to remotely report breaches and suspicious activity, or make a notification that a subject access request has been received.
Clients are the lifeblood of your business, so make sure they remain confident that you are protecting their interests, even when you are working away from your offices.