New ICO certification for lawyers gives “certainty” on data processing

Kelly: Compliance should not be as daunting as it looks

The Information Commissioner’s Office (ICO) has approved a certification scheme which it says will provide law firms, chambers and others with “certainty” when processing personal data.

Emily Keaney, ICO deputy commissioner, said the Legal Services Operational Privacy Certification Scheme, or LOCS:23, would reassure clients that lawyers had “strong information security” in place, with one expert predicting that it would soon become a pre-requisite when tendering for work.

Article 42 of the UK General Data Protection Regulation (GDPR) provides for the creation of official certification schemes recognised by the ‘supervisory authority’ (in this case, the ICO).

The ICO said the aim was to help organisations demonstrate compliance with data protection requirements and in “inspire trust and confidence” in customers.

The introduction to the standard says: “This standard has been developed in response to client concern, senior management feedback, the increasing risk of personal data breach or theft and a general industry desire to ensure the privacy and security of client personal data when selecting third-party service providers.”

Approving the 85-page scheme, the ICO said it applied to legal services providers (both controllers and processors of data), including law firms and barristers’ chambers, which processed large amounts of sensitive personal data in relation to the legal services provided and held in the client file.

Ms Keaney said: “Signing up to this certification scheme will provide them with certainty that they are adhering to data protection standards and reduce time and resource spent assessing third party data processors.

“It will also reassure their clients they are committed to looking after their personal details and have strong information security in place.”

Barrister Orlagh Kelly, chief executive of legal compliance business Briefed, which has been authorised to implement LOCS:23, said certification meant that everyone working in and supplying the legal profession knew the standard of compliance they needed to reach.

“The good news is that most law firms and chambers have been working hard to comply with GDPR, albeit without knowing what level to reach. That means achieving certification may not be as daunting as it first appears when reading the 85 pages of requirements.

“It’s not asking you to do any more than you already should be doing; rather, it creates a framework to make sure you have every base covered.”

Ms Kelly predicted that public bodies would soon require compliance with the LOCS:23 standard as a precondition for tendering for work.

Given the importance of GDPR compliance within supply chains, many in the private sector, especially financial institutions, were likely to follow suit, she added.

As the standard applied to any business that handled a client’s data – such as digital dictation companies and IT service providers – Ms Kelly said it could become a prerequisite for law firms and chambers’ own supply chains too.

She went on: “The standard will not stop hackers targeting lawyers. But complying with it will ensure they are better protected and more able to manage a data breach. It will also be a major mitigating factor in the event of a breach and an ICO investigation.”

She said recertification with the standard was required every three years but part of that process would be providing evidence that training and auditing have been carried out annually.

“The reality is that people are still the biggest risk but with proper training they become the first line of defence and that is a key part of the requirements.

“Law firms and chambers will need to make some upfront investment to achieve certification but it will reduce cost overall, both in demonstrating security to others and warding off costly breaches.

“The standard will rapidly become everyday business compliance in the legal sector.”

Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Shocking figures suggest divorce lawyers need to do more for clients

There are so many areas where professional legal advice requires complementary financial planning and one that is too frequently overlooked is on separation or divorce.

Is it time to tune back into radio marketing?

How many people still listen to the radio? More than you might think, it seems. Official figures show that 88% of UK adults tuned in during the last quarter of 2023 for an average of 20.5 hours each week.

Use the tools available to stop doing the work you shouldn’t be doing anyway

We are increasingly taken for granted in the world of Do It Yourself, in which we’re required to do some of the work we have ostensibly paid for, such as in banking, travel and technology

Loading animation