New ICO certification for lawyers gives “certainty” on data processing


Kelly: Compliance should not be as daunting as it looks

The Information Commissioner’s Office (ICO) has approved a certification scheme which it says will provide law firms, chambers and others with “certainty” when processing personal data.

Emily Keaney, ICO deputy commissioner, said the Legal Services Operational Privacy Certification Scheme, or LOCS:23, would reassure clients that lawyers had “strong information security” in place, with one expert predicting that it would soon become a pre-requisite when tendering for work.

Article 42 of the UK General Data Protection Regulation (GDPR) provides for the creation of official certification schemes recognised by the ‘supervisory authority’ (in this case, the ICO).

The ICO said the aim was to help organisations demonstrate compliance with data protection requirements and “inspire trust and confidence” in customers.

The introduction to the standard says: “This standard has been developed in response to client concern, senior management feedback, the increasing risk of personal data breach or theft and a general industry desire to ensure the privacy and security of client personal data when selecting third-party service providers.”

Approving the 85-page scheme, the ICO said it applied to legal services providers (both controllers and processors of data), including law firms and barristers’ chambers, which processed large amounts of sensitive personal data in relation to the legal services provided and held in the client file.

Ms Keaney said: “Signing up to this certification scheme will provide them with certainty that they are adhering to data protection standards and reduce time and resource spent assessing third party data processors.

“It will also reassure their clients they are committed to looking after their personal details and have strong information security in place.”

Barrister Orlagh Kelly, chief executive of legal compliance business Briefed, which has been authorised to implement LOCS:23, said certification meant that everyone working in and supplying the legal profession knew the standard of compliance they needed to reach.

“The good news is that most law firms and chambers have been working hard to comply with GDPR, albeit without knowing what level to reach. That means achieving certification may not be as daunting as it first appears when reading the 85 pages of requirements.

“It’s not asking you to do any more than you already should be doing; rather, it creates a framework to make sure you have every base covered.”

Ms Kelly predicted that public bodies would soon require compliance with the LOCS:23 standard as a precondition for tendering for work.

Given the importance of GDPR compliance within supply chains, many in the private sector, especially financial institutions, were likely to follow suit, she added.

As the standard applied to any business that handled a client’s data – such as digital dictation companies and IT service providers – Ms Kelly said it could become a prerequisite for law firms and chambers’ own supply chains too.

She went on: “The standard will not stop hackers targeting lawyers. But complying with it will ensure they are better protected and more able to manage a data breach. It will also be a major mitigating factor in the event of a breach and an ICO investigation.”

She said recertification with the standard was required every three years but part of that process would be providing evidence that training and auditing have been carried out annually.

“The reality is that people are still the biggest risk but with proper training they become the first line of defence and that is a key part of the requirements.

“Law firms and chambers will need to make some upfront investment to achieve certification but it will reduce cost overall, both in demonstrating security to others and warding off costly breaches.

“The standard will rapidly become everyday business compliance in the legal sector.”



