COVID-19: Confidentiality and Working From Home (WFH) – an updated blog
A version of this blog was published by the Law Society of England and Wales in May 2020. We have revised it slightly to take account of lessons from the pandemic a few months on. Regulatory specialist solicitor and legal book author Paul Bennett offers guidance on confidentiality. A Practical Guide to the SRA Principles, Individual and Law Firm Codes of Conduct 2019 – What Every Law Firm Needs to Know by Paul Bennett was published in 2019 by Law Brief Publishing.
Confidentiality should have been a key focus for law firms as we all adapted to the Covid-19 era and new ways of working. The evolving regulations in society pose a risk to law firms, though: as they fundamentally force different ways of working upon us, what will be at risk is legal professional privilege and the professional obligation of confidentiality. The Solicitors Regulation Authority (SRA) rules are not suspended by the Covid-19 virus itself or by the legislation introduced. This means that we as solicitors do need to think about client confidentiality and legal professional privilege wherever we are working, document what we have done to assess the risks, and monitor how it is working in practice.
Law firms and individual solicitors should exercise care, review the options and, if they are unsure, take advice from a reliable source such as a specialist solicitor.
When working from home, the challenges are different from those of working in the office. For example, you should ensure that housemates and family members do not take photographs or make social media posts which compromise client confidentiality. One of our choices in 2020 was to build a garden studio office; we started by looking at physical security and ensuring the materials meant it was secure, and then focused on soundproofing.
Professionals are held to a higher standard
Being at home does not relieve us of our professional obligations, nor of the legal ones. The 2011 example of the QC in Scotland being subject to enforcement action by the Information Commissioner's Office after her laptop was stolen from her home remains a harsh reminder to all professionals that we are held to a higher standard than other sectors. It may not be our actions but the actions of malignant third parties which trigger a problem.
The 2017 case of a barrister being fined £1000 for having personal data stored on a personal device which was not encrypted highlights the current challenges of allowing staff to use their own devices without enhancing the protections in place and without ensuring you can remove the data when practical to do so, to avoid storing it outside of the firm's control.
The public expect professionals to be alive to the issues, so demonstrate this in all you do.
Since a version of this was published in May 2020 by the Law Society, we have seen a steady stream of cases where problems have arisen. We have helped firms report problems to the SRA and ICO.
What should you be doing now? Try these practical tips:
- Tell your team to be confidentiality-aware and set out your expectations as a firm. Law firm leaders should lead on the standards expected. If affected by a local lockdown, as we are in one location and not (yet) in another, go back to confidentiality first principles;
- Do a risk assessment of the working location of your staff. For example, if people are talking on the phone or via video platforms in a shared house, are you supplying headsets to ensure calls cannot be overheard? Are your team using the headsets?
- Have you issued guidance to your team on each video platform you are using, and on encouraging clients to use safe platforms?
- What are the standards you are setting as a law firm? A standard you might wish to adopt is that confidential or legally privileged material should not be shared by text or on a social platform such as Snapchat or Houseparty, but you might be more comfortable with your team using WhatsApp, which has end-to-end encryption.
- For 2020 working methods, the firm's Bring Your Own Device (BYOD) Policy might need a review to check if the technology and approach are fit for purpose.
- Most law firms will already have had arrangements in place to protect client information for remote workers in normal times. In the Covid-19 era the risk landscape has changed, so those job functions and personnel who come to these challenges without existing training, and without awareness of confidentiality being built in to remote working, will need some guidance and support.
- Think through the risks, document the steps taken to guide your team and remind colleagues of the best-practice measures they must adopt. Ensure the risks to confidentiality are minimised in the context of your client base.
Firms should be putting on an online training session about their policy on confidentiality. Firms should be ensuring they have an up-to-date policy. These would be good, if basic, first steps. In the spring we did a number of these sessions, which have yet to be repeated for the local lockdown era; to me, that says firms risk complacency, because good habits need training, reminders and focus.
In summary: think about the risks, manage the risks through training and policy updates, and set the standards. These are simple things, not expensive things, but if you do not do them and the SRA and ICO receive a complaint, you will struggle to respond effectively. So make the time to spend an hour or two and ensure you have a response.