
UK Barrister fined by ICO is luckiest barrister in Europe

The Information Commissioner’s Office (ICO) has confirmed it has levied a fine of £1000 on a UK barrister.

Details in the ICO press release indicate as follows:

“Information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer.

Some 725 unencrypted documents, which were created and stored on the computer, were temporarily uploaded to an internet directory as a back up during the software upgrade.

They were visible to an internet search engine and some of the documents could be easily accessed through a simple search.

Six of those files contained confidential and highly sensitive information relating to people who were involved in proceedings in the Court of Protection and the Family Court.”

Hard to believe, but in my opinion this barrister has been extremely lucky, and here is why.

Rarely does the ICO issue such a small fine, particularly for a data breach which concerns highly sensitive information. I’m astonished it was so low in this case. But that’s not where the luck lies.

The damage caused by an ICO investigation and subsequent judgment is rarely the fine itself; it is the reputational damage which flows from having the ICO issue a press release revealing to the world exactly how you failed to look after your client’s personal information. This is then picked up by the press, in this case most of the legal press, and the story spreads far and wide. It doesn’t take long for a quick Google of your name or the name of your business to reveal hundreds of results all referring to a data breach. Can you imagine a client thinking of briefing you finding that? So far from the weight of a fine, it is this publicity which literally sinks businesses.

Any barrister needs to understand the risks. If your clients, particularly if you’re briefed by government bodies, banks, or insurance companies, find out you’ve failed with your information security, they will absolutely refuse to brief you. And your career as you know it may well be over.

This is why the senior barrister in this case is lucky – the ICO has not named her or her chambers. Because of course should she be named, her colleagues in her set will all also suffer from reputational damage simply by association.

I have to say I agree with the decision not to name the lady. I do think that for an entire professional career to be wiped out simply because someone’s husband hit an update on a home computer is far too extreme.

However, other barristers need to take care. Barristers carry around some of the most highly sensitive information, and are therefore considered a high-risk profession when it comes to data breaches.

Next time the fine could be higher, but much more worryingly, the ICO may name and shame.

Barristers interested in improving their data protection compliance can have a look at our Data Protection Compliance Bundle for Barristers.