Having extensively researched this area of the DPA, it has come to my attention that ‘Cloud’ services on platforms such as ‘Dropbox’ are widely used, or planned for use, by solicitors, law firm practice managers and law firm IT staff.
While cloud computing has a number of advantages for businesses, such as reducing costs and increasing storage, it carries risks which law firms must consider when engaging a third party to handle sensitive information. Law firms have a due diligence responsibility to consider the security and DPA compliance requirements when choosing cloud services, asking questions such as:
- Does the cloud platform meet the requirements of the UK Data Protection Act?
- Where is my data stored? (Is it in the EU?)
- What are the security protocols?
- Can anyone else access my data?
The Law Society has published a practice note on the use of cloud computing services in law firms, warning them that they could break the Data Protection Act, including by storing data in foreign clouds. In view of this, law firms have very little room to manoeuvre if challenged by the ICO or the Law Society while they are using a non-compliant ‘Cloud’ solution or one with a very poor security architecture.
This is by no means a ‘Dropbox’ bashing article, as I believe it has its place in the market and is widely used by many professional sectors, but only for the correct and appropriate type of data and content, which the ICO would describe as data that ‘in the event of loss would NOT cause individuals damage and distress’. For this reason it is obvious why the Law Society has issued a clear practice note on the ‘Use of Cloud Computing Services in Law Firms’ and why the use of Dropbox or similar cloud platforms could be in breach of the DPA.
The Law Society
The practice note from the Law Society is not intended to be the only standard of good practice that law firms should follow. Although not mandatory, law firms are strongly advised to follow it; by issuing it and so drawing a clear line, the intent is to make it easier for legal practitioners to account for their actions to oversight bodies and the regulator.
I would advise any law firm or legal practitioner who has not completed due diligence on their existing use of cloud services, or who is planning to use cloud services in the future, to carry out the minimum due diligence checks, or to consult a Data Protection expert who will give appropriate compliance advice to ensure the necessary regulatory requirements are met.
Undertaking a Data Protection Health Check on your business will also help to identify any potential risks of non-compliance or vulnerabilities in relation to your existing use of cloud services.
This article does not constitute legal advice; if you have any concerns regarding data protection then please contact us.