Keeping a secret
Training and appropriate policies should create the right foundation for confidentiality and data protection compliance in practice, says Tracey Calvert
A trainee solicitor sacked from a law firm just weeks before she was due to qualify has lost her unfair dismissal claim.
I don’t often feel the need to mention employment tribunals in this column, but this matter raises issues which have a direct link to ethical behaviours and compliance in practice.
The story is reported as follows: The trainee had been sacked by the SRA-authorised law firm after she admitted sending emails containing confidential information to both her own personal email address and to the email account of a friend outside the firm.
The incidents came to light when the firm discovered the trainee had flouted internal policies and sent emails to two clients without referring them to a senior colleague as required under the internal supervision controls.
Further investigations of the trainee’s email account were then conducted. These revealed the full extent of her improper activities with evidence that legally privileged documents, client updates, a template contract and papers relating to litigation had been emailed to her own and her friend’s email accounts.
Her actions breached the firm's own policies and, in doing so, breached the duty of confidentiality owed to the firm's clients. There were also data protection issues, because personal data processed by the firm had been sent outside it.
The trainee was dismissed by the firm but made a claim for unfair dismissal. The tribunal ruled in favour of the employer. I believe this was the right outcome, however unfortunate the consequences for the individual concerned.
Her acts raised issues concerning confidentiality duties and risks to personal data processed by the firm. There are essential duties associated with holding other people's information, with regulatory and legal consequences where there are breaches.
This is basic knowledge which everyone must understand, if only because the consequences of non-compliance are severe, as this tribunal decision shows.
So should we be surprised by the consequences for the trainee and the fact she appears not to have found much sympathy in the tribunal forum? I would suggest not.
After all, keeping a client’s secrets (more properly described as the duty of confidentiality) is one of the fundamental components in our role as trusted advisers. It is essential there is trust in every solicitor-client relationship.
This is widely understood by the public. Add to this the standards expected of us in respect of data protection, and the fact that the legislation extends our responsibilities to a far wider group of individuals than our clients (staff, witnesses, opponents and anyone else whose personal data the firm processes), and the need for systems and controls, risk management and effective monitoring is obvious.
Should we be surprised the trainee acted in the way she did? I cannot answer that question but what I would ask of law firms is this: would your firm’s compliance measures enable you to trust your colleagues to know the basics and behave appropriately when trusted with other people’s information?
The message must be loud and clear: delivering confidentiality duties and safeguarding personal data is essential. The circumstances in which information can be divulged must be strictly controlled; breaches – whether inadvertent or deliberate – must be managed by the firm. How do you ensure this happens?
Training has to be the starting point for achieving the right standards within the firm. This will either be an introduction to these concepts or a reminder of the duties, depending on an individual’s starting point.
What must be understood is that colleagues, regardless of qualification or position in your firm, are signing up to a lifelong commitment to preserve the duty of confidentiality so that, as a consequence, they will be carrying secrets to their graves.
Data protection duties do not run for life in the same way, but they are just as important for as long as the firm retains the personal data.
In my view, recounting disciplinary decisions delivers powerful messages in training sessions and is more effective than simple rule-reciting in making your point.
They enable your audience to understand the realities of breaches and to put themselves in someone else's place. Consider the following examples from the SRA and the Information Commissioner's Office (ICO):
The solicitor who was found to be in breach of his duty of confidentiality because he confided to a family friend that his firm was acting for a famous author who was subsequently ‘outed’ in a national newspaper: disciplined by the SRA.
The paralegal who sent himself emails containing precedent materials and templates for use in his future employment: disciplined by the SRA and subject to legal enforcement action by the ICO.
The retiring solicitor who shared stories in a newspaper article about disclosing confidential information to third parties in the 1970s and 1980s: disciplined by the SRA in 2017.
It is sensible to acknowledge how things can go wrong. Here, we’re talking about identifying such risk events as the unauthorised disclosure of information to a third party; mistaken disclosure because emails go astray or wrong enclosures sent; overheard conversations; lost data; stolen equipment; and cyber access to data.
Training should also include messages about the firm's expectations about openness and accountability, systems and policies, reporting and record-keeping. The more frequently such expectations are repeated, the harder it becomes to be non-compliant or to stand apart from colleagues who are complying.
Systems should include documented policies describing the firm's management of risks. Returning to the tribunal finding, it is noteworthy that the firm first realised there was a problem because of non-compliance with its internal supervision policy, not because of anything in the emails themselves.
This is a good practical example of supervisory controls doing their job: they exist to ensure appropriate oversight and awareness of potential risk events, and here a breach of the policy prompted the further scrutiny that uncovered the far more serious conduct.
So, would your supervision policy give you the necessary intelligence about lack of adherence? Would you receive such information in an appropriate and timely way? Would you follow up with further enquiries, and would your email systems retain the records needed to establish, as this firm did, exactly what had been sent and to whom?
There is no prescription about what should be in your portfolio of policies. Consider the appropriateness of a confidentiality policy to manage the risk of breaches and to document the firm's expectations when mistakes occur; an IT policy setting out your restrictions on the use of technology, including sending emails outside the firm (a restriction that is only as good as the monitoring or technical controls that enforce it); a data protection policy; and a social media usage policy to avoid explicit or implied references to clients and data subjects.
The training (and these policies) should create the right foundation for compliance in practice. The effectiveness of the firm’s response can then be the subject of ongoing monitoring.
This monitoring will be undertaken by supervisors, and trainers also have a role in keeping colleagues up to speed with regulatory and legal priorities.
Risk-owners such as the compliance team or department heads will also have a watching brief on people and paperwork. Is it all working and if not are you responding appropriately?
The above tribunal ruling serves as a timely reminder of what matters and gives us a reason to consider again the importance of effective compliance in practice. When duties as basic as confidentiality and data protection are misunderstood, the consequences are considerable. An effective response protects the business and protects the individual.