The case of a solicitor who breached the Data Protection Act emphasises the importance of processing data properly, warns Richard Thomas

A recent case at Bolton Magistrates' Court proved very costly for a local solicitor (see [2005] Gazette, 10 March, 1). He was the defendant and, having admitted a breach of section 17 of the Data Protection Act 1998, was fined £3,150 and ordered to pay costs. He found himself in court for failing to notify the Information Commissioner's Office (ICO) that he was a data controller whose processing of personal data was carried out, at least in part, on computer. The pain could have been avoided through completion of a relatively simple form and payment of a modest £35.


The Act exists to protect the personal information of the public. The register maintained by my office increases openness and transparency. It enables me to do my job as the data protection regulator. And it enables the public to see how the organisations with which they deal process their data and empowers them to make use of their rights under the Act.


The Act provides a framework for good information handling and is based on eight principles, which include processing personal data fairly and lawfully and for limited purposes. Such information should be accurate and up to date, and kept securely and only for as long as necessary. Personal data should also be adequate, relevant, not excessive and processed in line with the rights of the individual.


Solicitors have a head start in complying with these principles - in the form of The Guide to the Professional Conduct of Solicitors, 1999, eighth edition. Compliance with those rules will bring adherence to many of the principles.


The ICO has responsibility for overseeing the Act and maintaining the public register of data controllers. The term data controller is defined in the Act as 'a person who determines the purposes for which and the manner in which any personal data are, or are to be, processed'. Practising solicitors handle vast amounts of information about clients and make decisions as to how that data will be used.


Solicitors are likely to be data controllers falling within the Act. And if any processing takes place on computer, then the law is clear - you must notify the ICO.


Some solicitors have argued that they are merely 'data processors', claiming they only process data at the behest of their clients. This is not a strong argument.


Clients come to solicitors for added value to their data - to assist them in doing what they could not do on their own. Solicitors extract the nuggets of personal information needed to do the job and manipulate the information to clients' best advantage.


Would clients happily instruct a law firm if its practice rule 15 letter read 'under the Act you remain the data controller for the information that you supply to us and under the Act and as data processors we have no liability for misuse of any information provided'?


There are several exemptions to the need to notify (accounts, staff administration and marketing), but for the most part solicitors will not be able to take advantage of these. There is still a small number of firms around that do not use computers for any part of their operations. It will be these firms that have yet to embrace modern technology whose operations fall outside the requirement to notify.


There is still a sizeable minority of law firms that has not notified. After repeated warnings, the ICO has successfully prosecuted a number of those that failed to comply. And it will continue to ensure those who work in the law comply with the law.


Solicitor Richard Thomas is the Information Commissioner. For more information, visit: www.informationcommissioner.gov.uk