Self-employed barristers have been advised not to sign contracts drawn up by law firms attempting to comply with data protection legislation coming into force this month. The contracts, required by Article 28 of the General Data Protection Regulation (GDPR), provide ‘data controllers’ with guarantees that ‘data processors’ working for them will protect the rights of data subjects - in this case, clients.
The disputed contracts assume that solicitors are data controllers and that barristers instructed in a matter are data processors. However in an advice note drawn up by its information technology panel, the Bar Council vehemently rejects that status. 'For the avoidance of doubt, self-employed barristers are data controllers of their client’s data. They are not data processors,’ the note states.
Its justification for the stance is that barristers are not 'sub-contractors on the solicitor’s behalf, merely processing data accordingly’, but rather providers of ’independent objective specialist advice and advocacy’. It is therefore up to the barrister to determine what information to obtain and process for the task.
Only in ’very limited circumstances’, such as when on secondment to a law firm, are barristers properly to be considered data processors and for it to be appropriate to enter into an Article 28 contract with a solicitor, the advice adds.
Regulating the flow of personal data between controllers and processors is a core aim of the GDPR, which takes direct effect across the EU on 25 May. Legislation to mirror its measures in UK law, the Data Protection Bill, is currently awaiting a date for its report stage in the House of Commons.