To be, or not to be… compliant, that is the data retention question
3Kites’ Paul Longhurst and Richard Kemp of Kemp IT Law on how law firms are adapting to GDPR
Back in the day when GDPR was just a twinkle in the eye of a Brussels law maker, firms held on to documents and timesheets (with their highly sensitive narratives on, say, clinical negligence) for as long as their paper or IT systems’ storage would allow. This might sometimes stretch into several decades without anyone having to justify why. With the introduction of the GDPR, attitudes have changed… but many storage habits have not.
In their latest column in the series Navigating Legaltech, Paul Longhurst of 3Kites gives the systems viewpoint while Richard Kemp of Kemp IT Law covers the regulatory requirements around data compliance for law firms.
Paul Longhurst writes
At 3Kites, we often assist firms with projects to replace document and practice management (ie accounting) systems and usually arrive at the question of data retention fairly quickly. The response is worryingly consistent in that the need to tidy data and introduce retention policies has long been recognised. However, the comfort blanket of retaining all such data in a legacy system is hard to break but leaves the firm no less exposed (to the charge of holding sensitive data without permission) than it was before.
Our questions to clients are reasonably basic, and are summarised here:
- Firstly, why are you holding onto documents and timesheets ? This is generally justifiable but not necessarily understood. Firms do not have to hold this data because of the statute of limitations but rather: as a legal or regulatory duty (eg in certain cases for certain kinds of client); a contractual obligation (in their client engagement arrangements); or as a requirement of their PI insurance (if you don’t have evidence of what was done at the time, premiums are going to be much higher or unobtainable to reflect the increased risk to insurers).
- Do your clients know the firm is holding onto this data ? Many firms will have explicit terms in their engagement letters to cover this off… but many do not. If a client requests that its data should not be held after the matter has closed, the firm has a decision to make about whether or not it wants to act for this client.
- How are you holding this data, especially when it is highly sensitive? Leaving sensitive data open to all in the firm may not be considered good practice. One alternative is to flag sensitive matters, ideally at file opening, so that these can be given limited access rights whilst open/active and then given a special treatment once closed, eg access is blocked and only granted on request (from the limited access users) for a set period of time.
- What happens to documents and timesheets when the matter has been closed for the full retention policy period? Many firms have policies but do not act on these for fear of losing access to key examples of clauses, agreements and the like. However, such examples should be identified at matter close and, ideally, cleaned up (anonymised) for inclusion in a knowledge repository. If this approach is followed, matter documentation can be destroyed on reaching its policy retention period, removing forever the risk of falling foul of GDPR or Solicitors Regulation Authority (SRA) rules.
It is easy to put this in four paragraphs but far harder to implement – the starting point must be to get the partners on board with these policy decisions so that applying them is straightforward.
Failing to do this can expose the firm to unnecessary risk and, with the the Information Commissioner's Office's powers, significant fines as we have already seen in the UK legal sector.
Richard Kemp writes
From the legal standpoint, there are four key aspects of data retention: who owns the file; firms’ regulatory duties around client information; GDPR; and firms’ contractual engagement terms.
A couple of initial points:
- the rules apply equally to hard and soft copy documents and information
- different duties attach to different types of information but what constitutes the ‘file’ isn’t cast in tablets of stone.
Who owns the file?
The Law Society recently provided helpful guidance on ‘who owns the file’. The general law makes a distinction between documents prepared where the firm is acting as the client’s agent (client owns) and where the firm is acting as professional adviser (firm owns).
Documents that the client owns typically include communications as agent to and from third parties, original documents sent to the firm, and final versions of documents like agreements and submissions that were the subject of the engagement.
Documents that the firm owns include copy letters and emails to and from the client and third parties, meetings notes, drafts of agreements, and time and accounting information. These are all subject to contrary agreement in the engagement terms (see below).
The firm’s regulatory duties around client information
The firm and its solicitors will also be subject to the SRA’s Codes of Conduct (click here for the firm section and here for the solicitors' rules).
There can be tension between the SRA rules and how assertive the firm wants to be around data ownership, disclosure and retention (will it want a lien over documents for unpaid fees? how will it handle disclosure requests in the context of a potential client claim).
It’s really the GDPR that has focused attention on data retention recently. The key specific GDPR points around data retention are duration of the data retention period and subject access requests (SARs). The first point is that, although the firm will owe the client duties of confidence on all or nearly all the information in the file, we’re concerned in this context only with personal data (PD).
Generally, SARs give an access right only to the PD of the individual making the request and apply only to that specific PD and not to documents (in whole or in part). The PD can be extracted from the original document, presented in its original form with other data redacted or presented as a new document specific to the SAR.
The storage limitation principle at GDPR Article 5(1)(e) – that PD should be kept for no longer than is necessary for the purposes for which the PD are processed – is what in practice has exercised law firms and caused them to develop more elaborate data retention policies over the last few years.
The firm’s contractual engagement arrangements
All these points – file ownership and regulatory and GDPR duties – come together in firms’ engagement terms and privacy policies.
Engagement terms can contractually override the ‘who owns what’ general principles, and firms increasingly set out in their privacy policies legitimate interests as the basis of lawful processing for PD they retain.
Law firms have traditionally been magpie minded about information. These developing rules will increasingly deter firms from retaining anything that glitters and encourage a more disciplined and structured approach.
Paul Longhurst is a director of 3Kites consulting and Richard Kemp is a partner at Kemp IT Law. This is the sixth article in the series Navigating Legaltech
About 3Kites and Kemp IT Law
3Kites is an independent consultancy, which is to say that we have no ties or arrangements with any suppliers so that we can provide our clients with unfettered advice. We have been operating since 2006 and our consultants include former law firm partners (one a managing partner), a GC, two law firm IT Directors and an owner of a practice management company. This blend of skills and experience puts us in a unique position when providing advice on IT strategy, fractional IT management, knowledge management, product selections, process review (including the legal process) and more besides. 3Kites often works closely with Kemp IT Law (KITL), a boutique law firm offering its clients advice on IT services and related areas such as GDPR. Where relevant (eg when discussing cloud computing in a future article) this column may include content from the team at KITL to provide readers with a broader perspective including any regulatory considerations.