To be, or not to be… compliant, that is the data retention question

Data law

This is the latest in a series of articles, initially published in The Global Legal Post, on various technical themes in language which can be understood by those who prefer to use technology rather than immerse themselves in it. These are written by Paul Longhurst at 3Kites with Kemp IT Law contributing.

Back in the day when GDPR was just a twinkle in the eye of a Brussels law maker, firms held on to documents and timesheets (with their narratives which on, say, clinical negligence cases may be highly sensitive) for as long as their paper or IT systems’ storage would allow. This might sometimes stretch into several decades without anyone having to justify why. With the introduction of the GDPR, attitudes have changed… but many storage habits have not. Paul Longhurst of 3Kites gives the systems viewpoint whilst Richard Kemp of Kemp IT Law covers the regulatory requirements.

At 3Kites, we often assist firms with projects to replace document and practice management (ie accounting) systems and usually arrive at the question of data retention fairly quickly. The response is worryingly consistent in that the need to tidy data and introduce retention policies has long been recognised. However, the comfort blanket of retaining all such data in a legacy system is hard to break but leaves the firm no less exposed (to the charge of holding sensitive data without permission) than it was before. 

Our questions to clients are reasonably basic here: 

1. Firstly, why are you holding onto documents and timesheets? This is generally justifiable but not necessarily understood. Firms do not have to hold this data because of the statute of limitations but rather as a legal or regulatory duty (eg in certain cases for certain kinds of client), a contractual obligation (in their client engagement arrangements) or as a requirement of their PI insurance (if you don’t have evidence of what was done at the time, premiums are going to be much higher or unobtainable to reflect the increased risk to insurers).

2. Do your clients know the firm is holding onto this data? Many firms will have explicit terms in their engagement letters to cover this off… but many do not. If a client requests that its data should not be held after the matter has closed, the firm has a decision to make about whether or not it wants to act for this client.

3. How are you holding this data, especially when it is highly sensitive? Leaving sensitive data open to all in the firm may not be considered good practice. One alternative is to flag sensitive matters, ideally at file opening, so that these can be given limited access rights whilst open/active and then given a special treatment once closed, eg access is blocked and only granted on request (from the limited access users) for a set period of time.

4. What happens to documents and timesheets when the matter has been closed for the full retention policy period? Many firms have policies but do not act on these for fear of losing access to key examples of clauses, agreements and the like. However, such examples should be identified at matter close and, ideally, cleaned up (anonymised) for inclusion in a knowledge repository. If this approach is followed, matter documentation can be destroyed on reaching its policy retention period, removing forever the risk of falling foul of GDPR or SRA rules.
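As an added illustration of the lifecycle in points 3 and 4 above (example code written for this article, not a 3Kites or practice management system product), the following models a matter's retention state: limited access while a sensitive matter is active, request-only access after closure, and destruction at the end of the policy period only once anonymised knowledge examples have been extracted. The seven-year period follows the typical figure quoted later in the article; the matter references, user names and grant expiry dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

RETENTION_YEARS = 7  # typical policy: seven years after final bill (assumed default)

@dataclass
class Matter:
    ref: str
    sensitive: bool                       # flagged at file opening
    limited_access_users: FrozenSet[str]  # fee earners cleared for a sensitive matter
    closed: Optional[date] = None         # date of final bill / matter close
    knowledge_extracted: bool = False     # anonymised examples pulled at close

def add_years(d: date, n: int) -> date:
    """Anniversary date, tolerating a 29 February close date."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def retention_state(m: Matter, today: date) -> str:
    if m.closed is None:
        return "active"
    if today >= add_years(m.closed, RETENTION_YEARS):
        return "destroy_due"
    return "blocked" if m.sensitive else "closed"

def can_access(m: Matter, user: str, today: date,
               approved_requests: Dict[Tuple[str, str], date]) -> bool:
    """approved_requests maps (matter ref, user) to the grant's expiry date."""
    state = retention_state(m, today)
    if state == "destroy_due":
        return False                      # nothing should be served past the policy period
    if state == "active":
        return (not m.sensitive) or user in m.limited_access_users
    if state == "blocked":
        # closed sensitive matter: only a limited-access user with a live, time-boxed grant
        expiry = approved_requests.get((m.ref, user))
        return user in m.limited_access_users and expiry is not None and expiry >= today
    return True                           # closed, non-sensitive matter

def destruction_queue(matters: List[Matter], today: date) -> Tuple[List[str], List[str]]:
    """Matters due for destruction, split by whether knowledge extraction was done."""
    due, held_back = [], []
    for m in matters:
        if retention_state(m, today) == "destroy_due":
            (due if m.knowledge_extracted else held_back).append(m.ref)
    return due, held_back
```

The `held_back` list is the audit point: a matter past its retention period whose examples were never harvested is exactly the case that tempts firms to keep everything.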

It is easy to put this in four paragraphs but far harder to implement – the starting point must be to get the Partners on board with these policy decisions so that applying them is straightforward. Failing to do this can expose the firm to unnecessary risk and, with the ICO’s powers, significant fines as we have already seen in the UK legal sector.

Richard notes that, from the legal standpoint, there are four key aspects of data retention: who owns the file; firms’ regulatory duties around client information; GDPR; and firms’ contractual engagement terms. 

A couple of initial points: 

  • the rules apply equally to hard and soft copy documents and information; 
  • different duties attach to different types of information but what constitutes the ‘file’ isn’t cast in tablets of stone. 

Who owns the file? 

The Law Society recently provided helpful guidance on ‘who owns the file’. The general law makes a distinction between documents prepared where the firm is acting as the client’s agent (client owns) and where the firm is acting as professional adviser (firm owns). Documents that the client owns typically include communications as agent to and from third parties, original documents sent to the firm, and final versions of documents like agreements and submissions that were the subject of the engagement. Documents that the firm owns include copy letters and emails to and from the client and third parties, meetings notes, drafts of agreements, and time and accounting information. These are all subject to contrary agreement in the engagement terms (see below). 

The firm’s regulatory duties around client information 

The firm and its solicitors will also be subject to the SRA’s Codes of Conduct – here there can be tension between the SRA rules and how assertive the firm wants to be around data ownership, disclosure and retention (will it want a lien over documents for unpaid fees? how will it handle disclosure requests in the context of a potential client claim?).

GDPR duties 

It’s really the GDPR that has focused attention on data retention recently. The key specific GDPR points around data retention are duration of the data retention period and subject access requests (SARs). The first point is that, although the firm will owe the client duties of confidence on all or nearly all the information in the file, we’re concerned in this context only with personal data (PD). 

Generally, SARs give an access right only to the PD of the individual making the request and apply only to that specific PD and not to documents (in whole or in part). The PD can be extracted from the original document, presented in its original form with other data redacted or presented as a new document specific to the SAR. 

The storage limitation principle at GDPR Article 5(1)(e) – that PD should be kept for no longer than is necessary for the purposes for which the PD are processed – is what in practice has exercised law firms and caused them to develop more elaborate data retention policies over the last few years. 

The firm’s contractual engagement arrangements 

All these points – file ownership and regulatory and GDPR duties – come together in firms’ engagement terms and privacy policies. Engagement terms can contractually override the ‘who owns what’ general principles, and firms increasingly set out in their privacy policies legitimate interests as the basis of lawful processing for PD they retain. Most firms do not currently expressly set out in their privacy policy what the data retention periods are, preferring to give an email address where the firm can be contacted for the specific applicable period. Where a particular period is expressly referred to, this is typically seven years after final bill. 

Law firms have traditionally been magpie minded about information. These developing rules will increasingly deter firms from retaining anything that glitters and encourage a more disciplined and structured approach. 
