Wednesday, 8 February 2012

Client data is sacrosanct. It shouldn’t be for sale

Like any busy solicitor, I receive a number of emails from all manner of people on a daily basis. Some of them are from clients who need help, while others are from the other side’s lawyers in a claim we’re handling. Still others fall in the networking category; some are even from old friends.

Fortunately, very few emails invite my firm to break the law. That, though, seems to be the effect of one particular email which a colleague received. I do not propose to identify the sender, and so I won’t even give an extract, but let’s just focus on one thing, for starters: the spelling! I am more forgiving than most of poor spelling. I have mild dyslexia, but in this instance it is indicative of a much deeper problem..

In fact this particular email – a round robin that many other law firms in the personal injury sector will have received – has more spelling mistakes than Fernando Torres has goals for Chelsea. In truth, the latter upsets me more. Torres is a great player but his inability to find the back of the net is a growing problem for my beloved Chelsea (although the less said about how the team threw away a 3-0 lead over Manchester United last weekend, the better).

Moving swiftly on... Perhaps its errant spelling is symbolic of how not all is right with this particular email. Certainly, if it were to be assessed for its linguistic elegance alone, it would come up wanting. But such things are small beer compared to what is really wrong with this email, which was sent by a large claims management company (CMC).

The email seeks to acquire personal injury claims which have stalled, for whatever reason, so that they can be placed with one of the CMC’s panel of solicitors. The incentive is a referral fee which, on the face of it, is far from insubstantial. In fact, it’s some £400 to £500 per case referred.

The problem with this is simple, and it’s to be found in the Data Protection Act 1998 (the DPA). The DPA contains eight data protection principles, which apply to anyone who processes personal data. Law firms and CMCs are governed by the Act, which, among other things, stipulates that data must be processed fairly and lawfully, in accordance with the data subject’s rights and for limited purposes. ‘Data controllers’ – again, for present purposes, law firms and CMCs – must be open and honest about how data is used, ensure that nothing unlawful happens with it, and handle it only in ways that are reasonably expected.

My question is this. Is it reasonable for a client of any law firm to expect that his or her data will be passed on to a CMC, in return for a referral fee? Bear in mind that ‘sensitive personal data’ has an additional level of protection under the Act; it would include matters of health, which, by definition, is what is in issue in a personal injury claim.

It seems to me that what this particular CMC is doing is soliciting a breach of the DPA. Of course, properly conducted law firms will baulk at the suggestion and refuse to play ball, but there are bad apples in every walk of life and some may be tempted. As such, this initiative goes to the heart of the malaise presently afflicting the personal injury sector.

Interestingly, however, harsher penalties are expected for data protection breaches following a review and new proposals by the European Commission. It is proposed that fines are to be linked to annual worldwide turnover of up to 2% (this could be a huge sum, depending on the size of the organisation), or may be as high as one million Euros for serious breaches. It is also proposed that the new law will apply to non-EU companies who market to or collect data about individual citizens based in the EU. Moreover, compulsory notification of data breaches is to be required: the Information Commissioner’s Office must be told of data breaches within 24 hours and the individuals affected without undue delay.

These and other proposed changes mean that data protection law may yet bite those who refuse to take it seriously.