Data Protection and e-mail security

 In Comment

Disclaimer: LawSkills provides training for the legal industry and does not provide legal advice to members of the public. For help or guidance please seek the services of a qualified practitioner.


For many years data protection and email security has been quite straightforward as you kept all the data in the office and you have physical security methods. However with the increasingly mobile society that we live and work in things have changed considerably.

The Rules

The Data Protection Act 1998 (the Act) requires anyone who handles personal information to comply with a number of important principles. It also gives individuals rights over their personal information. Individuals have a wide range of rights under the Act, including access, compensation and the prevention of processing.

If you handle personal information, you have a number of important legal obligations.

FREE monthly newsletter

Wills | Probate | Trusts | Tax  | Elderly & Vulnerable Client

  • Relevant learning and development opportunities
  • News, articles and LawSkills’ services
  • Communications which help you find appropriate training in your area
  • In the UK you are obliged to be registered with the Information Commissioner’s Office (ICO)
  • Pay an annual fee if you are processing data other than say an address book for personal use or just say staff records
  • The office must be notified of the type of data you are processing and the purpose
  • If the type or purpose of the data changes then this must be updated with the ICO.

The Data Protection register is a matter of public record and is open to inspection as it is a basic principle of data protection that the public should know (or should be able to find out) who is carrying out the processing of personal information as well as other details about the processing (such as for what reason it is being carried out).

Failure to register is a criminal offence.

The regulations in Europe under Directive No 95/46/EC set out seven key principles that relate to date processing and protection for the subject whose data is being processed.

  1. Notice-The person must be notified when data is being collected about them
  2. Purpose- The data collected can only be used for the stated purpose given when getting permission to collect the data
  3. Consent-You agree that you will as a data processor not disclose that data without the subjects consent
  4. Security- The data should be held securely from abuses
  5. Disclosure-It must be disclosed who has collected the data
  6. Access-The subject must be given access to the data for which a reasonable fee may be charged and the subject should be able to make corrections to the data
  7. Accountability-There should be a method to hold the data collectors accountable for the above requirements being met.

If it is an issue relating to Health then under Article 8 then extra rules apply.

So those are the rules but what is the reality? Do you have e-mails not only on the office computer but on your laptop, your phone, your iPad?


Sorry not the crumbly kind that taste nice but little devices that websites like to install on PCs which can track the user’s movements on the internet and in particular on the site being used. In order to comply with the new rules from 26th May 2011, a site must have explicit consent from the user to install cookies on their machine. If your firm’s site does not currently do this and uses cookies you will now be in breach of the rules. The Information Commissioner is aware of the many arguments that have run on this and enforcement is likely to be delayed. However why take the chance, get your IT department to make your site compliant now.

The Reality

While maintaining security in an office can involve keys and security passes; your data, when mobile is far more vulnerable, so what should you as a firm be doing to ensure that data is being kept securely?

  1. Make sure that you know which employees have remote access and keep this strictly limited so any documents are saved back on your server and not on the home PC. One way to do this is to use “Log me in” which is a secure way to access a computer remotely. The link for more information is
  2. Make sure that employees have their own passwords and these are regularly changed as this will make it easier to trace any breaches
  3. Only allow e-mails to be synched with work owned phones and make sure these are set up with password protection
  4. Make sure laptops and other mobile devices are password protected.
  5. Make sure data is encrypted when it is in transit so it cannot just be intercepted and read.
  6. Have a “kill” type program set up. What this does is enables all data to be erased remotely if a phone or other device is stolen. Possible programs for this include:-
    1. a. Lookout Mobile security that backs up your device too. This works with Android Blackberry and Windows Phones. The basic version is free and the website link is
    2. Mobiwee offers a slightly different app but includes the ability to trace your phone now that could be annoying for the thief! This works with Android, iPhone, Windows Phones and is beta testing with Blackberry at the moment. Here’s the link if you want to learn more
    3. FN Suite Anti-theft –This one only works on Nokia phones and the list can be found here
    4. FindMyiPhone from Apple is free software that can trace your phone and allows you to remotely wipe it. It works very well but only works for iPhones and iPads.
  7. Be wary of use in Public HotSpots. Most of these use open WiFi connections that means your data is unencrypted between your device and the WiFi hotspot. You can secure your connection by using a Virtual Private Network to connect to your office.

If you fail to comply be aware the penalties are not cheap.

The LawSkills Monthly Digest

Subscribe to our comprehensive Monthly Digest for insightful feedback on Wills, Probate, Trusts, Tax and Elderly & Vulnerable client matters

Not complicated to read  |  Requires no internet searching |  Simply an informative pdf emailed to your inbox including practice points & tips

Subscribe now for monthly insightful feedback on key issues.

All for only £120 + VAT per year
(£97.50 for 10+)

Lawskills Digest
Recent Posts