Proctor : March 2018
• Staff procedures: Detailed and robust staff procedures – and training in those procedures – should be implemented around data security, including taking data off-site in storage devices.
• Remote deletion: Electronic devices such as phones and laptops should allow remote deletion if lost/stolen.
• Use of USBs: If staff are to store client data on USBs and take them off-site, those USBs should be encrypted. In addition, the firm should provide the USBs, keep a register of them – and what data is on them – and have them signed in and out to ensure their whereabouts are always known.
• Brand electronic devices: All work devices and property capable of data storage should carry the firm name and contact details, to ensure they can be easily returned if found.
• Routines/checklists: Develop and utilise mental checklists to go through when leaving areas such as hotel rooms or boarding lounges (for example, before boarding a plane, check off boarding pass, wallet, home phone, work phone).

As no prevention regime is foolproof, also ensure that you have a data breach response plan in place, and that staff are aware of it. It is beyond the scope of this article to cover such a plan, but useful assistance can be found in the privacy law section of the Office of the Australian Information Commissioner (OAIC) website at oaic.gov.au.

Conclusion

Data breaches are not an IT issue; they are a process and procedure issue, and one which will affect large numbers of law practices. We stand at a time of fundamental change to the way we do business; the value of client data and private information – and the damage that can flow from disclosure – means that, regardless of size, turnover and resources, law firms will be expected to provide high levels of data security and comply with strict standards in relation to data management.
In the United States, a growth industry in auditing and ranking the cyber-security measures of law firms has sprung up almost overnight, with savvy clients now insisting on a certain rating being achieved before doing business. We can expect a similar system to evolve here.

Data security is quite literally an existential issue for law firms. Not since the implementation of practice management qualifications in the 1980s have we seen such a seismic shift in the way practices are managed, and no doubt more is on the way. This scheme, and the anti-money laundering regimes, are the tip of the iceberg, and practitioners can be certain that the bar on what constitutes best practice will be raised in many areas.

The time to get on top of these issues is now. And be careful not to throw out filing cabinets before checking that they are empty.

Privacy law

Christine Smyth is immediate past president of Queensland Law Society and partner at Robbins Watson Solicitors. Shane Budden is an ethics solicitor at the QLS Ethics Centre.