It’s well known that barristers’ chambers, law firms and other organisations need to publish privacy policies on their websites, and there was a rush to update and expand these in the months leading up to May 2018 when the GDPR took effect. But should individual barristers publish their own privacy policies on their personal profiles?
This is a question that clients have thrown at us a couple of times in recent months, so we have taken the initiative and given ourselves the task of finding out the answer!
What approaches are different chambers taking?
The Bar Council has published some helpful supporting documentation, and the Bar Standards Board appears to direct interested parties to these documents also. The salient points are:
- Every individual self-employed practising barrister is a data controller. This means that every individual self-employed practising barrister must comply with these requirements. In order to comply with these requirements, individual barristers will need to give careful thought to a number of matters, including the period for which they retain emails and files relating to previous cases. As a data controller the ultimate responsibility for compliance lies with [the individual barrister]. In some situations that responsibility may be shared with the data processor.
(Source: Introduction, point 4, GDPR Bar Council Guide for Barristers & Chambers Jan 2021)
- It is possible for members of the same set of chambers to use a single chambers privacy notice, so long as each individual barrister complies with the requirement to notify data subjects of his or her identity and contact details.
(Source: Question 10, GDPR: Frequently Asked Questions)
The Information Commissioner’s Office also has a wealth of information on its website. It has particularly useful data protection checklists for any data protection role you may undertake. It also has a really helpful questionnaire to determine if your organisation needs a Data Protection Officer.
- Barristers are members of chambers; it is more than likely that chambers will process data owned by its members; therefore, chambers is a data processor for its members’ data. As data controllers, barristers are required to notify any relevant parties of data processors handling their data.
- Chambers will have its own data and, therefore, will also be a data controller of its own data.
It is therefore not required that each barrister publishes their own individual policy on their web profile, but it may be the easiest way of covering all bases and sharing the information easily.
So, how can we publish individual barrister privacy policies for each member?
Individual barrister policy templating solution
A better solution is this: if all barristers share largely the same policy text, differing only in certain personal details, then the text can be stored centrally in the CMS, and “merge tags” used to populate it with personal details such as name, ICO number and contact details for each barrister. Each custom policy can then be automatically linked to the members’ web profiles. This means the text need only be edited in one place, and no additional pages need creating.
Coupling this with a dynamic PDF generation system can offer an automated PDF download (in addition to, not instead of) the webpage version, for those who prefer it. These can be useful if you include privacy policies in client onboarding packs.
- Supply personal data: you give us barristers’ individual data (e.g. ICO numbers) in spreadsheet form.
- Development: we code the page template and create the system to generate a policy for each member.
- Testing: policies can be kept private and shared via encrypted link so that clerks or barristers can confirm the template appears as it should and that the individual data is presented correctly.
- PDF generation (optional): if required, we add the option for automated PDF versions, using an attractive branded template.
- Go live: the policies are be made available on chambers’ website.