Do individual barristers need their own privacy policies to be GDPR compliant?

It’s well known that barristers’ chambers, law firms and other organisations need to publish privacy policies on their websites, and there was a rush to update and expand these in the months leading up to May 2018 when the GDPR took effect.  But should individual barristers publish their own privacy policies on their personal profiles?

This is a question that clients have thrown at us a couple of times in recent months, so we have taken the initiative and given ourselves the task of finding out the answer!

What approaches are different chambers taking?

Short answer: a variety of things. Longer answer: a little research has shown a good number of chambers do have individual barrister’s privacy policies, but by no means are the majority of chambers ‘doing it that way’. The rest would appear to be using a chambers-wide privacy policy, but, in this instance, all members must have agreed to comply with this policy in order for it to be effective, and there are also some other hoops to jump through, as outlined below.

Official guidance

The Bar Council has published some helpful supporting documentation, and the Bar Standards Board appears to direct interested parties to these documents also. The salient points are:

1. Every individual self-employed practising barrister is a data controller. This means that every individual self-employed practising barrister must comply with these requirements. In order to comply with these requirements, individual barristers will need to give careful thought to a number of matters, including the period for which they retain emails and files relating to previous cases. As a data controller the ultimate responsibility for compliance lies with [the individual barrister]. In some situations that responsibility may be shared with the data processor.
   (Source: Introduction, point 4, GDPR Bar Council Guide for Barristers & Chambers Jan 2021)
2. It is possible for members of the same set of chambers to use a single chambers privacy notice, so long as each individual barrister complies with the requirement to notify data subjects of his or her identity and contact details.
   (Source: Question 10, GDPR: Frequently Asked Questions)

The Information Commissioner’s Office also has a wealth of information on its website. It has particularly useful data protection checklists for any data protection role you may undertake.  It also has a really helpful questionnaire to determine if your organisation needs a Data Protection Officer.

What are the privacy policy requirements for individual barristers?

There are three key scenarios to consider, and each needs to be covered by a privacy policy:

1. Barristers are self-employed individuals therefore; they are, by definition, data controllers. As data controllers, they are required to have a privacy policy and make it available to all those to whom it is relevant.
2. Barristers are members of chambers; it is more than likely that chambers will process data owned by its members; therefore, chambers is a data processor for its members’ data. As data controllers, barristers are required to notify any relevant parties of data processors handling their data.
3. Chambers will have its own data and, therefore, will also be a data controller of its own data.

It is possible for all members of a chambers to share a common privacy policy as long as there are no differences between them.  But if they do, they must also supply clients with their contact and other identity details.  If there are minor differences, then each barrister may publish a short notice outlining those differences.  If significant differences, they should publish their own policies.

It is therefore not required that each barrister publishes their own individual policy on their web profile, but it may be the easiest way of covering all bases and sharing the information easily.

So, how can we publish individual barrister privacy policies for each member?

Manual PDFs

The most popular method traditionally has been for clerks or managers to prepare a tailored privacy policy for each barrister and save it in PDF form, and then upload it to the members’ profile.  But this has considerable drawbacks:  each policy has to be uploaded separately;  if a small change like a phone number needs to be made to every policy, then every PDF has to be replaced;  and anyway PDFs aren’t mobile-friendly.

Standalone web-pages

Some chambers have created an additional page on their website for every barrister’s privacy policy, and added the personalised text there.  This is a mobile-friendly solution, and easier to edit than a PDF;  but again if you need to make a change across all policies then they may need to be edited one-by-one, and it also creates a lot of clutter in the page structure inside your content management system (CMS).

Individual barrister policy templating solution

A better solution is this:  if all barristers share largely the same policy text, differing only in certain personal details, then the text can be stored centrally in the CMS, and “merge tags” used to populate it with personal details such as name, ICO number and contact details for each barrister.  Each custom policy can then be automatically linked to the members’ web profiles.  This means the text need only be edited in one place, and no additional pages need creating.

Coupling this with a dynamic PDF generation system can offer an automated PDF download (in addition to, not instead of) the webpage version, for those who prefer it.  These can be useful if you include privacy policies in client onboarding packs.

How does the templated individual barrister’s privacy policy solution work?

Creating a templated privacy policy system is not as difficult or as time-consuming as you might think. Here are the steps to get you there:

1. Agree a structure: we can suggest a skeleton of subheadings around which to build your individual barrister privacy policies or against which to check your existing privacy policy for members.
2. Draft your policy: you can then craft the core privacy policy for all members to use.
3. Supply personal data: you give us barristers’ individual data (e.g. ICO numbers) in spreadsheet form.
4. Development: we code the page template and create the system to generate a policy for each member.
5. Testing: policies can be kept private and shared via encrypted link so that clerks or barristers can confirm the template appears as it should and that the individual data is presented correctly.
6. PDF generation (optional):  if required, we add the option for automated PDF versions, using an attractive branded template.
7. Go live: the policies are be made available on chambers’ website.

Next steps

If you would like us to set up a templated individual barrister privacy policy system on your WordPress website, please email [email protected].