On 23rd March 2020, when the Prime Minister announced that “people will only be allowed to leave their home for very limited purposes”, there was a myriad of possibilities available to the Bar which fell in the continuum between two stark options: give-up; or carry-on. Whether it was bravery, pragmatism or necessity which drove courts, tribunals, chambers, and solicitors’ firms to enthusiastically adopt remote working, the impact is clear: things will never be the same. We shall continue to “work from home”, and as the legal profession surrenders its leases to downsize its office footprint, the advantages of virtual conferences and hearings will be firmly grasped and we will all be required to develop a space from which we can efficiently and, most importantly, securely work.
So, what are the considerations for a secure virtual space? What risks arise from working at home which were not present when cloistered in chambers? And what are the impacts and liabilities from failing to meet the requisite standards?
While the thought of becoming a barrister/IT professional may be daunting to some, the considerations that now apply in this brave new world are similar (in fact they are almost identical) to the issues that chambers faced in 2019. The only difference is that now each individual barrister must seize the mantel rather than delegating their personal responsibility to the designated “IT genius” or “tech wiz”.
The consequence of this is that every barrister whether employed or in chambers in 2019 knows, through their work, someone who is able to help or assist with setting-up their virtual office. If, in 2019, chambers had a data protection officer (“DPO”) then this person will be able to point you towards the “appropriate technical and organisational measures” which must apply in your home work space. If it was the company or firm IT department that set-up your office network, then this department should be available to address the technical security considerations which will apply to remote working.
However, those working at the self-employed Bar will be registered, as an individual, with the Information Commissioners Office, and will be personally liable for any fine (up to €20million) that could result from a personal data breach. Employed barristers must ensure that their work-place is secure as part of their employment contract. Therefore, this article sets-out five practical steps to achieving data protection and security when working remotely:
1. Ensure that your computer is encrypted
Encryption was a pre-requisite to secure data management before the coronavirus outbreak so many work laptops/desk-tops will already be encrypted. Apple products come with encryption by default (FileVault). To check whether your iMac is encrypted simply go to ‘System Preferences’. If your iMac is not encrypted with FileVault, choose Apple menu > System Preferences, click Security & Privacy, then click FileVault. Open the FileVault pane for me, and Click Turn On FileVault. You might be asked to enter your password. Choose how to unlock your disk and reset your login password if you forget it: Click Continue. It really is very straight-forward.
If available, encrypting a device running Windows 10 is not significantly more difficult than with Apple’s FileVault. However, encryption is not necessarily installed by default, and Windows 10 Home edition will not have BitLocker, the Microsoft equivalent to FileVault.
To turn on device encryption on Windows, sign-in with an administrator account. Select the Start button, then select Settings > Update & Security > Device encryption. If Device encryption does not appear then it is unavailable but you may be able to use standard BitLocker encryption instead. If encryption is available, open device encryption setting and turn encryption to ‘on’.
Standard BitLocker encryption can be accessed through the search box on the taskbar. Type ‘Manage BitLocker’ and then select it from the list of results. Alternatively, this can be accessed through Control Panel, selecting System and Security. Once you have accessed BitLocker, select ‘Turn on BitLocker’ and follow the instructions.
2. Be careful if you are sharing a computer.
When working from home it may be tempting to use the desktop which is set-up in the living room rather than sitting on a sofa or bed with a laptop on your knees. While ergonomically a desk with a proper office chair is advisable, shared computers must have separate account spaces for each user; and your account should be the only one with administrator access. Confidentiality is also essential particularly in remote conferences or hearings. Screens should not be visible and access should be locked, whether by closing a laptop or putting a desktop into ‘sleep’, whenever you step away from your machine.
Virus software and operating systems should be regularly updated if the computer is being used by multiple people. A shared computer is more susceptible to malware and viruses as there are likely to be separate email accounts to be targeted by phishing emails. Further, download files (games; music; video) from public websites are more likely to include malicious software than Word or Excel files from trusted sources.
3. Use secure video conferencing
While Zoom may be the perfect app for the online pub-quiz with the whole extended family, the Terms of Service provide Zoom with the authority to record anything captured within a Zoom meeting:
‘Recordings. You are responsible for compliance with all recording laws. The host can choose to record Zoom meetings and Webinars. By using the Services, you are giving Zoom consent to store recordings for any or all Zoom meetings or webinars that you join, if such recordings are stored in our systems. You will receive a notification (visual or otherwise) when recording is enabled. If you do not consent to being recorded, you can choose to leave the meeting or webinar’
It is highly likely that your instructing solicitor or employer will have a preferred video conferencing application. However, if not, Microsoft Teams or Skype are easy options which maintain confidentiality.
4. Maintain back-ups and decent broadband
Many chambers or employers will automatically back-up files to a specific server whether you are on the premises or remote working. If that is the case, ensure that your home broadband is sufficient to allow for regular back-ups while you are able to continue to work. Inadequate bandwidth may mean that you have to back-up at less regular intervals. Contact your IT administrator to arrange this if it cannot be completed locally.
If you are not able to back-up to a central server, then arrange for an alternative approach. Whether you opt for a physical back-up to a separate hard-drive or a cloud-based option will likely depend on how long you intend to remain working remotely. A cloud-based approach is more flexible but does come with additional security risk. For example, using a cloud service which maintains servers in the US will not be compliant with GDPR.
5. Consider physical security
The online environment is the essence of remote working but physical security is equally important. If you choose to back-up to an external hard-drive this must be kept securely. Similarly, physical documents which are confidential, or to which privilege applies, must be kept in a locked filing cabinet, at least, with secure rooms and house alarms also worth consideration.
Remote, virtual, working is not going away. The Bar Council has provided detailed guidance on secure working in the context of Covid-19. Review the guidance which is available, in anticipation of a continued pattern of working at home, because the best advice is to act now to avoid problems in the future.
Sam Thomas, Bar Council IT Panel
Blog | 4 Feb 21