Case management and GDPR compliance for lawyers
Lawyers need to handle client data securely. Data must be available in the right places, at the right time, but we must of course also comply with the GDPR. This article is about the aspects of GDPR compliance to be considered when using both a case management system and Outlook in legal work.
The toughest challenge: email
Let’s begin with the part where the GDPR normally causes most trouble for lawyers: email. Most lawyers write emails in Outlook, and when we start typing ‘he’ in the recipient field, Outlook immediately suggests ‘Henrik’. The question is whether the Henrik Outlook has in mind is the right one.
Having auto-completion of email recipients turned on is one of the greatest GDPR compliance risks: an email that goes to the wrong recipient is a personal data breach, and one that may have to be reported to the supervisory authority within 72 hours. No doubt most lawyers think it’s only other people who make mistakes, but anyone can fall into the trap when things are busy, and we have seen a great many emails sent to the wrong recipients for this reason. Turning the suggestion list off, or at least emptying it of stale addresses, removes most of the risk.
The case management system contains a great deal of data that is regulated by the GDPR. The system can of course help with GDPR compliance, but there are still many decisions that have to be assessed by the lawyers.
When is a case obsolete? And who then is to assess whether an obsolete case should be erased or just anonymized?
The same applies to clients and parties. Should an obsolete client or party be anonymized or deleted altogether? It depends on the situation.
Where is sensitive personal data stored?
Sensitive personal data obviously exists on cases, clients and parties, and it can sit in many different places. There may be a social security number on the case card, or the case may be recorded as concerning a particular disease or something else of a sensitive nature.
But where else is sensitive personal data stored?
What about former employees? This is an area that particularly calls for anonymization rather than deletion, because very old time registrations may still be needed as documentation later on.
The time registrations themselves, and the posted entries, may say something like ‘collection of doctor’s note re mental illness diagnosis’. That, too, is sensitive personal data.
Then there is all the data stored outside the case management and ERP systems, such as the documents in a document solution (e.g. SharePoint) or on a file share. Those documents naturally contain a great deal of personal data.
Nor is it certain that only searchable documents are involved. There may be audio files or video recordings of case hearings, for example, and those are much harder to search by name or personal details. And what about email attachments: how are those to be caught?
Deletion has consequences
When you start anonymizing and deleting data in practice, a number of challenges crop up.
We ourselves have built GDPR features into our case management system, Navokat. The aim is of course to give lawyers as much support as possible in anonymizing and erasing data, but every decision requires an individual assessment, so unfortunately only part of the process can be automated.
We have built logic into the system that suggests cases for deletion according to criteria you set up yourself; for example, you can ask it to propose cases that were archived more than X years ago. The lawyer then looks through the suggestions and chooses what to delete.
Unfortunately, we have already known a customer to put too much faith in the system’s suggestions and end up erasing cases that should not in fact have been erased. And now the data is gone. It is completely gone, because, if there were an ‘undo’ feature, we would not be complying with the GDPR.
When you choose to delete a case, it is not just the case card and the journal that go. Clients, parties and all the documents associated with the case may go with it, along with time registrations and posted entries – everything in the belly of the ERP system.
Deleting a case is a weighty decision. It is required under the GDPR, but you must be sure that you understand the consequences when making your decision.
Some cases must be anonymized – not deleted
Basically, the most important parameter is time. When cases are so old that there is no longer any purpose in keeping them, they should be deleted; that is the GDPR’s storage limitation principle. Some lawyers take this to mean 10 years, others 5 years. Opinions vary, but time is always the most important criterion.
Not everything should be deleted, though. If you have a good reason to retain data, you can do so. A good reason may be, for example, that the case concerns issues of principle or attracts press or official attention.
Cases involving issues of principle must not be deleted, of course – but they may need to be anonymized at some point.
Again, it will be a matter of judgement whether it is of fundamental importance that a particular name appears in the case or whether the name can be anonymized. This is another judgement that your IT solution unfortunately cannot help with.
And the challenge of anonymization gets worse still.
If we are going to anonymize Peter Petersen, a witness in a case, we can certainly search for his name. In some places, it only says P. Petersen or Mr Petersen. And on page 37 of a document, it says ‘the bicycle shop owner’, which of course everyone knows means Peter Petersen, because it’s a small town with only one bicycle shop. This mention needs to be anonymized, too.
It is hard to make an IT system recognize that ‘the bicycle shop owner’ refers to Peter Petersen, so this is another job where technology is of little help. The system would not only have to recognize ‘the bicycle shop owner’ as a reference to a person; it would also have to judge whether, for this particular mention, it matters that the reference is to the bicycle dealer. That requires either some serious artificial intelligence or many hours of manual research.
How mature is your IT system?
The ways your IT systems can help you with deletion and anonymization fall into four levels:
- Level 1 is when the system suggests cases for you to assess.
- Level 2 is when the system can carry out deletion of the cases, including posted entries and documents, that you choose to delete.
- Level 3 is when the system can perform anonymization of cases according to search criteria chosen by you. It’s a sort of search-and-replace in the case management system.
- Level 4 is when the system can use artificial intelligence to find all the sensitive references, as in the ‘bicycle shop owner’ example.
The vast majority of systems are at levels 1 and 2. We can’t name any at all that are at level 4, or that have any prospect of reaching it. Even if a system covered all four levels, though, much of the responsibility for GDPR compliance would still rest with the lawyers, who must judge what is to be done in each individual case.
That’s enough about deletion and anonymization. Another topic that can create a big workload for lawyers is that of access requests.
Anybody can apply to us and ask to be told what we know about them, and the GDPR normally requires an answer within a month. Then we take an employee off the shop floor to sit and leaf through documents for the places where that person is mentioned. If many such access requests come in, it can be utterly daunting for an ordinary law practice. This is another thing we need help from the system with.
In principle, the challenge is the same as with anonymization. We have to be able to find data in every nook and cranny of cases and documents. The IT challenge is the same, and it is technologically hard to solve.
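As an added example (not code from Navokat or from the original article), here is the Level 3 ‘search-and-replace’ approach in Python, used both for finding every mention of a person for an access request and for anonymizing a witness. The names, the sample document and the function names are all constructed for illustration. It catches the name variants the page lists (‘Peter Petersen’, ‘P. Petersen’, ‘Mr Petersen’), but the indirect reference ‘the bicycle shop owner’ is only found because a lawyer has added it to the subject’s alias list by hand, which is exactly the gap the text describes:

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Subject:
    """A person whose mentions must be found (access request) or replaced (anonymization)."""
    first: str
    last: str
    # Indirect references such as "the bicycle shop owner" cannot be derived from the
    # name; a lawyer who knows the case has to supply them by hand.
    manual_aliases: List[str] = field(default_factory=list)

    def patterns(self) -> list:
        f, l = re.escape(self.first), re.escape(self.last)
        pats = [
            rf"\b{f}\s+{l}\b",                           # Peter Petersen
            rf"\b{re.escape(self.first[0])}\.\s*{l}\b",  # P. Petersen
            rf"\b(?:Mr|Mrs|Ms|Dr)\.?\s+{l}\b",           # Mr Petersen (surname only: can over-match relatives)
        ] + [re.escape(a) for a in self.manual_aliases]
        return [re.compile(p, re.IGNORECASE) for p in pats]


def find_mentions(text: str, subject: Subject) -> List[Tuple[int, str]]:
    """Every (line number, matched text) hit: the longlist a lawyer reviews for an access request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in subject.patterns():
            hits.extend((lineno, m.group(0)) for m in pat.finditer(line))
    return hits


def pseudonymize(text: str, subject: Subject, placeholder: str) -> str:
    """Level 3 search-and-replace: swap every recognised mention for a placeholder."""
    for pat in subject.patterns():
        text = pat.sub(placeholder, text)
    return text


# Constructed sample document (not from a real case).
DOCUMENT = """\
Witness statement.
Peter Petersen stated that he saw the accident from his shop.
P. Petersen confirmed this in a later interview, as did Mr Petersen's assistant.
On the day in question the bicycle shop owner closed early.
"""

NAME_ONLY = Subject("Peter", "Petersen")
WITH_ALIAS = Subject("Peter", "Petersen", manual_aliases=["the bicycle shop owner"])

if __name__ == "__main__":
    for subj in (NAME_ONLY, WITH_ALIAS):
        print(len(find_mentions(DOCUMENT, subj)), "mentions")   # 3, then 4
    print(pseudonymize(DOCUMENT, WITH_ALIAS, "[WITNESS A]"))
```

Two things to notice: the surname-only pattern will also hit a relative with the same surname, so the hit list is a longlist for a person to review rather than a final answer; and without the manually added alias the anonymized document still says ‘the bicycle shop owner’, which in a small town identifies the witness just as well as his name.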
Who can actually do what?
There are many sub-tasks in this area, and the question is: who can actually do what in your organization? When you have a delete button available, it is no good if anyone can accidentally press it and make the data vanish into thin air.
- The first task is identification. This involves producing a longlist of cases and data that may need to be deleted. This is very much a job for the IT systems, and it is OK for most people in the organization to have access to the longlist.
- The next task is assessment of the longlist. Here, lawyers with knowledge of the particular cases must assess which of them are to be deleted or anonymized. There may need to be internal processes governing how long past its deadline a deletion can be delayed without involving a partner in the decision.
- And then we come to the deletion itself. Who is to have the authority to press the delete button, and who will be authorized to delete a case? We believe careful consideration should be given to whether, for example, final deletion should require approval by a partner.
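As an added example (not Navokat’s code), the three tasks above as a small Python workflow that enforces who may do what: anyone can run identification, only a lawyer or partner can assess, and final deletion needs a partner who did not make the assessment. The two-person rule, the role names, the sample cases and the ten-year retention period are assumptions of this example. Cases flagged as concerning an issue of principle can be assessed for anonymization but never for deletion, deletion takes the documents and time entries with the case card, and every step is written to an append-only audit list of the kind the ‘Who has accessed what?’ section asks for:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Case:
    case_id: str
    archived: Optional[date]   # None = still open, never a deletion candidate
    principle: bool = False    # issue of principle: may be anonymized, never deleted

@dataclass
class User:
    name: str
    role: str                  # "staff", "lawyer" or "partner" (assumed role names)

DECISIONS = ("keep", "anonymize", "delete")

class DeletionWorkflow:
    def __init__(self, retention_years, today):
        self.cutoff = today - timedelta(days=365 * retention_years)
        self.assessed = {}     # case_id -> (decision, name of the assessing lawyer)
        self.audit = []        # append-only: (who, role, action, case) for every step

    def _log(self, user, action, case_id):
        self.audit.append((user.name, user.role, action, case_id))

    # Task 1, identification: mechanical, so any user may run it.
    def identify(self, user, cases):
        longlist = [c for c in cases if c.archived is not None and c.archived <= self.cutoff]
        self._log(user, "identify", ",".join(c.case_id for c in longlist))
        return longlist

    # Task 2, assessment: a lawyer who knows the case decides; the system only enforces rules.
    def assess(self, user, case, decision):
        if user.role not in ("lawyer", "partner"):
            raise PermissionError(f"{user.name} ({user.role}) may not assess cases")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if case.principle and decision == "delete":
            raise ValueError(f"{case.case_id} is an issue of principle: keep or anonymize, never delete")
        self.assessed[case.case_id] = (decision, user.name)
        self._log(user, "assess:" + decision, case.case_id)

    # Task 3, deletion: partner only, only after a "delete" assessment, and (an assumed
    # two-person rule) never by the person who made that assessment.
    def delete(self, approver, case, store):
        if approver.role != "partner":
            raise PermissionError(f"{approver.name} ({approver.role}) may not delete cases")
        decision, assessor = self.assessed.get(case.case_id, (None, None))
        if decision != "delete":
            raise RuntimeError(f"{case.case_id} has not been assessed for deletion")
        if assessor == approver.name:
            raise PermissionError("the approving partner must not be the assessing lawyer")
        # Irreversible: the case card and every record hanging off it go in one step.
        removed = {t: rows.pop(case.case_id, None) is not None for t, rows in store.items()}
        self._log(approver, "delete", case.case_id)
        return removed

def outcome(action, *args):
    """Run an action and report 'ok' or the name of the rule it tripped."""
    try:
        action(*args)
        return "ok"
    except (PermissionError, ValueError, RuntimeError) as exc:
        return type(exc).__name__

# Constructed sample data (not from a real practice); ten-year retention is an assumption.
TODAY = date(2024, 1, 1)
CASES = {c.case_id: c for c in [
    Case("old-routine", date(2010, 3, 1)),
    Case("old-principle", date(2012, 6, 1), principle=True),
    Case("recent", date(2022, 1, 1)),
    Case("open", None),
]}
STAFF, LAWYER, PARTNER = User("anne", "staff"), User("henrik", "lawyer"), User("mette", "partner")

def build_store():
    """The case card plus the records that hang off it, each table keyed by case id."""
    return {
        "cases": dict(CASES),
        "documents": {k: [f"{k}-statement.pdf"] for k in CASES},
        "time_entries": {k: [("2h", "file review")] for k in CASES},
    }

def run_demo():
    wf, store = DeletionWorkflow(10, TODAY), build_store()
    longlist = wf.identify(STAFF, CASES.values())           # old-routine, old-principle
    wf.assess(LAWYER, CASES["old-routine"], "delete")
    wf.assess(LAWYER, CASES["old-principle"], "anonymize")  # "delete" would be refused
    wf.delete(PARTNER, CASES["old-routine"], store)         # gone from every table
    return wf, store, longlist
```

The point of the design is that the identification step can be generous (it lists the principle case too, so that a lawyer sees it) because nothing is removed until two different roles have acted, and the audit list records who did what even though the deleted data itself is gone for good.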
Who can see what?
Data protection also involves securing data against disclosure to unauthorized persons. How do we ensure that nobody in the company happens to see anything they shouldn’t?
Of course, IT security must be under control so that attackers cannot steal data and sell it, or remove it from the system and demand payment for its return, as has been known to happen. Unfortunately, we see a great many failed login attempts on remote desktops running the Navokat solution, where software is trying usernames and passwords by trial and error to gain access. This is a threat that everybody should be taking seriously: remote desktop should not be reachable directly from the internet, accounts should have multi-factor authentication and lockout, and a burst of failed logins from one source should raise an alert.
On the internal front too, though, we quite simply must ensure that only the right staff have access to data. Should all users in the office have access to all data on all cases, or can restrictions be devised that meet GDPR requirements without getting in the way of day-to-day business?
Similarly, thought should be given to whether the external IT supplier needs unrestricted access to data at all times. They must of course be able to provide support and fix IT problems, and for that it may make sense to grant them time-limited, logged access when needed, but the supplier does not need free access all the time.
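As an added example (not part of the original article or of Navokat), a small Python detector for the trial-and-error remote desktop logins described above, run over constructed sample records shaped like Windows Security event 4625 (failed logon). The IP addresses, user names and timestamps are made up. It raises one alert per source for a burst of failures against the same account, and a separate one for password spraying, where a source tries a few passwords against many different accounts and so stays under a per-account lockout threshold:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): the fields a SIEM would pull from Windows
# Security event 4625 (failed logon). LogonType 10 is RemoteInteractive (RDP); RDP with
# Network Level Authentication records the failed attempt as type 3 (Network) instead.
EVENTS = [
    # (timestamp, source IP, target user, logon type)
    ("2024-03-01T01:30:00", "192.0.2.9",     "jdoe",          10),  # a user mistyping a password
    ("2024-03-01T01:45:00", "-",             "jdoe",           2),  # console logon: not RDP, ignored
    ("2024-03-01T02:00:00", "192.0.2.9",     "jdoe",          10),
    ("2024-03-01T02:00:01", "203.0.113.7",   "administrator",  3),  # one account hammered
    ("2024-03-01T02:00:09", "203.0.113.7",   "administrator",  3),
    ("2024-03-01T02:00:17", "203.0.113.7",   "administrator",  3),
    ("2024-03-01T02:00:25", "203.0.113.7",   "administrator",  3),
    ("2024-03-01T02:00:33", "203.0.113.7",   "administrator",  3),
    ("2024-03-01T02:00:41", "203.0.113.7",   "administrator",  3),
    ("2024-03-01T02:10:00", "198.51.100.23", "administrator",  3),  # slow spray: few attempts,
    ("2024-03-01T02:11:30", "198.51.100.23", "receptionist",   3),  # many different accounts
    ("2024-03-01T02:13:00", "198.51.100.23", "jdoe",           3),
]

RDP_LOGON_TYPES = {3, 10}


def detect(events, threshold=5, window=timedelta(minutes=5), spray_users=3):
    """Flag each source IP at most once per kind: 'bruteforce' (>= threshold failures
    inside `window`) or 'spray' (>= spray_users distinct accounts inside `window`).
    Events may arrive out of order; they are sorted by timestamp first."""
    recent = defaultdict(deque)   # source IP -> (time, user) failures still inside the window
    fired = set()
    alerts = []
    for ts_str, src, user, logon_type in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:          # slide the window forward
            q.popleft()
        users = sorted({u for _, u in q})
        checks = (("bruteforce", len(q) >= threshold), ("spray", len(users) >= spray_users))
        for kind, hit in checks:
            if hit and (src, kind) not in fired:
                fired.add((src, kind))
                alerts.append({"src": src, "kind": kind, "at": ts_str,
                               "attempts": len(q), "users": users})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The legitimate user who mistypes twice half an hour apart trips nothing, the hammered administrator account is flagged on the fifth attempt, and the slow spray is flagged on the third distinct account even though only three attempts were made. In a real deployment the events come from the domain controllers or the RDP gateway through the SIEM, and the alert should feed a block or lockout, not just a report.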
Who has accessed what?
It is of course also important to be able to document how each user has exercised his or her access rights. Who has viewed what data, and when?
It is important to have this access log to enable data protection compliance to be documented and access requests to be answered satisfactorily.
Where are you up to in the GDPR process?
There is a lot to bite off if a law practice is to conform to every single aspect of the GDPR. Another contentious issue is how much a small practice with few resources can reasonably be expected to achieve when the technology cannot yet help in every area.
But the first step is to take stock so that you know where you are up to, and then to plan how big you want your ambitions to be in the GDPR area.
If you need someone to act as a sounding board on GDPR issues in relation to case management systems, we will be happy to have a conversation without it costing you a penny. We are always up for a debate on one of the topics currently looming large for lawyers.