Information Commissioner’s Office approves the first certification scheme for legal service providers

On 13 February 2024, the Information Commissioner’s Office (“ICO”) announced it had approved a new certification scheme directed at legal service providers who process the personal data of clients. With reports of increased numbers of cyber-attacks on law firms, Partners, Rosehana Amin and Tom White, take a look at the certification scheme and discuss what you need to know.

The certification scheme

The UK GDPR (and EU GDPR) provides for the establishment of certification “mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance”, which will be recognised by the supervisory authority – in the UK, the ICO. 

Certification is a voluntary process and must be administered in a manner that is transparent. However, whilst certification does not reduce the responsibilities of a controller or processor, it can be used to demonstrate the existence of appropriate safeguards. 

The Legal Services Operational Privacy Certification Scheme (“LOCS:23”), developed by 2twenty4 Consulting Ltd, is the fifth certification scheme to be approved by the ICO, and the world’s first certification scheme for legal services. It is "intended to become the “kite mark” for Legal Service Providers”, such as law firms, solicitors, and barristers. 

The purpose of LOCS:23

As noted within LOCS:23, the provision of legal services often involves large amounts of, often Special Category and highly confidential, data. As such, the value of this data “has been recognised by hackers which can be seen in the significant increase in technical attacks including phishing, impostor emails and ransomware.” 

(Re)insurance group, Chaucer, recently reported that UK law firm data breaches jumped 36% in the past year to 226 incidents, as hackers target sensitive client data. It says that the attacks against law firms have been driven by a belief amongst hackers that law firms are particularly vulnerable to ransomware attacks and threats from hackers to publish stolen information online. 

Scope and requirements

LOCS:23 applies to both data controllers (such as law firms, solicitors, and barristers), processors and/or sub-processors (such as software providers and inter alia, external consultants), who may assist with relevant processing activities. 

The scope of LOCS:23, primarily, applies in relation to the processing of personal data held within client files. However, data processors and/or sub-processors may also be used within legal supply chains and as such, legal service providers are “obliged to ensure the privacy and security of Client Personal Data when selecting and using third-party service providers or sub-processors.”

The LOCS:23 standard encompasses mandatory positive and negative obligations, and best practice recommendations, focused on five core control areas mapped to GDPR requirements: 

• Organisation and File Governance

  • Organisations will need to demonstrate that they have the required governance model for the Client File in place and that all relevant policies are documented and made available to employees. This will include creating a Privacy Council (for data controllers), considering whether a Data Protection Officer is necessary, ensuring that data protection principles are applied and documenting a Data Protection Policy, amongst others. 

• Client Rights

  • The GDPR provides for numerous data subject rights, such as the right to access data and the right to the erasure of data. Subsequently, in order to fulfil their legal obligations, organisations seeking certification must be able to demonstrate that they are able to provide and honour these rights. 

• Operational Privacy

  • Organisations must be able to demonstrate that they are applying the technical and operational controls to ensure that Client File data will be protected. This may include determining whether Data Protection Impact Assessments are required, documenting Records of Processing Activities, and outlining a personal data breach notification process. 

• Third Party Suppliers & Data Sharing 

  • When handling client data, third parties should be able to provide protections and safeguards to an “equivalent level (or better)” than what is provided by the organisation itself. Additional safeguards may also be required where third-party cross-border data sharing is necessitated.

• Monitoring & Review

  • The last section of the standard is centred around enabling organisations to demonstrate that they are monitoring the implementation of LOCS:23 controls through the use of regular audits.

Is accreditation worth it?

The LOCS:23 standards for certification are lengthy, covering over 60 pages of detailed requirements and expectations, as they seek to implement steps to ensure GDPR compliance. In addition, those organisations seeking certification will be required to undertake numerous steps, such as evidencing controls, prior to being approved by an accredited LOCS:23 certification body. 

Data controllers and processors, including legal service providers, are already obliged by the GDPR to undertake measures and meet expectations in relation to data protection. As the certification scheme is based on these requirements, it could be suggested that nothing new has been added to these existing obligations.

However, accreditation may offer some benefits. LOCS:23 states that accreditation should help to develop a “robust and manageable accountability framework” which is measurable and auditable.  Not only should that reduce the risk of incidents, but it also will enable legal service providers to provide straightforward evidence to clients that they have strong data protection systems in place. The ICO has endorsed this, noting that for clients, it can provide reassurance that the firm is “committed to looking after their personal details.” Giving confidence to clients is important, given that one reason the standard has been developed was “in response to Client concern [and] Senior Management feedback”. 

Additionally, the standards provide guidance for legal service providers to ensure a robust approach is adopted not only within the organisation, but also with managing supply chain risks where outsourced service providers are relied upon.

Another important consideration is that, in the event of a data incident, the ICO may consider certification as a mitigating factor when considering enforcement action since a legal service provider will be in a position to evidence that it had strong information security in place by way of accreditation.  Similarly, if a legal service provider is threatened with a liability claim following a cyber incident, LOCS:23 certification ought to give the provider good grounds to argue that it had taken all steps reasonably required – at least in terms of its data protection infrastructure – and therefore should not be held liable for losses suffered as a result of the incident. 

Our conclusion

Whilst complying with the certification scheme may be onerous, legal service providers should consider whether it is worth putting in the effort required to acquire accredited status, given that it may (i) bring confidence to clients, (ii) potentially serve to mitigate any regulatory scrutiny from the ICO (or another regulator) or liability risks in the event of a cyber breach incident, and (iii) assist with managing supply chain risks by promoting best practice with vendors/service providers.