Looking Further at the Ethical Implications of eDiscovery
For many organisations, the ethical aspects of eDiscovery may not be a priority, but they should be taken into full consideration – we explain why.
In a previous article entitled “The Only Way Is Ethics When It Comes To eDiscovery”, we looked at how eDiscovery fits with the ethical requirements of the American Bar Association Model Rules of Professional Conduct, the California State Bar ethics opinion, and the UK Civil Procedure Code (CPR) part 31, which relates to the disclosure and inspection of documents. There are, however, several other important ethical benefits and implications regarding the use of eDiscovery in legal cases, both for the client in terms of security, privacy, and confidentiality, and for the law practitioner’s adherence to the SRA rules and regulations.
The implications of the Data Protection Act 2018 on eDiscovery
The General Data Protection Regulations (GDPR) have, among many other benefits, promoted a greater level of ethical data use by private and public organisations across the EU. That being said, in the UK, when it comes to data processing for electronic disclosure, there are specific exemptions afforded by the Data Protection Act 2018 (DPA) in s2 part 1 section 5. This section of the DPA states that specific GDPR provisions do not apply to personal data where disclosure of data is necessary for:
- the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
- the purpose of obtaining legal advice, or
- the purposes of establishing, exercising or defending legal rights, to the extent that the application of those provisions would prevent the controller from making the disclosure.
The GDPR provisions which do not apply in this context include rights relating to:
- personal data collected from data subject: information to be provided
- personal data collected other than from data subject: information to be provided
- confirmation of processing, access to data and safeguards for third country transfers
- restriction of processing
- notification obligation regarding rectification or erasure of personal data or restriction of processing
- data portability
- objections to processing
It is crucial to remember that just because there are some exemptions on the application of data protection law when it comes to eDiscovery, this does not mean that those handling ESI do not have to ensure the security of the data they hold. As such, controllers and processors are still required to adhere to DPA/GDPR rules designed to ensure the security of processing, including “implement[ing] appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data”.
Ensuring adherence with SRA Standards and Regulations
Another area where ethics and eDiscovery intersect is adherence to the governing code of conduct. In November 2019, the new SRA Standards and Regulations will replace the existing and long-standing SRA Handbook. In addition to being much shorter and more concise than the document it replaces, the SRA Standards and Regulations contain a revised section on confidentiality and disclosure, which states that solicitors must:
- keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents; and
- make the client aware of all information material to the matter of which you have knowledge (subject to some restrictions).
It is vital that in the process of carrying out eDiscovery projects, legal teams do not inadvertently find themselves in breach of SRA obligations in respect of client data and information just because of the exemptions afforded by the DPA.
Taking a balanced approach
Those in the legal profession have an unquestionable obligation to protect the interests of clients at all times. This includes how clients' personal information is used. A balance must be achieved: eDiscovery work should be undertaken in a manner which allows practitioners to carry out their role quickly and thoroughly but also protects clients' personal data.
For example, if an eDiscovery specialist is analysing client data and, according to the DPA, is exempt from the need to disclose the purposes of the processing (Article 13(1)(c) of the GDPR), this should not then conflict with the SRA’s requirement to make the client aware of information material to them of which the specialist has knowledge.
To this end, law firms and in-house counsel should seek to implement a clear policy and procedure manual which defines for eDiscovery practitioners exactly how this should be achieved. The best policy is one of caution and prudence. An optimal approach can be achieved by making sure ESI is processed in a manner which is secure and legally defensible, while keeping your client abreast of information which keeps them informed but in no way compromises their case.