DG Legal
36 Contributions by DG Legal
PRACTICE NOTES
You are required to implement suitable technical and organisational controls to guard against unauthorised or unlawful processing, as well as accidental loss or damage to personal data. Security incidents are not solely IT-based; mistakes by people pose a major risk too. Whatever the cause, losing confidential information can have serious consequences for your firm:
Misplacing your own data may hinder completion of tasks and heighten the likelihood of error and omission claims
Compromising clients’ data can cost you clients and harm your standing, and any breach of confidentiality is liable to hit your bottom line
The Information Commissioner’s Office (ICO) can levy substantial penalties under the data protection framework
Practice Note
This Practice Note looks at practical measures you can adopt to enhance and sustain information and data security. See also Precedent: Information security review, which includes links to other
Practice Compliance
PRACTICE NOTES
This Practice Note has been carefully put together to assist you to:
pinpoint the information and data your firm currently retains and for which it ultimately bears responsibility (often referred to as your information assets)
assess the related risks (the information risks)
explore practical ways those information risks can be reduced or eliminated
The time spent identifying and managing information and the related risks will vary widely from firm to firm and will depend on numerous different factors, such as the size of the firm and the extent to which it holds and processes information and data, including personal data.
Identifying what information you hold, manage or are responsible for
There are several management tools available to help you determine what information you possess and are legally accountable for. One such tool is an information audit...
Practice Compliance
PRACTICE NOTES
This Practice Note outlines the principal statutory and regulatory frameworks for handling and protecting information and data—together termed information management and security.
SRA
You must preserve the confidentiality of clients’ affairs unless the law requires or permits disclosure, or the client gives consent. The SRA expects you to recognise, monitor and control all material risks to your business. You are also obliged to protect money and assets placed in your care by clients and others.
UK General Data Protection Regulation (UK GDPR)
Assimilated Regulation (EU) 2016/679 (UK GDPR) imposes wide-ranging duties concerning information security, record-keeping and broader information governance. For further assistance, see Practice Note: How to comply with information security requirements and Precedent: Small business GDPR compliance—self-audit.
The UK GDPR security principle
Data security is fundamental to the UK GDPR. You must process personal data with appropriate technical and organisational measures to ensure security, including
Practice Compliance
PRACTICE NOTES
This Practice Note offers guidance for law firms on the advantages of adopting a business plan and on the approach to preparing and implementing one that succeeds. It outlines why a plan matters and explains practical steps for putting it in place. See also Precedents: Strategic business plan—consumer and Strategic business plan—commercial.
What is a business plan?
A business plan sets out how a firm intends to achieve its objectives. For some practices, it underpins every action they take across the business and guides day-to-day operations. Such firms commit substantial time and effort to agreeing a rigorous, defensible plan, which is then reviewed at regular intervals so that progress towards the firm’s aims is maintained. Others prefer a lighter document that broadly states their aims, and they may revisit it less frequently—often once a year.
Why have a business
Practice Compliance
PRACTICE NOTES
This Practice Note outlines the meaning of information and communication technology (ICT), how organisations can gain from integrating it, and the potential risks tied to its use. It also offers practical guidance on how to formulate, draft and implement a strategic ICT plan. For guidance on the use of artificial intelligence (AI), see subtopic: Artificial intelligence compliance.
What is ICT?
Information and communication technology (ICT) is an umbrella term for all technical means used to manage information and support communication. It spans tools such as computer and network hardware and software, satellite systems and mobile phones, together with the many services and applications linked to them. Many regard the significance of ICT not as the technology itself but as its ability to expand access to information and communication.
Benefits of ICT
With tighter budgets and growing economic and environmental pressures, organisations may find they need to invest in and
Practice Compliance
PRECEDENTS
Please note: the data within these tables remains strictly confidential...
Practice Management
PRECEDENTS
1 General
Date of meeting
Chair
Persons in attendance (names and roles)
2 Agenda
General business
Apologies and announcements
Matters arising from the previous health and safety consultation minutes not listed elsewhere, and approval of those minutes
For information
Details of significant health and safety incidents since the last consultation meeting
Confirmation of immediate remedial measures taken and/or future actions to reduce the chance of recurrence
Outcomes of any health and safety testing or investigations completed since the previous meeting
Confirmation of changes that may materially affect employees’ health and safety (e.g. alterations to procedures, equipment or working methods, or the introduction of new machinery or technology) and any newly identified risks
Future action points set to mitigate these risks and secure employees’ health and safety
Details of upcoming training or other
Practice Management
PRECEDENTS
1 Introduction
This risk assessment sets out the hazards we have recognised in connection with homeworking practices, along with controls we have implemented, or plan to implement, to reduce those risks. It draws on replies to [ insert, eg a questionnaire circulated to staff on [ date ] ]. A copy of the questionnaire is enclosed...
Practice Management
PRECEDENTS
This diagram outlines our steps for handling any incidents where injuries have been sustained...
Practice Management
PRECEDENTS
A: General information
Date of the annual review
Person(s) carrying out the annual review [ Provide name and role ]
B: Review and findings
Is your health and safety documentation current and suitable for purpose? [ Yes OR No ]
If not, make sure you record an action in section C below
Is your schedule of Planned Preventative Measures (PPMs) up to date, and have all due routine maintenance tasks been completed? [ Yes OR No ]
If not, make sure you record an action in section C below
Are there any action points within your risk assessments or priority action lists that are overdue?
...
Practice Management
PRECEDENTS
Please click for an Excel version of this register.
Issue
Date
Action and outcomes
Signature
[ Draft and integrate H&S programme ]
[ Insert date ]
[ Insert, eg We have created a new action plan to manage health and safety across our workplace. ]...
Practice Management
PRECEDENTS
Date of review Outcome of review Corrective action Responsibility Timescales
[ Date ]
[ Record any problems found through the review ]
[ Note any actions that have been determined; this may involve revising the policy and/or particular health and safety obligations that require attention as needed accordingly ]
[ State who is accountable for enacting changes ]
[ Provide the timeframe for delivering the changes ]
...
Practice Management
PRECEDENTS
Following our recent risk evaluation, we have chosen to prioritise a number of immediate tasks, which are now set out in this action list.
The following priority actions are planned for the year commencing [ insert year ]:
Action
By whom
Start date
End date
Total cost
Achieved
[ Insert, eg Purchase a mop and pail for staff to tidy up spillages ]
[ Insert, eg, Office manager ]
[ date ]
[ date ]
[ eg £15 ]
[ date ]...
Practice Management
PRECEDENTS
1 ICT maintenance schedule
Please select to view an Excel version of this schedule.
Asset
Asset is maintained by
Maintenance date (DD/MM/YYYY)
Any issues detected?...
Practice Compliance
PRECEDENTS
1 General information
Date of review: [ Insert date ]
Person(s) conducting review: [ Insert name(s) ]
2 Review and findings
Have shifts in your organisation’s principal business goals altered anything that would affect the objectives of your ICT plan at this time? ☐ Yes (create an action at 3 below to revise the ICT plan) ☐ No
Does your organisation’s ICT plan align with all other related policies and documents in full? ☐ Yes ☐ No (record an action at 3 below)
Is the Schedule of primary ICT contacts current at present? ☐ Yes ☐ No (note an action at 3 below)
Does the Schedule of the current ICT environment accurately represent your organisation’s present ICT resources right now?...
Practice Compliance
PRECEDENTS
1 Introduction
1.1 This plan sets out how our organisation currently uses information and communication technology (ICT), our aspirations for its future application, and the principal matters to address over the next [ state how many years your will cover, usually two to five ] years.
1.2 ICT is central to delivering services for clients, eg by:
[ helping us to communicate with clients in ways that best match their needs ]
[ enabling us to reply promptly to clients, eg via email ]
[ allowing clients to view the progress of their matter through our secure portal ]
[ allowing us to provide certain services outside normal hours ]
1.3 Our organisation’s primary business objectives are detailed in our business plan, which is located [ insert details of location, eg on our intranet ]. ...
Practice Compliance
PRECEDENTS
Please select to access an Excel version of this plan.
1 Introduction
1.1 This health and safety plan sets out our arrangements and measures for controlling and managing the risks highlighted in our health and safety risk assessment, together with the key matters to be addressed.
2 Overview of the planning process
2.1 The principal personnel responsible for preparing and delivering the plan are as follows:
Name — Role
[ Insert name ] — [ Insert role ]
[ Insert name ] — [ Insert role ]
[ Insert name ] — [ Insert role ]
3 Responsibility
3.1 Overall responsibility for this assessment lies with [ insert name ].
3.2 Delegated responsibilities for specific health and safety issues are recorded within this plan.
3.3 [ Insert name(s) ] conduct[ s ] a [ monthly OR quarterly ] review of this plan to ensure it remains
Practice Management
PRECEDENTS
Precedent ICT (information and communication technology) risk assessment and risk management plan
This Precedent ICT (information and communication technology) risk assessment and risk management plan lets you record risks linked to any proposed ICT development and explain how those risks will be handled. It is pre-populated with examples, which you can easily delete if needed...
Practice Compliance
PRECEDENTS
Precedent Information communication technology (ICT) action list
This Precedent Information communication technology (ICT) action list can be used to catalogue all ICT tasks scheduled for the current and forthcoming financial years, eg procuring new laptops or undertaking any website developments over those periods...
Practice Compliance
31 Contributions by DG Legal Experts
PRACTICE NOTES
This Practice Note outlines what a business continuity plan (BCP) involves, considers the requirements of industry standards concerning BCPs, and offers guidance on developing a BCP, including a Business Impact Analysis (BIA).
What is a BCP?
A BCP is a written plan describing how the organisation will handle an adverse incident that could jeopardise the continuation of its operations.
Purpose of the BCP
The BCP is a vital component of the overall risk management framework for any organisation. It helps ensure the business can withstand a critical incident and that the organisation can meet its obligations to clients or customers, regulators and other stakeholders. The BCP pinpoints potential risks and/or disruptions to the business and records the organisation’s systems or procedures to:
minimise the threat of harm to the business
respond to a business interruption
recover from a business interruption
BCP v disaster recovery plan
Although sometimes used as if they are the same, a BCP
Practice Compliance
PRACTICE NOTES
This Practice Note outlines regulatory duties concerning the use and care of visual display screen equipment. For details on other regulatory requirements linked to managing health and safety in the workplace, see Practice Note: Health and safety in the workplace—regulatory requirements...
What is display screen equipment?
Display screen equipment (DSE) is the commonly used term for devices featuring an alphanumeric or graphic screen, and covers conventional display screens and laptops, touch-screens and similar technologies.
There are particular risks associated with prolonged DSE use and, in some situations, organisations must implement specific measures.
DSE requirements apply whenever workers are using DSE, including when:
working at a fixed workstation
working remotely/mobile working
hot-desking
Where staff use DSE both in the office and away from it, for example when working from home, the requirements will apply in both
Practice Management
PRACTICE NOTES
This Practice Note offers guidance for commercial organisations on composing and rolling out a health and safety policy. It highlights key considerations and points to tools that may assist. It also explains the benefit of having a policy document that both states the overarching commitment to health and safety and sets out the organisation’s aims and targets. This Practice Note focuses on health and safety obligations in an office-based setting. Sector- or workplace-specific duties may arise in other environments. For detail on regulatory requirements tied to implementing a health and safety policy, see Practice Note: Health and safety policy—regulatory requirements.
What is a health and safety policy?
A health and safety policy is a statement of the organisation’s principles and aims for protecting staff and visitors. It should usually be distinguished from a health and safety plan, which develops and records the concrete measures and
Practice Management
PRACTICE NOTES
You are obliged to take steps to reduce the likelihood of fire at work and to protect your staff should a fire occur. There are no fixed rules on the level of fire safety measures you must adopt: small organisations might only require basic provision, whereas larger businesses or those with distinct fire hazards may need greater resources. To determine what is adequate and proportionate for your activities, you must perform a suitable and sufficient review of the risks—a fire risk assessment. This Practice Note provides guidance and information on conducting a fire risk assessment. It focuses on fire safety within office-based, non-residential workplaces. Other industry or premises-specific requirements may apply in different settings, particularly in relation to residential and domestic buildings, including flats and multi-storey residential properties. Regulatory requirements concerning fire safety in residential and domestic premises are outside the scope of this
Practice Management
PRACTICE NOTES
Putting a carefully designed and accessible health and safety framework in place helps an organisation oversee these matters effectively and efficiently. An organisation should therefore:
set out its core principles and aims for protecting the health and safety of its key stakeholders, ie what it intends to achieve (see subtopic: Health and safety policy)
identify key members of staff and obtain their input
carry out a risk assessment (see Practice Note: How to conduct a health and safety risk assessment)
develop an action plan explaining what the organisation needs and why
implement the plan, and
review the plan
This Practice Note explains how to design, implement and review a plan to manage health and safety, and control related risks in an office-based workplace. Other
Practice Management
PRACTICE NOTES
You are responsible for taking steps to reduce workplace fire hazards and to protect staff should a fire occur, minimising risk and safeguarding employees. There is no single, prescriptive set of rules dictating the exact fire safety measures you must adopt. Smaller organisations might require only basic arrangements, whereas larger organisations or those facing specific fire risks may need greater provision and additional resources. This Practice Note offers practical guidance and information on arranging, managing and maintaining fire safety in the workplace. Its scope is office-based, non-residential settings. It addresses fire safety in that workplace context only. Distinct, industry or premises-specific obligations may apply elsewhere, notably in residential and domestic properties, such as flats and multi-storey residential buildings. Regulatory requirements concerning fire safety in residential and domestic premises fall outside this Practice Note, as do building regulations requirements relating to fire safety. For
Practice Management
PRACTICE NOTES
An organisation has an obligation to manage health and safety risks across its workplace in an effective, efficient manner. This Practice Note offers guidance on organising and securing health and safety at work. It addresses the requirements for office-based workplaces. Different working environments may attract additional, sector- or workplace-specific requirements. For information about regulatory requirements relevant to workplace safety, see Practice Note: Health and safety in the workplace—regulatory requirements.
What are the organisation’s workplaces?
The organisation’s own premises, including office space and any other areas from which it delivers its services.
Other locations from which it provides services or goods, such as outreach or voluntary centres.
Shared workspaces with other businesses; for example, serviced offices with communal reception, toilet and kitchen areas. In such circumstances, some communal protection measures may already be in place and/or the
Practice Management
PRACTICE NOTES
This Practice Note sets out guidance on investigating, managing and reporting health and safety incidents within an office-based workplace. Different sectors or workplaces may have their own specific requirements in other settings.
Dealing with incidents
Employers, and anyone with control of work premises, must keep records and report specified events, including serious injuries, fatalities, cases of disease, or dangerous occurrences. For details of the regulatory obligations relating to health and safety incidents, see Practice Note: Dealing with health and safety incidents—regulatory requirements.
Key staff members
Ensure the individual (or designated team) with overall responsibility for health and safety has sufficient seniority to direct the assessment and management process when an incident arises and to supervise any actions implemented—see Practice Note: Dealing with health and safety incidents—regulatory requirements.
According to the organisation’s size and the nature of its activities, additional personnel may need to be appointed to help the
Practice Management
PRACTICE NOTES
This Practice Note sets out the regulatory obligations for health and safety incidents, including duties to report injuries, diseases and other hazardous events. It addresses incident requirements for office-based workplaces. Different sectors or work settings may have additional, specific rules. For practical guidance on investigating, managing and reporting incidents, see Practice Note: How to manage health and safety incidents.
Procedures
Under the Management of Health and Safety at Work Regulations 1999 (SI 1999/3242), organisations employing staff must:
Put in place, and where needed activate, suitable procedures to be followed where there is serious and imminent danger to people at work
Nominate a sufficient number of competent persons to carry out any evacuation procedures
Ensure employees do not enter any workplace area where access is restricted on health and safety grounds unless they have received adequate health and safety
Practice Management
PRACTICE NOTES
The illustration outlines principal steps for evaluating health and safety risks and developing a health and safety plan. It covers health and safety obligations in an office setting. Alternative sector or workplace-specific duties could be relevant in other types of workplaces.
Note 1:
Engage with employees or their chosen representatives to obtain views on health and safety issues—see Precedents: Health and safety employee consultation meeting agenda and Health and safety...
Practice Management
PRACTICE NOTES
Health and Safety at
This table sets out an overview of the principal legislation relevant to health and safety in an office-based environment. Additional sector- or workplace-specific obligations may apply in other working contexts. The table shows how these requirements apply according to the organisation’s nature and size.
Organisation trading as a sole practice, partnership or LLP (5+ employees)
Organisation trading as a sole practice, partnership or LLP (fewer than 5 employees)
Organisation trading as a sole practice, partnership or LLP (no employees)
Organisation operating as a limited company (5+ employees)
Organisation operating as a limited company (fewer than 5 employees)
Organisation operating as a limited company (no employees)
Organisation where employees are represented by a trade union...
Practice Management
PRACTICE NOTES
A clear, accessible health and safety framework helps an organisation manage it effectively and efficiently. Certain aspects, such as assessing and controlling risks in the workplace, are required by law. An organisation should therefore:
define its overarching principles and aims for ensuring the health and safety of key stakeholders—what it seeks to achieve (see subtopic: Health and safety policy)
pinpoint key personnel and secure their input
carry out a risk assessment
develop a justified action plan explaining what the organisation needs and why (see Practice Note: How to formulate a health and safety plan)
put the plan into practice
review the plan
This Practice Note outlines how to conduct a health and safety risk assessment in an office-based setting. Other sector- or workplace-specific matters may arise in different environments. For details of regulatory
Practice Management
PRACTICE NOTES
This Practice Note outlines regulatory obligations concerning health and safety, with particular emphasis on assessment and planning. It addresses health and safety requirements in an office-based workplace. Different industry or workplace-specific obligations may apply in other working environments. For guidance on undertaking a health and safety assessment and preparing a plan, see Practice Notes: How to conduct a health and safety risk assessment and How to formulate a health and safety plan.
What are health and safety assessments and plans?
A health and safety assessment is the process by which an organisation determines the risks to health and safety within its workplace and the measures adopted to mitigate, transfer, avoid or reduce those risks. The assessment may be documented. A health and safety plan is a document that sets out the means by which an organisation will implement its health and safety
Practice Management
PRACTICE NOTES
This Practice Note addresses regulatory duties for workplace health and safety, including safe work equipment and manual handling. The framework derives from multiple sources; see our Health and safety—key legislation table for an overview. It focuses on office-based environments; other sectors may have additional, context-specific rules. For requirements on visual display screen equipment, consult the Practice Note: Display screen equipment—regulatory requirements. For practical guidance on running and assuring health and safety, see Practice Note: How to manage health and safety in the workplace. For detailed manual handling duties, refer to the subtopic: Manual handling.
Legislative requirements
Multiple pieces of legislation apply to health and safety in the workplace.
Health and Safety at Work etc Act 1974
The Health and Safety at Work etc Act 1974 (HSWA 1974) is the principal statute governing occupational health and safety. In short, employers have a duty to secure, so far as is
Practice Management
PRACTICE NOTES
This Practice Note outlines the regulatory requirements that relate to fire safety within the workplace environment. It focuses specifically on an office-based, non-residential workplace context. Other sector- or premises-specific rules may apply in different contexts and environments, particularly for residential and domestic buildings, such as flats and multi-storey residential properties. Requirements for fire safety in residential and domestic premises, and building regulations relating to fire safety, are expressly outside the scope of this Practice Note. For practical information about managing fire safety in an office-based workplace, see Practice Note: How to manage fire safety in the workplace.
Legislative requirements
There are several statutory obligations concerning workplace fire safety, including the following areas:
what constitutes a workplace
who is a ‘responsible person’
general fire precautions, for example:
recognition and control of fire risks
Practice Management
PRACTICE NOTES
This Practice Note outlines the regulatory duties for first aid in an office environment, covering the need for stocked first aid boxes, trained first aiders and suitable first aid rooms. For practical advice on running first aid at work, see Practice Notes: How to conduct a first aid needs assessment and How to manage first aid in the workplace.
What is first aid?
The term ‘first aid’ covers both situations where preventative assistance or care is needed from doctors or nurses, and the management of minor injuries by people without medical qualifications.
Legislative requirements
There are several legislative duties relating to first aid at work, including:
the provision of first aid
first aiders
first aid room
first aid box/kit
informing staff
members of the public
signs and signals
giving or administering drugs or medication
The Health and Safety Executive (HSE) is the national independent regulator for workplace health and safety and first aid matters, playing a key part in
Practice Management
PRACTICE NOTES
You are not obliged to keep a first aid box or kit, yet it is widely regarded as sound practice and the basic measure every organisation ought to adopt. The British Standard BS 8599 (BS 8599) sets out guidance on the items that workplace first aid kits should contain. Possessing a kit that conforms to this standard is not compulsory, though you may judge that your circumstances warrant meeting or even surpassing the BS 8599 contents. At minimum, it offers a helpful benchmark for judging the suitability of your kit’s stock. Regardless of whether you follow BS 8599, the contents must be customised to the particular requirements of your organisation, as indicated by the results of your first aid needs assessment—see Precedent: First aid needs assessment and Practice Note: How to conduct a first aid needs assessment. This Practice Note outlines the
Practice Management
PRACTICE NOTES
You have a duty to supply suitable and sufficient equipment, facilities and competent personnel so employees receive immediate attention if they are hurt or become unwell in the workplace.
There is no fixed rulebook setting out the precise first aid arrangements you must implement; requirements vary with context. What you establish should be suited to your organisation's circumstances.
Smaller organisations may only need the minimum first aid provision, while larger organisations, or those with specific first aid risks, often require additional resources and coverage. Consequently, provision should increase where risks or scale dictate.
This Practice Note explains how to manage and secure effective first aid provision across your workplace. For material on the regulatory requirements relating to first aid, see Practice Note: First aid in the workplace—regulatory requirements.
First aid needs assessment
You should already have completed a first aid needs
Practice Management
PRACTICE NOTES
You are responsible for supplying suitable and sufficient equipment, facilities and personnel so employees can receive prompt attention if they are hurt or fall ill at work. What counts as suitable and sufficient will vary according to several factors, such as the scale and nature of your undertaking. To determine what is right for your operations, you should carry out a first aid needs assessment. This Practice Note sets out guidance on performing such an assessment. For details of the regulatory obligations that apply to first aid, see Practice Note: First aid in the workplace—regulatory requirements.
Key staff members
Ensure the individual (or team) with overall responsibility for evaluating first aid needs holds enough seniority to lead the process and supervise any actions implemented. You should also think about how to properly involve all staff in discussing and agreeing the key elements of the
Practice Management
PRACTICE NOTES
This Practice Note outlines compliance and regulatory obligations linked to health and safety, with a focus on the need for a written health and safety policy. It addresses health and safety requirements in an office-based working environment. Different sectors or workplace-specific contexts may have additional obligations in other settings. For guidance on drafting a health and safety policy, see Practice Note: How to formulate a health and safety policy.
What is a health and safety policy?
A health and safety policy is a written statement describing the organisation’s principles and aims for protecting the health and safety of employees and visitors.
Regulatory requirements
Health and Safety at Work etc Act 1974
The Health and Safety at Work etc Act 1974 (HSWA 1974) is the core statute governing occupational health and safety. In essence, employers must, so far as is reasonably practicable, secure the health, safety and welfare of their
Practice Management
If you expected to see yourself on this page, click here.
