DG Legal

2 Experts

36 Contributions by DG Legal

Enhancing information and data security in UK law firms: layered controls, policies, office/mobile security, software, staff training, supplier due diligence, data minimisation and AI risks
PRACTICE NOTES
You are required to implement suitable technical and organisational controls to guard against unauthorised or unlawful processing, as well as accidental loss or damage to personal data. Security incidents are not solely IT-based; mistakes by people pose a major risk too. Whatever the cause, losing confidential information can have serious consequences for your firm: Misplacing your own data may hinder completion of tasks and heighten the likelihood of error and omission claims Compromising clients’ data can cost you clients and harm your standing, and any breach of confidentiality is liable to hit your bottom line The Information Commissioner’s Office (ICO) can levy substantial penalties under the data protection framework Practice Note This Practice Note looks at practical measures you can adopt to enhance and sustain information and data security. See also Precedent: Information security review, which includes links to other
Practice Compliance
Information asset audits, risk assessments and practical security measures for law firms, including AI risks
PRACTICE NOTES
This Practice Note has been carefully put together to assist you to: pinpoint the information and data your firm currently retains and for which it ultimately bears responsibility (often referred to as your information assets) assess the related risks (the information risks) explore practical ways those information risks can be reduced or eliminated The time spent identifying and managing information and the related risks will vary widely from firm to firm and will depend on numerous different factors, such as the size of the firm and the extent to which it holds and processes information and data, including personal data. Identifying what information you hold, manage or are responsible for There are several management tools available to help you determine what information you possess and are legally accountable for. One such tool is an information audit...
Practice Compliance
Law firm information management and security: SRA duties, UK GDPR, Computer Misuse Act, Lexcel standards, ICO guidance, policies and consequences
PRACTICE NOTES
This Practice Note outlines the principal statutory and regulatory frameworks for handling and protecting information and data—together termed information management and security. SRA You must preserve the confidentiality of clients’ affairs unless the law requires or permits disclosure, or the client gives consent. The SRA expects you to recognise, monitor and control all material risks to your business. You are also obliged to protect money and assets placed in your care by clients and others. UK General Data Protection Regulation (UK GDPR) Assimilated Regulation (EU) 2016/679 (UK GDPR) imposes wide-ranging duties concerning information security, record-keeping and broader information governance. For further assistance, see Practice Note: How to comply with information security requirements and Precedent: Small business GDPR compliance—self-audit. The UK GDPR security principle Data security is fundamental to the UK GDPR. You must process personal data with appropriate technical and organisational measures to ensure security, including
Practice Compliance
Strategic business planning for law firms: objectives, budgeting, cashflow, risk, marketing, action plans and review (Lexcel and SRA) in England and Wales
PRACTICE NOTES
This Practice Note offers guidance for law firms on the advantages of adopting a business plan and on the approach to preparing and implementing one that succeeds. It outlines why a plan matters and explains practical steps for putting it in place. See also Precedents: Strategic business plan—consumer and Strategic business plan—commercial. What is a business plan? A business plan sets out how a firm intends to achieve its objectives. For some practices, it underpins every action they take across the business and guides day-to-day operations. Such firms commit substantial time and effort to agreeing a rigorous, defensible plan, which is then reviewed at regular intervals so that progress towards the firm’s aims is maintained. Others prefer a lighter document that broadly states their aims, and they may revisit it less frequently—often once a year. Why have a business
Practice Compliance
Strategic ICT Planning for Legal Organisations in the UK: Benefits, Risks (including AI), DPIAs, Resources, Implementation and Review
PRACTICE NOTES
This Practice Note outlines the meaning of information and communication technology (ICT), how organisations can gain from integrating it, and the potential risks tied to its use. It also offers practical guidance on how to formulate, draft and implement a strategic ICT plan. For guidance on the use of artificial intelligence (AI), see subtopic: Artificial intelligence compliance. What is ICT? Information and communication technology (ICT) is an umbrella term for all technical means used to manage information and support communication. It spans tools such as computer and network hardware and software, satellite systems and mobile phones, together with the many services and applications linked to them. Many regard the significance of ICT not as the technology itself but as its ability to expand access to information and communication. Benefits of ICT With tighter budgets and growing economic and environmental pressures, organisations may find they need to invest in and
Practice Compliance
Employee health and safety consultation meeting agenda template: updates, incidents, risks, testing, training, concerns and agreed actions
PRECEDENTS
1 General Date of meeting Chair Persons in attendance (names and roles) 2 Agenda General business Apologies and announcements Matters arising from the previous health and safety consultation minutes not listed elsewhere, and approval of those minutes For information Details of significant health and safety incidents since the last consultation meeting Confirmation of immediate remedial measures taken and/or future actions to reduce the chance of recurrence Outcomes of any health and safety testing or investigations completed since the previous meeting Confirmation of changes that may materially affect employees’ health and safety (e.g. alterations to procedures, equipment or working methods, or the introduction of new machinery or technology) and any newly identified risks Future action points set to mitigate these risks and secure employees’ health and safety Details of upcoming training or other
Practice Management
Employer Homeworking Risk Assessment Template (including DSE, IT and Social Isolation)
PRECEDENTS
1 Introduction This risk assessment sets out the hazards we have recognised in connection with homeworking practices, along with controls we have implemented, or plan to implement, to reduce those risks. It draws on replies to [ insert, eg a questionnaire circulated to staff on [ date ] ]. A copy of the questionnaire is enclosed...
Practice Management
Employer procedures for managing workplace injuries—first aid response flowchart
PRECEDENTS
This diagram outlines our steps for handling any incidents where injuries have been sustained...
Practice Management
Health and safety annual compliance review for employers: checklist and action plan template
PRECEDENTS
A: General information Date of the annual review Person(s) carrying out the annual review [ Provide name and role ] B: Review and findings Is your health and safety documentation current and suitable for purpose? [ Yes OR No ] If not, make sure you record an action in section C below Is your schedule of Planned Preventative Measures (PPMs) up to date, and have all due routine maintenance tasks been completed? [ Yes OR No ] If not, make sure you record an action in section C below Are there any action points within your risk assessments or priority action lists that are overdue? ...
Practice Management
Health and Safety Management Register: Issues, Actions, Outcomes, Reviews and Sign-off (Template)
PRECEDENTS
Please click for an Excel version of this register. Issue Date Action and outcomes Signature [ Draft and integrate H&S programme ] [ Insert date ] [ Insert, eg We have created a new action plan to manage health and safety across our workplace. ]...
Practice Management
Health and safety policy review record template: outcomes, corrective actions, responsibilities and timescales
PRECEDENTS
Date of review Outcome of review Corrective action Responsibility Timescales [ Date ] [ Record any problems found through the review ] [ Note any actions that have been determined; this may involve revising the policy and/or particular health and safety obligations that require attention as needed accordingly ] [ State who is accountable for enacting changes ] [ Provide the timeframe for delivering the changes ] ...
Practice Management
Health and Safety Risk Assessment: Prioritised Action Plan and Annual Implementation Schedule (Template)
PRECEDENTS
Following our recent risk evaluation, we have chosen to prioritise a number of immediate tasks, which are now set out in this action list. The following priority actions are planned for the year commencing [ insert year ]: Action By whom Start date End date Total cost Achieved [ Insert, eg Purchase a mop and pail for staff to tidy up spillages ] [ Insert, eg, Office manager ] [ date ] [ date ] [ eg £15 ] [ date ]...
Practice Management
ICT Maintenance, Servicing, Issue Log and Testing Register – Consolidated Template for Dates, Actions, Invoices, Outcomes and Lessons Learned
PRECEDENTS
1 ICT maintenance schedule Please select to view an Excel version of this schedule. Asset Asset is maintained by Maintenance date (DD/MM/YYYY) Any issues detected?...
Practice Compliance
ICT Plan Periodic Review Template: Governance, Compliance, Maintenance and Training Checklist with Action Log, Responsibilities and Deadlines
PRECEDENTS
1 General information Date of review: [ Insert date ] Person(s) conducting review: [ Insert name(s) ] 2 Review and findings Have shifts in your organisation’s principal business goals altered anything that would affect the objectives of your ICT plan at this time? ☐ Yes (create an action at 3 below to revise the ICT plan) ☐ No Does your organisation’s ICT plan align with all other related policies and documents in full? ☐ Yes ☐ No (record an action at 3 below) Is the Schedule of primary ICT contacts current at present? ☐ Yes ☐ No (note an action at 3 below) Does the Schedule of the current ICT environment accurately represent your organisation’s present ICT resources right now?...
Practice Compliance
ICT Strategy, Governance and Data Protection Plan Template for Law Firms
PRECEDENTS
1 Introduction 1.1 This plan sets out how our organisation currently uses information and communication technology (ICT), our aspirations for its future application, and the principal matters to address over the next [ state how many years your plan will cover, usually two to five ] years. 1.2 ICT is central to delivering services for clients, eg by: [ helping us to communicate with clients in ways that best match their needs ] [ enabling us to reply promptly to clients, eg via email ] [ allowing clients to view the progress of their matter through our secure portal ] [ allowing us to provide certain services outside normal hours ] 1.3 Our organisation’s primary business objectives are detailed in our business plan, which is located [ insert details of location, eg on our intranet ]. ...
Practice Compliance
Organisational Health and Safety Management Plan Template: Responsibilities, Communication, Review Cycle and Annual Action Plan
PRECEDENTS
Please select to access an Excel version of this plan. 1 Introduction 1.1 This health and safety plan sets out our arrangements and measures for controlling and managing the risks highlighted in our health and safety risk assessment, together with the key matters to be addressed. 2 Overview of the planning process 2.1 The principal personnel responsible for preparing and delivering the plan are as follows: Name — Role [ Insert name ] — [ Insert role ] [ Insert name ] — [ Insert role ] [ Insert name ] — [ Insert role ] 3 Responsibility 3.1 Overall responsibility for this assessment lies with [ insert name ]. 3.2 Delegated responsibilities for specific health and safety issues are recorded within this plan. 3.3 [ Insert name(s) ] conduct[ s ] a [ monthly OR quarterly ] review of this plan to ensure it remains
Practice Management
Precedent Excel Template: ICT Development Risk Assessment and Risk Management Plan
PRECEDENTS
Precedent ICT (information and communication technology) risk assessment and risk management plan This Precedent ICT (information and communication technology) risk assessment and risk management plan lets you record risks linked to any proposed ICT development and explain how those risks will be handled. It is pre-populated with examples, which you can easily delete if needed...
Practice Compliance
Precedent ICT Action List (Excel-only): Multi-year planning template for current and future financial years, with year tabs, example entries and basic instructions
PRECEDENTS
Precedent Information communication technology (ICT) action list This Precedent Information communication technology (ICT) action list can be used to catalogue all ICT tasks scheduled for the current and forthcoming financial years, eg procuring new laptops or undertaking any website developments over those periods...
Practice Compliance

31 Contributions by DG Legal Experts

BCP template for law firms: priority functions with detailed risk assessment and response actions by disruption and timeframe
PRECEDENTS
1 Priority list of functions Key function Key elements of business required e.g. case management: Access to the [ online case or document ] management platform Internet access Diary of key dates Paper files Client contact details Telephones e.g. processing payments: Access to online accounting system Access to online banking and bank fobs Passwords and other credentials to log in Internet connection Telephone Use of a PC or laptop e.g. client advisory services: Access to the [ case or document management system ] Internet access Diary of key dates Paper files Client contact details Telephones 2 Individual risk analysis 2.1 Flood 2.1.1 Flood—first 24 hours Effects on functions/services Resources required Data required Key staff Action points Cost Additional information [ insert details
Practice Compliance
Business Continuity Plan (BCP) Staff Training Pack: Customisable PowerPoint Slides and Speaker Notes for Legal Practices
PRECEDENTS
This presentation serves as a tool to train your staff members on your Business continuity plan (BCP) arrangements. The training materials are customisable. This version of the training pack is provided in PowerPoint, therefore it cannot be downloaded into Word from this page. Click the link below to download the PowerPoint presentation using the link...
Practice Compliance
Business Continuity Plan (BCP) template for legal practices: incidents, governance, staff duties, client handling, training, testing and review, with appendices for risk evaluation, priority functions, cascade system and key contacts
PRECEDENTS
1 Introduction Our policy is to ensure that, should our operations be disrupted, we restore full functionality at the earliest opportunity. In pursuing this, we seek to safeguard our employees, clients, and any other stakeholders we engage with. This document sets out the steps we will take in the event of a business disruption. If you have queries or concerns about this plan, please contact [ insert name of appropriate contact here ]. 2 Scope of the Business Continuity Plan (BCP) 2.1 This BCP covers all personnel within [ every business unit OR insert which department(s) or office(s) the plan covers ]. 2.2 Situations that would trigger this plan include: flood; fire; theft; IT outage; communications breakdown (e.g. telephone system); partial or total loss of access to premises; severe weather; loss of critical staff; terrorism; cyber security or cybercrime incident; public health events such as a pandemic; [ [ insert other incident ]. ] 2.3 We have
Practice Compliance
Law Firm Business Continuity Plan (BCP) Annual Review: Checklist, Testing Schedule, Compliance Checks and Action Plan
PRECEDENTS
1 General information Review date: [ Insert date ] Reviewer(s): [ Insert name ] 2 Review and findings Have you completed a new risk evaluation and a thorough risk assessment? Yes No If no, be sure to add an action in section 3 to carry out a new risk evaluation and detailed risk assessment. Are your business continuity plan (BCP) and procedures current and fit for purpose? Yes No If no, ensure an action is set in section 3 to bring your policy and processes up to date. Is your key contact list up to date? ...
Practice Compliance
Law firm business continuity: business impact analysis template covering key functions, staged disruption impacts, recovery time objectives, resources, priority ratings and considerations
PRECEDENTS
Key function Impact/consequences if disrupted Resources required for recovery Time by which function would need to be resumed Priority rating Other issues/considerations [ Insert, eg Case management ] [ Insert, eg Accounting—processing payments ] [ Insert relevant key function ] [ Insert relevant key function ] Impacts by timeframe if disrupted: First 24 hours: [ insert impact ]; 24–48 hours: [ insert impact ]; Up to one week: [ insert impact ]; Up to two weeks: [ insert impact ]; More than two weeks: [ insert impact ] Resources for recovery: Key personnel: [ insert resources ]; Technology: [ insert resources ]; Data & documents: [ insert resources ]; External support: [ insert resources ]; Operational equipment & premises: [ insert resources ] Time by which function would need to be resumed: [ Insert time ] | Priority rating: [ Insert rating ] |
Practice Compliance
Law Firm Business Continuity: Communications Cascade Call Tree and Contact List Template
PRECEDENTS
Name Calls Contact number Add name (e.g. CEO or Senior Partner) or add name (e.g. Head of compliance or Head of legal) – enter number. Add name (e.g. CEO/Senior Partner or Head of compliance/Head of legal) linked to: Office manager, Risk manager, HR manager, Finance manager, Marketing/PR manager, IT manager, Heads of departments, Other – enter number for each. For managers, list the related teams and numbers: Office manager – Postroom staff, Reception staff, Housekeeping staff, Library staff; Risk manager – Risk and compliance staff; HR manager – HR staff; Finance manager – Finance staff; Marketing/PR manager – Marketing/PR staff; IT manager – IT staff; Heads of departments – Staff within their department; Other – Other – number. ...
Practice Compliance
Legal Practice Business Continuity Staff Survey Template: Critical Functions, IT and Data Access, Remote Working, Third-Party Dependencies and Time-Critical Impacts
PRECEDENTS
Why are we undertaking this survey? [ Insert name of organisation ] prepares for unforeseen emergencies through a robust business continuity plan. To [ formulate OR update ] our business continuity plan, we wish to engage with staff so that, if our operations are disrupted: we can account for the safety of our people, clients, and any other parties we work with; and we can restore full operations as swiftly as possible To ensure every business function is addressed and a comprehensive plan is created, we need insights from colleagues across the organisation. Please take a few minutes to complete this survey and submit it to [ insert details of how and to whom the completed survey should be submitted ] by [ insert date ]. Thank you for completing this survey. Survey questions What is the name of your
Practice Compliance
Precedent: Fire Warden Role Profile – Duties, Deliverables, Competences and Authority Limits
PRECEDENTS
Role summary This position ensures daily adherence to fire safety legislation, regulations and recognised good practice across the organisation Key responsibilities: Guiding and supporting colleagues on fire safety awareness Shaping evacuation procedures and assembly points, and running regular drills to validate them Staying current with applicable fire safety law by attending periodic training Coordinating with the emergency services, and in an incident directing evacuations and relaying issues Keeping required fire notices in place and checking escape routes remain clear and usable Managing testing of alarms, emergency lighting, fire doors, emergency exits and fire safety equipment Key deliverables: Acting as [ the OR a ] appointed individual for organisational fire safety Contributing to the fire risk assessment and fire safety action plan as needed Producing management updates and bulletins Helping record and maintain fire safety
Practice Management
SRA-regulated law firm business continuity risk assessment and mitigation plan (England and Wales)
PRECEDENTS
The following table contains our assessment of business continuity risk within our organisation: Risks are set out with their impact (low/medium/high), likelihood (low/medium/high), and the steps already in place to lessen, avoid, or transfer them. Flooding Impact: High; Likelihood: Low. The chance of flooding affecting the firm’s office is slight. We can relocate to a temporary workspace if an incident occurs at our premises. The office occupies the third floor of the building. It is a serviced space overseen by the landlord. Routine inspections of pipework, boilers and the water supply take place under the office’s overall maintenance programme. Additional regular checks of the pipework, boilers and water supply are carried out by the landlord. The firm owns the property and uses all three storeys. Archived records are kept in the basement. Although flood risk is low,
Practice Compliance