UK GDPR – Communicating safely with clients

This helpsheet has been issued by ICAEW’s Technical Advisory Service to help ICAEW members to understand the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in relation to communicating safely with clients. Detailed guidance is available from the Information Commissioner’s Office (ICO).

Members may also wish to refer to the following related helpsheets:

• UK GDPR – Data processor or data controller?
• UK GDPR – Data breaches
• UK GDPR – Lawful basis for processing

A firm must be able to demonstrate compliance with the principles of the UK GDPR including the integrity and confidentiality (security) principle. This says that personal data shall be, “processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Guidance on the definition of personal data and what constitutes a personal data breach can be found in the UK GDPR - Data breaches helpsheet.

The UK GDPR does not specify exactly how this security should be achieved, although it does require firms to be accountable as to how data is collected, used and processed. A firm should therefore adopt a risk-based approach which clearly documents how personal data is being used and processed and justifies a defendable position.

Using a simple analogy, most people are happy to entrust a simple letter to the post office. However, if we wish to send a valuable item recorded or special delivery is often used instead as an additional precaution. Many firms now routinely send documents such as payslips and tax returns to clients via electronic means and similar considerations will nevertheless apply. Each firm will need to establish a policy governing how these documents are sent to clients and demonstrate how the policy complies with the above security principle. A number of approaches are explored below.

Unprotected attachment

Sending personal data in an unprotected email or attachment would be ill-advised as it would be difficult to justify this approach complies with the principle of ensuring appropriate security.

It is also important to note that even if a client requests or agrees to personal data being communicated in this way, the firm still has its obligations to ensure security of the data and therefore this would not generally be considered a defendable position.

If someone manages to gain unauthorised access to the email account, then there would be no further protection of the personal data contained in the attachment. Additionally, it is all too easy to accidently send an email to the wrong recipient. If the personal data is not secured in any way this could expose the data subject.

Password protected attachment

Sending personal data in password protected email attachments such as password PDFs may on the face of it seem like adequate security. Whilst this certainly makes it more difficult to access the personal data in the attachment, a wide range of password removal tools are available. Whilst some firms may feel that they can justify this position, simple password protection alone may not always be considered appropriate and firms may look to a higher level of security.

Where a password is used this should not be included in the same email as the password protected attachment for obvious reasons. Additionally, it would not be advisable to send the password to the same email account. Best practice would be to send the password via a different medium, perhaps over the phone to the client or via text message for example.

Encrypted and password protected

Sending personal data in encrypted and password protected email attachments may be a good option for many firms. These facilities are often built into existing email programs and indeed some commonly used programs automatically encrypt files when password protection is applied. By encrypting the attachments data is not only protected on route to the client but also when it is at rest on the remote server or client’s computer. It would be difficult to read the encrypted email even if the remote computer was hacked or stolen which enhances the level of security provided.

The ICO offers further guidance on encrypted emails and types of encryption.

Secure portal

Using a secure file sharing portal is generally considered the most secure option. In many cases it is possible to embed tools within email programs such as Outlook to force attachments to be sent via the secure portal which assists in preventing members of staff from sending unprotected attachments in error. Whilst the cost of file sharing portals may be prohibitive for smaller practices, it is worth noting that many of the accounting software providers have begun to offer such facilities as part of their product offering.

If firms are using file sharing portals, care should be taken to ensure that the geographical location of the portal’s servers is known as additional requirements apply to international data transfers. Further details are available from the ICO and ICAEW’s Data Protection webpage

What if my client sends me personal data in an unprotected email?

If a client does send personal data in an unprotected email, it would be worthwhile reminding them of the firm’s policies and procedures regarding the transfer of data. Care should be taken not to simply hit reply to the email however as often the original email would be below the reply and the firm would therefore be sending the personal data in an unprotected manner. A firm should also take steps to protect the personal data received, perhaps by moving the email to secure file storage for example.

Firms should ensure that they adopt an appropriate policy with regard to the use of mobile devices such as mobile phones, tablets and laptops. Many users of such devices have work emails set up to download automatically to the device. If the device is lost or stolen (which is much more common with such devices compared with non-mobile devices such as desktop computers and servers), this poses a significant risk of unauthorised access to personal data.

Firms should therefore implement appropriate policies governing the use of such devices to minimise the risk of unauthorised access. It may be appropriate for example to require the use of software which forces strong passwords to be used, encrypts data and which facilitates remote wiping of data contained on a device if it is lost or stolen.

Where firms make use of bring your own device (BYOD) schemes, firms should consult the ICO BYOD guidance, which, whilst written under the Data Protection Act 1998 is still of relevance.

There are many free email providers including Hotmail, Gmail, Live or Outlook accounts. Smaller firms and sole practitioners may currently be using such providers for their email services.

The geographical location of the servers storing the personal data should be established as additional requirements apply to international data transfers. Further details are available from the ICO and ICAEW’s Data Protection webpage

With the free email services especially, this location can be difficult to establish as providers have server farms all over the world. Depending on the provider, deleting an email may not always result in it being removed from the server. As such it may be difficult to demonstrate personal data is kept only for as long as is necessary.

Consideration also needs to be given to the security and backup facilities provided in order to comply with the security principle. Generally, the paid for ‘business’ accounts offered by the same providers offer an enhanced level of security and also offer back up facilities which are not usually available with the free services.

Whatever policy a firm chooses to adopt, it is important that this (along with an appropriate risk-based justification) is well documented and that staff are appropriately trained. A policy of using a file sharing portal for sending personal data to clients for example will only be effective if it is communicated adequately to staff and staff members are trained to use it. 

The ICO, which acts as the regulator with regard to data protection in the UK, may request access to a firm’s policies and documentation.

The ICO is the regulator for data protection in the UK and has its own website and helpline.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250, via webchat or e-mail technicalenquiries@icaew.com.

The ICO is the regulator for data protection in the UK and has its own website and helpline.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.