Data Access Principles for Law Firms

3 crucial data management roles for every legal practice

Law firms hold client confidentiality, legal professional privilege, data privacy and information security to the strictest standards. A law firm’s reputation is built on its integrity and compliance with all laws, regulations, and the professional code of conduct. In the digital era, a software provider’s role goes hand-in-hand with the legal practitioners’ enforcement of data governance, which is integral to cybersecurity. Clearly defined access rights are a key part of efficient decision making for information management and governance.

The International Organization for Standardization (ISO) develops and publishes international standards for regulating a range of business practices, product or service quality, and management techniques. Through third-party organizations, businesses can obtain ISO certifications to prove that they meet the standards recommended by ISO. For example, many technology companies pursue certification in ISO/IEC 27001 (IEC is short for the International Electrotechnical Commission), which is globally recognized as an indication that the certified information security management system (ISMS) is aligned with information security best practice, in terms of people and processes as well as technology.

While not every ISO category applies directly to law firms, the standardized guidelines set out for each category provide valuable information about good practices in data access principles and structure. For example, ISO 8000:150 provides a framework for Data Quality Management that law firms could find useful when laying out the roles and responsibilities to govern the collection, management and use of data in a legal practice. Please note, however, that ISO 8000:150 certification is not required for law firms, and that we are just referencing its contents to illustrate standards of good practice. Please bear in mind that these are general guiding principles only and do not correspond to definitions under any data privacy legislation, rules, or regulations.

ISO 8000:150 generally sets out three roles that each organization should have at minimum:

1. Data Manager

The data manager has the highest level of authority and accountability for the firm’s data. This would typically be a Managing Partner, Senior Partner or equivalent, with the authority to approve the firm’s policies, procedures, and rules on data management. The data manager operates from a high-level, company-wide perspective, which very often aims to ensure compliance with relevant laws and regulations.

2. Data Administrator

A data administrator is responsible for defining and implementing safeguards for data protection in accordance with policies, procedures and rules approved by the data manager. There can be multiple data administrators in a law firm, each overseeing a single domain such as a specific department or team, e.g. human resources or finance. Data administrators typically supervise the designing and setting up of data management processes in accordance with approved company policies and oversee the implementation of data management strategies within their respective departments. This role is generally held by high-ranking executives of each department.

3. Data Technician

A data technician processes data on an everyday basis, applying relevant policies, procedures, and rules to ensure the quality and integrity of data. For example, in a department that handles the company’s financial information, the data technicians would be the employees responsible for organizing the data structure and access control in accordance with the company’s approved policies, procedures and rules.

As more and more law firm data are being processed and stored digitally, whether on internal servers or with secure cloud providers, additional technical support will most likely be needed to embed and implement governance controls and processes. Whether in-house or third-party, information technology providers form the final piece of the puzzle, completing the law firm’s data management strategy by offering system support and maintaining the firm’s information systems.

People, not technology, are often the weakest link in cybersecurity. The conversation about cybersecurity for law firms is shifting from a technology-focused discussion to a demand for increased engagement from senior management. Without a well thought-out, legally compliant, and practical data governance policy, a company would very often fall short of the standards of ethics and integrity required under modern-day corporate governance. Ensuring from the top down that the right people have the right access to data in the firm is a necessary foundation for effective cybersecurity controls, and thus the strong protection of valuable data that may involve ownership or information rights from third parties.

If you are looking for service providers, choose solutions that make it easy for you to implement your access control policies. LEGALX is designed with the strictest information security and access in mind. Its granular access control can be granted to individuals or teams, applied by folder or individual file, and adjusted in terms of editing, reading, downloading, or deleting rights.

To learn more about Cloudwork | LEGALX and its suite of productivity tools, visit our website or contact us today.