On Tuesday 5 February, the Law Society of Ireland issued a new Practice Note entitled 'Data retention and destruction of paper and electronic files'. This follows on from a 2005 note in the same area, repeating and revising guidance in relation to best practice cyber-security procedures as they pertain to solicitors and barristers.
Following the implementation of GDPR last May, data - and the collection and retention thereof - has been elevated to a position of special importance for most practitioners, given that solicitors and barristers will undoubtedly be classified as 'data controllers' for the purposes of the regulation. Therefore, it is paramount that practitioners remain cognisant of their obligations under the GDPR.
The new Practice Note advises solicitors to draft a data retention policy and states:
The Practice Note then goes on to advise solicitors of the recommended periods of retention, as laid out in the Law Society's Guide to Good Professional Conduct for Solicitors (3rd Edition), which provides for the following:
'In order to protect the interests of clients who may be sued by third parties and also to protect the interests of a solicitor's firm which may be sued by former clients or by third parties, a solicitor should ensure that all files, documents and other records are retained for appropriate periods. Appropriate periods refer to the relevant statutory period for the issue of legal proceedings. The table below is intended to provide general guidance to solicitors in assessing appropriate periods for retention.'
All files must be retained for a minimum period of seven years, broken down as six years for the limitation period and one year for service of proceedings. Mandatory retention periods do, however, vary based on the subject matter of the action. Conveyancing files, for example, must be retained for 13 years following completion, and files pertaining to minors must be retained until the child reaches the age of majority.
All of this is subject to the proviso that no personal data ought to be retained for longer than is necessary, pursuant to the provisions of the GDPR. Once the period of mandatory retention has passed, all paper files should be shredded. The Law Society also recommends physically destroying hardware to ensure that electronic data has been safely disposed of.