ROC Case Study - Data breach

• Consider whether the information is personal data protected by legislation, or information that is confidential for some other reason (for example your terms of engagement with your client).
• Follow proper procedures to report the breach, including to clients and to regulators where necessary.
• Identify what you could do differently to reduce the risk of the same thing happening again.
• Destroy confidential information that is sent to you accidentally.

Rules 1, 3 and 5, and behaviours 1.9, 3.5 and 3.12 are relevant here.

Disclosing personal or confidential data about clients to a third party accidentally is a breach of your professional obligations and would therefore breach Rule 1, specifically behaviour 1.9.

However, how you respond to the error will determine whether this amounts to a serious breach, including the possibility that this might be a failure to act with integrity, or whether it is the type of breach that can be managed through corrective action within the firm. See commentary for how to respond correctly.

You should inform any clients whose data was included in the spreadsheet about the error. While this is likely to be an uncomfortable conversation, it is behaviour that we would expect under several of the Rules – acting with integrity under Rule 1; providing a diligent service under Rule 3; and taking responsibility under Rule 5. Clients may make formal complaints about the breach and these should be handled openly and properly through the firm’s complaint handling processes.

Firstly, unless you are a sole practitioner, you will need to let your firm know what has happened. If you report to a manager, you will need to tell them. Your firm may have a process for reporting data breaches to a data protection officer and you should follow any processes in place. If you do not have a documented process, or a data protection officer to take advice from, you may want to take advice from a lawyer. Your data protection regulator may also provide guidance about how to handle a personal data breach.

It is very important to contact the person the information has been sent to and ask them to delete it from their systems. Most professionals will do this, but confirmation of deletion does not stop the need to take further action.

You will also need to consider whether you need to report the breach to a data protection regulator. The requirements will vary between regulators and you should take advice or seek guidance about this. You may also need to report it to RICS if the breach involved a large amount of client data or involved particularly sensitive data, like a client’s bank details or sensitive personal data.

You should carefully review how the error occurred and what steps need to be taken to reduce the risk of this happening again – for example consider the ways in which you use technology or if you can improve any written procedures or data security systems to reduce the risk of this happening again. If the breach was caused by human error you might need to improve staff training. Showing that you have done this will be important to RICS or a data protection regulator if an investigation is necessary.

If you are the recipient of confidential information that was obviously not intended for you, professional integrity requires you to delete the confidential information as soon as possible, inform the sender of their error, and you should not use the information in any way. This may involve balancing two apparently competing expectations – that you will share material information with a client, and that you should act with integrity. However, whatever the benefits to your client, using information you have acquired improperly, even through no fault of your own, is likely to damage the expectations of trust that the public would have in a professional and may lead to legal proceedings. You should also consider whether it is necessary to disclose the issue to the data protection regulator.