Global information governance considerations for law firms task force report


Privacy and data protection regulations differ widely by country. This report from Iron Mountain provides guidance and points to consider for law firms as they develop a global IG strategy.

August 14, 201512 mins
Iron Mountain logo with blue mountains

The exponential growth of electronically stored information (ESI) creates opportunities, challenges and threats for businesses and individuals throughout the world. Many businesses mine this ESI for business intelligence and business development purposes, seeking to segment, target and contact potential customers. Criminals seek to steal that same data for unauthorized and often illegal reasons. In response, governments across the globe have adopted regulations and laws that specifically govern the use and storage of data. The lack of uniformity across these laws, as well as opportunities for conflict, amplify the management challenges faced by law firms and numerous other organizations.

Firms must address the challenges associated with data management for regulation compliance in relation not only to information regarding the operation of their business (accounting, employment, etc.), but also information received and created on behalf of clients in the course of providing legal services. While firms with office locations in more than one country are clearly impacted by these global issues, so too are firms with clients residing in, or doing business with customers in multiple countries. Further, due to the globalization of business through electronic commerce (or e-commerce), it is imperative for firms to pay particular attention to rules and regulations around data protection and incorporate a global data management strategy.

Information governance (IG) has been defined as an enterprise-wide approach to the management and protection of a law firm’s client and business information assets. This report will discuss how global perspectives toward fundamental issues, such as the right to privacy and data protection, shape IG requirements and the resulting implications to firms. Several key IG areas, components of the Law Firm Information Governance Framework, are highlighted within the report:

  • Cross-border collaboration
  • Information retention
  • Privacy and data security
  • System configuration and data storage
  • Information and device mobility

Given the number of countries participating in today’s global economy, a country-by-country analysis of regulations for each of these areas is beyond the scope of this report. Rather, it provides law firm managers, administrators, records and technology professionals, and others with an awareness of the IG factors that must be considered when conducting business globally.

Considering that regulations among countries are not only inconsistent, but often in conflict, there is not a single best practice to be applied in all situations. Additionally, in many instances a country’s final position on these issues continues to evolve in the courts as well as other international tribunals and legislative bodies. This uncertainty and inconsistency makes one size fits all solutions impossible and requires firms to make decisions based on both their specific circumstances and tolerance for risk. More detailed information on specific countries can be found through the resources listed in the bibliography.

Cross-border collaboration

Implementing and sustaining even the most basic IG program can be challenging. Cross-border collaboration introduces additional complexities on many levels as every aspect of IG becomes more complicated when firms, or their clients, operate in more than one country. Legal, compliance, cultural and other considerations create IG issues that must be considered.

Laws, regulations and ethics rules

Just as the ABA Model Rules and individual state bar rules provide guidance on questions related to IG in the US, most other countries have similar regulations and/or ethics codes to which firms must adhere.

In the European Union (EU), The Council of Bars and Law Societies of Europe (CCBE), the Code of Conduct for European Lawyers, and the Charter of Core Principles of the European Legal Profession all apply in addition to individual country requirements. These are core principles common to the entire European legal profession.

Those relating specifically to information governance and client file management are:

  • The independence of the lawyer and the freedom of the lawyer to pursue the clients’ case (matter mobility implications).
  • The obligation to avoid conflicts of interests.
  • The right and duty of the lawyer to keep clients’ matters confidential and to respect professional secrecy. In some jurisdictions the act of providing a client’s address to third parties without their consent can be a violation of the client’s rights.

Professional rules often differ across countries and firm administrators have a duty to inform themselves as to how these rules impact IG-related policy and decisions. Additionally, strategies for dealing with different requirements must be considered when attorneys from different jurisdictions work on the same matter. For example, due to data transfer restrictions it might be necessary for lawyers in an EU office to maintain a separate electronic file from a counterpart in the US for the same matter. Similarly, professional rules requirements may create the need for separate files for retention purposes. German laws place a much higher liability on the lawyer as an individual in malpractice cases. As a result, lawyers in Germany are much more reluctant to agree to retention disposition authorities that do not account for these concerns and do not add supplemental periods to the firm’s retention schedule for the ‘what if’ and ‘just in case’ scenarios.

Matter mobility is another area impacted by local rules and regulations. While the US generally has rules that prohibit the release of client information (whether work product, client data, etc.) to third parties without client consent, other jurisdictions may not agree. Work product may be considered the property of the lawyer and failure to promptly release anything the lawyer authored may in fact be a reportable offense that can be escalated to the appropriate Law Society. In some countries, such as Ireland, the file does not belong to the client until the fees have been paid. Complicating matters, when an EU lawyer who has worked on cross-border matters leaves a firm and seeks to transfer a file, a determination must be made as to whether they are entitled to only information within their jurisdiction or in all jurisdictions in which the data resides, which may depend in part on the laws of the relevant jurisdictions. Other factors to consider during a client file transfer include:

  • Whether the firm is permitted to make and retain copies of the files post-transfer, and if so, who bears the cost of making files?
  • Determining what files can/should be transferred and which are not considered part of the client file and thus retained. In some jurisdictions, lawyer notes do not need to be released.
  • Whether or not the client has been charged for the creation of documents/information. As such, payment may be a determining factor as to whether the firm may withhold release.
  • Whether it is appropriate and/or ethical to charge the client for the cost of the transfer of files.
  • Whether the release of files can be withheld as collateral pending the receipt of monies owed/accounts payable.

Clearly, lawyers and firm IG professionals must familiarize themselves with the appropriate ethics rules and regulations when operating outside of the US. References to ethics rules for a number of countries can be found in the professional ethics section of the bibliography.


There are multiple governing legal codes and regulatory authorities in the international community. Compliance impacts not only information governance decisions, but can also create roles within a law firm. To illustrate further, this section will focus on compliance roles that are now required as part of rules set forth by the Solicitor Regulatory Authority (SRA) of the Law Society of England and Wales.

The SRA Handbook outlines principles and service lines that address conduct, financial and fiduciary responsibilities, disciplinary and cost recovery actions, client protection and other areas. All firms practicing under the authority of the SRA have obligatory and relevant IG dependencies.

Two roles have been created under the SRA rules that mandate firm compliance. The roles of Compliance Officers for Legal Practice (COLPs) and for Finance and Administration (COFAs) are an integral part of the SRA’s objectives to achieve outcomes-focused regulation and that firms will take responsibility for managing risks in their delivery of legal services. The COLP and COFA should be champions of risk management and compliance within a firm, and will have responsibility for the firm’s systems and controls. They are responsible for ensuring processes are in place to enable the firm, its managers and employees to comply with SRA Handbook requirements.

Individuals holding the role of COLP or COFA are not solely responsible for compliance with SRA Handbook requirements. Ultimately compliance is the responsibility of the firm and its leaders. However, the COLP and COFA have a key role in ensuring that suitable systems and controls are in place for recording breaches, and in reporting material breaches to the SRA. In this capacity, a regular and interactive dialogue must be maintained with the firm’s practitioners supporting the IG program.

Audits, official inquiries and annual reporting on the firm’s financial activities and other business practices are mandated in the SRA Handbook. As such, the firm’s records will be subject to review and used to support the firm’s position and potentially produced as exhibits to verify the submitted information. These records must be authenticated as valid and true. Audit logs, data protection measures, default deny settings to verify privacy and permission settings may be called upon for demonstration to verify and authenticate relevant information. The COLP and COFA roles will be dependent on a firm’s IG support arm for this information verification.