Law firm Slater and Gordon fined £80,000 for Quindell client information disclosure

The Australian law firm Slater and Gordon’s ill-fated £637 million acquisition of the professional services division of the British insurance outsourcer Quindell plc in 2015 has attracted a great deal of negative attention over the past few years.

Soon after the purchase, the Financial Conduct Authority and the Serious Fraud Office opened investigations into Quindell’s historic accounting practices, prompted by PwC’s identification of behaviour that was “at the aggressive end of acceptable practice”.

Slater and Gordon’s share price plummeted as a result, losing 90% of its value in the eight months following the acquisition.

Its UK subsidiary then served a claim for breach of warranty and/or fraudulent misrepresentation against Watchstone Group plc (as Quindell is now known) in June 2017. Watchstone denied any wrongdoing.

Unredacted confidential information breached

Now, the SRA (Solicitors Regulation Authority) has announced that, in March, it fined two branches of Slater and Gordon a record £40,000 each and ordered them to pay £26,000 in costs for breaching its principles during the takeover:

  • Slater Gordon Solutions Legal Limited (then known as Quindell Legal Services Limited) was fined £40,000 for “disclosing un-redacted confidential information and documents from 7,087 client matter files to other firms, without the knowledge or consent of the relevant clients”, thereby breaching Principles 4 and 6 of the SRA Principles 2011 and failing to achieve Outcome 4.1 of the SRA Code of Conduct 2011.
  • Slater and Gordon (UK) LLP was fined £40,000 for “inspecting un-redacted confidential information and documents from 7,087 client matter files of another firm, Quindell Legal Services Limited, without the knowledge or consent of the relevant clients”, and for “disclosing un-redacted confidential information and documents from a selection of Quindell Legal Services Limited client matter files to two other firms without the knowledge or consent of the relevant clients”, thereby breaching Principles 3 and 6 of the SRA Principles 2011.

Worse fines if the GDPR had been in effect

Although these fines are merely the latest items on an ongoing list of bad news for the company, Slater and Gordon is at least fortunate that the GDPR (General Data Protection Regulation) was not in effect at the time.

The GDPR – successor to the various European personal data protection laws that enacted the DPD 1995 (the EU Data Protection Directive) – came into effect in May 2018, bringing with it stringent new obligations for data controllers and processors.

The Regulation defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (my italics).

The new law is backed by a regime of administrative fines of up to €20 million (approximately £17.5 million) or 4% of annual global turnover (whichever is greater), and grants data subjects the right to an effective judicial remedy against data controllers and processors if they consider that their rights have been infringed by processing that does not comply with the Regulation.

Help complying with the GDPR

IT Governance is at the forefront of helping organisations address the challenges of GDPR compliance. Our experts can help your firm with a variety of best-practice GDPR solutions, from evaluating your current state of compliance and developing a remediation roadmap, through to implementing a best-fit privacy compliance framework.

We have a wide range of comprehensive solutions, services and expertise to help you meet your GDPR compliance objectives, including training courses, books, compliance toolkits and software, staff awareness training and consultancy services. Visit our professional services sector web pages for further details.

Simply complete an enquiry form to contact our experts or call our team on +44 (0)333 800 7000 to discuss your firm’s GDPR requirements.

Leave a Reply

Your email address will not be published. Required fields are marked *