For anyone who hasn’t come across DropBox, the strapline on their site is as good an introduction as any: “Your stuff, anywhere.”

In (slightly) more technical terms, DropBox is a cloud-based storage service which maintains a copy of one or more folders on your computer. The clever part is that it also ensures that the local copy (on pretty much any computer, tablet and phone you may have) and the copy on the DropBox server are automatically synchronised.

Personal use for cloud storage

I have used DropBox extensively for my personal documents for several years, increasingly so since I bought a Doxie Go scanner and started to use a paperless system for as much of my personal stuff as possible.

My personal use is pretty basic, using a folder structure to store various scanned documents in PDF for future reference. There are a couple of tips I would share though if you are using DropBox as part of a paperless system for scanned documents. Firstly, it is beneficial to use a scanner with decent OCR or a software package like PDFPen on the Mac which adds OCR data to PDFs as this allows you to do a full text search across all your scanned documents. I also use a utility called Hazel which picks out certain pieces of content from scanned documents (like an electricity bill account number) and files the scanned document in the appropriate folder automatically, saving a lot of time on the filing front.

Sharing and collaboration issues

Things get more interesting when you start to look at using DropBox in the course of legal practice.

The uses which clients make of DropBox tend to focus more on its sharing and collaboration functions. This means that you can securely share a folder of documents with other people working on a matter without having to email copies around and it also allows basic collaboration and version control (ie anyone can upload a new version of a document and DropBox maintains copies of the various previous versions).

I have written in the past about how I can’t square this with professional regulation and Data Protection Act obligations. However, the goalposts have moved somewhat: since February 2012, DropBox has been certified as compliant with the EU-US Safe Harbour Scheme, which means that transferring data outside of the EU by uploading it to the DropBox servers in the US should not, of itself, give rise to a breach of the 8th Data Protection Principle.

The 7th Data Protection Principle is still relevant, however, to the extent that DropBox acts as a data processor in respect of data.

The Data Protection Act requirements in this case include that you are able to check that security measures promised by the processor are being put into practice and also that there must be a written contract setting out what the processor can do with the data and requiring it to take the same security measures as you would have to if you were processing it yourself.

DropBox do have a comprehensive privacy policy as well as a detailed breakdown of the security measures which are in place to protect data and these seem robust; however, their terms do contain the usual purported exclusion of any liability arising from the use of the service which would appear to include data security breaches.

Your DropBox data is actually stored on Amazon’s S3 storage service, which means that it is encrypted at rest, but DropBox retain the encryption keys and could therefore access it. Indeed, DropBox’s privacy policy states that certain employees have this power for use when data is legally required to be disclosed.

It is possible to encrypt data yourself before uploading it, which would avoid this problem, but in the absence of this lawyers should be aware that US rules which allow forced disclosure of data could apply to information stored in your DropBox account.

It is also unlikely that you will be able to take any steps to evaluate whether DropBox are complying with their terms and conditions, so where does this leave you from a DPA perspective?

The Information Commissioner’s Office guidance note on cloud computing acknowledges this issue with public cloud services and suggests that audit by an approved third party may be sufficient. The ICO has indicated that it supports the use of privacy seals and launched a consultation last year with a view to considering these in more detail, but at this stage it isn’t clear whether the TrustE Privacy Seal (which DropBox is covered by) would carry any weight in terms of compliance with the 7th Data Protection Principle.

On balance, I still don’t think that I could recommend that a law firm proactively adopt DropBox for use with confidential client information, although in reality I suspect the security they have in place is over and above that which many law firms could boast for their own servers.

However, the debate doesn’t end here as the use of DropBox is starting to be driven more by clients who present it as their chosen tool for basic data rooms, document collaboration and information sharing. In that context the discussion is rather different as it may be difficult to tell the client that you don’t want to use it and would prefer to stick to exchanging information by email (which of course offers no guarantee of security anyway). Maybe the answer here is to ensure you have a compliant alternative in place which you can offer to use instead (there are plenty around although they are certainly not free).

The pressure from clients to use this type of service is only likely to increase and my personal view is that we will end up with a situation where third party audit and certification (like the TrustE seal) are seen as sufficient to satisfy the requirements of the Data Protection legislation. However, I’m not sure we are there yet and if you do intend to use DropBox for confidential personal data then it would still be advisable to make sure it is encrypted before uploading.
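The advice above (and earlier in the post) is to encrypt confidential documents yourself before they reach DropBox, so that the provider holds only ciphertext and never the key. The following is an added example, written for this page and not code from the original post or from DropBox, showing what that looks like with authenticated encryption (AES-256-GCM from Go's standard library). It assumes a randomly generated 256-bit key standing in for one you would in practice derive from a passphrase with a KDF or keep in the operating system keychain; the file name is bound as associated data so a sealed blob cannot be quietly swapped in under another document's name. Tampering with the stored blob, using the wrong file name, or using a different key all cause decryption to fail rather than return garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a fresh 256-bit key. This stands in for a key derived from a
// passphrase with a KDF or held in the OS keychain (assumption for this example);
// the essential property is that the key never leaves the user's own machine.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a document with AES-256-GCM and returns nonce || ciphertext || tag.
// The file name is authenticated as associated data (not encrypted), so the blob
// stored on the cloud side only opens under the name it was sealed with.
func Seal(key, plaintext []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per file
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Prepending the nonce to the output lets Unseal recover it.
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// Unseal reverses Seal. Any modification of the blob, a different file name, or a
// different key makes the GCM tag check fail and an error is returned.
func Unseal(key, blob []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(filename))
}

// RoundTrip seals a constructed sample document, checks it opens correctly, and
// checks that a one-bit change to the stored blob is rejected. Returns true if
// every check passes.
func RoundTrip() (bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	// Constructed sample content; not a real document.
	doc := []byte("Electricity bill, account PLACEHOLDER-0000, amount 42.00")
	blob, err := Seal(key, doc, "2012-03-electricity.pdf")
	if err != nil {
		return false, err
	}
	got, err := Unseal(key, blob, "2012-03-electricity.pdf")
	if err != nil || !bytes.Equal(got, doc) {
		return false, errors.New("round trip did not reproduce the document")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the stored blob
	if _, err := Unseal(key, tampered, "2012-03-electricity.pdf"); err == nil {
		return false, errors.New("tampered blob was accepted")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("all checks passed:", ok, "error:", err)
}
```

The sealed blob is what goes into the synchronised folder; the key stays with you, which is exactly what takes the provider (and anyone compelling disclosure from the provider) out of the position of being able to read the content.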

Jon Bloor is a partner in the corporate services team at Prettys in Ipswich and Chelmsford, specialising in business and share sales, management buy-outs and private equity investment. He has a particular interest in the digital and online sectors.
