Safeguarding and managing data
Standard 4.3 of The Architects Code: Standards of Professional Conduct and Practice (the Code) provides guidance for architects on the safeguarding of sensitive client information. Under the Code architects are required to ensure that adequate security is in place to safeguard both paper and electronic records for clients, taking into account data protection legislation.

Although this has been a long-standing provision of the Code, we appreciate that changes in working practices and developments in technology have changed the way in which professionals manage their responsibilities. For example, a recent hearing of the Professional Conduct Committee (PCC) centred on the architect’s use of personal, cloud-based storage devices. The legislation in relation to data protection also changed earlier this year with the introduction of the General Data Protection Regulation (GDPR), something we provided guidance on in our Dear Architect article in May.

We know that portable technology and online solutions are a convenient way of accessing working and personal documents remotely and across different locations and devices. This does, however, raise questions as to how you can ensure data used in this manner is protected, both in terms of data security and to ensure compliance with practice policies around information management.

For example, is it permissible to keep copies of project documentation if this helps increase efficiency for the client? Is it okay to use past project documentation for personal, professional portfolios or to maintain precedents to enable good quality work for future clients? And is it permissible to make copies of more general administrative documentation such as practice templates and policy documents? In answer to these questions, the first and most crucial consideration is data protection.

Those who are self-employed or employ staff should ensure there are adequate guidance and policies in place which make clear to all concerned their responsibilities for safeguarding client data. You should also ensure you and your staff receive adequate training in data protection and ensure that sensitive information is encrypted, password protected and/or restricted as appropriate. Remember that you are ultimately responsible for the data you hold. Employers may also want to go a step further and think about policies around the copying and use of general practice documentation to ensure your staff know exactly what is and is not allowed.

Our advice to employees is to ensure you familiarise yourself with data security and data management processes and procedures at your practice. If you are unsure whether you are permitted to use personal storage systems, or whether you may access or copy information then you should check with your employer before doing so. Remember that what is permitted at one practice may differ elsewhere.
We hope this information is useful but feel free to contact us by email or by phone for further advice and we’ll be happy to help (professionalstandards@arb.org.uk / 020 7580 5861).