Metadata: 5 Considerations For Professional Services Firms
Chris Kemp, Partner, Kemp IT Law
If you're looking for a definition of 'metadata', don't worry if you're finding it hard to pin down - it's a broad and reasonably fluid concept and, as with most technical terms, it depends who you ask and what field they're in. Most definitions will say that metadata is "data about data." But this is too vague to be practically useful. A linguist could say the title of this article is metadata, because it's data 'about' this article.
We're interested in a subset of metadata called 'application metadata'. This is data automatically saved within the document files (.docx, .pdf, .pptx, etc.) you use on a computer: date last modified, date last printed, author, 'last modified by', 'total editing time', etc. At a slightly higher level, it's the data that tells you who entered a margin comment in a Microsoft Office document and at what time, who struck out a paragraph showing in track changes and when, and so on.
Taken together, this metadata is a rich trove of information that can say as much about the document itself as the 'words on the page'. This makes metadata a risk. At best it can mean slight embarrassment - for instance if the timestamp in a Word Document comment reveals that a Partner was working on a contract at 4:14 AM. At worst the consequences can be much more severe.
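To make the fields listed above concrete, here is an added example (not part of the original article) that audits a .docx package for document properties, comment authors and tracked-change authors. The sample document, its names and its timestamps are constructed; the part names and property elements are those of the Office Open XML format.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, a hardened parser such as defusedxml is safer

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PROPS = {"creator", "lastModifiedBy", "lastPrinted", "modified", "TotalTime"}
WANTED = {"docProps/core.xml", "docProps/app.xml", "word/comments.xml", "word/document.xml"}

def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return name.rsplit("}", 1)[-1]

def audit_docx(data):
    """Collect the metadata a recipient could read from a .docx package."""
    found = {"properties": {}, "comments": [], "revisions": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: ET.fromstring(z.read(n)) for n in z.namelist() if n in WANTED}
    for name in ("docProps/core.xml", "docProps/app.xml"):
        for el in parts.get(name, ET.Element("none")).iter():
            if local(el.tag) in PROPS and el.text:
                found["properties"][local(el.tag)] = el.text
    scans = (("word/comments.xml", {"comment"}, "comments"),
             ("word/document.xml", {"ins", "del"}, "revisions"))
    for name, kinds, key in scans:
        for el in parts.get(name, ET.Element("none")).iter():
            if local(el.tag) in kinds:  # margin comments and tracked insertions/deletions
                who, when = el.get(f"{{{W}}}author"), el.get(f"{{{W}}}date")
                found[key].append((local(el.tag), who, when))
    return found

def build_sample():
    """Constructed sample: a minimal .docx-style package with made-up names."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">'
            '<dc:creator>A. Partner</dc:creator><cp:lastModifiedBy>B. Associate</cp:lastModifiedBy>'
            '<dcterms:modified>2022-01-30T04:14:00Z</dcterms:modified></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<TotalTime>312</TotalTime></Properties>')
    comments = (f'<w:comments xmlns:w="{W}">'
                '<w:comment w:id="0" w:author="A. Partner" w:date="2022-01-30T04:14:00Z"/></w:comments>')
    body = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
            '<w:del w:id="1" w:author="B. Associate" w:date="2022-01-29T18:02:00Z">'
            '<w:r><w:delText>cap</w:delText></w:r></w:del></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in zip(sorted(WANTED), (app, core, comments, body)):
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

A check like this can run on outgoing attachments so that a document with any non-empty finding is held back or cleaned before it leaves the firm.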
Here are five metadata considerations for professional services firms.
1. Metadata and negotiations - giving the game away
Staff in your transactional departments (e.g. M&A and Commercial lawyers) will be acutely aware of what metadata can say about their clients' negotiation positions. Details about who inserted or deleted a clause and when can speak volumes about your priorities. It is far better to strip out or standardise metadata, so instead of revealing individual contributions all amendments to a particular document read 'Firm Name X', or similar.
A similar point can be made about document passwords (another form of metadata). The following example will be all too familiar to Public M&A lawyers: in the frenetic days before the announcement of a public takeover, a system that reliably applies passwords to documents before they leave your Firm can mean the difference between an inadvertent leak of market-sensitive information at the last minute and guiding your client smoothly through a transaction process.
2. Metadata and confidentiality - a core consideration
It goes without saying that client confidentiality is at the heart of a professional services firm's relationships. Metadata's role is fairly obvious here: if you aren't careful about the metadata in your documents, you can inadvertently reveal confidential information, about both you and your clients.
Examples of inadvertent disclosures of confidential or sensitive information via metadata are not hard to come by. The 'classic' example here is the Blair government's dossier on WMDs in Iraq - the uncleansed metadata of which revealed the names of four people who prepared the document and led to further conclusions being drawn about the political objectives of the document.[1]
3. Metadata - regulatory implications
As well as going to the heart of the client relationship, confidentiality often applies to professional services firms as legal and regulatory obligations. Metadata is no exception here.
Law firms governed by the SRA Code of Conduct for Firms, for example, are reminded that "the duty to preserve confidentiality is unqualified, in that it is a duty to keep the information confidential, not merely to take all reasonable steps to do so."[2] The SRA advises Firms to have "sensible and pragmatic security arrangements to support you and your staff while you use IT systems".[3]
Factoring metadata into an infosec strategy can support your regulatory compliance position.
4. Metadata and GDPR - it's also personal data
GDPR (and increasingly privacy laws around the world) recognise metadata as a type of personal data. This brings metadata within scope of a complex web of privacy rules. For example, an accidental disclosure of metadata could constitute a personal data breach, triggering - in serious cases - reporting obligations to privacy regulators and affected individuals under GDPR.
More likely, it will just be an awkward faux pas: for instance, if your lawyers use a template Banking Facilities Agreement which shows as its author a Partner who has retired or, worse, a Partner from another Firm. It's preferable just to have a failsafe system which eliminates this risk altogether.
5. Metadata and systemic risk - the law of averages
A big firm could be churning out thousands of documents each day. Some staff will 'get' metadata - they'll know why it's important, and they'll know how to strip it out of their documents manually. Others won't. The ones that 'get' it won't remember 100% of the time; sometimes they'll forget because they're too busy. So, the law of averages suggests that something will go wrong at some point. As a parting shot, this systemic risk is better addressed at a systems level, rather than an individual level.
[1] BBC, "Tools reveal secret life of document" (accessed 30 January 2022), available at: http://news.bbc.co.uk/1/hi/technology/3037760.stm.
[2] SRA Guidance, "Confidentiality of client information" (accessed 29 January 2022), available at: https://www.sra.org.uk/solicitors/guidance/confidentiality-client-information.
[3] SRA Guidance, "Technology and legal services" (accessed 29 January 2022), available at: https://www.sra.org.uk/sra/research-report/technology-legal-services/.
About Kemp IT Law
Kemp IT Law has deep, relevant, sector-specific experience advising at the intersection of regulation, intellectual property and tech law. They understand how to meet the growing demand for enhanced tech law expertise and provide a top of class enhanced tech law service.
Kemp IT Law is widely recognised for its expertise in all aspects of tech law, and has won over 100 awards for legal expertise, innovation and business leadership.
©Copyright Kemp IT Law 2023.