From the beginning of this month, October 2025, those holding & wishing to hold a Criminal Legal Aid contract MUST:

a) register with the ICO as a Data Controller
b) Appoint a Data Protection Supervisor or Data Protection Officer
c) Have in place compliant policies (see listed below)
d) Train all staff on Data Protection obligations and information risk awareness - initially now, any new staff as they join and an ANNUAL training plan to maintain the level of staff awareness of obligations with policies and procedures.
e) Review at least annually all data protection and information security policies
f) Conduct Data Protection Impact Assessments where appropriate of any new system or projects
g) Conduct staff screening to ensure reliability
h) Maintain Access Records - who has access to personal data with audit trails
i) Maintain Adequate Physical Security to premises housing personal data
j) Implement Controlled Disposal of Records
k) Have Cyber Essentials accreditation

Policies & Plans the LAA state that you MUST now have:

• Business Continuity Plan
• Disaster Recovery Plan
• Incident Management Policy
• Information Risk Management
• Data Protection compliance
• IT Security, including an acceptable use policy
• Compliance with the Government Security Classification System
• Remote/Home Working Policy detailing security arrangements/procedures (where such working is permitted by the Contract).

We have only listed above those items which are Mandatory. There are other recommendations which you can read in the full document. Here is a link to it: https://hunningsconsultancy.co.uk/wp-content/uploads/2025/10/Provider_Data_Security_Requirements_v5_October_2025.pdf

You know that your LAA Contract Manager will check for this in their audit.

Why are they doing this?

The LAA is, very belatedly, getting itself into line to be compliant with the Data Protection Legislation (click here for training on this legislation: https://hunningsconsultancy.co.uk/hcl-launches-cpd-training-courses-data-protection-compliance/). The LAA is Data Controller. Legal Aid firms are Data Providers and also Data Controllers under the UK GDPR. As such the LAA wants to make sure that firms doing Criminal Legal Aid work have taken every reasonable and appropriate measure to maintain the security of the data you will be processing on its behalf or shall be processing in common with the LAA. Notice that this rationale will logically extend to any firm doing Legal Aid work, so, inlcuding Civil Legal Aid. We believe that the LAA has focused on Criminal Legal Aid purely because of the new contract that started in October 2025. We believe that all other areas of Legal Aid will follow. The legislation and all other factors are the same.

How we can help you be compliant?

• Help you get Cyber Essentials accreditation through one of our trusted partners
• A review of your current measures
• Training - 121 + on-line training courses
• Drafting of policies and procedures
• Carry out an annual review
• Acting as your part-time external Data Protection Officer (DPO)

Contact Us

Fill in the form on the web page or [email protected]