SRA Paragraph 6.3 and Your Print Environment: The Client Confidentiality Risk Most Law Firms Have Not Assessed

Reading time: 11 minutes

An SRA inspector arrives at your firm with short notice, as is standard. They review a sample of open files. Somewhere on the second floor, a client matter document is sitting uncollected in the output tray of the shared printer. The duty under Paragraph 6.3 is absolute. There are no exceptions in the Code. The SRA does not need a cyber-attack or a data theft to find a breach. It needs an uncollected document and a device with no access controls.

What Paragraph 6.3 Requires and What It Does Not Excuse

Paragraph 6.3 of the SRA Code of Conduct for Solicitors, RELs and RFLs states: “You keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.” This duty exists as an obligation under both common law and data protection legislation and is one of the core professional principles set out in section 1(3)(e) of the Legal Services Act 2007. There are no exceptions to Paragraph 6.3 within the Code itself. Where a breach occurs and a justification exists, that justification may mitigate regulatory action, but it does not prevent the breach from being recorded and assessed.

The Code of Conduct for Firms imposes the parallel duty on the firm as an entity at Paragraph 8.6. This matters because it places the firm’s systems and infrastructure within scope, not just individual solicitors’ conduct. A printer with no access controls, producing uncollected client documents in an open environment accessible to colleagues, contractors and visitors, is a system that is not meeting the standard the Code requires.

The SRA’s own guidance on confidentiality is explicit that the obligation extends to physical as well as digital handling of client information. Compliance with Paragraphs 6.3 and 8.1 calls for controlled access to client information and a full audit trail of who accessed it. A standard output tray satisfies neither requirement.

Why the Print Environment Is a Gap Most Firms Have Not Assessed

Law firms in 2026 apply serious controls to their digital document infrastructure. Case management systems require authentication. Email is encrypted. Cloud storage carries access permissions. Client portals are protected. Firms have invested substantially in these controls because the digital risk is visible, understood and regularly in the regulatory conversation.

The physical print environment has received none of the same scrutiny. The same firm that requires a fee earner to authenticate twice before accessing a client file on the case management system sends a draft contract to a shared printer in an open corridor and considers the matter handled. The document is now in an output tray accessible to any colleague, contractor, maintenance engineer or visiting client who walks past. There is no authentication required to collect it. There is no audit trail of whether anyone did.

This inconsistency is not unusual. It is, in fact, the norm. Most law firm information security policies address digital systems comprehensively and printed documents partially or not at all. The print device exists in a category of infrastructure that compliance reviews have historically not reached, which is precisely why it remains one of the most consistently overlooked Paragraph 6.3 risks in the sector.

The SRA does not distinguish between a digital data breach and a physical one. An uncollected client document in an unsecured output tray is a potential Paragraph 6.3 breach regardless of how the document arrived there.

Four Print Scenarios That Create a Direct Paragraph 6.3 Risk

These situations are not hypothetical. They are the everyday moments at which print-related confidentiality breaches occur in law firm environments, often without anyone recognising them as regulatory events until it is too late.

The Privileged Advice Note Collected by the Wrong Colleague

A solicitor sends a privileged advice note to the shared office printer and collects it twenty minutes later. In the intervening period, a colleague from a different department picks it up, reads the matter name and client reference, and replaces it. The client’s affairs have been disclosed to a person with no authority to access them and no knowledge of the matter. Paragraph 6.3 has been breached. The COLP must record it and assess whether it requires reporting. The fact that the disclosure was brief and unintentional does not alter the analysis.

The Draft Contract Left Overnight on a Networked Device

A fee earner sends a draft commercial contract to the nearest networked printer at half past five before leaving for the evening. The document remains in the output tray through the night and into the following morning. Facilities staff, cleaning contractors and early-arriving colleagues from unrelated departments pass the device. By the time the fee earner collects it, the document has been physically accessible (and potentially viewed) by an unknown number of people. The firm cannot demonstrate that the client’s information was protected because no control was in place to achieve that protection.

The Completion File Collected by the Wrong Member of Support Staff

A conveyancing solicitor prints a full completion file (title documents, financial statements, client identity copies and mortgage paperwork) and leaves it at the shared printer while taking a call from the lender. A member of support staff collects it thinking it belongs to a different matter they are working on. The documents contain personal financial data, identity information and property details relating to a client. This is simultaneously a Paragraph 6.3 breach and a UK GDPR personal data breach requiring assessment against the 72-hour ICO reporting threshold. Both obligations are triggered by the same uncollected document.

The Legacy Device Retaining Queued Print Jobs

An older networked MFD in the firm’s back office retains queued print jobs in its local memory after the print session ends. A technician carrying out routine maintenance on the device accesses the administration interface and the stored job history, including matter names, document types and originating user details, is visible. The client information held in those queued jobs has been accessed by a person with no client relationship and no authorisation. Devices that store print jobs locally without automatic purging after completion are a specific Paragraph 6.3 risk that most firms have not assessed because they have never been prompted to look for it.

What the SRA’s 2026 Inspection Regime Means for Your Practice

The regulatory context makes this more than a theoretical compliance consideration. The SRA’s Anti-Money Laundering Annual Report 2024–25 confirmed 935 proactive regulatory engagements in that period (almost double the previous year) with 833 firms undergoing an on-site inspection or desk-based review. The direction of travel is unmistakeable.

SRA inspections can arrive with short notice and cover a sample of open and closed files. During an on-site review, the conditions under which client files are accessible in the working environment (including at the print device) are part of what the inspector is assessing. A print environment with no access controls and no audit trail would not, on examination, demonstrate the effective information governance that the Code of Conduct for Firms requires at Paragraph 8.6.

The enforcement data reinforces this. In 2024–25, the SRA intervened in 47 practices where IT security failures were identified as a primary or contributing factor. Critically, the SRA’s published guidance makes clear that firm size provides no exemption: small practices face the same regulatory expectations as large ones. “We don’t have the budget” is not a position the SRA accepts.

The SRA expects firms to demonstrate a prevent, detect and respond approach to data security across their entire information handling environment. An unmanaged print setup fails all three tests. Prevention: no authentication at the device. Detection: no audit trail of what was printed or collected. Response: no mechanism to know that a breach has occurred unless someone reports it voluntarily.

Four Steps to Close the Print Security Gap

None of these steps require significant technical resource to initiate. The first two can be carried out immediately by the COLP or practice manager. The third and fourth are addressed as standard within a managed print service.

1.  Assess your current print environment against the Paragraph 6.3 framework

Map every device in the firm. For each one, ask who has physical access to the output tray, whether the device retains queued print jobs in local memory, whether any authentication is currently required to collect a document, and whether any audit trail exists of what has been printed and by whom. Most firms find this exercise surfaces devices and access gaps their information security policy has never reached.

2.  Review your information security policy for physical document controls

Most law firm information security policies address digital systems in detail and physical documents briefly or not at all. Check whether your policy explicitly covers print output: who may collect documents from shared devices, what happens to uncollected output, how documents containing client information are disposed of and who is responsible for ensuring compliance. A policy that does not reach the printer tray has a Paragraph 6.3 gap.

3.  Implement secure print release on all devices handling client matter documents

Secure print release holds documents in a secure queue until the authorised user authenticates at the device using a PIN, staff ID card or app. Documents only print when the right person is standing at the machine. This closes the uncollected document risk, creates an auditable record of print activity by user and matter type, and is the single most effective technical control available for print-related Paragraph 6.3 compliance. It is included as standard within a managed print service and requires no change to how fee earners submit documents to print.

4.  Ensure devices do not retain queued jobs in local memory

Confirm whether your current devices purge queued print jobs automatically after completion or after a defined period. Where they do not, configure them to do so or flag the device for priority replacement. This is a straightforward technical fix that the majority of firms have not carried out because the risk has never been included in their compliance review scope. It should be.
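Once steps 3 and 4 are in place, the device produces the audit trail that steps 1 and 2 found missing, and the COLP can actually review it. The script below is an added illustration, not code from this article or from Shine Business Solutions: it reads a constructed secure print release log (the line format, device names and user names are assumed) and flags the three things a confidentiality review would want surfaced: jobs purged without ever being collected, jobs released by someone other than the person who submitted them, and jobs still held past an acceptable limit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log from a secure print release queue (illustrative,
# not real data). One line per event: timestamp, device, job id, event, acting user.
SAMPLE_LOG = """\
2026-02-03T17:31:04 MFD-2F job=1041 event=submitted user=asmith
2026-02-03T17:33:10 MFD-2F job=1041 event=released user=asmith
2026-02-03T17:35:52 MFD-2F job=1042 event=submitted user=bjones
2026-02-04T08:02:11 MFD-2F job=1042 event=purged user=system
2026-02-03T17:40:00 MFD-BO job=1043 event=submitted user=cwhite
2026-02-03T17:41:30 MFD-BO job=1043 event=released user=dgreen
2026-02-03T17:45:00 MFD-2F job=1044 event=submitted user=asmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) job=(?P<job>\d+) event=(?P<event>\w+) user=(?P<user>\S+)$"
)

def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def review_jobs(events, now, hold_limit=timedelta(hours=1)):
    """Group events per job and flag the conditions that need recording in the breach log."""
    jobs = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        jobs.setdefault(e["job"], []).append(e)
    findings = {"purged_uncollected": [], "released_by_other": [], "held_too_long": []}
    for job, evs in jobs.items():
        submitted = next((e for e in evs if e["event"] == "submitted"), None)
        if submitted is None:
            continue  # no submission record: nothing to attribute the job to
        outcome = next((e for e in evs if e["event"] in ("released", "purged")), None)
        if outcome is None:
            if now - submitted["ts"] > hold_limit:
                findings["held_too_long"].append(job)  # still sitting in the queue
        elif outcome["event"] == "purged":
            findings["purged_uncollected"].append(job)  # never collected, auto-deleted
        elif outcome["user"] != submitted["user"]:
            findings["released_by_other"].append(job)  # collected by someone else
    return findings

def review_sample():
    """Run the review over the constructed log as of the morning after submission."""
    return review_jobs(parse_log(SAMPLE_LOG), now=datetime(2026, 2, 4, 9, 0, 0))

if __name__ == "__main__":
    print(review_sample())
```

A job released by a different user is not necessarily a breach (delegated collection may be legitimate), but the record exists to be checked, which is exactly what an open output tray cannot offer.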

A free law firm print audit from Shine Business Solutions includes a specific assessment of your current print environment against information security requirements, identifying where access controls are absent, where audit trails do not exist and where your current setup is creating a compliance gap. No commitment required, no commercial conversation until you are ready to have one.

Frequently Asked Questions

Does Paragraph 6.3 apply to printed documents as well as digital records?

Yes. The duty of confidentiality under Paragraph 6.3 applies to client information in any format. A printed document containing client matter information is subject to the same confidentiality obligation as a digital file. Leaving it accessible to an unauthorised person, whether through an uncollected output tray, an unattended desk or a device visible to third parties, constitutes a potential breach of the duty regardless of whether any disclosure was deliberate.

Does the SRA assess physical document handling during inspections?

SRA on-site inspections review a sample of files and assess the firm’s systems and controls for protecting client information. The Code of Conduct for Firms at Paragraph 8.6 requires effective governance structures and systems across the firm’s information handling environment. Physical document handling (including the controls applied at print devices) falls within the scope of those systems. A firm that cannot demonstrate effective controls at the point of printing is carrying a compliance gap that an inspection could identify.

What is secure print release and is it disruptive to implement in a law firm?

Secure print release holds a print job in a secure queue until the fee earner or member of staff authenticates at the device using a PIN, staff ID card or app. The document only prints when the right person is present. For the individual user, the experience is unchanged: they submit the job from their workstation and collect it at the device. The difference is that nothing prints until they arrive. Implementation is handled by the managed print provider and requires no change to existing workflows or case management system configuration.

Is an uncollected client document automatically a Paragraph 6.3 breach?

A document that remained uncollected but was demonstrably not accessed by any unauthorised person may not constitute a breach in itself. However, the absence of controls to prevent access means the firm cannot demonstrate that no unauthorised access occurred. The inability to evidence appropriate controls is itself a compliance concern the SRA would note during a review. In practice, the standard the Code requires is one under which the risk of unauthorised access is actively controlled, not one where the firm hopes for the best.

Does a print-related confidentiality breach need to be reported to the ICO as well as recorded internally?

If the breach involves personal data (which most client matter documents will), it must be assessed against the UK GDPR reporting threshold. Breaches posing a risk to the rights and freedoms of the individuals affected must be reported to the ICO within 72 hours of the firm becoming aware. A breach involving sensitive financial information, identity documents or legally privileged material relating to an individual is likely to meet that threshold. All breaches, reportable or not, must be recorded in the firm’s breach log.