Can apps or services relieve the burden of bundling?

tl;dr: Not without some pain, and considerable cost if you’re a solo practitioner. But we have a winner. Albeit at the cost of breaking a fundamental rule of British journalism.*

It turns out my blog on nested emails struck a chord. Several cries of pain rang out. Clearly it isn’t just me for whom this is a needless annoyance.

Fortunately, there are a number of web services and apps which take the misery out of bundling. Surely they’ll step in and sort it?

Well… yes. Some of them. But at considerable cost. And with a lot of bells and whistles that I just don’t need.

The ask

I admit it; my requirements are idiosyncratic. So I may not be the target market. But honestly I’m not convinced I’m so far out of the bulls-eye, particularly among the growing number of barristers who are comfortably digital-first, that there isn’t a viable customer base for what I’m after.

Put simply: I don’t want mark-up. I don’t want the ability to add comments, highlights or otherwise mess about with the text. PDF Expert (for me – I recognise Adobe Pro will suit others) is a far better precision tool for that, particularly since it means I can move smoothly from iPad to laptop in native apps without fuss or bother.

So stripped down to the bare essentials, all I want to do is bundle. And in doing so, the app/service/whatever needs to be better at merging PDFs, moving stuff around, adding page numbers or creating hyperlinks than PDF Expert already is. (It’s great at the first three, and not bad at the fourth.)

So in short, I want something that does the following, with minimal fuss:

  1. Sucks in a variety of filetypes. Including, blast them, nested emails.
  2. Puts them together into a single PDF, allowing me to reorder and retitle.
  3. Creates an index page, with each entry linked to the first page of the document it represents, whose format I can define.
  4. Also creates a table of contents (in PDF Expert terms, Outlines), again in the format of my choosing.
  5. Adds page numbers – and yet again allows me to choose how they’re formatted, since different courts have different preferences.
  6. Exports as a PDF with a reasonable file size.

(If it OCRs the lot of it as well, with a file size that’s not stupidly big, then so much the better.)

And that’s it. This really is table stakes. None of these five things (with the exception of number 1) is anything more than what the courts near-universally now require.

The options

There are probably loads. But a quick canvass of colleagues, and a moderate amount of DuckDuckGoing (yeah, I refuse to use “to Google” as a generic verb) brought me to three options: Casedo, Bundledocs and Hyperlaw.

(There were a couple of others; but they were PC-only. So no.)

I tried Casedo first, and was pleased to find it a native app rather than a web service. From a security perspective, I rather like keeping everything in file locations I can control. It’s very good value – about £12.50 a month. And it sucks in documents quickly, and makes organising them a breeze. Its interface is designed with care, and works well.

But… but, but, but. Its limitations are pretty huge. It only takes PDF and Word documents, so no Excel, PowerPoint or even emails without converting them first (and certainly no nested emails). Its OCR takes (I kid you not) 30 seconds a page, and often far longer. Its index page is pretty inflexible. And its page numbering seems only to allow a couple of formats, neither of which comply with the requirements of some of the courts and tribunals before which I appear. (And I’m always sceptical about apps which make my laptop fan scream. It’s not the fastest machine in the world, but it isn’t a slouch.)

So no. I wanted to like it, but no.

On to Bundledocs. Lots of law firms use it. Again, its intake worked well. Its index pages were well-thought-through, and at least to some extent customisable. Its page numbers likewise, although the settings to do so were like some ghastly throwback to Windows Vista. I didn’t get a chance to test its nested email-handling, since that didn’t seem to work on the demo version I was using.

But I loathed the interface. Clunky, clumsy and a poor use of a webservice. Worst of all: they wanted £48 a month. After advertising that your prices start at £15 a month, to slap a sole practitioner like that is just a joke. It’s clear that Bundledocs isn’t interested in us independent barristers. So I’m not interested in them.

Lastly, Hyperlaw, which comes out at £300 a year (£25 a month). I tried it out as part of a chambers-wide trial earlier this year, and wasn’t impressed. I liked its nested-email handling (and other intake), but spent too much time on its markup functions, which I didn’t like at all and which were near-useless for someone who spends a lot of time on an iPad.

So I’ve now given it a do-over, with a focus solely on bundling.

And… it’s pretty good. It sucks in nested emails quite happily, a big win. It appears to OCR stuff reasonably effectively. And it churns out usable bundles with a good deal of customisation of page numbers and tabbing.

I’m not entirely dancing for joy. Its interface, again, is horrible. Wholly unintuitive. It took me forever, even with the manual, to work out how to ensure documents were sorted in date order. Although it does a great job of detecting dates in documents, nine times out of ten it selects the wrong one, requiring one manually to tell it, for each document, which of several dates it’s extracted it should use. Overall, this is an awfully long way from being a pleasure to use.

But it pulled in a whole bunch of documents, of varying types. It OCRed them. It enabled them to be split, ordered and bundled. It created (again, with a certain amount of fiddling) a workable hyperlinked contents page. (Although please, Hyperlaw – if you’ll allow me to use Bates page numbering, as a number of courts require, could you put that on the index as well? Thanks.) And I should be able to design a standard template into which to squirt documents, so that bundles come out as I want them to look.

The outcome

People, we have a winner.

Of course I don’t have my ideal scenario. I’d infinitely prefer something native, rather than a web service. And huge chunks of Hyperlaw are essentially useless to me, and it hurts to be paying for something I have no intention of using.

But is avoiding bundling pain worth £300 a year to me? I think it may be. I haven’t signed up yet. But I’m certainly well on the way to doing so.

That said, I’m sure I’ve missed options. Do tell. I’d like to make sure I’m doing the right thing. Let me know.

(*Footnote to the headline: It’s an old adage in British journalism that if a piece has a headline posing a yes-no question, the answer is almost always “no”. Mostly because if it wasn’t, and the piece was on solid ground, there wouldn’t have been any need to put in the question mark in the first place. It’s a bit like headlines with quote marks in – they mostly mean “we haven’t actually stood up this quote, and it might well be bollocks. But it’s a great top line, and we just want the clicks.” Sorry to have broken the rules there.)

Unlawful? Or – far worse – dangerous?

Test and trace relies on trust. Undermine it, and people’s lives are at risk. If the Times is to be believed, companies gathering customers’ data on behalf of restaurants and bars are doing just that.

If there’s one thing that the nations which have succeeded in containing Covid have in common, it’s that a robust, successful and trusted test/trace/isolate system.

Technical skill and fearsome logistics are critical, of course. But trust is the key. If citizens don’t trust the system, they won’t comply with it – or won’t even participate to start with. And then we’re stuffed.

Which is why today’s Times story (paywalled) is so disturbing. It alleges that companies which run services gathering details of customers for restaurants, bars and pubs via QR codes are holding onto the customer data and selling it on. If that’s the case, the companies (and the outlets they’re hired by) are not only acting in a way that’s potentially unlawful. What’s in some ways worse is that they’re undermining the trust without which a test-and-trace system is useless. And that puts us all in genuine danger.


Of course, I don’t know if the story is true. I haven’t seen the T&Cs that allegedly customers are being asked to sign up to. And I don’t know how transparent the process is.

But let’s work on the hypothesis that the story is essentially true, but also that there’s at least a nod to data protection rights by the companies concerned. Let’s therefore assume the following:

  1. Customers snap a QR code;
  2. They’re taken to a web page on their device which asks for their personal details;
  3. there’s either a privacy policy on the page, or a link to one;
  4. customers are asked to consent to the policy as they provide their personal details.

Note that it isn’t clear whether consent to the policy is a condition of providing details through this service (and thus a refusal means they can’t come in), or whether the system allows customers to provide their details (and thus permits entry) even if they refuse to consent to the privacy policy.

For the purposes of this analysis, I’m going to assume it’s the latter. (Consider this a form of steel-manning.) I’m also going to ignore the distinction between data controllers and processors. Without seeing the contractual arrangements between (say) pub and QR firm, I don’t for certain know who’s in which box. For this purpose, though, it doesn’t really matter. Both roles need a lawful basis on which to process customers’ personal data, and that’s the focus of this analysis.

Is it lawful?

Let’s start with the easy bit. Collecting customers’ personal data for the purposes of supporting NHS Test and Trace is not only lawful. For restaurants and so on (I’m going to just say “restaurants” from now on), it’s been obligatory since 18 September under the Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020. Of course, these regulations also require the NHS QR code to be displayed as the primary option – so it’s hard to see why anyone would snap a private sector code instead of that one. (Despite justified earlier concerns, the current NHS app is in fact pretty privacy-friendly, working as it does – at long last! – on the Apple/Google keep-it-on-the-phone basis instead of the abortive, and thoroughly arrogant and foolish, previous centralised approach.)

But if someone doesn’t want to use the NHS App, the restaurant is still obliged to collect the data another way. Whether through a QR code, or otherwise. And till 18 September, restaurants were doing so because they were asked to, although it wasn’t a legal requirement.

Which is where the data collection firms stepped in. Paper forms are a pain. Unless you pre-book everyone (in which case you’re collecting the data in any case) far better to allow the walk-in customer to snap a QR code, fill in a few details and bingo! All done. With the bonus that your own staff aren’t harassing and annoying your customers, to their detriment and yours.

But here’s the problem. Clearly collecting someone’s name and contact details means processing their personal data. And to do that under the Data Protection Act 2018 and GDPR, you need a lawful basis: at least one out of consent, a contractual requirement, a legal obligation, the data subject’s vital interests, a public task, or your legitimate interests.

Note that each purpose for processing needs its own lawful basis. So just because one purpose is fine, that doesn’t mean others will be too.

If all you’re doing (or were doing prior to 18 September) is to take records for Test and Trace purposes, holding them solely for that, and junking them after the recommended 21 days (or even a bit longer if need be), I don’t see a problem. As of now, it’s both a legal obligation and likely a public task, and a fair argument can be made for it being in the vital interests (that is, protection of life) of the data subject as well. Honestly: I can’t see a challenge on this basis holding up.

But what about keeping the data for marketing or onward sale?

If you’re the restaurant itself, and you make clear to the customer that they have the option of allowing you to use the data for you to stay in contact with them – and, critically, they can say no as easily as saying yes without being barred from entering or otherwise inconvenienced – there’s not a huge problem. So long as you explain really clearly, in plain English, what you’re doing, make it easy for customers to opt out later, and don’t abuse the data for other purposes.

In other words, you’re relying on consent. There really isn’t any other basis that works. Legitimate interest is a non-starter, since your interest in hanging onto the data for marketing purposes without consent is dwarfed by their interests in privacy; your contract with them to serve them food in exchange for money can easily happen without contact details; and the others are just ludicrous. (Sending them emails about your Winter menu will save their life? Please.)

And consent is tricksy. It has to be (by Article 4(11) GDPR) a “freely-given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or a clear affirmative action signifies agreement”. It has to be possible to get the service in question without consenting to the data processing (Art 7(4)). And the data subject has clearly to be able to distinguish between the processing they’re being asked to consent to, and other matters.

I can imagine how a restaurant could write a request for customers to allow it to retain the test-and-trace data with sufficient clarity and choice.

But I really struggle to see how the business running the collection on their behalf could do so, in any meaningful sense. Or at least, in any way that wouldn’t drive away the vast majority of customers.

Let’s take the best-case scenario. ([Steel-manning], after all, is a good intellectual and ethical practice.) Let’s say the QR code landing site says, in capital letters (to paraphrase): You’re filling this in for health protection purposes. But alongside that, we’d like to hang onto the data you provide, sell it to data brokers and other customers, and to keep doing so for the next 20 years. Please tick this box if you’re OK with that. But you don’t have to, because it’s totally optional. So feel free not to bother.

Good luck getting anyone to tick that. And even that’s arguably non-GDPR compliant, since it’s hard to work out how anyone could meaningfully later opt out.

What seems rather more likely is either a link to a lengthy privacy policy, coupled with a box that asks people to confirm they’ve read it, or at best something mealy-mouthed about “other purposes” or “providing you with information and services you may like”. In either case, I don’t think this comes close to sufficing.

And consider the context. People are providing their data for what they think is a vital health protection purpose. Against that context, satisfying the Article 7 requirement for consent to a collateral purpose to be clearly distinguished from “other matters” is, in my view, a pretty high hurdle. Nothing short of crystal clarity is likely to suffice.

So if the Times is right, I suspect the 15 firms that ICO is apparently investigating could have an interesting time.

Why do you say it’s dangerous?

Lawfulness, or rather a lack of it, is bad enough.

But what really concerns me is the trust factor. We’ve had enough trouble in the UK with people mistrusting the Government’s actions and motives. Whether it’s people claiming the North is being treated far worse than the South as far as lockdowns are concerned, or the furore over the infamous Cummings odyssey in May, or the frustration of the UK Statistics Authority over what it saw as misleading or even manipulated test statistics, it’s clear that for many the predominant response to Coronavirus restrictions is now suspicion, rather than acceptance or support.

And that’s the public sector. The private sector, meanwhile, is being asked to police the restrictions – restaurants, for instance, have to refuse entry (under regulation 16 of the Regulations linked to above) to anyone who refuses to use the NHS QR code and won’t give their information otherwise. This is hard enough for restaurant staff. Imagine how much worse it could be if the refusenik customer thinks their data’s being stolen at the same time.

The real threat, though, is to broader trust. As I said earlier, the countries who are coming through this nightmare without terrible social and economic damage (not to mention, of course, with far fewer deaths and debilitating illnesses) are those with political leaders who have played it straight. Who haven’t exaggerated or appeared to use Covid as a tool for other political ends. Who’ve shown that this isn’t just the highest policy priority, but the only one that matters. And who’ve shown that competence is more important than ideology or loyalty.

In other words: those whose leaders have taken trust seriously, and done everything in their power to earn it, every day. It’s not that they haven’t made mistakes. It’s that they’ve been recognised and learned from.

We have a trust deficit. It’s killing people. Anyone deliberately or recklessly (as opposed to accidentally or inadvertently) undermining that trust is playing with lives.

And when you do something that discourages people from engaging with test/trace/isolate, you’re doing just that.

Nested emails: the bane of bundling.

A heartfelt plea from a non-Windows, non-Outlook user: sending a string of emails, containing other emails, containing attachments, is a huge timesuck. Think how much advice I could’ve given in the time I spent disentangling it…

I’ll keep this short. Sending Counsel nested emails is a waste of your client’s money.

What do I mean by “nested emails”? They’re the Mac-using barrister’s bane. Emails containing not only file attachments, in multiple formats, but other emails. And those emails have attachments, and yet more emails. And so on, in a babushka-doll spiral of frustration.

If you use a PC, and live out of Outlook, then this is a pain. Open each email. Save its contents. Then open each of the new emails as well; save theirs. And so on. Tedious, but manageable.

But if you use a Mac, the story’s different. Even in Outlook or Mail, not all the attached emails open properly. Saving them other than as PDFs can be problematic. And if – like me – you’ve found other email tools (in my case Spark) to offer advantages you can’t live without, then you’re stuffed. Back to Outlook. Just for that.

Honestly, by the time I’ve extracted everything, saved it all as PDFs (so I can see it all in one place and mark it up) and packaged it together, that’s anything up to an hour. And if we’ve agreed five hours for advice… well, do the maths.

In practice, of course, this time isn’t chargeable. I just suck it up. But if time is money, losing it to something like this leaves a bitter taste.

So what’s the answer? Absent a tacit agreement to bury nested emails in a deep, dark hole – not, of course, going to happen – swear quietly and just get on with it? Probably. Although be aware that since this is a pain point, every client who doesn’t deliver papers this way is automatically on my Angel list.

Or perhaps someone’s come up with tools to cope? That’s for next time.


Yesterday, just for a while, I broke.

Without going into detail (others deserve their privacy), personal stuff has been unremitting and draining the past month and more. A bunch of work deadlines collided in September. The outcome: a relentless grind of sleeplessness and toil that never seemed to diminish, or leave space for thought or rest or peace.

And yesterday… well, for a while I just stopped being able to handle it. For several chunks of the day – even while trying to write a skeleton for a case later this week – the tears kept flowing. And the anger; at myself and at others who, wholly unfairly, I felt were leaving me to carry burdens alone. And the frustration. And a sense of hopelessness, that nothing would or could change.

Now, before I go further, a caveat or two. I’m OK, fundamentally. I know depression; I know too many people who have to live with it, and this isn’t it. I’m no danger to anyone, least of all myself. And it’s possible that yesterday was a particularly bad day to finish Jim Butcher’s latest, which was an emotional minefield and roller-coaster combined. (And no, Jim: you’re not forgiven yet. Not for that. Can’t say anything more – spoilers! – but you know what I’m talking about.)

And most importantly: I know a good chunk of this isn’t about me, but about these strange days we’re living through.

Because I think, like many people – including vast numbers who are hurting far more than I am, financially, physically or spiritually – I’ve found the past months and years have delivered some wounds that just can’t, for the moment, heal.

I’m not just talking about the pain of living through the time of Covid, watching people suffer and die as those whose responsibility it is to step up fail, dismally, over and over again, as others pay for their arrogance and incompetence and obsession with a Kulturkampf that, right now, should be relegated to irrelevance. Watching chickens from a decade or more of grasping short-termism come home to roost.

But about the change of the past four years, as many of the things I hold dear about how human beings can, at their best, relate to one another – summed up, perhaps, in the ability to say “I could be wrong” and mean it – are trampled underfoot in a wave of straw-man attacks and visceral ugliness.

At the enabling of our darker sides, the ones we all have, to speak out as though they’re the sole truth, as opposed to just being one element in the mixture of soul and sin that’s woven into all our psyches.

At the refusal to remember we’re all frail, all failing, and all – therefore – desperately in need of generosity, understanding and acceptance, of ourselves and of others.

We try to keep going. To ride through the chunks taken out of our well-being, of our yearning for this not to be all there is.

It’s hard. It’s sometimes too much. And yesterday, it was too much for me.

Again: I’m here. I’m OK. Today’s been far better. And I know my trials are but pinpricks compared with those of others.

But it’s a lesson. I mustn’t – we mustn’t – ignore that underlying pain. I don’t know quite how I’ll deal with it, except I know I need more exercise. More quiet. More solitude, but also more time with those I care about. More natural beauty. More things, like playing the piano, that salve and save my soul.

A better control on the work I take on, managing better that fear which all self-employed people know, of how to keep the cash flowing. (The Bar can be a terrible place for this, hardly helped by how its lingering machismo about stupid hours combines with the constant thud – literal or PDF-metaphorical – of bundles landing on one’s desk at the last minute.)

And I need to keep giving love, because that will feed me as it feeds those who receive it.

That way, I can preserve the things that, in my core, will keep me going. Love, certainly. Hope, that our better angels (call them what you will; I continue to believe we all have them) will one day prevail and that we’ll see the best, as well as the worst, in those around us. And also faith: that this chaos and disorder isn’t all we have, that this darkest timeline can change, that whatever our deserts we can rise to the challenge and remake this world so all can flourish.

Faith manages. Hope, somehow, survives. And most of all, love endures. As long as those three things are true – and thus far, God willing, they always have been – I’ll be OK.