Data Protection Policy - May 2018
1. Introduction to Data Protection
These are the details of my policy on personal privacy and data protection, including in particular my obligation to comply with the Data Protection Principles contained in the General Data Protection Regulation to protect the personal privacy of all living people.
1 Data Protection Supervisor
If you have any questions or need information on anything to do with data protection, please contact me by email at email@example.com.
2 What is Data Protection?
In simple terms, data protection is the protection of information about living people. This information can be created and kept in many forms - for example on computer (such as emails), paper, CCTV, photographs, phones and many others; it covers both facts and opinions about people.
3 What is the General Data Protection Regulation?
The General Data Protection Regulation (the “Regulation”) imposes obligations on businesses that hold personal information, and gives rights to individuals whose data is held. The Information Commissioner oversees and enforces the Regulation in the UK.
4 What does the Regulation apply to?
The Regulation applies to “personal data”. This is information relating to living people who can be identified from the information that a “data controller” has, even if an individual’s name is not specifically mentioned, and is referred to throughout this policy as “Personal Information”. These individuals are known as “data subjects”. The Regulation is intended to protect this information and the way that the information is used. It is also intended to regulate against the potential misuse of this information.
“Sensitive personal data” is given additional protection under the Regulation. This is information that relates to an individual’s:
• racial or ethnic origin
• political opinions
• religious or similar beliefs
• trade union membership
• physical or mental health or condition
• sexual life
• criminal history (including convictions or commission of offences/alleged offences). This is referred to throughout this Policy as “Sensitive Personal Information”.
5 Who does the Regulation apply to?
The Regulation applies to anyone who processes personal information. “Processing” is a broad term referring to almost anything that can be done to information - including collecting, recording, storing, transferring, amending, destroying it or simply holding it.
6 What are the Data Protection Principles?
There are 6 Data Protection Principles, which are designed to protect the personal privacy of each of us and with which we must comply under the Act.
The Principles state that personal information must be: -
i. Processed lawfully, fairly and in a transparent manner.
ii. Collected and processed for a specified, explicit and legitimate purpose.
iii. Adequate, relevant and not excessive.
iv. Accurate and kept up to date.
v. Kept only for as long as necessary for the specific limited purposes.
vi. Kept secure.
2. Data Protection Policy
1. Collection and use of personal data
Data I collect
How this is collected
Purpose of collection
Lawful basis for processing
Identity Data: forenames, last name, email address
Direct interaction or you submit the information on my website to sign up to my newsletter
To initially engage with you to discuss your legal requirements
Contact Data: business address, email address, telephone number, VAT number
To continue our work together, and submit my invoice for work done
Performance of a contract with you
Know-Your-Customer Data: copy of passport or ID card, other letters or bills addressed to you
It is a legal and regulatory requirement for a lawyer in England and Wales to complete basic Know Your Customer identity checks
Performance of a contract with you
To comply with a legal obligation
Profile Data: Enquiries, survey responses
To improve the services I offer to my clients
Matter specific data: files notes covering your legal instructions and the progress of your matter
Lawyers maintain file notes of their interactions with their clients in order to effectively manage the matter - this is a regulatory and best practice requirement
Performance of a contract with you
2. Security of personal Information
I will: -
· take positive steps to prevent the accidental, improper or deliberate disclosure, mis-use or loss of personal information and prevent unauthorised access to it.
· limit the disclosure of and access to personal information to those who have a business need to access the information.
3. Disclosure of personal information to others
I will: -
· not disclose personal information relating to individual contacts at client companies, business contacts, employees, consultants, agents and contractors without the individual’s consent.
· ensure that where any person or organisation processes personal information on my behalf (such as a marketing agency, legal secretary or IT service provider) I will enter into a written agreement with them requiring them to: -
- process the personal information only in accordance with my instructions;
- maintain adequate information security; and
- take reasonable steps to ensure staff who have access to the information are reliable.
4. Disclosure of personal information outside the EEA
I will either: -
· make sure that personal information is not transferred, whether directly or indirectly, to any country outside the EEA;
· make sure that the data subject(s) concerned has/have consented to the transfer of the information; or
· make sure that an agreement has been entered into with the organisation the data is being transferred to based on the EU standard model clauses or is covered by the EU-US or EU-Swiss Privacy Shield Framework.
5. Subject Access Requests
A person on whom I hold information has the right to be informed of this and to have a copy of the information, subject to a few limited exceptions. He or she must make a written request (which can be by email).
Because all personal information is potentially disclosable to the person to whom it relates, I should bear this in mind when recording expressions of opinion about people and ensure that I can justify what I write (e.g. in interview notes or in emails).
If his/her personal information is being processed, the individual will be provided with (subject to limited exceptions):
- a copy of the data
- the source of the data
- the purposes for which the data is being processed
- to whom it may be disclosed
- an explanation of any unintelligible codes or rating systems.
Compliance with the subject access request is not required where I have complied with an identical or similar request of the data subject in the 6 month period prior to the new request and the data held has not changed substantially in that period.
The response to the subject access request should be made promptly. It must be made no more than 40 days from receipt of the request.
6. Information about Staff and Contractors
This section sets out the policy in relation to the processing of information about my staff, and contractors and their staff.
As I may need to hold and use certain information relating to my staff and contractors in the course of their employment or role in the business, this section gives information about the personal information that I may hold and how it is used or is intended to be used:
7. Use of Personal Information
Information may be used in relation to the following:
· payroll and benefits administration (including sick pay, pensions, health insurance, gym membership etc);
· disciplinary and grievance procedures (including monitoring compliance with and enforcing policies);
· absence monitoring;
· training course management;
· monitoring registrations with regulatory bodies (e.g. the Law Society) to ensure compliance, training and other requirements are met;
· work and career management, including performance appraisals;
· administering termination of employment, references etc;
· maintaining contact details to contact you for urgent business or personal reasons when you are out of the office;
· maintaining emergency contact and beneficiary details (which involves the firm holding information on those you nominate in this respect); and
· protecting the safety and security of staff and property.
· to ensure health and safety compliance.
I may also hold other information for accounting and billing purposes, work management and client work.
8. Disclosure of Personal Information
Your consent will be obtained before I respond to requests for information about you from third parties such as banks, mortgage lenders, prospective landlords or employers (e.g. requests for references), insurance and health providers.
In relation to fee earning staff, your curriculum vitae (CV) may also be disclosed to clients (both existing and prospective) and other professional advisers in the course of the provision of legal services and marketing.
9. Data Retention
It is my practice to maintain all client data for 6 years from the date I close the matter. Where potential clients make queries that do not lead to a contractual engagement, I will maintain that data for up to 2 years before deleting. This helps me to create a fuller picture of the industries contacting me about my legal services.
10. Your “right to be forgotten”
At any time you may request that your details are deleted from my files. Please note, however, that I may not always be able to delete the data for specific legal reasons which will be notified to you, if applicable, at the time of your request.
11. Future Developments
The law and practice in relation to data protection is still evolving. This will be reflected, so far as necessary, by amendments to this Policy. If material changes are made, you will be notified.
is a person who either alone, or jointly with other people, gives instructions as to what should happen to personal information and how it is to be processed.
means an individual to whom the personal information relates.
Personal Data or Personal Information
means any information that relates to a living individual (not companies). It includes information by which that individual can be identified and includes facts and expressions of opinion about individuals.
means almost anything that can be done to personal information - including collecting, recording, storing, transferring, amending, using, holding and destroying the information.
Sensitive Personal Data or Sensitive Personal Information
means any information relating to an individual’s:
(a) racial or ethnic origin;
(b) political opinions;
(c) religious beliefs;
(d) trade union membership;
(e) physical or mental health conditions;
(f) sexual life;
(g) criminal offence
(Please note that there are additional restrictions on how this type of information can be used.)
Subject Access Request
means a written request by a data subject made to a data controller, who must:
· inform him whether it has processed or is processing any information concerning him;
· describe the personal information, the source of the personal information, the purpose for which it is used and any third parties who receive the personal information; and
· provide the individual with a copy of the personal information except in certain limited circumstances.