Data Protection Policy & Risk Assessment
We are committed to ensuring:
This policy should be read in conjunction with the information security standards and acceptable use policy set out within our staff compliance manual. It sets out how we comply with the GDPR and includes signposts to clear staff standards and training requirements.
We are required by Article 30 of the GDPR to maintain certain records of our processing activities and these are as detailed / signposted below:
Our name and contact details: | As detailed above. |
Purposes of our processing data | In order to operate as an employer and to provide legal advice and services we obtain, store and use personal information about clients, staff and others. |
Categories of data subjects | In broad terms we hold information about our staff, unsuccessful job applicants, the staff of our business contractors and partners, clients, experts, counsel, Courts, government bodies and agencies, unconverted client enquiries, potential clients and other individuals connected to a client's case. See our information audit and data mapping exercise for further detail. |
Categories of personal data | See our risk assessment below and our information audit and data mapping exercise for further detail. |
Categories of third parties with whom personal data will be shared | In broad terms we may share personal data with lawyers representing others in the proceedings, official bodies with whom legal documents must be lodged such as the Courts and Land Registry, our regulatory bodies in appropriate circumstances, our contractors and consultants and their staff, those requesting references, witnesses, experts, counsel, IT service and software providers. Further information on how we ensure compliance when sharing personal data in this way is set out below. |
Countries outside of the EU where data is transferred | We do store much of our information electronically but this does not involve data being moved outside of the EEA. Where this becomes necessary and for those countries which have not been specifically approved for such purposes under Article 45 of the GDPR, we are nonetheless satisfied that appropriate safeguards are in place for ensuring the security of this data and for ensuring enforceable legal rights for accessing this data (Article 46 of the GDPR). We inform our clients within our privacy notice of data transfers outside of the EU. |
Time limits for erasing our data | See our retention policy below and information audit and data mapping exercise for further detail. |
Information security | Please see the safeguards set out below. |
We receive personal data in respect of our clients’ legal matters and our staff. In many instances personal data is processed because this is necessary either to fulfil the terms of the contract between us and the client or employee or because it is necessary to comply with legal requirements. In order to work with our clients and staff it is necessary to obtain their data, store and use their personal information. This will include sharing it at certain points with other parties, for example, with opponents in the case of clients and tax officials in the case of employees. It may also involve, in the case of working with clients, disclosing information where required to do so by law such as under anti-money laundering legislation and retaining a small amount of personal data after a file has been destroyed to comply with rules on conflicts of interest. We consider such processing to be necessary and permitted under the GDPR and associated legislation.
Upon receiving client enquiries, we may in the future contact those individuals via a newsletter or similar provided that we have a clear opt out option upon receipt of the communication. We will provide the individual with clear information on how to opt out in the first of such communications at the latest (this is permitted under the GDPR Article 21.4). We consider such processing to be permitted under the ‘legitimate interests’ condition (see recital 47). We have also had regard to the separate rules on marketing such as the ‘soft opt in’ requirements for email set out in the Privacy and Electronic Communications Regulations. We will balance our interests in promoting our services with those of the individuals we contact and will not rely upon the ‘legitimate interests’ condition where on a particular set of facts it would be unfair to the individual concerned. For example, we will not assume that minors or other more vulnerable individuals can be ‘opted in’ for these purposes in this manner and will obtain express consent from the appropriate person before sending any such communications.
In scenarios other than those set out above, we will generally speaking obtain express affirmative client consent to any data processing. This will typically involve explaining to the client within a privacy notice in our engagement documents how their information will be used and obtaining their instructions to proceed on that basis. We will not obscure consents by placing this within a detailed set of terms without specifically flagging the issue up. We do reserve the right to obtain consent verbally and retain a very clear record of what the relevant individual was told and agreed to and when. We will not necessarily obtain a fresh consent however where the modified use which we wish to make of client information is so closely linked to our original instructions that it will not come as any surprise to the client that their information is being used in this way. For example, if in our privacy notice to clients we have stated that we use a particular outsourcer or cloud provider, we will not ordinarily need to seek express consent to switch to a comparable provider where no material risks are posed to the client's information or rights. Whereas if we have never informed the client about outsourcing and we decide to outsource legal work on their file overseas, we should seek their express consent. This is because outsourcing core work overseas is not a necessary method of delivering our services to the client and so separate consent should be sought. We will retain records of client consents on the file and staff consents on the personnel file, i.e. the retainer and contract / staff handbook sign off. We will exercise particular caution in obtaining consent for new uses of any sensitive personal data (i.e. race or ethnicity, political opinions and trade union membership, religious beliefs, health, sex life and genetic or biometric data) which we hold (there are greater restrictions on handling such information).
We do sometimes work with sensitive personal data (i.e. race or ethnicity, political opinions and trade union membership, religious beliefs, health, sex life and genetic or biometric data). There are greater restrictions on handling such information. For clients, working with this information will often be necessary in order to pursue or defend their legal matter; in personal injury cases, for example, details of health must be processed. For staff this will typically be in order to comply with employment or equality legislation, namely around making reasonable adjustments and monitoring absences. Using sensitive information to pursue legal claims or comply with employment legislation is permitted under the GDPR. However, in order to be prudent and ensure best practice we are nonetheless transparent with staff and clients about how such information is used and seek agreement to information being used in this way in the respective contracts.
In accordance with ICO guidance we have made an assessment of the risks posed to the information which we hold. This has been done to inform our policies and procedures on ensuring compliance and security of information in practice. In particular, we have assessed our information’s sensitivity, financial value and what damage or distress could be caused if there was a security breach (e.g. if the information was destroyed, corrupted or improperly accessed by a third party). We have also considered the nature of our business and our working environment. Having done so, we have assessed the work across our firm as posing a [moderate/high] risk. The reasons for this are as follows[1]:
sensitive in the context of individuals’ health, finances, sexual orientation such as personal injury, mental capacity, criminal law or employment law]
The outcome of our risk assessment above has informed the policies and procedures developed by our firm and the training provided to staff.
We have named an Information Officer to oversee compliance and best practice in this area[2]. The Information Officer's duties will include the following:
In terms of ensuring that our staff manage information safely and in accordance with the requirements of the GDPR, we:
In addition, we work hard to make sure that our infrastructure and processes as a business maintain the security of our information. We have obtained expert input from our IT team / contractors in ensuring best practice in the following areas:
Patches / software updates will be deployed without delay, and if IT assets need to be disposed of we will make use of a reputable contractor for this purpose which holds ISO 27001 or equivalent certification.
Guidance and training are provided to staff to ensure that they do not inadvertently do anything which could undermine our infrastructure. More detail is set out in our acceptable use standards for staff.
Our staff manual includes a requirement to inform our Information Officer of proposed contracts to share information with third parties in order to ensure that the contract contains the paragraphs required by the SRA in terms of outsourcing and the GDPR. More detail is set out in our Outsourcing Policy.
We are registered with the ICO and provide a privacy notice to every client within our standard terms and conditions to explain how we use their information. We make use of template privacy notices for this purpose which detail the following information in as clear and transparent a manner as possible:
While we acknowledge that under the GDPR privacy notices should also be given to individuals whose personal data we hold because it has been given to us by someone else, generally speaking such information is held confidentially and is privileged. For example, a client may give us information about other individuals connected to their legal matter but this will typically be confidential and privileged. As such we would not be required to provide such a privacy notice under the GDPR (Article 14.5(d)). In other cases we will however take steps to provide the necessary information about how we handle personal data to other individuals within a reasonable time period of receiving it and in any event within one month (Article 14.3).
We take care to ensure that our website is secure (see above), up to date, does not infringe copyright and is compliant with SRA requirements and applicable accessibility standards. Our office manual sets out a procedure for approving web content and the standards expected in this respect.
Our website provides appropriate information to users on privacy and cookies.
We have set out in our office manual:
Our COLP has taken responsibility for considering SRA guidance on bogus law firms[4] and fraud in the context of our business and staying up to date with scam alerts and trends. Trends or alerts which pose a particular risk to us will be shared by our COLP with colleagues in a particular department or throughout the firm as appropriate.
In order to minimise the risks of identity theft a member of staff periodically:
[1] It is good practice to perform an information audit / mapping exercise which lists how the different categories of information come into the organisation and what happens with them from there. Information audit mapping tools are available: contact@complianceoffice.co.uk
[2] This individual will, if required to do so, take on the role of Data Protection Officer for the purposes of the GDPR. Many if not most law firms however will not need to formally appoint a Data Protection Officer because the firm will not be involved in ‘large scale processing’ of sensitive personal data or information about criminal offences.
[3] An e-learning module is available for this purpose.
[4] See ‘Bogus law firms and identity theft’ and ‘High Yield Investment Fraud’; the Risk reports ‘In the Shadows’ and ‘Spiders in the web: The risks of online crime to legal business’.