Data Protection Policy (May 2024)

Part A – Introduction

Scope

This policy applies to us all, including managers, consultants and any third party that this policy has been communicated to.

The policy covers all personal and sensitive personal data, processed on computers or stored in manual (paper based) files.

Purpose

This policy aims to protect and promote the data protection rights of individuals and of our firm, by informing us all of our data protection obligations, of the procedures that must be followed and of the systems we have adopted to ensure compliance with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR).

Responsibility

Timothy Halliday, Compliance Officer for Legal Practice (COLP) and Data Protection Manager (DPM), is responsible for this policy and for monitoring our compliance with it.

We (and any third party to whom this policy applies) are responsible for ensuring that we comply with this policy. Failure to do so may result in disciplinary action.

Key data protection terms

The UK GDPR and DPA are designed to protect individuals and their personal data. These statutes use some key terms to refer to individuals, those processing personal data about individuals and the types of data they cover. These key terms are:

Data Subject

Means any living, identified or identifiable individual who is the subject of personal data, i.e., the person that the personal data is about.

For our purposes, our clients are data subjects (other individual third parties that we hold personal data about are also likely to be data subjects).

Data Controller

Means a person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed. Data controllers can be individuals, organisations or other corporate and unincorporated bodies of persons.

For our purposes, the firm is a Data Controller.

Processing

Means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organisation, adaptation or alteration of the information or data;
  • retrieval, consultation or use of the information or data;
  • disclosure of the information or data by transmission, dissemination or otherwise making available; or
  • alignment, combination, blocking, erasure or destruction of the information or data.

For our purposes, everything that we do with client information (and personal information of third parties), is “processing” as defined by the DPA.

Personal Data

Means data which relate to a data subject who can be identified or is identifiable, directly or indirectly:

  • from those data; or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller, and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.

Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed.

Examples: name; date of birth; address; employment and education history; video footage; photographs; IP addresses; mobile device IDs; etc.

Sensitive Personal Data/Special Categories of Personal Data

Means personal data consisting of information as to:

  • the racial or ethnic origin of the data subject;
  • their political opinions;
  • their religious beliefs or other beliefs of a similar nature;
  • whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
  • their physical or mental health or condition;
  • any genetic or biometric information (where used to identify an individual);
  • their sexual life or sexual orientation;
  • the commission or alleged commission by them of any offence; or
  • any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Part B – Data Protection and Information Management – Staff Responsibilities

The firm holds a huge amount of confidential information about clients, staff and third parties. We must all comply with data protection law and keep confidential information secure. Accordingly, all staff must study and observe the precautions set out below.

Timothy Halliday (COLP & DPM) has overall responsibility for data protection and this policy. Questions on or concerns about these issues should be referred either to him or to your supervisor.

Our obligations

When we hold information about data subjects, this gives rise to obligations under the UK GDPR. The UK GDPR applies whether such information is held in electronic form or in a paper filing system.

We may be liable in various ways if we fail to hold data appropriately. This may include liability in damages for negligence and breach of confidentiality or even criminal liability. We may also be subject to professional sanctions for breach of the SRA Codes of Conduct. The following is a summary of our obligations under data protection law, but is not a substitute for full research where appropriate.

The Data Protection Principles: In processing personal data we must be able to demonstrate that we comply with the “data protection principles”. These require that personal data must be:

  • fairly and lawfully processed in a transparent manner;
  • processed for limited purposes;
  • adequate, relevant and limited to what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary;
  • made available to the data subjects and processed in accordance with the data subject’s rights;
  • kept with appropriate security; and
  • not transferred to countries without adequate protection.

Grounds for Processing Personal Data: We should only process personal data if we have a lawful basis for doing so.

At least one of the following bases must apply whenever you process personal data:

  • Consent from the individual. But note that someone under the age of 16 cannot give that consent themselves; instead, consent is required from a parent or other person holding ‘parental responsibility’.
  • It is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • It is necessary for you to comply with the law (not including contractual obligations).
  • It is necessary to protect someone’s vital interests. Vital interests are those relating to life and death issues.
  • It is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • It is necessary for our legitimate interests or those of a third party, except where such interests are overridden by the interests or rights of the person concerned.

Sensitive Personal Data: Sensitive personal data (referred to in the UK GDPR as “special categories of personal data”) can only be processed under strict conditions. Sensitive personal data includes information about someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic data and biometric data.

The usual grounds which entitle us to process such sensitive data are the following.

  • Explicit consent of the data subject.
  • It is necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
  • Data manifestly made public by the data subject.
  • It is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.

Your responsibilities

Do not collect or use personal data without a good reason

If clients give us information about themselves, this is rarely a problem, as they will usually expect us to record that information and use it for usual professional purposes. However, take particular care with information about third parties, who may be unaware that we hold information about them. Bear in mind three simple principles.

  • Do not record information about people unless you need to do so and have a justification pursuant to the above-listed grounds.
  • Keep it secure.
  • Delete it promptly when you no longer need it.

These principles apply especially to information of an embarrassing, secret or sensitive nature, and where the people concerned have not consented to us holding the information.

Limit the use of the personal data to the purpose it was collected for

You must be clear about what your purposes are for processing personal information from the start. Do not process the information for a different purpose unless it is compatible with the original purpose, you have the individual’s consent or you have a clear obligation or function set out in law. For example, if a client gives you details of his/her family members for the purpose of their matter you cannot use this data to send them marketing materials without first getting their consent.

Take care when sending personal data to others

You will often need to share personal data and confidential information with others, such as barristers, expert witnesses and other law firms. However, before doing so, consider these issues:

  • Do they really need the information?
  • Should we redact documents so that they do not include irrelevant and unnecessary confidential information and/or personal data?
  • Can we rely on the recipient to keep the information secure?
  • Are you sending the information outside the European Economic Area? If so, you should check either that the country in question has been designated by the EU Commission as providing adequate data protection, or that we have appropriate standard contractual clauses agreed with the recipient in place to protect the data.
  • In publications and publicity materials all client identification information must be removed unless clients have consented.
  • Work on the principle of “check twice, send once” to emphasise the importance of double-checking what information we are sending to others.

Keep papers and data secure

  • Keep confidential papers in locked cabinets when they are not in use (these include HR records, high profile files, market sensitive business matters etc). Bear in mind that cleaning personnel, temporary staff and others may be present in the building, and that leaving papers where they can be seen risks a breach of security. When working remotely, you must treat hard copy documents as you would at work – keep a clear desk policy and lock documents away when you’re not working on them, to ensure that other household members/visitors cannot access them.
  • Report any unaccompanied stranger you see in an entry-controlled area.
  • Minimise the amount of data taken out of the office – only take client files (or other confidential information) out of the office when it is necessary to do so and only carry information that is essential to the task at hand. Take precautions to ensure that such items are not stolen or lost. For example, do not leave files in an unattended car.
  • Be aware that taking paper files out of the office is especially risky. Where possible, take information in encrypted digital form, e.g., on a laptop.
  • Bear in mind that laptops and other electronic devices may be stolen if taken out of the office. Hence confidential files taken out of the office in electronic form must be encrypted. It is not enough that the machine on which they are stored is password protected. Where possible, if you are working outside of the office, access documents through remote access.
  • Ensure confidential papers that are no longer required are disposed of in our confidential waste bins in the office.
  • If working remotely, bear in mind the additional confidentiality and security risks when discussing confidential matters during virtual meetings or on the telephone and use headphones for privacy whenever possible.

Keep IT secure

  • Take care with any email you receive from an unknown source. Bear in mind that clicking on attachments or links may result in viruses being downloaded.
  • Follow the firm’s policy on the use of passwords, including the level of complexity, the frequency with which they should be changed, and other precautions such as not writing them down in any form which might be intelligible to a third party. Secure passwords are particularly important with mobile devices, or with logins that would enable people to access the firm’s systems remotely.
  • Log off from/lock your computer when it is left unattended. This also applies to those working in a remote/hybrid working arrangement.
  • Be aware of your desk’s positioning and ensure that your computer screen does not show confidential information to those who are not authorised to see it e.g., to passers-by through a window. This is particularly important when using a laptop or other device in public places, when a privacy screen should be used to protect your screen from prying eyes. Update the software on your computer whenever required to do so. Updates frequently fix security weaknesses.
  • Even if data has been deleted from electronic media, it may be possible for others to recover it. Hence computer hard drives, data sticks, floppy disks, CD-ROMs, etc. should either be cleaned by an expert or physically destroyed when no longer required.

Take Care with Payments

  • The firm has policies in place to protect itself from the risk of funds being diverted. Those responsible for making payments from our bank account receive separate guidance, which includes a strict prohibition on divulging account credentials or security information (including usernames, passwords, PINs and other security codes).
  • All staff should be aware of the risk of criminals seeking to divert funds, e.g., by phone calls or emails to the firm purporting to be from clients, our bank or senior staff, or to clients purporting to be from the firm, asking for payments to be made to inappropriate accounts. Staff must report to their supervisor or the Compliance Officer immediately any request they receive for information which might be used to facilitate fraudulent payments.

Take Care When Dealing with Enquiries

Beware of “blaggers” (people who attempt to obtain confidential information by deception). This is most commonly done by phone but may also be by email or by calling in person. The following are examples of the precautions you should take when dealing with enquiries.

  • Check the identity of the person making the enquiry.
  • Check we are authorised by the client (or other relevant person) to pass on this information.
  • Ask callers to put their request in writing if you are not sure about the caller’s identity and their identity cannot be checked.
  • Refer to your supervisor for assistance in difficult situations.
  • Take particular care with callers who claim to be from our bank. A number of firms have had money stolen from their bank accounts after staff gave confidential banking information out over the phone.

Report any Breaches and Complaints

  • Breaches

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

You have a duty to report any actual or suspected personal data breach without delay to Timothy Halliday (DPM), who will record it in the Access Legal Compliance Breach Reporting module.

Please refer to the firm’s Data Breach Reporting Procedure for further details regarding the firm’s data breach obligations and procedures.

All breaches can be logged and tracked through the Access Legal Compliance Breach Reporting module.

The Breach Reporting module gives the option to log SRA or ICO regulated breaches. Once the details have been logged, the record will automatically escalate to management for a full investigation.

A task workflow will take the user through the process of investigating the breach and, if required, reporting to the appropriate regulator. All details of the investigation and responses from the regulator will be recorded on the module; external communications can also be uploaded to the record.

Reports will give a high-level overview of the type of breach being identified; this will allow for action to be taken in advance to help reduce issues in the future.

When an individual is notified about the incident, all their information can be logged and an investigation task can be generated. If the incident needs to be escalated to a breach, this can be done through the record itself or linked to an existing or new breach record through the Breach Register.

The Breach Reporting module will track details about each breach in the system. It will include the type and sub-type of breach and the details on who has been notified.

  • Complaints

Complaints relating to breaches of the DPA and/or complaints that a data subject’s data is not being processed in line with the data protection principles should also be referred to the COLP without delay.

The Access Legal Compliance Complaints module is used to record specific details of a complaint, such as the complaint type and the parties involved. Once a complaint is logged, a workflow is generated that takes the complaint handler through the complete complaint process.

Evidence of when the complaint was received, acknowledged and completed is shown through this module, with a full audit trail being produced. External communications can be uploaded to the record, keeping all the details of a complaint in one place.

If the complaint is referred to the Legal Ombudsman, details of this investigation can also be logged and managed through this module.

Reports can be generated to identify any trends within the complaints. This will allow action to be taken in advance to stop or reduce complaints of the same nature recurring.

Data Subject Access Requests and Other Data Subject Rights

Under the UK GDPR and DPA, anyone can request that we provide them with their personal data. This is known as a data subject access request (DSAR) and can be made orally or in writing. If you receive a DSAR, you must forward it to Timothy Halliday (COLP/DPM) immediately. It is his responsibility to consider and record the request and to respond in a timely manner.

Please refer to the Data Subject Access Request Policy for full details about our data subject access request procedures.

Data subjects have numerous other rights under the UK GDPR and DPA, including:

  • a right to request correction of the personal information we hold. This enables them to have any incomplete or inaccurate information we hold about them corrected;
  • a right to receive a copy of the personal information they have provided to us, or to have this information sent to a third party;
  • a right to request erasure of their personal information if we have no justification for holding it;
  • a right to object to the processing of their personal information where we are relying on a legitimate interest (or those of a third-party) and there is something about their particular situation which allows them to object to processing on this ground;
  • a right to prevent processing for direct marketing;
  • a right to object to decisions being taken by automated means;
  • a right to complain to a supervisory authority;
  • a right to withdraw consent; and
  • a right to claim compensation for damages caused by a breach of the DPA.

Requests to exercise any of these rights must also be referred immediately to Timothy Halliday (COLP/DPM) or, in his absence, to another Director.

Part C – Our Approach to Data Protection and Information Management

This section sets out the firm’s approach to data protection and information management, including how the firm manages confidential information and the precautions the firm takes to keep information secure.

We encourage a culture of trust where employees feel able to report breaches and potential breaches without fear of being reprimanded.

The firm has obtained the Cyber Essentials accreditation.

Each individual member of staff has responsibility for the day-to-day management of data; however, we have appointed Timothy Halliday as our Data Protection Manager (DPM) and he has overall responsibility for this policy. (The firm has not appointed a Data Protection Officer (DPO). It is not required to do so since it is not a public authority and its core activities do not require large scale, regular or systematic monitoring of individuals, nor large scale processing of special categories of data relating to criminal convictions or offences).

The policy is reviewed and updated annually by the DPM. Reviews will include considering the data processing activities of the firm in light of the obligation of data protection by design and default. A review will also be carried out at the time of any substantial change in the data processing activities of the firm. A data protection impact assessment will be carried out before the firm undertakes processing that is likely to result in a high risk to individuals.

Data Protection Impact Assessment (DPIA)

The DPM will prepare a DPIA for any major project that is being undertaken within the firm which requires the processing of personal data. The DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

Privacy notices

The firm provides information to data subjects by means of privacy notices including on its website and in its terms of business and employment documentation, including information about data transfers to third countries.

Protection and security of the information assets

The great majority of the information assets are confidential. We take care to protect confidential information by applying the principles set out in Part B of this Policy.

Retention and disposal of information

We retain information for the periods set out in our Retention and Disposal Policy. These periods reflect our data protection obligation not to keep personal data for longer than is necessary, and also our statutory, regulatory and business needs to keep records.

The firm will review these retention periods at least every year, or more frequently if there are changes in limitation periods or statutory obligations as to the retention of records.

Thereafter information is disposed of securely, by shredding, electronic deletion, or otherwise as appropriate.

Firewalls

The firm maintains a firewall to prevent unauthorised access to the firm’s network and data.

Procedures to manage user accounts

User accounts can be disabled at any time, for example on discovering a breach of security. Accounts are disabled when a member of staff leaves the firm.

Staff responsible for the management of payments (including fee earners and finance staff) are only recruited or assigned to that function after passing suitable background checks, including taking references and the verification of claimed qualifications.

Procedures to detect and remove malicious software

If, despite the precautions described elsewhere, malicious software (malware) is present on the system, this should be detected by the firm’s anti-virus software. It is then the responsibility of the firm’s IT department to remove the malware according to the nature of the threat and industry standard procedures at the relevant time.

Register of software used by the practice

Please see the Information Management and Security Policy for details of software which the firm currently uses.

Training for personnel on data protection and information security

The firm has provided all staff with its rules on data protection and information management (the current version of which is set out above).

In addition, the firm trains staff on these issues on induction, and thereafter on a refresher basis using our Access Training Module.

Failure to complete mandatory data protection training may result in disciplinary action.

Updating and monitoring of software

All software used by the firm is supported by external software suppliers who issue routine updates from time to time. It is the responsibility of the COLP to decide whether and when updated versions are to be installed or new or better software should be obtained.

Review of this policy

This policy is reviewed, at least annually, by Timothy Halliday (COLP & DPM).

May 2024
