Data Protection Policy
We take our obligations under the Data Protection legislation very seriously. The nature of our work means that we hold highly confidential information in respect of our clients, staff and others.
We are registered with the Information Commissioner’s Office (ICO) under registration number ZA150948.
Responsibilities
Our COLP, David Mariampillai, is also our appointed Data Protection Officer (DPO).
It is our DPO’s responsibility to ensure that:
- the firm is, at all times, registered with the ICO
- there is a process of continual review to determine whether any changes in the firm’s registration are required as a result of changes in the nature of the business
- the details of the firm as registered are kept up to date
- the notification to the ICO is renewed annually
- the firm maintains and updates the public ICO Data Protection Register which will be reviewed regularly and at least on an annual basis
- the firm maintains the policies and procedures in this Manual, and oversees the reporting, managing and recovering from information risk incidents.
This policy has been drafted to reflect the requirements of the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the relevant provisions relating to the General Data Protection Regulation contained within the European Union (Withdrawal) Act 2018 and known as the UK GDPR. References throughout the rest of this manual to the GDPR should be taken to refer to the UK GDPR.
Data Protection by Design and Default
It is our policy to consider data protection and privacy issues upfront in everything we do to ensure that we comply with the GDPR’s fundamental principles and requirements. We consider data protection issues and review processing obligations at the earliest opportunity and consider data protection within the design process where we are implementing new technologies or where we are making significant changes to the way in which we process personal data.
Whenever we substantially change our policies, procedures, software or infrastructure, we will consider data security and data protection issues and, where necessary, consider whether a Data Protection Impact Assessment (DPIA) should be undertaken.
We operate a Data Protection Impact Assessment Procedure in order to identify when a DPIA should be carried out and to ensure that the assessment is undertaken in compliance with our obligations in the GDPR.
It is our DPO’s responsibility to ensure that we meet our obligations with regard to data protection by design and default and that DPIAs are conducted wherever required.
Data Protection Principles
The GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
To ensure compliance with these principles, we have also put in place or adapted the policies and procedures in this Manual.
This and the other associated policies and procedures in this Manual have been implemented to mitigate and manage data protection related risks.
Data Processing
Personal Data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject.
We are only entitled to hold and process personal data where the law allows us to. The current law on data protection (Article 6 UK GDPR) sets out a number of different reasons for which a law firm may collect and process your personal data. The processing of personal data is deemed lawful if at least one of the following applies:
Contractual obligations – where the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
In much of our client work, the main purpose for our holding of the client’s personal data will be to provide them with legal services under the agreement we have with them. This agreement is a contract between us and we may process their personal data for the purposes of performing a contract (or for the steps necessary to enter into a contract). We will also need to process staff members’ personal data in order to meet our obligations as an employer under contracts of employment.
Legitimate Interests – the processing is necessary for the purposes of the legitimate interests pursued by us as the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In specific situations, we may require personal data to pursue our firm’s legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact the data subject’s rights, freedom or interests. This may include to satisfy our external quality auditors or our Regulators.
Legal compliance – the processing is necessary for compliance with a legal obligation to which our firm, as data controller, is subject.
If the law requires us to, we may need to collect and process personal data to meet our legal and regulatory obligations. For example, we may need to pass on personal data, such as details of people involved in fraud or other criminal activity. We may also need to process our staff members’ personal data as part of our exercise of specific rights in the field of employment law.
Consent – the data subject has given consent to the processing of their personal data for one or more specific purposes.
In limited circumstances, we may approach data subjects for their written consent to allow us to process personal data and in particular certain particularly sensitive data. If we do so, we will provide the data subject with full details of the information that we would like and the reason we need it, so that they can carefully consider whether they wish to consent.
Vital interests – the processing is necessary to protect the vital interests of the data subject or of another natural person.
Public interest – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
Special Category Data
Special categories of particularly sensitive personal data require higher levels of protection and we have to ensure we have further justification for collecting, storing and using this type of personal information.
We have to ensure we have fully considered the risks and impact associated with the processing of such data not least with regard to data minimisation, security and transparency.
We may process special category data (or sensitive personal data) in the following circumstances:
- where we need to carry out our legal obligations or exercise rights in connection with the law
- where it is needed in the public interest, such as for equal opportunities monitoring
- where it is needed in relation to legal claims or where it is needed to protect a data subject’s interests (or someone else’s interests)
- in the course of legitimate business activities with the appropriate safeguards
- in limited circumstances, with explicit written consent.
Depending on the circumstances of their legal matters, for some clients, we may have access to or process special category data including:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- genetic data
- biometric data processed for the purpose of uniquely identifying a natural person, or
- data concerning health or a natural person’s sex life or sexual orientation
- in the context of casework, the details and merits of a matter.
In addition to the contract lawful basis for processing under Article 6 of the GDPR, Article 9(2)(f) of the UK GDPR permits us to process this data where it is necessary for, connected to and/or relates to legal claims, including for the purposes of assisting with legal proceedings, obtaining legal advice and/or establishing, exercising or defending legal rights. We only process this specific data if it is necessary to establish, exercise or defend a client’s legal rights. We will ensure that the use of this data is relevant and proportionate and that we do not hold any more data than is needed.
Depending on the circumstances of their legal matters, for some clients, we may have access to or process personal data relating to criminal convictions and offences or related security measures. The special condition for processing this data (pursuant to Schedule 1 and Article 10 of the UK GDPR) is that it is necessary for, connected to and/or relates to legal claims, including for the purposes of assisting with legal proceedings, obtaining legal advice and/or establishing, exercising or defending legal rights.
As an employer, we may also process special categories of sensitive personal data including:
- information about gender, race or ethnicity, religious beliefs, sexual orientation and political opinions
- trade union membership
- information about health, including any medical condition, health and sickness records
- information about criminal convictions and offences.
Primarily, we process this personal data in order to be able to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach staff members for written consent to allow us to process certain particularly sensitive data.
Information Audit and Risk Assessment
We have undertaken a detailed information audit and risk assessment and have recorded associated risks in our Data Protection Audit and Processing Record.
It is the role of our DPO to ensure that the information audit and risk assessment is reviewed annually or as is necessary during the year and that any necessary policy or procedural changes are implemented and updated.
As part of the audit process, our network and devices are reviewed to determine if further steps are required to ensure the security of our systems.
As part of the process, we also maintain a record of our data processing, including maintaining records of:
- all data that we process
- how we process it
- the purposes for which it is processed, and
- any associated consents, destruction methods and other relevant information.
In particular, the record will consider staff, agents’ and approved third parties’ access to personal data.
The records are documented in our Data Protection Audit and Processing Record which is securely stored on our Compliance Caddy Software.
This record is reviewed annually or as is necessary during the year and enables us to maintain an audit trail of activities undertaken and as a means to conduct a meaningful review of our activities for compliance with our policies and procedures.
Privacy Notices
We have implemented clear Privacy Notices setting out:
- why data is held
- how it is processed
- how long it is held, and
- information about data subjects’ statutory rights in respect of that data.
In particular, we remind data subjects of their rights under the GDPR including the right to be informed what information our firm holds about them. In particular, we confirm to them that they have the right to request:
- access to the personal data we hold about them – more commonly referred to as subject access
- the correction of their personal data when incorrect, out of date or incomplete
- that we stop any consent-based processing of their personal data after they have withdrawn consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
They may request a copy of any information about them that we hold at any time.
Our Data Privacy Notices confirm the name and contact details of David Mariampillai, whom data subjects should contact for any information relating to our firm’s approach to data protection, including data subject access requests.
These privacy notices are reviewed at least annually by David Mariampillai (and more often if circumstances require).
Conditions for Processing
We typically process data only for the performance of our contract / retainer with the data subject (typically our client or our employee) or for statutory or contractual purposes associated with our performance of our contract / retainer with the data subject. Where we seek to process data for any reason other than for the performance of our contract / retainer with the data subject we will always consider whether we have a lawful basis for that processing and, if necessary, we will seek explicit consent from the data subject.
Consent
Where we need to seek consent (for instance to use the data for marketing purposes or to make it available to an external auditor, other than in legally aided cases where no consent is required) then we will seek individual consent for each of the purposes for which we seek to process the data. We do not use deemed consent or opt-out consent options. All consents sought will be clearly worded, individual and opt-in. Details of any necessary consents will be recorded on the relevant client file and on a central register of consents.
External Data Processors
There are circumstances where we are likely to have to use external Data Processors. Typical examples include:
- Experts
- Costs Draftsmen
- File Storage Companies
- IT support and data storage companies.
Some of these are Data Processors in their own right.
Guidance from the Bar Standards Board suggests that barristers are not data processors in their own right. In any event, due to the nature of their regulation, they will be required to maintain controls over confidential data.
Wherever we use external Data Processors we will do so in accordance with our Transfer of Data to Third Parties Policy.
Data Subject Access Requests
Requests for information about data we hold about an individual, including data subject access requests and/or requests to correct data, whether received verbally or in writing, are handled in accordance with our Information and Data Subject Access Requests Procedure.
Training and Awareness
In accordance with our overall approach to Performance Management, Learning & Development (as more particularly set out in our Quality Manual), all staff are provided with training on this policy and our data protection and information security procedures.
In particular, our COLP oversees the arrangement and content of:
- an induction plan to raise awareness and provide appropriate training to new staff on data protection and information security obligations including the policies and procedures in this Manual for all staff members
- annual and refresher training for all staff members within the firm to maintain the level of awareness of obligations to comply with our policies and procedures. We aim to include this in training plans as an annual objective but will also ensure this is delivered more frequently if necessitated by changes in legislation or guidance or as a result of previously identified breaches or changes to our systems, policies or procedures.
All training is planned, evaluated and recorded in the firm wide and/or individual training plans, as appropriate, in accordance with our training procedures outlined in our Quality Manual.
An ongoing awareness training programme is maintained in order to ensure that data protection and information security awareness is refreshed and updated regularly.
Some policies in this Manual also provide specific steps and measures that are taken in relation to raising awareness and ensuring sufficient training is provided to staff members in relation to particular compliance/risk areas.
Where appropriate, any specific information about data protection and information security responsibilities is included within relevant staff members’ job descriptions.
Data Breaches
If any staff member becomes aware of a data breach including a breach or potential breach of this policy or any of the policies or procedures in this Manual (and in particular our Information Management & Security Policy and Information Security Procedures) they must report that breach to David Mariampillai immediately and agree:
- What steps should be taken to mitigate or manage the impact of the breach
- Whether the data subject needs to be notified, and
- Whether the ICO needs to be notified. Our COLP may choose to use the ICO’s self-assessment for data breaches as a tool to aid this decision-making process.
Breaches are likely to need to be reported to the ICO where they are likely to result in a risk to the rights and freedoms of the data subject. If unaddressed, such a breach is likely to have a significant detrimental effect on the data subject. For example, the breach is likely to require reporting to the ICO where it results in:
- discrimination
- damage to reputation
- financial loss
- loss of confidentiality, or
- any other significant economic or social disadvantage.
This has to be assessed on a case by case basis and it is the role of our DPO to determine whether a breach must be reported to the ICO or otherwise. Breaches must be reported to David Mariampillai immediately and in accordance with our Compliance Policy as set out in our Quality Manual. He will determine whether the breach needs to be recorded on our Breach Register and whether an incident management plan needs to be implemented.
Where our COLP determines that a breach must be reported to the ICO, this action must be taken within 72 hours of first discovering the breach. This 72-hour reporting window is not paused during weekends or other non-working days. Data breaches can be reported to the ICO through their telephone helpline during normal working hours, or they can be reported online outside of these hours.
We may not have full knowledge of all circumstances surrounding the breach at the time of reporting; however, this must not result in a delay in reporting. We must gather as much information as possible regarding the breach, including:
- what has happened
- when and how the breach was discovered
- the people who have been, or may be, affected by the breach
- what we are doing as a result of the breach, and
- who the ICO should contact if they require more information and who else has been informed of the breach, such as our professional indemnity or cyber security insurers.
Any additional information obtained as the investigation into the breach develops must be shared with the ICO.
Where a data breach occurs as a result of a cyber incident, we must also consider whether the incident should be reported to the National Cyber Security Centre (NCSC). Incidents that may lead to a heightened risk of individuals being affected by fraud should also be reported to Action Fraud.