Privacy & Cookie Policy

PARADIGM SOLICITORS LLP
DATA PROTECTION / INFORMATION SECURITY POLICY & COOKIES

Part A    Our Approach To Data Protection And Information Management

Under the firm’s compliance plan the firm’s Compliance Officer for Legal Practice (COLP) has overall responsibility for data protection issues.  As such he is responsible for this policy, including assessing data risks and reviewing and updating the policy from time to time, and for ensuring that we comply with our obligation to be registered with the Information Commissioner.  Questions on or concerns about data protection issues should be referred either to him or to your supervisor. The policy is reviewed and updated annually.

Information Asset Register

The firm’s register appears as an appendix to this document.

Protection and Security of the Information Assets

The great majority of the information assets are confidential. We take care to protect confidential information applying the principles set out in Part B of this Policy.

Part B is periodically circulated to staff to remind them of their responsibilities.

Retention and Disposal of Information

We retain information for the periods set out in the Information Asset Register. These periods reflect our data protection obligation not to keep personal data for longer than is necessary, and also our statutory, regulatory and business needs to keep records.

Thereafter information is disposed of securely, by shredding, electronic deletion, or otherwise as appropriate.

Firewalls

The firm maintains a firewall to prevent unauthorised access to the firm’s network and data.

Procedures to Manage User Accounts

User accounts are managed by the Compliance Officer. User accounts can be disabled at any time, for example on discovering a breach of security. Accounts are disabled when a member of staff leaves the firm.

Staff responsible for the management of payments (including fee earners and finance staff) are only recruited or assigned to that function after passing suitable background checks, including taking references and the verification of claimed qualifications.

Procedures to Detect and Remove Malicious Software

If, despite the precautions described elsewhere, malicious software (malware) is present on the system, it should be detected by the firm’s anti-virus software. It is then the responsibility of the firm’s IT department to remove the malware, according to the nature of the threat and industry standard procedures at the relevant time.

Register of Software Used by the Practice

The firm currently uses the following software:

Leap, Microsoft Office and Adobe products.

Training for Personnel on Information Security

The firm has provided all staff with its information security rules (the current version of which is set out below) and recirculates them to all staff at least annually.

In addition the firm trains staff about information security risks and precautions on induction, and thereafter at least annually using the online course provided by Socrates Training. In addition the Compliance Officer for Legal Practice, among others, periodically circulates e-mails reminding staff of current criminal methodologies and risks as well as necessary precautions.

Updating and Monitoring of Software

All software used by the firm is supported by external software suppliers who issue routine updates from time to time. It is the responsibility of the COLP to decide whether and when updated versions are to be installed or new or better software should be obtained.

Part B   Data Protection And Information Management – Staff Responsibilities

1- Who is Responsible?

The firm holds a huge amount of confidential information about clients, staff and third parties. We must all comply with data protection law and keep confidential information secure. Accordingly all staff must study and observe the precautions set out below.

The firm’s Compliance Officer for Legal Practice (COLP) has overall responsibility for data protection and this policy. Questions on or concerns about these issues should be referred either to [him/her] or to your supervisor.

In particular, if you are aware of any breach of security involving confidential information you must report it promptly to that person. The firm has a duty to report breaches of security to clients, and sometimes to the Information Commissioner’s Office.

2- Our Obligations

When we hold information about identifiable people (known as “data subjects”) this gives rise to obligations under the General Data Protection Regulation (GDPR). The GDPR applies whether such information is held in electronic form or in a paper filing system.

People have rights if we hold information about them. That includes the right to be informed what we hold, the right to have errors corrected and the right to have data deleted if we have no justification for holding it.

We may be liable in various ways if we fail to hold data appropriately. This may include liability in damages for negligence and breach of confidentiality or even criminal liability. We may also be subject to professional sanctions for breach of the SRA Code of Conduct. The following is a summary of our obligations under data protection law, but is not a substitute for full research where appropriate.

The Data Protection Principles: In processing personal data we must be able to demonstrate that we comply with the “data protection principles”. These require that personal data must be:

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
  • adequate, relevant and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • kept with appropriate security.

Grounds for Processing Personal Data: We should only process personal data if we have a legitimate justification for doing so.

Often the justification will be the consent of the person concerned. But note that in the case of someone under the age of 16 they cannot give that consent themselves and instead consent is required from a parent, or other person holding ‘parental responsibility’.

Otherwise we may be entitled to proceed without consent on a number of grounds. Those which most often apply are the following.

  • It is necessary for the performance of a contract to which the person concerned is a party.
  • It is necessary for compliance with a legal obligation.
  • It is necessary to protect someone’s vital interests.
  • It is necessary for our legitimate interests or those of a third party, except where such interests are overridden by the interests or rights of the person concerned.

Sensitive Personal Data:  Sensitive personal data (referred to in the GDPR as “special categories of personal data”) can only be processed under strict conditions.  Sensitive personal data includes information about someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic data and biometric data.

The usual grounds which entitle us to process such sensitive data are the following.

  • Explicit consent of the data subject.
  • It is necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
  • Data manifestly made public by the data subject.
  • It is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.

3- Your Responsibilities

Do not collect or use personal data without a good reason:

If clients give us information about themselves this is rarely a problem, as they will usually expect us to record that information and use it for usual professional purposes. However take particular care with information about third parties, who may be unaware that we hold information about them. Bear in mind three simple principles.

  • Do not record information about people unless you need to do so.
  • Keep it secure.
  • Delete it promptly when you no longer need it.

Those principles apply especially to information of an embarrassing, secret or sensitive nature, and where the people concerned have not consented to us holding the information.

Take care when sending personal data to others:

You will often need to share personal data and confidential information with others such as barristers, expert witnesses and other law firms. However before doing so consider these issues.

  • Do they really need the information?
  • Should we redact documents so that they do not include irrelevant and unnecessary confidential information?
  • Can we rely on the recipient to keep the information secure?
  • Are you sending the information outside the European Economic Area?  If so you should check either that the country in question has been designated by the EU Commission as providing adequate data protection, or that we have appropriate contract clauses agreed with the recipient in place to protect the data.
  • In publications and publicity material all client identification information must be removed unless clients have consented.

Keep papers secure

  • Keep confidential papers in locked cabinets when they are not in use. Bear in mind that cleaning personnel, temporary staff and others may be present in the building, and that leaving papers where they can be seen risks a breach of security.
  • Report any stranger you see in an entry-controlled area.
  • Only take client files (or other confidential information) out of the office when it is necessary to do so. Take precautions to ensure that such items are not stolen or lost.  For example do not leave files in an unattended car.
  • Be aware that taking paper files out of the office is especially risky. Where possible take information in encrypted digital form, e.g. on a laptop.
  • Also bear in mind that laptops and other electronic devices may be stolen if taken out of the office. Hence confidential files taken out of the office in electronic form must be encrypted. It is not enough that the machine on which they are stored is password protected. Where possible if you are working out of the office, access documents over the internet.
  • Ensure confidential papers are shredded on disposal.

Keep IT secure

  • Take care with any e-mail you receive from an unknown source. Bear in mind that clicking on attachments or links may result in viruses being downloaded.
  • Follow the firm’s policy on the use of passwords, including the level of complexity, the frequency with which they should be changed, and other precautions such as not writing them down in any form which might be intelligible to a third party. Secure passwords are particularly important with mobile devices, or with logins that would enable people to access the firm’s systems remotely.
  • Log off from your computer when it is left unattended.
  • Ensure that your computer screen does not show confidential information to those who are not authorised to see it. This is particularly important when using a laptop or other device outside the office.
  • Update the software on your computer whenever required to do so. Updates frequently fix security weaknesses.
  • Take particular care when transferring data between the firm’s system and an external system. For example:

    – if you use a data stick or similar storage device to load documents onto your work computer, this may introduce viruses or other malware into the firm’s systems;

    – if you transfer confidential files to your home computer you must ensure that computer is properly secure. That is a particular risk if your home computer is shared with other users or vulnerable to theft.

    If in any doubt check with [the IT department].

  • Even if data has been deleted from electronic media it may be possible for others to recover it.  Hence computer hard drives, data sticks, floppy disks, CD-ROMs etc should either be cleaned by an expert or physically destroyed when no longer required.

Take Care With Payments

  • The firm has policies in place to protect itself from the risk of funds being diverted. Those responsible for making payments from our bank account receive separate guidance, which includes a strict prohibition on divulging account credentials or security information (including usernames, passwords, PINs and other security codes).
  • All staff should be aware of the risk of criminals seeking to divert funds, e.g. by phone calls or e-mails to the firm purporting to be from clients, our bank or senior staff, or to clients purporting to be from the firm, asking for payments to be made to inappropriate accounts. Staff must report to their supervisor or the Compliance Officer immediately any request they receive for information which might be used to facilitate fraudulent payments.

Take Care When Dealing with Enquiries

Beware of “blaggers” (people who attempt to obtain confidential information by deception). This is most commonly done by phone but may also be by e-mail or by calling in person. The following are examples of the precautions you should take when dealing with enquiries.

  • Check the identity of the person making the enquiry.
  • Check we are authorised by the client (or other relevant person) to pass on this information.
  • Ask callers to put their request in writing if you are not sure about the caller’s identity and their identity cannot be checked.
  • Refer to your supervisor for assistance in difficult situations.
  • Take particular care with callers who claim to be from our bank. A number of firms have had money stolen from their bank accounts after staff gave confidential banking information out over the phone.

Forward any “Subject Access Request” You Receive

Under data protection law we may receive a written request (known as a “subject access request”) from someone for information that we hold about them. If you receive such a request you should forward it to the COLP immediately.

COOKIES

Cookies allow us to do multiple things to enhance and improve your browsing experience on our website.

We use cookies to track visitors to our website; these details are in no way personal details and will never be shared. Using these cookies we can improve the performance of our website for you, the user.

We also use cookies in order to geo-target specific users to make websites more personal.

By using the website of Paradigm Solicitors you consent to the usage of data captured by the use of cookies. If you wish to turn off cookies, please adjust your browser settings. Our website will continue to function without cookies.

Personal identification information

We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, subscribe to the newsletter, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address and phone number. Users may, however, visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personal identification information, except that it may prevent them from engaging in certain Site-related activities.

How we protect your information

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.

Sharing your personal information

We do not sell, trade, or rent Users’ personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third-party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes provided that you have given us your permission.