Under the firm’s compliance plan the firm’s Compliance Officer for Legal Practice (COLP) has overall responsibility for data protection issues. As such he is responsible for this policy, including assessing data risks and reviewing and updating the policy from time to time, and for ensuring that we comply with our obligation to be registered with the Information Commissioner. Questions on or concerns about data protection issues should be referred either to him or to your supervisor. The policy is reviewed and updated annually.
The firm’s register appears as an appendix to this document.
The great majority of the information assets are confidential. We take care to protect confidential information applying the principles set out in Part B of this Policy.
Part B is periodically circulated to staff to remind them of their responsibilities.
We retain information for the periods set out in the Information Asset Register. These periods reflect our data protection obligation not to keep personal data for longer than is necessary, and also our statutory, regulatory and business needs to keep records.
Thereafter information is disposed of securely, by shredding, electronic deletion, or otherwise as appropriate.
The firm maintains a firewall to prevent unauthorised access to the firm’s network and data.
User accounts are managed by the Compliance Officer. User accounts can be disabled at any time, for example on discovering a breach of security. Accounts are disabled when a member of staff leaves the firm.
Staff responsible for the management of payments (including fee earners and finance staff) are only recruited or assigned to that function after passing suitable background checks, including taking references and the verification of claimed qualifications.
If, despite the precautions described elsewhere, malicious software (malware) is present on the system, it should be detected by the firm’s anti-virus software. It is then the responsibility of the firm’s IT department to remove the malware, according to the nature of the threat and industry standard procedures at the relevant time.
The firm currently uses the following software:
Leap, Microsoft Office and Adobe products.
The firm has provided all staff with its information security rules (the current version of which is set out below) and recirculates them to all staff at least annually.
In addition the firm trains staff about information security risks and precautions on induction, and thereafter at least annually using the online course provided by Socrates Training. The Compliance Officer for Legal Practice also periodically circulates e-mails reminding staff of current criminal methodologies and risks as well as necessary precautions.
All software used by the firm is supported by external software suppliers who issue routine updates from time to time. It is the responsibility of the COLP to decide whether and when updated versions are to be installed or new or better software should be obtained.
The firm holds a huge amount of confidential information about clients, staff and third parties. We must all of us comply with data protection law and keep confidential information secure. Accordingly all staff must study and observe the precautions set out below.
The firm’s Compliance Officer for Legal Practice (COLP) has overall responsibility for data protection and this policy. Questions on or concerns about these issues should be referred either to [him/her] or to your supervisor.
In particular if you are aware of breaches of security with confidential information you must report that promptly to that person. The firm has a duty to report breaches of security to clients, and sometimes to the Information Commissioner’s office.
When we hold information about identifiable people (known as “data subjects”) this gives rise to obligations under the General Data Protection Regulation (GDPR). The GDPR applies whether such information is held in electronic form or in a paper filing system.
People have rights if we hold information about them. That includes the right to be informed what we hold, the right to have errors corrected and the right to have data deleted if we have no justification for holding it.
We may be liable in various ways if we fail to hold data appropriately. This may include liability in damages for negligence and breach of confidentiality or even criminal liability. We may also be subject to professional sanctions for breach of the SRA Code of Conduct. The following is a summary of our obligations under data protection law, but is not a substitute for full research where appropriate.
The Data Protection Principles: In processing personal data we must be able to demonstrate that we comply with the “data protection principles”. These require that personal data must be:
Grounds for Processing Personal Data: We should only process personal data if we have a legitimate justification for doing so.
Often the justification will be the consent of the person concerned. But note that in the case of someone under the age of 16 they cannot give that consent themselves and instead consent is required from a parent, or other person holding ‘parental responsibility’.
Otherwise we may be entitled to proceed without consent on a number of grounds. Those which most often apply are the following.
Sensitive Personal Data: Sensitive personal data (referred to in the GDPR as “special categories of personal data”) can only be processed under strict conditions. Sensitive personal data includes information about someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic data and biometric data.
The usual grounds which entitle us to process such sensitive data are the following.
Do not collect or use personal data without a good reason:
If clients give us information about themselves this is rarely a problem, as they will usually expect us to record that information and use it for usual professional purposes. However, take particular care with information about third parties, who may be unaware that we hold information about them. Bear in mind three simple principles.
Those principles apply especially to information of an embarrassing, secret or sensitive nature, and where the people concerned have not consented to us holding the information.
Take care when sending personal data to others:
You will often need to share personal data and confidential information with others such as barristers, expert witnesses and other law firms. However before doing so consider these issues.
– if you use a data stick or similar storage device to load documents onto your work computer, that may introduce viruses or other malware into the firm
– if you transfer confidential files to your home computer you must ensure that computer is properly secure. That is a particular risk if your home computer is shared with other users or vulnerable to theft.
If in any doubt check with [the IT department].
Beware of “blaggers” (people who attempt to obtain confidential information by deception). This is most commonly done by phone but may also be by e-mail or by calling in person. The following are examples of the precautions you should take when dealing with enquiries.
Under data protection law we may receive a written request (known as a “subject access request”) from someone for information that we hold about them. If you receive such a request you should forward it to the COLP immediately.
Cookies allow us to do multiple things to enhance and improve your browsing experience on our website.
Personal identification information
We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, subscribe to the newsletter, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address and phone number. Users may, however, visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personal identification information, except that it may prevent them from engaging in certain Site-related activities.
How we protect your information
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.
Sharing your personal information
We do not sell, trade, or rent Users’ personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes provided that you have given us your permission.