What is “personal information”?
Personal Information is information relating to an identified or “identifiable natural person”. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location information, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
We do not consider personal information to include information that has been anonymised or aggregated so that it can no longer be used to identify a specific natural person, whether in combination with other information or otherwise.
We collect personal information on clients, their friends, relatives and witnesses, and on members of staff, job applicants, agents and suppliers.
All classes of such people are known as subjects. Their personal information is known as data. Dealing with it in any way is known as processing.
How do we collect personal information?
We collect personal information from clients when they use our services, from their friends, relatives and witnesses, during the course of meeting or talking to them, and via e-mail and correspondence. We collect information from other agencies such as the police or prosecuting or regulatory authorities.
We also collect information from members of staff and job applicants, and agents and suppliers through meeting or talking to them, and via e-mail and correspondence.
Our systems are hosted on a remote secure platform that allows for permanent and unlimited storage. You have the right to have such data deleted, subject to exceptions. We do not generally collect information from social media, though we may do so from time to time.
We process information on the basis that:
> It is needed for us to do something under a contract.
> The processing is necessary because of a legal obligation that applies to us, or
> It is necessary for the administration of justice.
> It is in the legitimate interests of the firm.
How we will use personal information
When subjects provide information to us it will be processed by us or on our behalf under the provisions of the Data Protection Act 1998 and the General Data Protection Regulations of 2018. Processing means any treatment of a person’s information, including for example holding, transferring and storing it. We will process this information and we will hold it in hard form on paper or electronically or both. We process data through a secure link to a hosted platform and store personal information on that platform. We are required by the Solicitors Regulatory Authority to retain files including personal information for a period of 6 years after the conclusion of a matter. Therefore at the conclusion of a matter it will be archived and retained for a minimum of 6 years.
Any personal information provided to us in respect of clients, their friends, relatives and witnesses will be used for the purpose of supplying services in relation to a matter that we have been instructed to deal with by the client, in accordance with our contract with the Legal Aid Agency. Any personal information provided to us in relation to staff, job applicants, agents or suppliers will be used for the purpose for which it was provided.
We may provide a person’s personal information to other parties including our staff, suppliers and agents, and to government agencies (known as third parties) where it is necessary to do so for the purpose for which the information was obtained, for example to the Legal Aid Agency in respect of an application for Legal Aid, or to fulfil a legal obligation or regulatory requirement, or where it is necessary to do so for our legitimate interests, for example submitting a bill of costs to the Legal Aid Agency.
Subject to the exception below, information will only be passed to third parties for the purpose for which it was obtained on the understanding that it will be processed by third parties on the same strict terms that we will deal with that information. We will obtain binding written commitments from our staff, suppliers and agents to this effect.
We will otherwise only disclose a subject’s information as follows: to a law enforcement agency requesting it in connection with the commission of an offence subject to our being satisfied as to the propriety of any request to do so, to comply with legal or regulatory requirements, to protect ourselves, our staff, our clients and agents or suppliers.
We will not use a subject’s information for marketing purposes.
We will not make use of automated decision-making systems about subjects.
How can subjects have access to, control and correct their personal information?
A person can see, review and change any personal information that we hold in respect of them. Subject to certain exceptions, we will honour any statutory right the subject may have to access, modify or erase their personal information. To request access and to find out whether any fees may apply, the subject must contact us in writing via The Data Protection Manager, Hallinan Blackburn Gittings & Nott LLP, 1st Floor Alexandra House, and 55A Catherine Place, London SW1E 6DP or via e-mail to email@example.com, for the attention of the Data Protection Manager. Any request must be in writing. Photographic proof of identification must be provided by the person making the request before we will deal with a request and this will usually be in the form of the subject’s passport. Where a person has a right to request access or request the modification or erasure of their personal information, subject to certain exceptions specified below, we will provide access or the modification or erasure of their personal information within 30 days of receipt of their proof of identification.
Where a person requests that we stop processing some or all of their personal information, or that we do not use or disclose their personal information for purposes set out in this privacy notice, subject to certain exceptions specified below we will stop processing that personal information within 30 days and will not use or disclose their personal information within 30 days of receipt of their proof of identification. Where a person requests that we remove their personal information, subject to certain exceptions specified below we will remove their personal information as soon as reasonably practicable.
Where a person has a right to request access to or to request the modification or removal of their personal information, we can still withhold that access or decline to modify or remove their personal information where to do so would prevent us from continuing to carry out our duties in accordance with agreements or contracts with that person or third parties, or where we are required to continue to hold that person’s personal information in accordance with a legal or regulatory obligation. For example we are required by the Solicitors’ Regulation Authority to retain client and matter records for 6 years after the conclusion of a matter.
Where a person has requested a copy of their information this will be provided without charge in a manner to be agreed, although we will not pay to provide external drives that may be required to provide large electronically-held information or for large quantities of paper to print large quantities of electronically-held information. Such personal information will be provided within 30 days of receipt of photographic proof of identity.
Where a person asks us to transfer their personal information to another data controller, this will be transferred within 30 days of receipt of photographic proof of identity.
A person’s personal information cannot be transferred beyond the European Economic Area (EEA) and a number of other listed countries where adequate provision has been made for the protection of that information. Should a request be made to transfer the personal information outside the EEA and listed countries, that information can be transferred if the subject gives written permission to do so.
How long will we hold data?
We are required by the SRA to retain data for a minimum of 6 years following the conclusion of a matter. At the conclusion of a matter it will be “archived” and retained for a minimum of 6 years. At the end of the 6 year retention period the information will be dealt with on the following basis:
> All hard or paper records will be destroyed.
> All electronic records relating to a matter will be permanently deleted.
> Personal contact information of clients will be permanently deleted, unless it is required in relation to another on-going or more recently archived matter.
How will we deal with a breach of the regulations?
A “breach” is a breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal information that is being stored or otherwise processed. If a subject discovers a breach it should be brought to the attention of the Data Protection Manager immediately. An immediate assessment will be made as to whether the breach is likely to result in a risk to individuals. If a breach is brought to our attention by a person or agency other than the subject, we will notify the subject if the breach is likely to result in a high degree of risk to the subject. If necessary we will notify the Information Commissioner’s Office. We will investigate the causes of a breach and instigate corrective measures where appropriate.