Data Protection Policy
This Firm is committed to ensuring that the use of personal data throughout the business is dealt with in accordance with legal requirements to ensure that the integrity and protection of that data is maintained at all times.
The Data Protection Act 1998 was introduced to ensure that personal data, namely any data that identifies a living individual, that is processed (including obtained, recorded or held) by persons or companies is accurate, confidential and secure and used in a fair and legitimate manner. The Act applies to both electronic (including emails) and manual (including hard copy) data.
Penalties for breaching the Act can be serious and can apply to both the Firm and to individuals.
Data Protection Principles
The Act lays down 8 Principles, summarised as follows:
1. Personal data must be processed fairly and lawfully (i.e. the individual must be made aware that their personal data is being processed or stored)
2. Information must only be used for the purpose for which it was originally collected unless explicit agreement has been received from the subject that it can be used for other purposes (e.g. marketing campaigns)
3. Excessive or irrelevant data must not be stored or processed
4. The information must be accurate and where necessary, kept up to date
5. Data must only be kept as long as necessary
6. Personal data must be processed in line with the rights of the data subject
7. Data must be kept secure at all times (e.g. paper files kept in locked cabinets, passwords on computers etc.)
8. Data must not be transferred outside the European Economic Area without the data subject’s permission unless that country has an adequate level of protection for the rights and freedoms of the individual in relation to the processing of personal data.
We need to collect and use certain types of information about people with whom we deal in order to conduct our business. These people may include current, past and prospective employees, third parties, suppliers, clients, opponents, and others with whom we communicate.
The purpose of this policy is to establish guidelines for use by all staff when dealing with and processing personal data.
• All personal data held on computer and manual filing systems must be identified together with the purpose for which that information is being processed, including data held for staff, clients and others with whom we communicate
• Obtain the data subject’s consent to process the data
• Ensure measures are in place for data security such as having computer passwords and manual data only accessed by authorised personnel
• Periodically check the accuracy of data obtained and held. It is generally insufficient to rely upon the data being received from the data subject. Additional steps may need to be taken to verify the accuracy of the data if obtained from other sources
Erasing / Destroying Data
• Ensure that the retention and destruction of data is in accordance with our archiving, retention and disposal procedures
• Seek permission from the data subject before any personal data is transferred outside the EEA unless it can be shown that the jurisdiction of transfer has an adequate level of protection for the rights and freedoms of data subjects
• Where data is to be processed on behalf of the Firm by an external third party (e.g. Barrister’s Chambers), written agreement must be obtained ensuring that this third party undertakes to have necessary procedures in place and complies with the Data Protection Act
• Only collect relevant information
• Do not mislead data subjects about why the information is being collected – explain why it is needed and how it will be used
• All documentation that gathers personal information of any kind should include a non-disclosure statement such as “this information will not be used for any other purpose nor disclosed to any other third party unless previously agreed with you”
• Record the information accurately and do not add details, comments or opinions that you would not be prepared to defend in court
• Consider whether someone else could misconstrue the information
• Respect the data subject’s right to privacy and handle the information with care
• Additional requirements apply under the Act to the processing of sensitive personal data, including racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sex life, criminal proceedings or convictions
Disclosure Of Personal Data
Personal data must not be disclosed unless disclosure is:
• To the data subject
• To a person nominated by the data subject
• To a staff member performing authorised activities
• To people / organisations identified in the Firm’s Data Protection Notification
• In connection with legal proceedings (disclosure must be necessary for the proceedings, or to obtain legal advice or to establish, exercise or defend legal rights)
• To comply with another law to make the information public
• For crime or taxation purposes, including the prevention / detection of a crime, or apprehension or prosecution of offenders, or assessment or collection of any tax / duty
• Required by the law or the Courts (subject to a Court Order)
Handling Requests For Personal Data
When personal data is requested by someone other than the data subject, establish to whom you are speaking. Always confirm that the person requesting the data has authority from the data subject before releasing the data.
It is a criminal offence for someone to attempt to obtain personal information to which they are not entitled (s.55 Data Protection Act 1998).
Monitoring And Review Of The Policy
This policy is reviewed annually by Karen Pointon. We will continue to review the policy to ensure its effectiveness and that it is achieving its stated objectives.
This policy does not form part of any employee’s contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action.