The Data Protection Act relates to the handling of all data, including employee information as well as client or customer-related data. Data under the Act breaks down into two categories – ordinary personal data and sensitive personal data.
The Act requires the Firm to take additional steps to protect sensitive personal data. Our firm is a Data Controller in some cases (for its own clients, for example) and a Data Processor in other cases (when acting as agent for other firms, for example).
We take both roles seriously, and our compliance plans and policy are set out in this office manual. The Firm is committed to best-standard compliance with all relevant aspects of the GDPR (EU General Data Protection Regulation) and the expected Data Protection Act, currently a Bill before Parliament.
Our Data Protection Officer (DPO)
What is expected of our DPO
Our DPO must conduct research and attend training or produce a self-training manual that considers all aspects of GDPR that apply to our firm.
Our DPO must then cascade the training received or generated by self-study and research to all senior staff.
Our DPO and all senior staff must share this knowledge and awareness with all other staff.
The required training and awareness must reflect the policies, procedures, internal governance and technology systems used by our firm, which are set out below.
It should explain the GDPR and how it applies to the work staff undertake at our firm on a daily basis.
The required training must also emphasize the risks of fines and regulatory action to our firm, and criminal sanction for individuals within our firm.
As well as considering the training needs of staff in relation to their roles and responsibilities for processing personal data, our firm’s DPO, who also functions as our GDPR lead, will also want to consider the specialist training needs of members of staff who work in areas including marketing, database management, or human resources.
A particular focus of training should be the identification of data subject access requests, and the handling of data breaches.
What Sensitive Personal Data Do We Hold?
The Firm believes that the vast majority of the information which it holds is considered (under the terms of the Act) to be sensitive personal data and therefore Data Protection is a serious aspect of managing the firm.
The Firm believes that relevant data include:
- racial or ethnic origin – which we hold for the purposes of equal opportunity monitoring;
- pre-employment health questionnaire and other information relating to your health and sickness absence – which the Firm holds so that it can monitor and control sickness absence and ensure that it can pay you sick pay; and
- any disciplinary or other records to the extent that they relate to criminal offences. For example, this would include criminal offences which you disclosed when you applied for a job with the Firm (and which are not exempt from disclosure under the Rehabilitation of Offenders Act) and data created in the thankfully infrequent event of allegations being made against employees that involve or could involve a criminal offence, such as theft.
- Criminal Conviction information of some clients
- Banking details of some clients
- Legal Privilege information such as advice given to some clients
- Documents in clients’ case files and documents disclosed by third parties in litigation or other matters
How do we record the Data we hold?
All Data Received will be documented in the incoming correspondence log and will be stored in relevant client files.
How will we review our record keeping obligations?
We will check our file opening procedures and our compliance with our incoming correspondence logging operations on a quarterly basis to ensure that all incoming data is captured.
Who will receive disclosures?
- Clients are entitled under Subject Access Requests
- Clients need to be aware that our regulators can access data, and legal aid clients need to be aware that the LAA can access data.
- Clients may give us authority to issue data to a third party.
- Our client care letter must make clear that work may be outsourced outside the EU, and instructions are accepted subject to the client’s permission for us to outsource some aspects of our work for them to Agents and legal support service providers outside the EU.
- Agents and Consultants may access data from us with client consent, as given in the terms of business agreement.
- The police and law enforcement may access data by warrant and without warrant in some circumstances.
- We will continue to review who can access data from our system.
Subject to some exceptions, the Data Protection Act requires the Firm to obtain client and staff explicit consent to hold and process sensitive personal data.
Without this consent the Firm will not be able to process this data, which could, for example, mean that the Firm cannot perform a required task for that person.
How do we comply with transparency and responsibility and liability?
Our records of data must be organized and ready for delivery to the relevant authorities, including the ICO and SRA, and also to clients so far as the record concerns a particular client.
We are a micro organization in GDPR terms, however our aim is to comply as far as we can above minimum requirements.
Why do we process data?
- To provide legal services
- To comply with regulation
- To employ staff and agents
- To conduct client satisfaction surveys
Whose data do we hold?
- Clients, staff and agents.
- Persons related to clients and client matters e.g. witnesses and litigation friends.
Who do we transfer data to?
- Persons Nominated by Clients
Data Transfers Outside the EU
We may outsource items and parts of work comprising our legal services in accordance with professional terms which are set out by the SRA materials on outsourcing. Please visit https://www.fcsolicitors.com/outsourcing for more information about outsourcing.
All data transferred outside the EU must be encrypted, hand delivered, or sent from secure email addresses such as cjsm addresses or .gov or .nhs addresses, and must be sent only with client consent.
What is our retention schedule?
- 6 years for all clients when we are the data controller.
- When we are the data processor, the period depends on the contract with the Data Controller or the Client.
- Our strategy and capacity are further outlined in the remainder of this DPA section and in the cyber security section below.
Personal data we hold about our staff and applicants
- Title, Name, Address – for contact purposes;
- Home and mobile phone numbers (if supplied) – for contact purposes;
- National Insurance number – for payroll processing and tax purposes;
- Date of birth and age – in order to address benefit related queries where age is a relevant factor and for the purpose of applying our retirement policy;
- Emergency contact (possibly next of kin) details – for emergency contact purposes and for administration of flexible benefits; and
- Marital status – in order to address benefit related queries where marital status may be a factor and for tax purposes.
Employment record data we hold about our staff and applicants
- Start date and length of service – for processing and informational purposes and so as to determine employment rights and eligibility for some benefits;
- Employment history – in order to monitor career development;
- Holiday entitlement – for payroll processing and informational purposes;
- Pension scheme member – in order to respond to enquiries;
- Health and safety roles – if applicable;
- Accidents at work – if applicable for health and safety reasons; and any current disciplinary warnings.
More Types of Data We May Hold
- Marketing Data – Not applicable. We generally do not hold any data arising from our marketing activities, as we simply advertise our website, and information arising from client enquiries is not held on our database unless the enquiry results in an immediate instruction. However, we may change our marketing practices in future, and we will review our data obligations in this regard to ensure our full compliance with the GDPR and Domestic Data Protection Laws.
- Database management – Our Database is managed by Mr Obinna Baranta. Electronic access to data granted to all staff and agents is protected by the attached Data Processor Agreement, and the penalty for breach is as high as £500,000. Our data processors, if outside the EU, must have some insurance cover, even though this may not be as high as the above-mentioned limit. We do not at this time employ any external database managers, but if we decide to do so in future this document will be reviewed to ensure our continued compliance is achieved.
- Human Resources – Please see above at employment records, which also apply to Agents’ and Consultants’ data in the same manner as employee data.
GDPR PRIVACY NOTICE ANNEX
Our firm is First Continental Solicitors Ltd
Our firm’s address is 44A Upper Wickham Lane, Welling, Kent DA16 3HF
Our Data Protection Officer is Mr Obinna Baranta.
Our Data Protection Officer’s address is the same as our firm’s address above and he is reachable on 07944345443.
The purpose of our collection and processing and storage of your data is:
- If you are a client – in order to provide legal services to you and in order to comply with laws such as money laundering laws and our professional rules or public funding (Legal Aid) rules.
- If you are a member of staff – in order to provide employment to you, to supervise you, to safeguard our clients and our business, and to comply with laws such as benefits and tax laws and professional regulatory laws.
- We generally collect, receive, and store your data only at your request, following your approaching us for legal services or for employment.
- Recipients of your data may include our regulators, persons nominated by you, law enforcement authorities and yourself, our agents and subcontractors and our storage facility or database managers.
- We may use agents who are based outside the EU to conduct our legal work for you. This will be done only in accordance with our terms of business which you must consent to before we can act for you if you are a client. We may also store data outside the EU with your consent only.
What protections do we have as safeguards for Data going outside the EU?
- Our agents must have some form of insurance to compensate us for loss even though this may not cover the full value of losses you or our firm may incur.
- All data sent outside the EU must be sent and received by Secure Email only, such as a government-certified email address; in our case this will usually be the CJSM system or email sent via our firm’s private server.
- Data sent outside the EU will go to computers owned by us in the relevant country.
- Data sent outside the EU will be destroyed when your case concludes unless you opt for storage outside the EU.
- Data sent outside the EU will only be seen by employed staff and agents of our firm.
- Data sent outside the EU will be encrypted if it is very sensitive and contains any financial risk.
- Data sent outside the EU will only be for the purpose of enabling a quality service to you.
How long will we keep your data?
- For 6 years if you are our client.
- For a shorter period if we are processing your data for our client or for another organization.
In summary you have the following rights:
- the right to be informed about what’s happening to your data and that your data has been collected
- the right of access (Within one month of your request to us and in any event as soon as possible)
- the right to rectification
- the right to erasure:
Erasure may however be limited where there is a lawful reason for continued processing, including ‘for the establishment, exercise or defence of legal claims’. This could include our firm’s right to keep a copy of files to defend our service in the unlikely event that a potential claim or complaint against our firm arises from a person who may be our client, or who may not be our client but may be a third party.
- the right to restrict processing
You can object to processing of your data whether this processing relies on our legitimate interests or on the performance of a task carried out in the public interest. You can object to any processing for direct marketing and processing for scientific, historical, or statistical purposes.
- The right to data portability:
Portability allows a data subject (you) to instruct a data controller to transmit their personal data to another controller, i.e., from one solicitor to another, where it is technically feasible to do so, and the right only applies to processing by automated means on the basis of contract or consent. The aim of this provision is to enhance consumer rights and create opportunities for innovative data sharing between controllers. Data subjects will be entitled to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format and to have that data transmitted to another controller without hindrance.
The right to portability must not adversely affect ‘the rights and freedoms of others’.
- the right to object, and
- the right not to be subject to automated decision-making including profiling.
You have several rights in relation to your data:
- You can request your data at any time and we must comply within time limits set by law (30 days for usual requests, i.e. not complex).
- You can complain to the Information Commissioner about our usage or storage or collection or processing of your Data. The ICO’s address is:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
- You can withdraw your consent to us holding your data in certain circumstances
- You can demand erasure of your data
- You can demand correction of inaccurate data
- You can do all of the above by writing to us or speaking to us about your rights
- We do not usually use your personal data for other marketing purposes, but if you have given us consent we may share your data with service providers who deliver services ancillary or related to our service to you, so that they may contact you. This is only done with your consent.