Privacy Policy
1. Policy Statement
The Practice is committed to ensuring that the use of personal data throughout the business is dealt with in accordance with legal requirements to ensure that the integrity and protection of that data is maintained at all times.
2. Background
The Data Protection Act 1998 (the Act) was introduced to ensure that personal data, namely any data that identifies a living individual, that is processed (including obtained, recorded or held) by persons or companies is accurate, confidential and secure and used in a fair and legitimate manner. The Act applies to both electronic (including emails) and manual (including hard copy) data.
Penalties for breaching the Act can be serious and can apply to both the Practice and individuals.
3. Data Protection Principles
The Act prescribes eight data protection principles, summarised as follows.
- Personal data must be processed fairly and lawfully (for example, the individual should be made aware that their personal data is being processed or stored).
- Information must only be used for the purpose for which it was originally collected unless explicit agreement has been received from the subject that it can be used for other purposes (e.g. for mailshots, marketing campaigns, etc.).
- Excessive or irrelevant data must not be stored or processed.
- The information must be accurate and, where necessary, kept up to date.
- Data must only be kept as long as necessary.
- Personal data must be processed in line with the rights of the data subject (i.e. the individual who is the subject of the personal data).
- Data must be kept secure at all times (e.g. paper files should be stored in a locked cabinet and computer data password protected).
- Data must not be transferred outside the European Economic Area (EEA) without the data subject’s permission unless that country has an adequate level of protection for the rights and freedoms of the individual in relation to the processing of personal data.
4. Purpose
We need to collect and use certain types of information about people with whom we deal in order to conduct our business. These people include current, past and prospective employees, third parties, suppliers, clients, opponents, and others with whom we communicate.
The purpose of this policy is to establish guidelines for use by all staff when dealing with and processing personal data.
5. General Guidelines
Recording data
- All personal data held on computer and manual filing systems must be identified together with the purpose for which that information is being processed. This includes information held in relation to partners, staff, third parties, clients and others with whom we communicate.
- Obtain the data subject’s consent to process the data (to be carried out at the time of collection of the personal data). Where this has not occurred or does not occur at the time of collection, consent should subsequently be obtained.
Holding data
- Ensure measures are in place for data security, such as having computer records password protected and manual data kept secure and only accessible to authorised personnel.
Amending data
- Periodically check the accuracy of data obtained and held. It is generally insufficient to rely on the data being received from the data subject. Additional steps may need to be taken to verify the accuracy of the data if obtained from other sources.
Erasing or destroying data
- Ensure that the retention and destruction of data is in accordance with our archiving, retention and disposal procedures.
Transferring data
- Seek permission from the data subject before any personal data is transferred outside the EEA, unless it can be shown that that jurisdiction of transfer has an adequate level of protection for the rights and freedoms of data.
- Where data is to be processed on behalf of the Firm by an external third party (e.g. a barristers’ Chambers), written agreement must be obtained ensuring that the third party undertakes to have the necessary processes in place and complies with the Data Protection Act.
6. Specific Guidelines
- Only collect relevant information; do not collect superfluous information merely because it may be useful at some later date.
- Do not mislead data subjects about why the information is being collected. Explain why it is needed and how it will be used.
- All documentation that gathers personal information of any kind should include a non-disclosure statement such as: ‘This information will not be used for any other purpose nor disclosed to any other third party unless previously agreed with you’.
- Record the information accurately and do not add details, comments or opinions that you would not be prepared to defend in court (such additional information is still considered “personal data”).
- Consider whether someone else could misconstrue the information.
- Respect the data subject’s right to privacy and handle the information with care.
- Additional requirements apply under the Act to the processing of sensitive personal data (including racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions). Mr Lever is responsible for compliance with these requirements.
7. Disclosure of Personal Data
Personal data must not be disclosed unless disclosure is:
- to the data subject (note, if the data subject requests the data in writing and provides the appropriate fee, currently £10.00, we must provide a copy of the data within 40 days of receiving the request);
- to a person nominated by the data subject (refer below);
- to a staff member performing authorised activities (e.g. appraisals);
- to people or organisations identified in the companies’ data protection notification;
- in connection with legal proceedings (the disclosure must be necessary for the proceedings, or to obtain legal advice, or to establish, exercise or defend legal rights);
- to comply with another law to make the information public;
- for crime and taxation purposes, including the prevention or detection of a crime or the apprehension or prosecution of offenders (for example, a request from police in relation to the former) or the assessment or collection of any tax or duty; and
- required by the law or the Courts (subject to a Court order).
8. Handling requests for personal data
When personal data is requested by someone other than the data subject, establish to whom you are speaking by asking for corroborating information which can be verified. Also, always confirm that the person requesting the data has the authority of the data subject before releasing the data (for example, this may be a password).
If you are not satisfied that a person is entitled to the information, advise the person that the information and its use are regulated by the Act, and since the information is personal and confidential and you are not satisfied that the person is entitled to the information, it cannot be disclosed.
It is a criminal offence for someone to attempt to obtain personal information to which they are not entitled (Section 55 of the Data Protection Act 1998).
9. Monitoring and review of the policy
This policy is reviewed annually by the Directors of the firm. We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.
This policy does not form part of any employee’s contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action.