We are committed to being transparent about how we collect and use the Personal Data we process and to meeting our data protection obligations. This policy sets out our commitment to data protection, and individual rights and obligations in relation to their Personal Data.

This policy applies to the Personal Data of our employees, clients, suppliers and other third parties.

We have appointed a Compliance Manager who is the person with responsibility for data protection compliance. Questions about this policy, or requests for further information should be directed to them.

Definitions

Criminal Records Data: means information about an Individual’s criminal convictions and offences, and information relating to criminal allegations, criminal offences and related proceedings, including the disposal of such proceedings or the sentence of any court in such proceedings.

Data Controllers’, are the people who or organisations which determine the purposes for which, and the manner in which, any Personal Data is Processed. They are responsible for establishing practices and policies in line with relevant data protection legislation. We are the Data Controller of all Personal Data used in the business for our own commercial purposes and with respect to our employees.¹

Data Processors: include any person or organisation that Processes Personal Data on our behalf, another’s behalf and on our instructions. Employees of Data Controllers are excluded from this definition but it could include suppliers which handle Personal Data on our behalf and it can also apply If we handle Personal Data on behalf of a Data Controller.

Data Protection Breach: means any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data Is a Personal Data Breach.

Data Subjects: for the purpose of this policy is an identified or Identifiable natural person, who is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an Identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social Identity of that natural person and who need not be a UK national or resident All Data Subjects have legal rights in relation to their Personal Data.

Personal Data: means Information relating to a Data Subject. Personal Data can be factual (for example, a name, address, e-mail address (Including business), date of birth, health data or employee bank details) ar it can be an opinion about that person, their actions and behaviour. It can be stored electronically or in paper-form. For the purposes of this Policy It also includes Criminal Records Data.

Privacy by Design: means implementing appropriate technical and organisational measures in an effective manner to ensure compliance with data protection legislation.

Processing: is any activity that Involves use of the Personal Data, It includes obtaining, recording or holding the Personal Data, or carrying out any operation or set of operations on the Personal Data Including: accessing, organising, amending, retrieving, using, storing, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties and ‘Process’ and ‘Processed’ shall be construed accordingly,

Special Categories of Personal Data: Includes information about a Data Subjects racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition, sex life or sexual orientation, genetic or biometric data, or about the commission of, or proceedings for, Special Categories of Persona! Data are subject to stricter conditions, which may Include requiring the explicit consent of the Data Subject, For the purposes of this Policy Special Categories of Person Data will also include Criminal Records Data.

Data Protection Principles

We process Personal Data in accordance with the following data protection principles:

• We process Personal Data lawfully, fairly and In a transparent manner.
• We collect Personal Data only for specified, explicit and legitimate purposes.
• We process Personal Data only where It is adequate, relevant and limited to what is necessary for the purposes of processing.
• We keep accurate Personal Data and take all reasonable steps to ensure that inaccurate Personal Data Is rectified or deleted without delay on becoming aware of an inaccuracy.
• We keep Personal Data only for the period necessary for processing.
• We adopt appropriate measures to make sure that Personal Data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage, This includes secure lockable desks and cupboards, secure means of disposal and processes for ensuring that confidential information is not left accessible and/or unattended on PCs or desks.

We tell Individuals the reason for processing their Personal Data, how we use such Personal Data and the legal basis for processing in our privacy notices, We will not process Personal Data of individuals for other reasons. Where we rely on our legitimate interests as the basis for Processing Personal Data, we will carry out an assessment to ensure that those interests are not overridden by the rights and freedoms of individuals,

We will update Personal Data promptly if an individual advises that his/her Personal Data has changed or is Inaccurate.

Personal Data gathered during the employment or the worker/contractor relationship is held In the individual’s personnel file (in both hard copy and electronic format), and on HR systems. The retention periods for which such HR-related Personal Data is held Is contained In our privacy notices.

Personal Data gathered from clients and other third parties, including suppliers Is held in files relating specifically to the client or the third party (In both hard copy and electronic format), the retention periods for which such Personal Data is held Is contained in our privacy notices.

Individual Rights

As a Data Subject, individuals have a number of rights in relation to their Personal Data.

Subject Access Requests

Individuals have the right to make a subject access request. If an individual makes a subject access request, we will tell them:

• whether or not their Personal Data is processed and if so why, the categories of Personal Data concerned and the source of the Personal Data if it is not collected from the individual;
• to whom their Personal Data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
• for how long their Personal Data is stored (or how that period is decided);
• their rights to rectification or erasure of Persona! Data, or to restrict or object to processing;
• their right to complain to the Information Commissioner If they think we have failed to comply with their data protection rights; and
• whether or not we carry out automated decision-making and the logic involved In any such decision-making.

We will also provide the individual with a copy of the Personal Data undergoing processing. This wili normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.

To make a subject access request, the individual should send the request through to the Compliance Manager in writing. We may need to ask for proof of identification before the request can be processed. We will inform the individual if they need to verify their Identity and the documents required.

We will normally respond to a request within a period of one month from the date it is received. In some cases, such as where we process large amounts of the individual’s Personal Data, we may respond within three months of the date the request Is received. We will write to the individual within one month of receiving the original request to tell them if this is the case,

If a subject access request is manifestly unfounded or excessive, we are not obliged to comply with it, Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which we have already responded. If an individual submits a request that is unfounded or excessive, we will notify them that this is the case and whether or not we will respond to It.

Other Rights

Individuals have a number of other rights in relation to their Personal Data. They can require us to:

• rectify inaccurate Personal Data;
• stop processing or erase Personal Data that is no longer necessary for the purposes of processing;
• stop processing or erase Personal Data if the individual’s Interests override our legitimate grounds for processing Personal Data (where we rely on legitimate interests as a reason for processing Personal Data);
• stop processing or erase Personal Data if processing is unlawful; and
• stop processing Personal Data for a period If Personal Data is inaccurate or if there Is a dispute about whether or not the individual’s interests override our legitimate grounds for processing the Personal Data.

To ask us to take any of these steps, the individual should send the request to the Compliance Manager in writing.

Data Security

We take the security of Personal Data seriously, We have Internal policies and controls in place to protect Personal Data against loss, accidental destruction, misuse or disclosure, and to ensure that Personal Data is not accessed, except by employees in the proper performance of their duties,

Where we engage third parties to process Personal Data on our behalf, such parties do so on the basis of written instructions from us, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of the Personal Data,

Impact Assessments

Some of the processing that we carry out may result in risks to privacy, Where processing would result in a high risk to individual’s rights and freedoms, we will carry out a data protection impact assessment to determine the necessity and proportionality of processing,

This will Include considering the purposes for which the activity Is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Personal Data Breaches

If we discover that there has been a breach of Personal Data that poses a risk to the rights and freedoms of Individuals, we will report it to the Information Commissioner within 72 hours of discovery. We will record all Personal Data breaches regardless of their effect.

If the breach Is likely to result In a high risk to the rights and freedoms of individuals, we will tell affected Individuals that there has been a breach and provide them with Information about its likely consequences and the mitigation measures it has taken.

International Data Transfers

We will not transfer Personal Data to countries outside the EEA.

Individual Responsibilities

Employees are responsible for helping us keep their Personal Data upto date. Employees should let us know If Personal Data provided to us changes, for example if an employee moves to a new house or changes their bank details.

Employees may have access to the Personal Data of other employees and of our clients and other third parties, including suppliers, In the course of their employment. Where this is the case, we reiy on employees to help meet our data protection obligations to employees and to clients and such other third parties.

Employees who have access to Personal Data are required:

• to access only the Personal Data that they have authority to access and only for authorised purposes;
• not to disclose Personal Data except to individuals (whether inside or outside the firm) who have appropriate authorisation;
• to keep Personal Data secure (for example by complying with rules on access to the premises, computer access, including password protection, and secure file storage and destruction);
• not to remove Personal Data, or devices containing or that can be used to access Personal Data, from our premises without adopting appropriate security measures (such as encryption or password protection) to secure the Personal Data and the device;
• not to store Personal Data on local drives or on personal devices that are used for work purposes; and
• to report Personal Data breaches of which they become aware to the Compliance Manager immediately.

Training

We will provide training to ail Individuals about their data protection responsibilities as part of the induction process and at regular Intervals thereafter.

Individuals whose roles require regular access to Personal Data, or who are responsible for Implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them,

Audit

We are responsible for, and must be able to demonstrate, compliance with data protection principles. In order to do this, we will periodically review our systems and processes to ensure that we comply with this policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.

Breaches of this Policy

We take a strict approach to breaches of this policy. Failure to comply with this policy by employees may be treated as misconduct and addressed in accordance with the disciplinary policy. Serious or deliberate breaches may amount to gross misconduct which could result In dismissal without notice.

This notice explains when and why we collect personal information about you; how we use it, the conditions under which we may disclose it to others and how we keep it secure.

For clients of this firm, you should read this notice alongside our general terms and conditions which provide further information on confidentiality, data privacy etc.

Who we are:

Data is collected, processed and stored by Barrett Nelligan Solicitors and we are what is known as the ‘data controller’ of the personal information you provide to us.

Barrett Nelligan Solicitors is a limited company, authorised and regulated by the Solicitors

Regulation Authority. SRA number 556280

Our Data Protection Officer is Simon Barrett who can be contacted by email simon@barrettandnelligan.co.uk

What we need

The exact information we will request from you will depend on what you have asked us to do or what we are contracted to do for you.

There are two types of personal data (personal information) that you may provide to us:

• Personal data: is the general information that you supply about yourself – such as your name, address, gender, date of birth, contact details, financial information etc.
• Sensitive personal data: is, by its nature, more sensitive information and may include your racial or ethnic origin, religion, sexual orientation, political opinions, health data, trade union membership, philosophical views, biometric and genetic data.

In the majority of cases personal data will be restricted to basic information and information needed to complete ID checks. However some of the work we do may require us to ask for more sensitive information.

Sources of information

Information about you may be obtained from a number of sources; including:

• You may volunteer the information about yourself
• You may provide information relating to someone else ~ if you have the authority to do so
• Information may be passed to us by third parties in order that we can undertake your legal work on your behalf. Typically these organisations can be:
• e-Banks or building societies
• Panel providers who allocate legal work to law firms
• Organisations that have referred work to us
• Medical or financial institutions – who provide your personal records / information
• Criminal justice agencies including the Police, Crown Prosecution Service and His Majesty’s Court and Tribunal Service HMCTS

Why we need it

The primary reason for asking you to provide us with your personal data, is to allow us to cany out your requests – which will ordinarily be to represent you and carry out your legal work.

The following are some examples, although not exhaustive, of what we may use your information for:

• Verifying your identity
• Verifying source of funds
• Communicating with you
• To establish funding of your matter or transaction
• Processing your legal transaction including:
• Providing you with advice; carrying out litigation on your behalf; attending healings on your behalf; preparing documents or to complete transactions
• Keeping financial records of your transactions and the transactions we make on your behalf
• Seeking advice from third parties; such as legal and non-legal experts
• Responding to any complaint or allegation of negligence against us

Who has access to it

We have a data protection regime in place to oversee the effective and secure processing of your personal data. We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

Generally, we will only use your information within Barrett Nelligan Solicitors, However there may be circumstances, in carrying out your legal work, where we may need to disclose some information to third parties; for example:

• HM Land Registry to register a property
• I-IM Revenue & Customs; e.g, for Stamp Duty Liability
• Court or Tribunal
• Solicitors acting on the other side
• Asking an independent Barrister or Counsel for advice; or to represent you
• Non legal experts to obtain advice or assistance
• Translation Agencies
• Contacted Suppliers
• External auditors or our Regulator; e.g. Law Society, SR A . ICO etc.
• Bank or Building Society; or other financial institutions
• Insurance Companies
• Providers of identity verification
• Any disclosure required by law or regulation; such as the prevention of financial crime and terrorism
• If there is an emergency and we think you or others are at risk

In the event any of your information is shared with the aforementioned third parties, we ensure that they comply, strictly and confidentially, with our instructions and they do not use your personal information for their own purposes unless you have explicitly consented to them doing so.

There may be some uses of personal data that may require your specific consent. If this is the case we will contact you separately to. ask for your consent which you are free to withdraw at any time.

How do we protect your personal data

We recognise that your information is valuable and we take all reasonable measures to protect it whilst it is in our care.

We follow strict security procedures as to how your personal information is stored and used and who sees it, to help stop any unauthorised person getting hold of it.

We utilise technology and operational security in order to protect personally identifiable data from loss, misuse, alteration or destruction Similarly, we adopt a high threshold when it

comes to confidentiality obligations and both internal and external parties have agreed to protect confidentiality of all information; to ensure all personal data is handled and processed in line with our stringent confidentiality and data protection policies.

We use computer safeguards such as firewalls and data encryption and annual penetration testing; and we enforce, where possible, physical access controls to our buildings and files to keep data safe.

How long will we keep it for

Your personal information will be retained, usually in computer or manual files, only for as long as necessary to fulfil the purposes for which the information was collected; or as required by law; or as long as is set out in any relevant contract you may hold with us. For example:

• As long as necessary to cany out your legal work
• For a minimum of 7 years from the conclusion or closure of your legal work; in case you, or we, need to re-open your- case for the purpose of defending complaints or claims against us
• For the duration of a trust
• Some information or matters may be kept for 16 years – such as commercial transactions, sales of leasehold purchases, matrimonial matters (financial orders or maintenance agreements etc.)
• Probate matters where there is a surviving spouse or civil partner may be retained until the survivor has died in order to deal with the transferable Inheritance Tax allowance
• Wills and related documents may be kept indefinitely
• Deeds related to unregistered property may be kept indefinitely as they evidence ownership

What are your rights?

Under GDPR, you are entitled to access your personal data (otherwise known as a ‘right to access’). If you wish to make a request, please do so in writing addressed to our Data Protection Officer Simon Barrett; or contact the person dealing with your matter.

A request for access to your personal data means you are entitled to a copy of the data we hold on you – such as your name, address, contact details, date of birth, information regarding your health etc.- but it does not mean you are entitled to the documents that contain this data.

You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, in the event that an access request is unfounded, excessive or especially repetitive, we may charge a ‘reasonable fee’ for meeting that request.

Alternatively, we may refuse to comply with your request in such circumstances. Similarly, we may charge a reasonable fee to comply with requests for further copies of the same information. That fee will be based upon the administrative costs of providing the information.

Under certain circumstances, in addition to the entitlement to ‘access your data’, you have the following rights:

1. The right to be informed: which is fulfilled by way of this privacy notice and our transparent explanation as to how we use your personal data
2. The right to rectification: you are entitled to have personal data rectified if it is inaccurate or incomplete
3. The right to erasure / ‘right to be forgotten’: you have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This right only applies in the following specific circumstances:

• Where the personal data is no longer necessary in regards to the purpose for which it was originally collected
• Where consent is relied upon as the lawful basis for holding your data and you withdraw your consent
• Where you object to the processing and there is no overriding legitimate interest for continuing the processing
• The personal data was unlawfully processed
• Where you object to the processing for direct marketing purposes

 

4. The right to object: you have the right to object to processing based on legitimate interests; and direct marketing. This right only applies in the following circumstances:

• An objection to stop processing personal data for direct marketing purposes is absolute – there are no exemptions or grounds to refuse – we must stop processing in this context
• You must have an objection on grounds relating to your particular situation
• We must stop processing your personal data unless:
• We can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
• The processing is for the establishment, exercise or defence of legal claims.

 

5. The right to restrict processing: you have the right to request the restriction or suppression of your data. When processing is restricted, we can store the data but not use it. This right only applies in the following circumstances:

• Where you contest the accuracy of the personal data — we should restrict the processing until we have verified the accuracy of that data
• Where you object to the processing (where it was necessary for the performance of a public interest or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override your right
• Where processing is unlawful and you request restriction
• If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim

 

Complaints about the use of personal data

 

If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate further. Our Data Protection Officer is Simon Barrett and you can contact him at simon@barrettandnelligan.co.uk.

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).

How we may use your details

The following are examples, although not exhaustive, of how we may use your personal information for our legitimate business interests:

• fraud prevention
• network and information systems security
• data /analytics /enhancing, modifying or improving our services
• identifying usage trends

Your rights

You have the right to object to this processing. Should you wish to do so please email simon@barrettandnelligan.co.uk.

Any questions regarding this notice and our privacy practices should be sent by email to simon@barrettandnelligan.co.uk.