General Data Protection Policy
- Terms used in this policy which are defined terms in the GDPR have that defined meaning.
- I will process personal data lawfully within the meaning of Art 6, and fairly and transparently.
When instructions have been received and work upon them is not yet complete, I will collect, retain, access, use and communicate the data for the purpose of delivering my services.
When instructions have been fulfilled, I will retain the data only for one or more of the Art 6 reasons: essentially to meet my business needs (to enable me to provide a better service if instructed again in relation to the same or a related matter), to comply with legal requirements, to provide evidence in the event of disputes and to ensure that any records of historic value are preserved.
- I will collect data only for the purpose of delivering legal services in my practice as a Barrister.
- I will not further process data in a manner incompatible with that purpose.
- I will collect and process adequate and relevant information, and only to the extent that it is needed for the purpose identified above.
However, I will take a practical approach to this. I will not sift every document delivered to me and delete those parts which are not strictly necessary for the case on which I am working. It would not be practicable to do so. I will trust professionals and lay clients providing me with data to provide only what is reasonably necessary.
- I will ensure that so far as it is necessary and within my reasonable power to do so, the personal data is kept up to date.
- I will keep personal data only so long as the purposes identified above persist.
- I will take appropriate technical and organisational security measures to safeguard personal data
- I will not transfer information outside the UK except by communicating it to a client or his/her/its authorised representative abroad.
- I will set out clear procedures for responding to requests for information
- I will ensure that the rights of people about whom information is held, can be fully exercised under the GDPR.
Data Storage and access
- The data I control may be divided into the following groups, according to how and where it is kept. This categorisation is not intended to be exhaustive but is intended to assist in achieving the objectives identified in paragraph 24 below:
- Hard copy documents
- Electronic files (pdf, Word, spreadsheets, jpegs, PowerPoint etc) stored securely on my laptop.
- Documents open for the purpose of working on them, and therefore visible on a screen.
- Emails – Emails to and from clients which will often include case information and correspondence. I receive, send and store emails on my PC and using the Mail app on my phone.
- Contact details of clients including personal data such as name/address and financial information relating to billing. This data is kept for me by Millennium Chambers.
- The devices which I use to access this data are:
- A laptop which I often carry with me when out of chambers and away from home.
- A mobile phone which is always with me.
- I occasionally receive data from solicitors or lay clients on external media such as USB sticks. Very occasionally I may wish to copy data to external media.
- The only third parties with which I share data are Millennium Chambers and its staff. I do not have a formal data sharing agreement with my chambers because I have total confidence in the integrity of its systems.
- My security objectives are to ensure:
- Confidentiality of information – access to information is restricted to those persons with appropriate authority to access it.
- Integrity of information – information shall be complete and accurate.
- Availability of information – information shall be available and delivered to the right person at the time when it is needed.
Hard copy documents
- I usually need papers with me wherever I am working, which might be in chambers, at home, in court, at others’ offices, while travelling or in hotels.
- All papers will be moved securely between these locations. On public transport they will not be left unattended out of my briefcase. Papers left in an unattended car will be stored out of sight. This will only occur where necessary and for brief periods of low risk. Case files will not be left in a car overnight.
- Papers will never be left freely available in any common area in circumstances where there is a real risk that they may be read by unauthorised individuals. They will never be opened in circumstances where there is such a risk.
- I take papers home where I often work. They are kept in my private study to which only I have access. Given the nature of my practice, I am satisfied beyond any doubt that no member of my family has any interest in these papers or will look at them.
- My home has a security system which is on at all times. Given the nature of my practice, I am satisfied that my home is most unlikely to be targeted for the purpose of stealing personal data and that my case papers are unlikely to be of interest to a casual burglar.
Files being accessed and/or accessible from my devices
- Electronic files will never be opened on a screen in circumstances where they can be read by members of the public.
- All two devices identified above will be kept secure at all times within the limits of reasonable practicability.
- The phone is password protected and encrypted and will not be left unattended away from home.
- The laptop is encrypted to FIPS 140-2 or CCTM (CESG Claims Tested Mark) standards. It will not be left unattended and on view. It will only be left unattended at all where this is not reasonably avoidable.
- My laptop is protected by up-to-date anti-virus and anti-spyware software, subjected to regular virus scans and protected by an appropriate firewall.
- Operating software is checked regularly to ensure that the latest security updates are downloaded.
- Removable storage media such as memory sticks will be occasionally used. I do sometimes accept documents on such media and from time to time may load documents onto them. On such occasions the memory stick will be guarded as carefully as all other devices containing personal data.
- This policy covers all personal data irrespective of the media on which they are created or held and includes
- client documents
- notes of meetings
- instructions received and advice given
- My policy is to retain electronic data for at least 7 years. I consider it proportionate to retain for that period since the possibility of a dispute may endure for 7 years from the date of the last work undertaken.
- As to paper documents, these will be returned to instructing solicitors or other professional clients when I no longer need to keep them for the purposes of working on the case. The solicitors are entitled to their return and will have their own professional obligations and retention policies.
- In public access cases, documents will be retained for at least 7 years and then destroyed.
- However, none of the above three paragraphs is definitive. I will keep individual cases under review. The ultimate disposal decision will have regard to:
- on-going business and accountability need (including audit)
- current applicable legislation
- whether the record has any long-term historical or research value
- best practice in the profession
- costs associated with continued storage.
- No destruction of data will take place unless:
- the data is no longer required for the purpose of my practice
- no work is outstanding
- no litigation or investigation is current or pending which affects the data
- there are no current or pending FOIA or GDPR subject access requests which affect the data
- All data subjects have the right to access the information I holds about them, except where specific exemptions apply.
- I will deal with subject access requests in accordance with the Subject Access Request Policy of Millennium Chambers.
- I may share data with other agencies such as government departments and other relevant parties.
- The data subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows disclosure (including of sensitive data) without the data subject’s consent.
Data Protection Training
I will ensure that I am appropriately trained in Data Protection.
How to make a complaint?
I hope that you are happy with the service I provide and that the Deputy Head of Chambers, Gregory Bull KC can resolve any issues or complaints that arise. Please get in touch if you have any concerns.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where the alleged infringement of data protection laws occurred. The UK supervisory authority if the Information Commissioner’s Office who can be contacted at https://ico.org.uk/concerns/
Under the General Data Protection Regulation, you have a number of important rights that you can exercise free of charge. In summary, these rights are:
- Transparency over how I use your personal data and fair processing of your information.
- Access to your personal information and other supplementary information
- Require me correct any mistakes or complete missing information I hold on you
- Require me to erase your personal information in certain circumstances
- Receive a copy of the personal information you have provided to me or have this information be sent to a third party, this will be provided to you or the third party in a structured, commonly used and machine-readable format
- Object at any time to processing of your personal information for direct marketing
- Object in certain other situations to the continued processing of your personal information
- Restrict my processing of your personal information in certain circumstances
- Request not to be subject to automated decision making which produce legal effects that concern you or affect you in a significantly similar way.
If you want more information about your rights under the GDPR please see the Guidance from the Information Commissioners Office on Individual’s rights under the GDPR.
If you want to exercise any of these rights, please:
- Email, call or write to me; email@example.com
- Provide information so that I can identify you, for example, a copy of your Passport, Driver’s License, Utility Bill etc. I may need to contact you to request further information to verify your identity
- Let me have proof of your identity and address
- State the right or rights that you wish to exercise
I will respond to you within one month from when I receive your request.