General Data Protection Regulation Policy Statement
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and came into effect on 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, that an individual’s data is not processed without their knowledge, and that it is only processed with their ‘explicit’ consent.
MJP Law is committed to complying with the data protection regulations and protecting the rights and freedoms of individuals with respect to the processing of personal data. GDPR gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. MJP Law is registered with the ICO (Information Commissioner’s Office) under registration number Z3149405.
The person responsible for data protection in this firm is the firm’s Compliance Officer for Legal Practice for the time being whose name we will provide on request.
Rights for Data Subjects
- the right to be informed about the collection and the use of their personal data
- the right to access personal data and supplementary information
- the right to have inaccurate personal data rectified, or completed if it is incomplete
- the right to erasure (to be forgotten) in certain circumstances
- the right to restrict processing in certain circumstances
- the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
- the right to object to processing in certain circumstances
- rights in relation to automated decision making and profiling
- the right to withdraw consent at any time (where relevant)
- the right to complain to the Information Commissioner
Use of Information
We use the information you provide primarily for the provision of legal services to you and for related purposes including:-
- updating and enhancing client records
- analysis to help us manage our practice
- statutory returns
- legal and regulatory compliance and crime prevention
Our use of that information is subject to your instructions, data protection law and our duty of confidentiality. Please note that our work for you may require us to give information to third parties such as expert witnesses and other professional advisers. We may also give such information to others who perform services for us, such as printing or photocopying. We do not normally copy such information to anyone outside the European Economic Area; however, we may do so when the particular circumstances of your matter so require. All such third parties are required to maintain confidentiality in relation to your files.
You have a right of access under data protection legislation to the personal data that we hold about you. We seek to keep that personal data correct and up to date. You should let us know if you believe the information we hold about you needs to be corrected or updated.
When processing personal data for accounting and auditing in accordance with Solicitors Regulation Authority, taxation and related services, we act as the data controller. We confirm that we will comply with the obligations GDPR places on MJP Law as a data controller. For services such as tax returns you are the data controller and we act as the data processor and we confirm we will comply with the obligations the GDPR places on us as a data processor.
If the firm appoints an expert witness to give evidence, the expert witness could be classed as a ‘data processor’ as they too will process the client’s personal data. However, they are not in ‘control’; they will be acting under instruction from the firm. In this instance the firm will be the data controller and the expert witness will be the data processor.
What we record
We record clients’ names, addresses, telephone numbers, email addresses, dates of birth and National Insurance numbers. In family matters we need to know children’s full names, addresses, and dates of birth. Information is stored on our case management system on our servers. In the course of acting for clients, certain information may be sent to third parties via a secure electronic file transfer system.
We may receive personal data from you for the purposes of our money laundering checks such as a copy of your passport. These will be processed only for the purposes of preventing money laundering and terrorist financing or as otherwise permitted by law or with your express consent. You consent to us retaining such data for longer than the five year statutory period unless you tell us otherwise.
If you send us personal data about anyone other than yourself you will ensure you have any appropriate consents and notices in place to enable you to transfer that personal data to us and so that we may use it for the purposes for which you provide it to us.
We record details of our suppliers, referrers and experts’ names, addresses, telephone numbers, email addresses and fax numbers which are held on a secure server.
In respect of our Health and Safety policy, we record names of visitors/contractors to our offices on a daily sign in sheet and this is destroyed on a weekly basis via confidential waste.
As an employer MJP Law is required to hold data on its employees; names, addresses, email addresses, telephone numbers, dates of birth, National Insurance numbers, photographic ID for example passport, driver’s licence, bank details, utility bills. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to a third party for the processing of DBS checks.
At any point an individual can make a request relating to their data and MJP Law will provide a response within 14 days. MJP Law can refuse a request, for example if we have a lawful obligation to retain data, but we will inform the individual of the reasons for the rejection.
Individuals have the right to request the deletion of data where there is no legal reason for its continued use. If an individual requests that their personal data be removed from the firm’s practice management system and a case is linked to the contact record, the request cannot be fulfilled, because case files have to be kept for a specific length of time by law. However, the data record can be restricted from processing and its contents scrambled so that only the data protection officer can see it until such time as the legal period for holding the case has expired, at which point it can be deleted. The individual will have the right to complain to the ICO if they are not happy with the decision.
Data security and marketing
MJP Law requires data to be transferred from one IT system to another. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
Clients and staff can object to their data being used for certain activities like marketing or research.
MJP Law does not use personal data for marketing-based organisations.
Access to all office computers is password protected and the passwords are changed every 90 days. When a member of staff leaves the firm their password will immediately be changed in accordance with MJP Law’s leavers process.
GDPR means that MJP Law must:-
- manage and process personal data properly
- protect the individual’s rights to privacy
- provide an individual with access to all personal information held on them
The legislation places a responsibility on every data controller to process any personal data in accordance with its principles. Detailed guidance on how to comply with these principles can be found by following this link to the ICO’s website (https://ico.org.uk/). In order to comply with its obligations, MJP Law undertakes to adhere to these principles.
This policy will be updated as necessary to reflect best practice or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and Data Protection Act 1998.