GENERAL DATA PROTECTION REGULATION (GDPR)
General Data Protection Regulation Policy Statement
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, that individuals’ data are not processed without their knowledge, and that they are only processed with the individual’s ‘explicit’ consent.
MJP Law is committed to protecting the rights and freedoms of individuals with respect to the processing of personal data. GDPR gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. MJP Law is registered with the ICO (Information Commissioner’s Office) under registration number Z3149405.
We confirm that we will comply with the General Data Protection Regulation from 25 May 2018. In order to provide legal services to you, and for the related purposes shown below, we may obtain, process, use and disclose personal data about you:-
- updating and enhancing client records
- analysis to help us manage our practice
- statutory returns
- legal and regulatory compliance and crime prevention
Our use of that information is subject to your instructions, the GDPR and our duty of confidentiality. Please note that our work for you may require us to give information to third parties such as expert witnesses and other professional advisers. You have a right of access under data protection legislation to the personal data that we hold about you.
When processing personal data for accounting and auditing in accordance with the Solicitors Regulation Authority, taxation and related services, we act as the data controller. We confirm that we will comply with the obligations GDPR places on MJP Law as a data controller. For services such as tax returns you are the data controller and we act as the data processor, and we confirm we will comply with the obligations the GDPR places on us as a data processor.
If the firm appoints an expert witness to give evidence, the expert witness could be classed as a ‘data processor’ as they too will process the client’s personal data. However, they are not in ‘control’; they will be acting under instruction from the firm. In this instance the firm will be the data controller and the expert witness will be the data processor.
We record clients’ names, addresses, telephone numbers, email addresses, dates of birth and National Insurance numbers. In family matters we need to know children’s full names, addresses, and dates of birth. Information is stored on our case management system on our servers. In the course of acting for clients, certain information may be sent to third parties via a secure electronic file transfer system.
We record details of our suppliers’, referrers’ and experts’ names, addresses, telephone numbers, email addresses and fax numbers, which are held on a secure server.
In respect of our Health and Safety policy, we record the names of visitors/contractors to our offices on a daily sign-in sheet, and this is destroyed on a weekly basis via confidential waste.
As an employer MJP Law is required to hold data on its employees: names, addresses, email addresses, telephone numbers, dates of birth, National Insurance numbers, photographic ID (for example passport or driver’s licence), bank details and utility bills. This information is also required for Disclosure and Barring Service (DBS) checks and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to a third party for the processing of DBS checks.
At any point an individual can make a request relating to their data and MJP Law will provide a response within 14 days. MJP Law can refuse a request, for example if we have a lawful obligation to retain the data, but we will inform the individual of the reasons for the rejection.
Individuals have the right to request the deletion of data where there is no legal reason for its continued use. If an individual requests that their personal data be removed from the firm’s practice management system and a case is linked to the contact record, the request cannot be fulfilled, because case files have to be kept for a specific length of time by law. However, the data record can be restricted for processing and its contents scrambled so that only the data protection officer can see it until such time as the legal period for holding the case has expired, at which point it can be deleted. The individual will have the right to complain to the ICO if they are not happy with the decision.
MJP Law requires data to be transferred from one IT system to another. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
Clients and staff can object to their data being used for certain activities like marketing or research.
MJP Law does not use personal data for marketing-based organisations.
Access to all office computers is password protected and the passwords are changed every 90 days. When a member of staff leaves the firm, their password will immediately be changed in accordance with MJP Law’s leavers process.
GDPR means that MJP Law must:-
- manage and process personal data properly
- protect the individual’s rights to privacy
- provide an individual with access to all personal information held on them
The legislation places a responsibility on every data controller to process any personal data in accordance with the eight principles. Detailed guidance on how to comply with these principles can be found by following this link to the ICO’s website (www.ico.org.uk). In order to comply with its obligations, MJP Law undertakes to adhere to the eight principles.
This policy will be updated as necessary to reflect best practice or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and the Data Protection Act 1998.