Data Protection Policy
Whitestone Solicitors takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) very seriously. This policy sets out how the firm manages those responsibilities.
Whitestone Solicitors obtains, uses, stores and otherwise processes personal data relating to potential staff and clients, current staff and clients, former staff and clients, contractors and suppliers, website users and contacts/third parties, collectively referred to in this policy as data subjects. When processing personal data, the firm is obliged to fulfil individuals’ reasonable expectations of privacy by complying with GDPR and other relevant data protection legislation (data protection law).
This policy therefore seeks to ensure that we:
- are clear about how personal data must be processed and the firm’s expectations for all those who process personal data on its behalf;
- comply with the data protection law and with good practice;
- protect the firm’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights; and
- protect the firm from risks of personal data breaches and other breaches of data protection law.
The main terms used are explained in the glossary at the end of this policy (Appendix 3).
This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff and others processing personal data on the firm’s behalf must read it. A failure to comply with this policy may result in disciplinary action.
All Heads of Departments and Directors of the firm are responsible for ensuring that all staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.
The Data Protection Manager is responsible for overseeing this policy. The firm’s Data Protection Manager (DPM) is Sajid Sadiq, who can be reached at firstname.lastname@example.org.
Personal data protection principles
When you process personal data, you should be guided by the following principles, which are set out in the GDPR. The firm is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below.
Those principles require personal data to be:
- processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency). Detail on how to achieve this can be found in Appendix 1.
- collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose limitation). Detail on how to achieve this can be found in Appendix 2.
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data minimisation). Detail on how to achieve this can be found in Appendix 2.
- accurate and where necessary kept up to date (Accuracy). Detail on how to achieve this can be found in Appendix 2.
- not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Storage limitation). Detail on how to achieve this can be found in Appendix 2.
- processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality). Detail on how to achieve this can be found in Appendix 2.
Data Subjects’ Rights
Data subjects have rights in relation to the way we handle their personal data. These include the following rights:
- where the legal basis of our processing is Consent, to withdraw that Consent at any time;
- to ask for access to the personal data that we hold (see below);
- to prevent our use of the personal data for direct marketing purposes;
- to object to our processing of personal data in limited circumstances;
- to ask us to erase personal data without delay:
  - if it is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  - if the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data;
  - if the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest;
  - if the data subject has objected to our processing for direct marketing purposes;
  - if the processing is unlawful;
- to ask us to rectify inaccurate data or to complete incomplete data;
- to restrict processing in specific circumstances e.g. where there is a complaint about accuracy;
- to ask us for a copy of the safeguards under which personal data is transferred outside of the EU;
- not to be subject to decisions based solely on automated processing, including profiling, except where the decision is necessary for entering into, or performing, a contract with the firm; is based on the data subject’s explicit consent and is subject to safeguards; or is authorised by law and is also subject to safeguards;
- to prevent processing that is likely to cause damage or distress to the data subject or anyone else;
- to be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
- to make a complaint to the ICO; and
- in limited circumstances, to receive or ask for their personal data to be transferred to a third party (e.g. another firm to which a client or employee is transferring) in a structured, commonly used and machine-readable format.
You must verify the identity of an individual requesting data under any of the rights listed
Requests (including for data subject access – see below) must be complied with, usually within one month of receipt. You must immediately forward any Data Subject Access Request you receive to the Data Protection Manager. A charge can be made for dealing with requests relating to these rights only if the request is excessive or burdensome.
The firm must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. The firm is responsible for, and must be able to demonstrate compliance with, the data protection principles.
We must therefore apply adequate resources and controls to ensure and to document GDPR compliance including:
- appointing a suitably qualified Data Protection Manager;
- implementing Privacy by Design when processing personal data and completing a Data Protection Impact Assessment (DPIA) where processing presents a high risk to the privacy of data subjects;
- integrating data protection into our policies and procedures, in the way personal data is handled by us and by producing required documentation such as Privacy Notices, Records of Processing and records of Personal Data Breaches;
- training staff on compliance with Data Protection Law and keeping a record accordingly; and
- regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
- Firm’s responsibilities
As the Data Controller, the firm is responsible for establishing policies and procedures in order to comply with data protection law.
- Data Protection Manager’s responsibilities
The DPM is responsible for:
(a) advising the firm and its staff of their obligations under the GDPR;
(b) monitoring compliance with the GDPR and other relevant data protection law and with the firm’s policies in this respect, and monitoring training and audit activities related to GDPR compliance;
(c) providing advice where requested on data protection impact assessments;
(d) cooperating with and acting as the contact point for the Information Commissioner’s Office;
(e) having due regard, in the performance of his or her tasks, to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
- Staff responsibilities
Staff members who process personal data about clients, staff, applicants, Counsel, experts or third parties or any other individual must comply with the requirements of this policy. Staff members must ensure that:
(a) all personal data is kept securely;
(b) no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
(c) personal data is kept in accordance with the firm’s retention schedule;
(d) any queries regarding data protection, including subject access requests and complaints, are promptly directed to the DPM;
(e) any data protection breaches are swiftly brought to the attention of the Data Protection Manager and that they support the DPM team in resolving breaches;
(f) where there is uncertainty around a data protection matter advice is sought from the Data Protection Manager.
Where members of staff are responsible for supervising other staff doing work which involves the processing of personal information, they must ensure that those staff are aware of the Data Protection principles.
Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Manager.
- Third-Party Data Processors
Where external companies are used to process personal data on behalf of the firm, responsibility for the security and appropriate use of that data remains with the firm.
Where a third-party data processor is used:
(a) a data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;
(b) reasonable steps must be taken to ensure that such security measures are in place;
(c) a written contract establishing what personal data will be processed and for what purpose must be set out;
(d) a data processing agreement, available from the DPM or data processor, must be signed by both parties.
For further guidance about the use of third-party data processors please contact the Data Protection Manager.
- Service providers, Suppliers, Short-Term and Voluntary Staff
The firm is responsible for the use of personal data by anyone working on its behalf. Managers who employ contractors, short-term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. In addition, managers should ensure that:
(a) any personal data collected or processed in the course of work undertaken for the firm is kept securely and confidentially;
(b) all personal data is returned to the firm on completion of the work, including any copies that may have been made, or alternatively that the data is securely destroyed and the firm receives notification in this regard from the service provider/supplier or short-term/voluntary member of staff;
(c) the firm receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the service provider;
(d) any personal data made available by the firm, or collected in the course of the work, is neither stored nor processed outside the UK unless written consent to do so has been received from the firm;
(e) all practical and reasonable steps are taken to ensure that contractors, suppliers, short-term or voluntary staff do not have access to any personal data beyond what is essential for the work to be carried out properly.
- Client responsibilities
Clients are responsible for:
(a) familiarising themselves with the Privacy Notice provided when they instruct the firm;
(b) ensuring that their personal data provided to the firm is accurate and up to date.
Data Subject Access Requests
Data subjects have the right to receive a copy of their personal data which is held by the firm. In addition, an individual is entitled to receive further information about the firm’s processing of their personal data as follows:
- the purposes
- the categories of personal data being processed
- recipients/categories of recipient
- retention periods
- information about their rights
- the right to complain to the ICO
- details of the relevant safeguards where personal data is transferred outside the EEA
- any third-party source of the personal data
You should not allow third parties to persuade you into disclosing personal data without proper authorisation. For example, clients’ parents do not have an automatic right to gain access to their son’s or daughter’s data where the client is over 18 years of age.
The entitlement is not to documents per se (which may however be accessible by means of the Freedom of Information Act, subject to any exemptions and the public interest), but to such personal data as is contained in the document. The right relates to personal data held electronically and to limited manual records.
You should not alter, conceal, block or destroy personal data once a request for access has been made. You should contact the Data Protection Manager before any changes are made to personal data which is the subject of an access request.
Reporting a personal data breach
The GDPR requires that we report to the Information Commissioner’s Office (ICO) any personal data breach where there is a risk to the rights and freedoms of the data subject. Where the personal data breach results in a high risk to the data subject, he/she also has to be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (e.g. encryption) or it would amount to disproportionate effort to inform the data subject directly. In the latter circumstances, a public communication must be made or an equally effective alternative measure must be adopted to inform data subjects, so that they themselves can take any remedial action.
We have put in place procedures to deal with any suspected personal data breach and will notify data subjects or the ICO where we are legally required to do so.
If you know or suspect that a personal data breach has occurred, you should immediately contact the Data Protection Manager at email@example.com. You must retain all evidence relating to personal data breaches, in particular to enable the firm to maintain a record of such breaches, as required by the GDPR.
Limitations on the transfer of personal data
The GDPR restricts data transfers to countries outside the EU in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer personal data originating in one country across borders when you transmit or send that data to a different country or view/access it in a different country.
You may only transfer personal data outside the EU if one of the following conditions applies:
- the European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms;
- appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
- the data subject has provided explicit Consent to the proposed transfer after being informed of any potential risks; or
- the transfer is necessary for one of the other reasons set out in the GDPR including:
  - the performance of a contract between us and the data subject;
  - reasons of public interest;
  - to establish, exercise or defend legal claims; or
  - to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving Consent.
The GDPR requires us to keep full and accurate records of all our data processing activities. You must keep and maintain accurate corporate records reflecting our processing, including records of data subjects’ Consents and procedures for obtaining Consents, where Consent is the legal basis of processing.
These records should include, at a minimum, the name and contact details of the firm as Data Controller and the DPM, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.
Records of personal data breaches must also be kept, setting out:
- the facts surrounding the breach;
- its effects; and
- the remedial action taken.
Training and Audit
We are required to ensure that all of the firm’s staff undergo adequate training to enable them to comply with data protection law. We must also regularly test our systems and processes to assess compliance.
Data privacy by design and default and Data Protection Impact Assessments (DPIAs)
We are required to implement privacy-by-design measures when processing personal data, by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with data-protection principles. The firm must ensure therefore that by default only personal data which is necessary for each specific purpose is processed. The obligation applies to the volume of personal data collected, the extent of the processing, the period of storage and the accessibility of the personal data. In particular, by default, personal data should not be available to an indefinite number of persons. You should ensure that you adhere to those measures.
As well as complying with firm-wide practices designed to fulfil reasonable expectations of privacy, you should also ensure that your own data-handling practices default to privacy to minimise unwarranted intrusions into privacy, e.g. by disseminating personal data only to those who need to receive it to discharge their duties.
The firm must also conduct DPIAs in respect of high-risk processing before that processing is undertaken.
You should conduct a DPIA (and discuss your findings with the DPM) in the following circumstances:
- the use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- automated processing including profiling;
- large scale processing of sensitive (special category) data; and
- large scale, systematic monitoring of a publicly accessible area.
A DPIA must include:
- a description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate;
- an assessment of the necessity and proportionality of the processing in relation to its purpose;
- an assessment of the risk to individuals; and
- the risk-mitigation measures in place and demonstration of compliance.
We are subject to certain rules and privacy laws when marketing to clients and any other potential user of our services.
The right to object to direct marketing must be explicitly offered to the data subject in an intelligible manner so that it is clearly distinguishable from other information.
A data subject’s objection to direct marketing must be promptly honoured. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
Sharing Personal Data
In the absence of Consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to the firm.
Some bodies have a statutory power to obtain information (e.g. regulatory bodies such as the Health & Care Professions Council, the Nursing and Midwifery Council, government agencies such as the Child Support Agency). You should seek confirmation of any such power before disclosing personal data in response to a request.
Changes to this policy
We reserve the right to change this policy at any time without notice to you so please check regularly to obtain the latest copy.
This policy was approved on 25th May 2018. It will be reviewed again in May 2019.