GDPR Data Protection Policy
Introduction
2 New Street Chambers is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all of our legal obligations.
2 New Street Chambers needs to gather and use certain information about individuals. These can include direct clients (solicitors and Direct Access clients), third-party clients (those we represent in court), suppliers, business contacts, employees and other people with whom the organisation has a relationship or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet Chambers' data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures 2 New Street Chambers:
- Protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data,
- Protects the principle of free movement of personal data within the EU,
- Complies with data protection law and follows good practice,
- Protects the rights of staff, customers and clients,
- Is open about how it stores and processes individuals’ data,
- Protects itself from the risks of a data breach.
Scope
This policy applies to all staff and members of Chambers, who must be familiar with this policy and comply with its terms.
As our data protection officer (DPO), Ben Leuty has overall responsibility for the day-to-day implementation of this policy. You should contact the DPO for further information about this policy if necessary.
Ben Leuty
Email: benleuty@2newstreet.co.uk
Tel: 0116 262 5906
Definitions
Business Purposes
The purposes for which 2 New Street Chambers may use personal data:
- Professional, personal, administrative, financial, regulatory, payroll and business development purposes
Business purposes include the following:
- The preparation of case files and representation of clients
- Liaising with instructing solicitors and other appropriate parties regarding, and to ensure, case progression and management.
- Compliance with our legal, regulatory and corporate governance obligations and good practice.
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
- Ensuring business policies are adhered to.
- Investigating complaints.
- Checking references, ensuring safe working practices, monitoring and managing staff.
- Monitoring staff conduct, disciplinary matters.
- Marketing our business.
- Improving services.
Data Subject
A ‘Data Subject’ is an individual who is the subject of personal data.
Personal Data
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of Personal Data
Special categories of Personal Data include information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), physical or mental health condition, sex life or sexual orientation, genetic data and biometric data.
Processing
‘Processing’ means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
‘Controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Data Processor
‘Processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Data protection law – The Principles
2 New Street Chambers shall comply with the principles of data protection (the Principles) set out in the EU General Data Protection Regulation (GDPR). 2 New Street Chambers will make every reasonable effort, in everything we do, to comply with these principles. The principles are:
The Lawfulness, Fairness and Transparency Principle
- Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The Purpose Limitation Principle
- Personal Data shall be collected for specified, explicit and legitimate purposes and not for further processing in a manner that is incompatible with those purposes.
The Data Minimisation Principle
- Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
The Accuracy Principle
- Personal Data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
The Storage Limitation Principle
- Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
The Integrity and Confidentiality Principle
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Our Procedures
Fair and Lawful Processing
2 New Street Chambers will process personal data fairly and lawfully in accordance with the individual’s rights under the first Principle. This means that 2 New Street Chambers will not process personal data unless one of the lawful bases described below applies, for example that the individual whose details we are processing has consented, that the processing is necessary for a contract with them, or that it is necessary for our legitimate interests.
If a lawful basis (explained below) cannot be applied, our processing does not conform to the first Principle and will be unlawful. Data subjects have the right to have any data unlawfully processed erased.
Controlling vs. Processing Data
2 New Street Chambers is classified primarily as a data controller, but also acts as a data processor, and will maintain appropriate registration with the Information Commissioner’s Office (ICO) in order to continue lawfully controlling and processing data.
When acting as a data processor, 2 New Street Chambers will comply with its contractual obligations and act only on the documented instructions of the data controller. If at any point data is processed outside the instructions of the data controller, 2 New Street Chambers will be regarded as a controller in respect of that processing and will bear the same liability as a controller. As a data processor, 2 New Street Chambers will:
- Not use a sub-processor without written authorisation of the data controller,
- Co-operate fully with the ICO or other supervising authority,
- Ensure the security of the processing,
- Keep accurate records of processing activities,
- Notify the controller of any personal data breaches.
If there is any doubt about how data is handled, contact the DPO for clarification.
Lawful Basis for Processing Data
2 New Street Chambers will establish a lawful basis for processing data. At least one of the following conditions will apply whenever we process personal data:
- Consent
We hold recent, clear, explicit, and defined consent for the individual’s data to be processed for a specific purpose.
- Contract
The processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one.
- Legal Obligation
We have a legal obligation (other than a contractual one) to process the data.
- Vital Interests
Processing the data is necessary to protect someone’s life, for example in a medical emergency.
- Public Function (public task)
Processing the data is necessary to perform a task carried out in the public interest or in the exercise of official authority, and that task or authority has a clear basis in law.
- Legitimate Interest
The processing is necessary for our legitimate interests (or those of a third party). This condition does not apply where the individual’s interests, rights or freedoms override that legitimate interest.
The primary reason 2 New Street Chambers processes data is for Legitimate Interest reasons, but also for Consent and Contract purposes, primarily where Direct Access is concerned.
Legitimate Interests in more detail:
Data protection law recognises that we may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The ‘Legitimate Interests’ condition is intended to permit such processing, provided certain requirements are met:
- We must need to process the information for the purposes of our legitimate interests or those of a third party to whom we disclose it.
- Those interests must be balanced against the interests, rights and freedoms of the individual(s) concerned.
- Legitimate Interests can include ordinary honest business practices.
Consent in more detail:
The data subject has given consent to the processing. ‘Consent’ remains a lawful basis for processing personal data. However, under GDPR, valid consent is significantly harder to obtain.
It must be ‘freely given, specific, informed and unambiguous’, and given by either:
- A statement of consent, or
- A clear affirmative action.
In addition:
- Pre-ticked boxes or implicit consent are not allowed,
- Consent may be withdrawn at any time,
- The burden is on the data controller to demonstrate that consent was given.
Requests for consent must be:
- Specific,
- Written in clear and plain language,
- Separate from other written matters.
Contract in more detail:
The processing is necessary:
- For the performance of a contract to which the data subject is a party.
- For the taking of steps at the request of the Data Subject with a view to entering into a contract.
Special Categories of Personal Data
Previously known as sensitive personal data, this means data about an individual which is more sensitive and so requires more protection. This type of data could create more significant risks to a Data Subject’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. The special categories include information about an individual’s:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data,
- Biometric data (where used to uniquely identify a person),
- Health,
- Sex life or sexual orientation.
Data Subject Rights
Individuals have rights to their data which must be respected and complied with to the best of our ability. 2 New Street Chambers will ensure that individuals can exercise their rights in the following ways:
Access – Subject Access Request
- To allow data subjects to enforce their data protection rights, EU data protection law obliges controllers to provide data subjects with access to their personal data.
- An individual who makes a request (in writing or otherwise) is entitled to be told whether or not any of their personal data is being processed.
- If this is the case then they are entitled to the following information:
- A description of the personal data, the purpose for which it is being processed, recipients, retention period and rights of rectification, erasure, restriction and objections.
- Any existence of automated decision making.
- Any transfer safeguards that exist.
- A data subject has the right to be given a copy of the information comprising the data, and given details of the source of the data.
Under GDPR
- In general, a fee is no longer payable by the data subject for a subject access request,
- but a reasonable fee may be charged for additional copies (Article 15(3)), and
- the UK Data Protection Bill (cl 11; since enacted as the Data Protection Act 2018) also provides for fees where requests are manifestly unfounded or excessive.
- There is an elevated risk that individuals will exercise these rights merely because they can, or as a cheap but effective means of protest against an organisation; such requests must nonetheless be handled properly.
- Information must now be supplied within one month, not 40 days. Where a request is complex, or several requests are received, this can be extended by up to a further two months, but the data subject must be told of the extension, and the reasons for it, within the first month.
- Data can include opinions, voice recordings and manual records.
- Where possible, we must state how long the data will be stored.
Rectification
- Data subjects are entitled to require a controller to rectify any errors in their personal data.
- This must be done without undue delay and, at the latest, within one month of the request. Where a request is complex this can be extended by up to a further two months; any extension must be approved by the DPO and the data subject informed of it, and the reasons for it, within the first month.
- The source of the ‘error’ will need to be investigated.
If data is corrected:
- Check whether you need to keep a record of the old data,
- Has the data been sent to anyone else? If so, send them a correction.
Erasure (Right to be forgotten)
- Data must be deleted or removed if requested to do so by the Data Subject, and there is no compelling reason for its continued processing.
For example:
- Withdrawal of consent when consent was basis of collection,
- No longer necessary for purpose collected,
- No overriding legitimate grounds.
Restriction of Processing
- Data Subjects may not be entitled to require the controller to erase their personal data, but may be entitled to limit the purposes for which the controller can process the data.
For example when:
- Accuracy of data is contested,
- Processing is unlawful but individual requests restriction instead of deletion,
- Data is no longer needed by the Data Controller but the individual requires it for the establishment, exercise or defence of legal claims.
Right to Data Portability
- Data Subjects have the right to receive the personal data they have provided to a controller and to transfer it to another controller (e.g. to move account details from one controller to another). This right applies where the processing is based on consent or a contract and is carried out by automated means.
- The data must be supplied to the Data Subject in a structured, commonly used and machine-readable format.
- Where technically feasible, the data must be sent directly to another controller if the Data Subject requests it.
Object to Processing
- A controller must have a lawful basis for processing personal data. However, where that lawful basis is either ‘public interest’ or ‘legitimate interest’, those lawful bases are not absolute, and data subjects may have a right to object to such processing.
- The Data Controller is obliged to consider the objection but need not always comply: it must stop the processing unless it can demonstrate compelling legitimate grounds that override the individual’s interests, rights and freedoms, or the processing is needed for the establishment, exercise or defence of legal claims. An objection to processing for direct marketing must always be complied with.
- The Data Controller must respond to the individual with the justification for its decision.
Right not to be evaluated on the Basis of Automated Processing
- Data subjects have the right not to be subject to a decision based solely on automated processing of their personal data (including profiling) which produces legal effects concerning them or similarly significantly affects them. Exceptions:
- Necessary for entering into or performance of contract,
- Authorised by Union or Member State Law,
- Individual’s explicit consent has been obtained.
Data Security
2 New Street Chambers will keep personal data secure against loss or misuse.
Storing data securely
- Where data is held on paper, it will be kept in a secure place (for example a locked cabinet or room) where unauthorised personnel cannot access it.
- Printed data should be returned to instructing solicitors or confidentially shredded when it is no longer needed.
- Data stored on a computer is protected by strong passwords that are changed regularly.
- Data stored on CDs or memory sticks is encrypted, and the media are locked away securely when not in use.
- Data is backed up daily.
- All computers and servers are protected by security software that is kept up to date.
- Appropriate technical and organisational measures are taken to keep data secure.
Responsibilities
Our responsibilities
- Analysing and documenting the types of personal data we hold,
- Checking procedures to ensure they cover all the rights of the individual,
- Identifying the lawful basis for processing data,
- Ensuring consent procedures are lawful,
- Implementing and reviewing procedures to detect, report and investigate personal data breaches,
- Storing data in safe and secure ways,
- Assessing the risk that could be posed to individuals’ rights and freedoms should data be compromised,
- Ensuring all systems, services, software and equipment meet acceptable security standards,
- Ensuring security hardware and software are regularly checked to confirm that they are functioning properly.
Accuracy and Relevance
2 New Street Chambers will ensure that any personal data processed is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe data is inaccurate you should record the fact that the data accuracy is disputed and inform the DPO.