Privacy Statement

Purpose

This policy sets out how Harris & Harris complies with the GDPR and DPA 2018, confidentiality issues, information security and the SRA’s regulatory requirements.

Harris & Harris is registered with the Information Commissioner as a data controller.

Harris & Harris is committed to ensuring personal data is dealt with in compliance with the GDPR and DPA 2018 and to protecting the rights of individuals (data subjects) about whom Harris & Harris holds ‘personal data’.

Application

This policy applies to all employees in Harris & Harris including those undertaking work through a consultancy arrangement, in a volunteer capacity, on a temporary basis or through an agency.  The term ‘employees’ is used to refer to all members, partners, directors, managers and employees.

All employees must familiarise themselves with, and comply with, this policy and related procedures.  Failure to comply with this policy and the related procedures may result in disciplinary action, given the significant risks of fines, enforcement action and reputational consequences.

Responsibilities

All employees are responsible for ensuring that all types of data are properly protected.

Any issues or concerns must be raised with:

  • the Data Protection Partner or Deputy Data Protection Partner, where they involve data, data processing or disclosure
  • the COLP where they involve confidentiality.

The person responsible for GDPR compliance is Joshua Eva (the ‘Data Protection Partner’ (DPP)).  The deputy is Andy Hambleton (the ‘Deputy Data Protection Partner’ (DDPP)).

Under the GDPR, an organisation must appoint a data protection officer (DPO) if its core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking) or if its core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.  The Law Society has said that, whilst legal practices must reach their own conclusion, practices providing a wide and diverse range of legal services are unlikely to need to appoint a DPO.  The partners have decided that the core activities of Harris & Harris do not involve the types and scale of activities that would require a DPO to be appointed.

What to do if there is a breach or potential loss of personal/confidential data

If you become aware of any:

  • data incident or loss or potential loss of personal data;
  • breach or potential breach of confidentiality;
  • loss of laptop or other device, e.g. smartphone or mobile phone (whether it belongs to Harris & Harris or to an employee personally) that may result in a loss of data or breach of confidentiality;
  • breach of information security, whether physical or electronic;

you must immediately inform the DPP and COLP so that appropriate action can be taken and because serious breaches must be reported to the ICO within 72 hours.  The COLP will decide whether to report to the SRA.

Relevant legislation

The following legislation must be complied with:

  • General Data Protection Regulation (GDPR);
  • Data Protection Act 2018 (DPA 2018);
  • Computer Misuse Act 1990;
  • Regulation of Investigatory Powers Act 2000;
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699);
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426);
  • SRA’s Standards and Regulations.

Definitions

Data means information in many diverse forms.  Examples include but are not limited to paper documents (including printouts), electronic documents (databases, emails, presentations, spreadsheets, etc.) or information contained in spoken conversations.

Data breach is defined as a breach of security relating to the accidental or unlawful destruction, loss, unauthorised disclosure or access to personal data that is transmitted, stored or otherwise processed.

Data controller means the natural or legal person who (alone or jointly with others) determines the purposes and the means of processing.

Data processing means the collection and manipulation of items of data to produce meaningful information.

Data subject means a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data and online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data processor means, in relation to personal data, a natural or legal person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Personal data is personal information about a living individual who can be identified from that data or from that data and other information. Examples of personal data would include someone’s name, National Insurance number, date and place of birth, mother’s maiden name, biometric records, etc.

Processing means any operation or set of operations that is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Principles

The importance of keeping clients’ affairs confidential, protecting personal and special categories of personal data and keeping information secure is fundamental. This policy is designed to cover all these areas so that all employees are clear about their obligations and how to protect data/ensure confidential information is kept confidential.

The GDPR and DPA 2018 establish a framework of rights and duties designed to protect personal data. Personal data must be processed in compliance with the GDPR and DPA 2018 and the data protection principles. Individuals have a range of rights under the legislation including the right to access data held about them and the right to be forgotten.

All personal data must be processed in accordance with the data protection principles, which require data to be:

  • processed fairly and lawfully and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date (this includes erasing or rectifying inaccurate data);
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  • processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.

While solicitors have a duty to keep clients’ affairs confidential under the SRA Standards and Regulations, they must also ensure that information belonging to employees, suppliers and third parties is kept confidential. Confidential information about clients can only be released if the individual consents or if that duty is overridden by law, e.g. the money laundering legislation.

Data protection

Harris & Harris must keep information on its clients, employees, third parties and suppliers to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations.  The data protection legislation applies to personal data and special categories of personal data but Harris & Harris must keep all client (and employee) information confidential and all information secure.

The GDPR imposes duties on those who decide how and why such data is processed (data controllers).

Harris & Harris and all employees must ensure there is a lawful basis for processing personal data and special categories of data.

Individuals are provided with the necessary information about how their data will be processed in the privacy notice (privacy statement) and the client care letter/terms of business.  If clients have any queries, employees must contact the DPP or DDPP for advice.

Harris & Harris will not transfer data outside the EEA unless the transfer is approved by the DPP or DDPP who will ensure that the data is appropriately protected.  Employees must discuss any request to transfer outside the EEA with the DPP or DDPP.

Special categories of personal data

Harris & Harris processes data about clients and third parties that will include special categories of personal data.  Where such data is held additional consideration must be given to ensuring it is properly protected and held securely.

Special categories of personal data are:

(a) race;
(b) ethnic origin;
(c) politics;
(d) religion;
(e) trade union membership;
(f) genetics;
(g) biometrics (when used for ID purposes);
(h) health;
(i) sex;
(j) sexual orientation.

Criminal convictions or offences (previously sensitive data) must be treated in the same way as special category data.

Employees

Harris & Harris also processes data about prospective and current employees in accordance with Harris & Harris’s HR policies and the employment legislation, for example:

  • information on applicants for posts, including references;
  • employee information – contact details, bank account number, payroll information, supervision and appraisal notes.

See the Employee or Contractor Privacy Notice.

Data subject access requests (SARs) and other rights

The GDPR and DPA 2018 give individuals a range of rights including the right to access personal data held about them and the right to be forgotten. Any person wishing to exercise these rights should apply in writing to the DPP or DDPP. The privacy statement/terms of business provide details of how to exercise those rights.

If a request is made referring to data protection or if an individual makes a data subject access request (SAR) or other request, that must be referred to the DPP or DDPP immediately.  Individuals may also ask for details of information held about them without mentioning the word ‘data’ or the data protection legislation; all such requests must be forwarded immediately to the DPP or DDPP as that request may still be a SAR or other request.

There are strict timescales for compliance with an individual’s request and failure to comply can result in a significant fine from the ICO.

Accuracy of data

Employees must ensure that data is as accurate as possible.  If data is or appears to be inaccurate, misleading or not up to date, employees must take every reasonable step to amend/update the information as soon as possible.  Individuals have the right to prevent processing of their personal data in some circumstances and the right to correct or rectify information regarded as wrong.

Retention and destruction of data

Personal data must be retained or disposed of securely in accordance with Harris & Harris’s Data Retention Policy.

Duty of confidentiality

The duty of confidentiality to clients is a fundamental duty for solicitors and their employees.  The SRA Standards and Regulations require that the affairs of clients are kept confidential unless disclosure is required or permitted by law or the client consents.

Where the duty of confidentiality to one client conflicts with the duty of disclosure to another client, the duty of confidentiality takes precedence. Employees must ensure that they comply with Harris & Harris’s confidentiality and conflicts policy.

Information security

The sixth data protection principle requires Harris & Harris to have appropriate security to prevent personal data from being accidentally or deliberately compromised.

Initial risk assessment

The partnership, DPP and COLP will identify, assess and record the data protection and information security risks applicable to Harris & Harris using the risk identification matrix.

The DPP will undertake the data inventory and update it annually and ensure that the policies and procedures are updated, where necessary, as a result.  Taking into account the risks identified and the data inventory, the DPP and COLP with input from the other partners will complete the risk mitigation form, setting out how the legal practice will meet its regulatory and legal obligations.

The COLP will ensure that this information is added to the risk register and compliance plan for Harris & Harris.

Ongoing risk assessment

The DPP and COLP with input from the other partners will review the risk profile of the legal practice whenever Harris & Harris considers any significant change to its business model, including:

  • merging with or taking over another legal practice;
  • entering into a referral arrangement or best-friend relationship with another organisation;
  • introduction of new information security/IT systems or significant changes to existing systems;
  • introduction of new services or products;
  • opening a new office;
  • undertaking a new area of practice;
  • seeking clients from a new jurisdiction or a new domestic market with links to a foreign jurisdiction.

The DPP will consider whether a DPIA is required as a result of a change.  The DPP will also review the risk profile of Harris & Harris during the preparation of the annual DP report to management.

Communications and training

All new employees are given training on the GDPR and DPA 2018 and their obligations in relation to personal data.  The training is mandatory so that they understand what is meant by personal data and special categories of personal data and what their obligations are.

All employees will have training annually in respect of the GDPR obligations and the data subject rights requests procedure.

Record keeping

The DPP will keep records of all data breaches and incidents (and follow-up action), data subject rights requests and training.

Monitoring and review

The policy will be reviewed by the DPP or DDPP if there are changes to the law, and they will annually monitor the suitability and effectiveness of the processes, systems and controls.  The DPP will report annually to the Partners.  Where applicable, additional monitoring will be carried out to comply with any additional client requirements.

Glossary

COLP – compliance officer for legal practice
DDPP – Deputy Data Protection Partner
DP – data protection
DPA 2018 – Data Protection Act 2018
DPIA – data protection impact assessment
DPP – Data Protection Partner
EEA – European Economic Area
GDPR – General Data Protection Regulation
ICO – Information Commissioner’s Office
SAR – data subject access request
SRA – Solicitors Regulation Authority

Date of effect/date of review

This policy shall come into effect on 24 May 2019 and will be reviewed annually.