Worthingtons Solicitors

Data Protection Policy


3 October, 2020

Worthingtons Data protection, confidentiality and information security policy

Purpose

This policy sets out how Worthingtons complies with the GDPR and DPA 2018, confidentiality issues, information security and the SRA’s regulatory requirements.

Worthingtons is committed to ensuring personal data is dealt with in compliance with the GDPR and DPA 2018 and to protect the rights of individuals (data subjects) about whom Worthingtons holds ‘personal data’.

Worthingtons is registered with the Information Commissioner as a data controller. The person responsible for DP compliance is Barry Keating. The deputy is Rhona Jardella.

Application

This policy applies to all employees in Worthingtons including those undertaking work through a consultancy arrangement, in a volunteer capacity, on a temporary basis or through an agency. The term ‘employees’ is used to refer to all members, partners, directors, managers and employees.

All employees must familiarise themselves with, and comply with, this policy and the related procedures. Failure to comply with this policy and the related procedures may result in disciplinary action, given the significant risks to Worthingtons of fines, enforcement action and reputational damage.

Responsibilities

All employees are responsible for ensuring that all types of data are properly protected. Any issues or concerns about the GDPR or DPA 2018 must be raised with the person responsible for DP compliance/COLP, Barry Keating, or his deputy, Rhona Jardella.

Relevant legislation

The following legislation must be complied with:

  • General Data Protection Regulation (GDPR);
  • Data Protection Act 2018 (DPA 2018);
  • Computer Misuse Act 1990;
  • Regulation of Investigatory Powers Act 2000;
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699);
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426);
  • SRA Standards and Regulations.

Definitions

Data means information in many diverse forms. Examples include but are not limited to paper documents (including printouts), electronic documents (databases, emails, presentations, spreadsheets, etc.) and information contained in spoken conversations.

Data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.

Data controller means the natural or legal person who (alone or jointly with others) determines the purposes and the means of processing.

Data processing means the collection and manipulation of items of data to produce meaningful information.

Data subject means a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data processor means, in relation to personal data, a natural or legal person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Personal data is personal information about a living individual who can be identified from that data or from that data and other information. Examples of personal data would include someone’s name, National Insurance number, date and place of birth, mother’s maiden name, biometric records, etc.

Processing means any operation or set of operations that is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Principles

The importance of keeping clients’ affairs confidential, protecting personal and special categories of personal data and keeping information secure is fundamental. This policy is designed to cover all these areas so that all employees are clear about their obligations and how to protect data/ensure confidential information is kept confidential.

The GDPR and DPA 2018 establish a framework of rights and duties designed to protect personal data. Personal data must be processed in compliance with the GDPR and DPA 2018 and the data protection principles. Individuals have a range of rights under the legislation including the right to access data held about them and the right to be forgotten.

All personal data must be processed in accordance with the data protection principles, which require data to be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date (this includes erasing or rectifying inaccurate data);
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  • processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.

While solicitors have a duty to keep clients’ affairs confidential under the SRA Standards and Regulations, they must also ensure that information belonging to employees, suppliers and third parties is kept confidential. Confidential information about clients can only be released if the individual consents or if that duty is overridden by law, e.g. the money laundering legislation.

Data protection

Worthingtons must keep certain information on its clients, employees, third parties and suppliers to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations. The data protection legislation applies to personal data and special categories of personal data but Worthingtons must keep all client (and employee) information confidential and all information secure.

The GDPR imposes duties on those who decide how and why such data is processed (data controllers).

Worthingtons and all employees must ensure there is a lawful basis for processing personal data and special categories of data.

Individuals are provided with the necessary information about how their data will be processed in the privacy notice and the client care letter/terms of business. If clients have any queries, employees must contact Rhona Jardella (DP compliance/COLP) or, in her absence, her deputy Barry Keating for advice.

Worthingtons and all employees must comply with the Worthingtons data subject rights policy.

Worthingtons will not transfer data outside the EEA unless the transfer is approved by the person responsible for DP compliance, who will ensure that the data is appropriately protected. Employees must discuss any request to transfer data outside the EEA with Rhona Jardella (COLP) or, in her absence, Barry Keating.

Special categories of personal data

Worthingtons processes data about clients and third parties that will include special categories of personal data. The privacy notice explains to individuals how their data will be processed and the lawful bases of processing. If an individual has a query about special categories of personal data, guidance should be sought from the person responsible for DP compliance and/or their deputy.

All employees must ensure that they recognise special categories of personal data. All employees must ensure that, wherever the data is held, it is properly protected and held securely.

Special category personal data is personal data about an individual’s:

(a)     racial or ethnic origin;
(b)     political opinions;
(c)     religious or philosophical beliefs;
(d)     trade union membership;
(e)     genetic data;
(f)     biometric data (when used for identification purposes);
(g)     health;
(h)     sex life;
(i)     sexual orientation.

Data relating to criminal convictions or offences (classed as sensitive personal data under the previous legislation) is not a special category under the GDPR but must be treated in the same way as special category data.

Employees

Worthingtons also processes data about prospective and current employees in accordance with Worthingtons’ HR policies and the employment legislation, for example:

  • information on applicants for posts, including references;
  • employee information – contact details, bank account number, payroll information, supervision and appraisal notes.

All employee data must be protected in the same way as client data.

Data controllers/processors

Personal data must not be disclosed to another party unless they are a data controller or a data processor (as defined by this policy) and it is for the purposes of the matter. The client must always be advised to whom the data will be disclosed and why.

Before sending data to a data controller or a data processor, the employee must ensure that proper contractual arrangements are in place to protect the data. Alternatively, the employee must contact the COLP Rhona Jardella or deputy Barry Keating to determine whether there is already a contractual arrangement or what further steps need to be taken. Worthingtons must ensure that the data controller or data processor is clear as to the basis on which they will hold the data, when they will return it, what the security arrangements are and what will happen if there is any data loss.

The COLP is responsible for ensuring that appropriate due diligence is undertaken and that Worthingtons is registered with the ICO. The COLP or Deputy will record the details of the data controller or data processor on the data controller/data processor log. If an employee has any queries about the way in which a data controller or data processor is dealing with data, he or she must contact the COLP or Deputy.

The GDPR and DPA 2018 give individuals a range of rights including the right to access personal data held about them and the right to be forgotten. Any person wishing to exercise these rights should apply in writing to the COLP or Deputy. The privacy notice/terms of business provide details of how to exercise those rights.

If a request is made referring to data protection or if an individual makes a data subject access request (DSAR) or other request, that must be referred to the COLP or Deputy immediately. Individuals may also ask for details of information held about them without mentioning the word ‘data’ or the data protection legislation; all such requests must be forwarded immediately to the COLP or Deputy as that request may still be a DSAR or other request.

There are strict timescales for compliance with an individual’s request and failure to comply can result in a significant fine from the ICO. Employees must comply with Worthingtons’ policy for dealing with data subject rights.

Accuracy of data

Employees must ensure that data is as accurate as possible. If data is or appears to be inaccurate, misleading or not up to date, employees must take every reasonable step to amend/update the information as soon as possible. Data only has to be kept up to date where necessary and employees should seek guidance if they are not sure whether the data should be updated. Individuals have the right to prevent processing of their personal data in some circumstances and the right to correct or rectify information regarded as wrong. Any concerns must be discussed with the COLP or Deputy.

Retention and destruction of data

Personal data must be retained or disposed of securely in accordance with Worthingtons data retention and destruction policy.

Duty of confidentiality

The duty of confidentiality to clients is a fundamental duty for solicitors and their employees. The SRA Standards and Regulations requires that the affairs of clients are kept confidential unless disclosure is required or permitted by law or the client consents.

Employees must tell a client all the information relevant to that retainer of which he or she has personal knowledge. Where the duty of confidentiality to one client conflicts with the duty of disclosure to another client, the duty of confidentiality takes precedence. Employees must ensure that they comply with Worthingtons confidentiality and conflicts policy.

Worthingtons has effective systems and controls that are set out in the conflicts and confidentiality policy and procedures to identify risks to client confidentiality and to mitigate those risks. Employees must comply with Worthingtons policies and procedures.

Employees must ensure conversations about client matters which take place outside a secure environment, e.g. in the reception area, the lift and outside the office (especially mobile phone conversations in public places, including trains), cannot be overheard.

Employees must not name clients or inform or confirm to a third party that Worthingtons acts for someone unless that client has expressly given consent. This extends to enquiries from law enforcement as to whether Worthingtons is acting for a particular individual, which must be dealt with in accordance with the procedure for responding to requests from law enforcement (see Annex 6B).

Employees must not answer any questions from the press or even confirm that Worthingtons is acting for a particular client. Such questions must be passed to the COLP or Deputy.

Employees must not provide the address of a client or an employee to a third party (but may offer to pass on a letter to a client) and must refer all such enquiries to the COLP or the supervising partner.

When in court, employees must not discuss the client’s matter in the hearing of the press or third parties, including the other parties to the case unless it is in the course of carrying out the client’s instructions.

All employees must be aware of their duties under this policy and keep clients’ affairs confidential except in the following situations:

  • the client consents or asks that confidential information be provided;
  • confidential information has to be provided by law.

All employees must comply with this policy and related procedures, attend the training provided, raise any queries with the COLP or Deputy and report any breaches, or allegations or suspicions of breaches, of confidentiality to the COLP and/or Deputy.

While the above provisions relate to clients, employees must ensure that they also keep information about other employees, third parties and suppliers confidential, as required by the law of confidence.

Personal conflicts

If employees have any personal knowledge of, or any close connection to, the client or others involved in any matter on which they are working, they must comply with Worthingtons’ confidentiality and conflicts policy.

Information security

The sixth data protection principle requires Worthingtons to have appropriate security to prevent personal data from being accidentally or deliberately compromised.

All files, laptops, smartphones and mobile phones must be kept securely by the employee to minimise the risk of breaches of confidentiality and ensure that information is kept securely.

All electronic devices issued by the legal practice will be encrypted so that the risk of data loss is reduced. Employees must comply with Worthingtons policy in relation to any confidential information that may be held on their personal devices.

Employees are not permitted to use USB sticks, or other mechanisms of transferring data, on electronic devices owned by Worthingtons unless approval has been received from the COLP or Deputy.

When out of the office, files/papers must not be carried in a way which shows information that can identify the client (e.g. Mrs McGregor, 43 Acacia Avenue, Divorce). Files/papers must not be left in unlocked cars, and in no circumstances in cars overnight. If it is unavoidable, e.g. due to another appointment or court hearing, during the day, files/papers must be kept in the boot of a locked car.

If employees receive electronic data relevant to a client on their personal or firm-issued electronic devices for essential processing, it must be transferred to the main system within 72 hours and then deleted from the device.

All waste/unwanted letters and documents (including drafts and unwanted photocopies) must be disposed of securely in the secure waste basket in, or nearest to, the employee’s room and not in the general waste basket. They will then be securely removed to the secure and locked waste bin.

Employees must not:

  • install any software without authorisation;
  • disclose their password to anyone else;
  • use other people’s login details;
  • take equipment, data, information sources or software offsite unless they have written authority to do so;
  • copy files from the network server into a personal directory without authority.

Employees must:

  • log off when leaving their PC or workstation unattended, unless they have specific authority from a partner, for an agreed period of time, to access and process data from home for client use only;
  • change their password if it appears to have been discovered, and otherwise in accordance with Worthingtons policy;
  • ensure that no-one other than an employee has access to the computer system;
  • always ensure laptops and mobile devices are secured in unattended offices;
  • ensure data is transferred between laptops/mobile devices and the main system as soon as possible to preserve its integrity and in accordance with Worthingtons policy;
  • keep master copies of important data on the network server and not on a PC’s local drive or USB sticks. Data that is not on the network server is not backed up and is therefore at risk;
  • ask for advice from IT in conjunction with Rhona Jardella or Barry Keating, if it is necessary to store, transmit or handle large quantities of data, e.g. DVDs or images.

If there is any loss of data or risk of loss, employees must immediately contact the COLP, Rhona Jardella, or Deputy, Barry Keating, who will advise what to do next. Employees must comply with the practice’s data incident/breaches policy.

Employees are reminded that the Computer Misuse Act 1990 (as amended) creates criminal offences including:

s.1:    Unauthorised access to computer material.

s.2:    Unauthorised access with intent to commit or facilitate the commission of further offences.

s.3:    Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (this replaced the original offence of unauthorised modification of computer material).

s.3A:   Making, supplying or obtaining articles (e.g. software or tools) for use in offences under s.1, s.3 or s.3ZA.

Employees who are unsure as to whether they can access or modify material must contact COLP or Deputy for guidance. Any commission of or attempt to commit a criminal offence by an employee will be dealt with in accordance with Worthingtons disciplinary policy.

As Worthingtons monitors and/or stores the electronic communications of fee earners and other employees for business/security reasons, Worthingtons must comply with the relevant provisions of the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), as now largely superseded by the Investigatory Powers Act 2016 and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018. Further information is contained in the Employee Handbook and the employment policies.

All employees must always keep information about the clients and Worthingtons secure. If an employee is concerned that data or confidential information is at risk, he or she must immediately contact the COLP – Rhona Jardella or Deputy – Barry Keating.

Communications and training

All new employees are given training on the GDPR and DPA 2018 and their obligations in relation to personal data. The training is mandatory so that they understand what is meant by personal data and special categories of personal data and what their obligations are.

The partners and department heads are responsible for ensuring appropriate ongoing awareness of all employees in respect of the GDPR obligations and the data subject rights requests procedure.

Monitoring and review

The policy will be reviewed by the person responsible for DP compliance and/or the deputy if there are changes to the law, and they will annually monitor the suitability and effectiveness of the processes, systems and controls through the firm’s audit programme. The results will feed into the annual report prepared by the person responsible for DP compliance and/or the deputy. Where applicable, additional monitoring will be carried out to comply with any additional client requirements.

Record keeping

Records must be kept of all data breaches and incidents (and follow-up action), data subject rights requests and training.

All records must be maintained for at least five years and will be maintained by the person responsible for DP compliance or the deputy, who will identify common errors and trends and follow up with the relevant teams.

Breaches of policy

Breaches of this policy may require disclosure to the SRA, which may result in disciplinary action. A report may also have to be made to the ICO under Worthingtons policy on reporting to the ICO.

Further advice

If there are concerns regarding a client or a retainer and potential breaches of confidentiality, employees must contact the COLP or Deputy immediately for advice.

Related policies and procedures

The following policies and procedures must be considered when complying with this policy:

  • Disciplinary policy
  • Data subject rights policy and procedure
  • Responding to requests from third parties policy
  • Reporting to the ICO policy
  • Data retention and destruction procedure
  • Ongoing monitoring procedure
  • Data loss policy
  • Data protection complaints policy
  • Training procedure.

Glossary

COLP compliance officer for legal practice
DP data protection
DPA 2018 Data Protection Act 2018
DSAR data subject access request
EEA European Economic Area
GDPR General Data Protection Regulation
ICO Information Commissioner’s Office
SRA Solicitors Regulation Authority

Date of effect/date of review

This policy shall come into effect on 14th November 2019, replaces Worthingtons’ policy dated May 2017 and will be reviewed annually.
