Data protection

1. Introduction

    1. We are a data processor under the terms of the EU General Data Protection Regulation (GDPR) and as such are committed to complying with our legal and professional obligations to manage personal and confidential data in an appropriate manner.
    2. Data protection places greater duties on businesses to abide by the data protection principles and ensure that all personal data is used fairly, lawfully and for the purposes notified to clients. We have made a number of changes to our terms of business, letters, and website to comply with these obligations.
    3. In addition, the practice is legally and professionally obliged to ensure that it sets out clear procedures on the use of information and data, including the content and format of emails and responsible use of the internet.
    4. We are also required by the GDPR to map out where and how we hold personal data on our clients, in part as there is an obligation to be able to demonstrate that we comply with our obligations and also so that we can provide full and accurate responses to any data subject access requests from our clients. If any individual — client or otherwise — does intimate to you that they would like to know what personal data we hold on them you must let our Data Manager know as soon as possible in order that we can respond within the time frame allowed for this. This applies regardless of how that request is made, and the enquirer does not need to use the term ‘data subject access request’ for it to be such.
    5. Our data use policy also contains an ‘acceptable use policy’ that all personnel are required to sign. This not only sets out your agreement to use the practice’s IT facilities in accordance with our relevant controls but also indicates your consent to the monitoring of emails received and sent by you through the firm’s email address and your use of the Internet facilities provided by the firm.

2. Data protection policy statement

We comply with all relevant legislative and regulatory provisions governing the management and storage of data in both electronic and paper formats. We are registered with the Information Commissioner. We comply with the data protection principles, i.e. that all data covered by the Act (which includes not only computer data, but also personal data held in a filing system in a systematic manner) is:

    1. fairly and lawfully processed;
    2. processed for limited purposes;
    3. adequate, relevant, and not excessive;
    4. accurate;
    5. not kept longer than necessary;
    6. processed in accordance with the data subject’s rights;
    7. secure; and
    8. not transferred to non-EU countries without adequate protection.

3. Information management responsibilities and processes

    1. The person with overall responsibility for data management is the Data Protection Manager. Please refer any concerns on data protection issues to him. He is also responsible for ensuring that an annual review of this policy is conducted, and that data protection and information security issues are given due attention in any risk review carried out as part of the business planning processes.
    2. Data consists of any information in electronic format, or any hardware or software that makes the storage and use of such information possible. It also includes paper files that contain information about individuals, for example:
      1. databases;
      2. externally accessed databases;
      3. CDs;
      4. video;
      5. recorded magnetic media;
      6. photographs;
      7. digitised information;
      8. electronic communication systems; and
      9. personnel files.
    3. Paper files and other records or documents containing personal/sensitive data are kept securely and retained for as long as — but no longer than — necessary. Clients are informed of their rights by way of privacy notices through our terms of business document sent out at the outset of every matter.
    4. The data contained in our network, including emails, is backed up and stored off-site on a daily basis.
    5. We maintain a register of all the software that we use and have a plan for monitoring and updating software.
    6. We have procedures for the safe configuration of network devices (these are the components that join our network together and allow us to access files, printers, etc.). Appropriate firewalls are in place to protect our systems, but if any malicious software should get through these controls there is additional software to detect and remove it.
    7. Password controls are in place, with all passwords being subject to a controlled central record. You will be requested to change your password from time to time to counter the repeated attempts to hack into such records experienced by most
    8. Regular training will be conducted on this topic. If you require additional training at any stage, please let us
    9. Please be wary at all times of compromising the firm’s data protection and client confidentiality responsibilities by your actions. In particular, be wary of clicking on any link in an email of which you are unsure. In addition, please note the following guidelines:

Protection and security guidelines:


Do not install any software unless it has been authorised and can be supported on our system.


Do not disclose your password to anyone.


If someone else finds out your password, change it.


Do not use other people’s log-ins.


Log off when you leave your PC or workstation unattended.


Ensure above all that no member of the public has access to our system when you leave your PC or workstation.


Always secure laptops and mobile devices in unattended offices.


Do not take equipment, data, information sources or software off-site unless you have written authority to do so.


To preserve the integrity of data, ensure it is transferred between laptops, mobile devices, and the main system as soon as possible.