Scott Rees & Co solicitors Privacy Notice – May 2018
Scott Rees & Co is a modern law firm offering a broad range of legal services to private individuals and small and medium-sized businesses, including (but not limited to) personal injury, uninsured loss recovery, clinical negligence and conveyancing throughout England and Wales.
As an essential part of our business, we collect and manage client and non-client data. In doing so, we observe the UK Data Protection legislation, and are committed to protecting and respecting clients’ and non-clients’ privacy and rights. Specifically, we act as a “Data Controller” in respect of the information gathered and processed by us, and act in a fair, transparent and accountable manner.
In order that you are reliably informed about how we operate, we have developed this privacy notice, which describes the ways in which we collect, manage, process, store and share information about you as a result of you instructing us to act for you, or being employed by us, or visiting our website. The privacy notice also provides you with information about how you can have control over the use of your data.
As solicitors we owe a duty of confidentiality to our clients and staff to keep their matters private (and also may rely upon legal professional privilege). This document sets out your rights of privacy under the GDPR [General Data Protection Regulation] after 25 May 2018. Where one of our duties of confidentiality or privilege owed to you may overlap or conflict with the GDPR then they may have priority and take precedence so whilst this notice explains the GDPR rights it does not seek to remove or restrict those other duties owed to you.
If you have any comments or queries regarding our use of your data, please contact our Data Protection Officer, Tim Allen, Compliance Partner at email@example.com or the Compliance Department at Compliance@scottrees.co.uk or write to our Data Protection Officer at Compliance Department, Scott Rees & Co, 2 The Parks, Newton-le-Willows, WA12 0JQ. We are registered with the Information Commissioners Office number Z85004220.
What information do we collect about you?
The GDPR sets out six lawful bases for processing personal data. These comprise:
- Performance of a contract
- Compliance with a legal obligation
- The vital interests of a data subject
- The legitimate interests of the data controller
- Public interest or exercise of official authority
Our lawful basis to process your personal data, will include, but is not limited to:
- performance of a contract – data is used to perform our contract for legal services (if a client) or undertake processing that is necessary in order to take the steps at the request of the data subject prior to entering into a contract (prospective client) or contract of employment (if an employee).
- the legitimate interest of the data controller – so that we can carry out your instructions, we will balance our needs as data controller against those you the data subject, to ensure that this data use is something you would reasonably expect the processing of and not cause any unjustified harm to you as a data subject.
- compliance with a legal obligation – to which the data subject is subject, where this is clear and precise and its application should be foreseeable to the persons subject to it, for example, registering a property purchase with HM Land Registry on behalf of the client, complying with court orders or directions.
- consent – this is relied upon if the other above basis does not apply and we recognise that consent must be freely given and is unambiguous and specific.
In general terms, we seek to collect information about you so that we can:
- Administer our relationship with you, provide legal services and respond to enquiries
- Enable business development including sending legal updates, publications and details to events or other services
- Process applications for employment
- Deliver requested information to you about our additional services and our subsidiaries (if any) services
- Ensure the billing of any procured services and obtain payment
- Process and respond to any complaints
- Enable us to meet our legal and other regulatory obligations imposed on us
- Audit usage of our websites
The information that we need for these purposes is known as your “personal data”. This includes your name, home address, email address, telephone and other contact numbers and financial information. We collect this in a number of different ways. For example, you may provide this data to us directly online or over the telephone, or when corresponding with us by letter.
We also process sensitive classes of information that includes:
- Physical or mental health details (only to the extent required to enable us to deal with your accident or injury or medical negligence legal claim) , and
- Racial or ethnic origin (only so far as it is necessary, for instance to provide language or translation services to assist you).
We will only process this and record it if necessary to progress your instructions and at under the agreed contract or agreement.
Please also be advised that when you visit our website, cookies will be used to collect information about you such as your Internet Protocol (IP) address which connects your computer or mobile device to the Internet, and information about your visit such as the pages you viewed or searched for, pages response times, download errors etc. We do this so that we can measure our website’s performance and make improvements in the future. Cookies are also used to enhance this website’s functionality and personalisation, which includes sharing data with third party organisations. You can control this by adjusting your cookies settings. We refer you to our Cookies Policy on our website for more information on this.
How will we use the information?
We use the data collected from you for the specific purposes listed in the table below. Please note that this table also explains:
- The legal basis for processing your data, linked to each processing purpose; and
- In what circumstances your data will be shared with a third party organisation.
|Purpose for processing data||Legal basis for processing data||Third party organisations with whom data is shared|
|To administer our relationship with you, provide legal/ contractual services as a client or employee and respond to enquiries. This includes; (i) Permission for disclosure of your information so far as is necessary to fulfil your instructions to Data Processors, or third parties or the Court, (ii) Permission for searches of databases using your details and recording the results to fulfil your instructions, (iii) Audits – when required by a third party (i.e. Solicitors Regulation Authority government bodies, regulators, professional bodies) or Data Processor (e.g. insurers) to provide audit facilities to demonstrate compliance with legislation or regulation or service standards. We have permission to disclose such material as deemed reasonably necessary.||To meet the requirements of a contract/compliance with a legal obligation/legitimate interest of the data controller/or in default consent||We use “Data Processors” and/or Third Parties to carry out tasks and obtain records and information to progress your matter and they process data on our behalf. These include; barristers, medical experts and agencies, engineers, GPs, hospitals, other experts, outsource agents, enquiry and statement drafting agents, hire companies, BTE/ATE insurers, costs draughtsmen, care experts, employment experts, actuary experts, courts, Third Party Insurers/Solicitors, Experian and Call ML, Equifax, Companies House, Electoral Roll and Netfoil, DVLA, MIB (including askMID, askCUE PI, MEDCO).|
|To ensure the billing of any procured services by you and obtain payment.||To meet the requirements of a contract/legal obligation.||Government VAT and tax inspectors, external auditors, internal auditors.|
|To communicate with you about legal updates, breaking news, newsletters and event invitations which are relevant to your interests and in line with your preferences.||To seek explicit consent prior to sending individuals the information and in line with preferences/ or as agreed with you in our contract/agreement.||We use marketing services such as Mailchimp.|
|To provide enquirers support by telephone||To fulfil contractual obligations this includes taking action before entering into a contract.||None.|
|To process and respond to complaints.||To meet a legal obligation/performance of a contract.||None.|
|To monitor and record information relating to the use of and quality of our services, to include our website.||To meet a legitimate interest in order to improve the services and experience and website for individuals and visitors.||Web service providers and cookie providers. We may invite you to use on line review services such as Trust Pilot, Google, Facebook, YouTube.|
|To capture photographs and videos to be used for marketing and promotional material for the firm, including our website, brochures, bids and tenders.||To seek explicit consent prior to collecting and using this information.||None.|
|To ensure the firms offices and its stored information is secure we use CCTV services.||To meet the requirements of a contract.||CCTV service providers.|
|For employees – To conduct human resource administration to include assessing suitability, eligibility and/or fitness to work.||To fulfil contractual obligations this includes taking action before entering into a contract.||Disclosure and Barring Service. HR software providers, Payroll Accountants.|
|To maintain the firms accreditation with recognised bodies and practice management standards||To meet the requirements of a contract/comply with a legal obligation||Lexcel, CQS, ISO 27001, Investors in People|
Under the terms of data protection legislation, you have the following rights as a result of using our service and our website (subject to confidentiality, as mentioned above):
(a) Right to be informed
This privacy notice fulfils our obligation to tell you about the ways in which we use your information as a result of you using our services.
(b) Right to access
You have the right to ask us for a copy of any personal data that we hold about you. This is known as a “Subject Access Request”. Except in exceptional circumstances (which we would discuss and agree with you in advance), you can obtain this information at no cost after 25th May 2018. We will send you a copy of the information within 30 days of your request.
Please Note – A Subject Access Request is not the same as a request for your file of papers and whether you are entitled to your file of papers will be bound by the terms of our contract or agreement with you and we can advise you further on that. We may be entitled to exercise a lien over your file of papers when our costs are unpaid, and be able to charge you for copies of information that you have already been provided with.
To make Subject Access Request, please email or write to our Data Protection Officer Mr Allen, at the details set out above.
(c) Right to rectification
If any of the information that we hold about you is inaccurate, you can contact our Data Protection Officer in writing. Before we can do this it may be necessary for us to investigate this with you and obtain proof of your identity.
(d) Right to be forgotten
From 25 May 2018, you can ask that we erase all personal information that we hold about you. Where it is appropriate that we comply, your request will be fully actioned within 30 days. Please note that there may be very good reasons why we cannot comply, for instance where we need to hold your file of papers electronically after conclusion of your matter for a statutory period e.g. limitation period. For further information please contact our Data Protection Officer, who will be able to help you and advise you on your case.
You have the right to object to:
- The continued use of your data for any purpose listed above for which consent is identified as the lawful basis for processing i.e. you have the right to withdraw your consent at any time.
- The continued use of your data for any purpose listed above for which the lawful basis of processing is that it has been deemed legitimate.
(e) Right to restrict processing
If you wish us to restrict the use of your data because (i) you think it is inaccurate but this will take time to validate, (ii) you believe our data processing is unlawful but you do not want your data erased, (iii) you want us to retain your data in order to establish, exercise or defend a legal claim, or (iv) you wish to object to the processing of your data, but we have yet to determine whether this is appropriate, please contact our Data Protection Officer.
(f) Right to data portability
If you would like to move, copy or transfer the electronic personal data that we hold about you to another organisation, please contact our Data Protection Officer.
(g) Rights related to automated decision-making
If you would like to object to automated decision making without any individual involvement, and to the profiling of your data, please contact our Data Protection Officer.
Is the processing of information likely to cause individuals to object or complain?
Scott Rees & Co is not aware of any justifiable reasons that would constitute a legitimate reason for objecting or complaining about the way we process or control information.
How long will we retain information for?
Scott Rees & Co will typically retain information for a period of six years from the conclusion of litigation matters and sale matter or twelve years from the conclusion for re-mortgage or purchase matters. Or six years for employment records. This is due to regulatory reasons and limitation periods in respect of any future claims or complaints and to ensure our business records are adequate to maintain the requisite levels of insurance to protect our clients and non-clients.
None of the information that we collect process or store as a result of this website is transferred outside of the European Economic Area (EEA). This includes information that is exchanged with any third party organisation as described above.
Data privacy and security
At Scott Rees & Co, we maintain a comprehensive data management work programme, which includes processes for ensuring that data protection is a key consideration of all new and existing IT systems that hold personal data. Where any concerns, risks or issues are identified, we conduct relevant impact assessments in order to determine any actions that are necessary to ensure optimum privacy.
We also maintain an active information security work programme which seeks to protect the availability, confidentiality and integrity of all physical and information assets. Specifically, this helps us to:
- Protect against potential breaches of confidentiality;
- Ensure all IT facilities are protected against damage, loss or misuse;
- Increase awareness and understanding of the requirements of information security, and the responsibility of our colleagues to protect the confidentiality and integrity of the information that they handle; and
- Ensure the optimum security of this website.
- We have been awarded ISO 27001 Certification for Information Security Management.
Questions and comments regarding this Privacy Notice are welcomed, and should be sent to our Data Protection Officer at firstname.lastname@example.org
Alternatively, you can write to our Data Protection Officer at Tim Allen, Scott Rees & Co, 2 The Parks, Newton-le-Willows, WA12 0JQ if you have any concerns or complaints about the ways in which your personal data has been handled as a result of you using our website.
If we cannot resolve your concerns, you have the right to lodge a complaint with the Information Commissioner’s Office who may be contacted at Wycliffe House, Water Lane, Wilmslow SK9 5AF or https://ico.org.uk.