PRIVACY NOTICE

PRIVACY NOTICE FOR CLIENTS

What is the purpose of this document?

Alcocks Solicitors Limited is committed to protecting the privacy and security of the personal information of clients, contacts and the other third parties we deal with in the course of the provision of our services to our clients (Data Subjects). Therefore, Data Subjects may include third parties who are not our clients but whose personal data is processed by us in connection with the provision of our services to our clients, for example:

  1. where our client is an individual – family members, friends, associates and/or employees of that individual;
  2. where our client is connected to an unincorporated body (e.g. the trustees of a trust (such as a private family trust, a charitable trust or an occupational pension scheme)) – settlors, trustees, beneficiaries/members, employees and/or ultimate controllers of that unincorporated body; and
  3. where our client is a corporate body or partnership (e.g. public and private companies, charitable incorporated organisations, co-operatives, community benefit societies, limited liability partnerships, limited partnerships) – directors, trustees, members, shareholders, employees, partners and/or ultimate controllers of that corporate body or partnership (as the case may be).

The section of this notice headed How is personal information about Data Subjects collected? provides further information regarding how personal information about Data Subjects who are not our clients is collected, and the obligations of our clients regarding that information.

This privacy notice describes how we collect and use personal information about Data Subjects during and after the provision of our services to our clients, in accordance with the General Data Protection Regulation (GDPR). It applies to all Data Subjects (whether current or former).

Alcocks Solicitors Limited is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about Data Subjects. We are required under data protection legislation to notify Data Subjects of the information contained in this privacy notice.

This notice does not form part of any contract to provide our services to our clients. We may update this notice at any time.

It is important that Data Subjects read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about Data Subjects, so that they are aware of how and why we are using such information.

Data protection representatives

We have appointed one data protection representative (DPR) to oversee compliance with this privacy notice and the processing by us of personal information about Data Subjects. If you have any questions about this privacy notice or how we handle the personal information referred to in it, please contact our DPR (hhawkins@alcocks-solicitors.co.uk). If you have any complaints about the processing of the personal information referred to in this privacy notice, you have the right to make a complaint to the Information Commissioner’s Office (ICO) (www.ico.org.uk), the regulator and supervisory authority for data protection in the UK.

Data protection principles

We will comply with data protection law. This says that the personal information we hold about Data Subjects must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to them and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told them about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told them about.
  6. Kept securely.

The kind of information we hold about Data Subjects

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are “special categories” of more sensitive personal data which require a higher level of protection.

We may collect, store, and use the following categories of personal information about Data Subjects:

  • Personal contact details such as name, title, addresses, telephone numbers and email addresses.
  • Date of birth.
  • Marital status, friends, family members and dependants.
  • Lifestyle and social circumstances.
  • Bank account details, tax status information and other financial details.
  • Salary, pension and benefits information.
  • Business affairs.
  • National Insurance number.
  • Copy of passport.
  • Copy of driving licence.
  • Credit history.
  • Education and employment details.
  • Complaints and grievance information.
  • Information about criminal convictions and offences.
  • Information about use of our information and communication systems.

We may also collect, store and use the following “special categories” of more sensitive personal information about Data Subjects:

  • Information about race or ethnicity, religious or philosophical beliefs, sexual orientation, trade union membership and political opinions.
  • Information about physical and/or mental health.

How is personal information about Data Subjects collected?

We typically collect personal information about Data Subjects either directly from the Data Subject or sometimes from third parties such as credit reference agencies and background check providers [see footnote 1] or other professional advisers.

We will collect additional personal information about Data Subjects in the course of the provision of our services to our clients. For example, it may be necessary for a client to provide to us the personal information about Data Subjects (including “special category” personal information (see below)). If a client does so:

  • it must comply with data protection law and ensure that any instructions it issues to us shall comply with data protection law; and
  • it has sole responsibility for the accuracy, quality and legality of such other Data Subject personal information, and the means by which it acquired such other Data Subject personal information and it shall establish the legal basis for processing such other Data Subject personal information under data protection law, including by providing all notices and obtaining all consents as may be required under data protection law in order for us to process such other Data Subject personal information to provide our services to our clients.

How we will use information about Data Subjects

We will only use personal information about Data Subjects when the law allows us to do so. Most commonly, we will use personal information about Data Subjects in the following circumstances:

  1. Where the Data Subject is a client of the firm and we need to perform the contract we have entered into with the Data Subject (being the engagement terms set out in our client care letter and Standard Terms of Business).
  2. Where we need to comply with a legal obligation.
  3. Where it is necessary for our legitimate interests (or those of a third party) and the interests and fundamental rights of the Data Subject do not override those interests.
  4. Where we have obtained the Data Subject’s freely given, specific, informed and unambiguous consent by way of a statement or clear affirmative action.

We may also use personal information about Data Subjects in the following situations, which are likely to be rare:

  1. Where we need to protect the Data Subject’s vital interests (or someone else’s vital interests).
  2. Where it is needed in the public interest.

Situations in which we will use personal information about Data Subjects

We need all the categories of information in the list above (under the heading The kind of information we hold about Data Subjects) primarily to allow us to perform our contract with the Data Subject (where the Data Subject is a client of the firm)[*] and to enable us to comply with legal obligations[**]. In some cases we may use personal information about Data Subjects to pursue legitimate interests of our own or those of third parties[***], provided the interests and fundamental rights of the Data Subject do not override those interests. The situations in which we will process personal information about Data Subjects are listed below. We have indicated by asterisks the purpose or purposes for which we are processing or will process personal information about Data Subjects.

  • Complying with our legal obligations to verify the identity of our clients and to identify any conflicts of interest that may arise in acting for them**
  • Complying with our legal, accounting and reporting obligations to the Solicitors Regulation Authority (SRA) and other regulatory and statutory bodies to the jurisdiction of which we are subject**
  • Performing the contractual obligations we owe to our clients under the engagement terms set out in our client care letter. This will include, where necessary and depending on the matter, sharing personal information with third parties [see footnote 2] *
  • Processing personal information relating to persons who are not our clients in performance of the contractual obligations we owe to our clients under the engagement terms set out in our client care letter and Standard Terms of Business.  This will include, where necessary and depending on the matter, sharing personal information with third parties [see footnote 2]***
  • Ensuring that we hold accurate contact and other information about Data Subjects through centralised and secure databases. For these purposes we use software licensed to us by a third party software provider [see footnote 1]***
  • Recording the work that we undertake (and the time taken to undertake it). For these purposes we use software licensed to us by a third party cloud based software provider [see footnote 1]***
  • Maintaining a central and secure database of the financial information relating to our client and other files (including transactions undertaken in relation to the same). For these purposes we use software licensed to us by a third party software provider [see footnote 1]***
  • Making payments in accordance with instructions received from our clients (and others on their behalves) in accordance with the engagement terms set out in our client care letter*
  • Invoicing our clients and ensuring payment of those invoices in accordance with the engagement terms set out in our client care letter. This may include, in rare circumstances, sharing personal information with debt collection agencies to recover money owed to us*
  • Retaining our client and other files in accordance with our Data Retention and Destruction Policy in order to deal with future instructions, queries or complaints. This will include through the use of our off-site archiving and storage facilities [see footnote 1]***
  • Undertaking reviews of, and auditing, our client and other files, including in accordance with the Law Society’s accreditation schemes (e.g. Lexcel) and for the promotion of good practice. For these purposes we involve external reviewers and auditors from time to time***
  • Undertaking internal quality control of our work. This will include maintaining records relating to the same***
  • Administering, resolving and/or defending any complaint we may receive, or claim made against us, in relation to our work. This may include sharing personal information with our insurers (and our/their professional advisers (including other solicitors and barristers)) and the courts***

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of personal information about Data Subjects.

We will only process “special categories” of personal information in accordance with the paragraph below headed How we use particularly sensitive personal information.

If a Data Subject fails to provide personal information

Where a Data Subject is a client of the firm and fails to provide certain information when requested, we may not be able to perform the contract we have entered into with that Data Subject (e.g. we may not have sufficient information to undertake the work we have been instructed to undertake), or we may be prevented from complying with our legal obligations (e.g. we may not be able to undertake the anti-money laundering checks we are required to undertake pursuant to The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR Regs) in order to be able to take on, and accept instructions from, a Data Subject as a client of the firm).

Change of purpose

We will only use personal information about Data Subjects for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal information of Data Subjects for an unrelated purpose, we will tell them about the legal basis which allows us to do so.

Please note that we may process personal information about Data Subjects without their knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

We may process special categories of personal information about Data Subjects with the explicit written consent of the Data Subject.

Less commonly, we may process this type of information where:

  1. it is needed in the substantial public interest;
  2. it is needed in relation to legal claims;
  3. it is needed to protect the vital interests of the Data Subject (or someone else’s vital interests); or
  4. the Data Subject has already made the information public, and the processing is undertaken in line with our Data Protection Policy.

Our obligations as a law firm

We will only use particularly sensitive personal information about Data Subjects who are clients of the firm in relation to the work we are instructed by them to undertake, or in order to take steps at their request prior to and in anticipation of being instructed by them to undertake work. We receive such Data Subject’s explicit written consent to process special categories of personal information relating to them for the above purposes through the engagement terms set out in our client care letter.

Where, in the course of the provision of our services to a client, we collect sensitive personal information about Data Subjects who are not our client, our client has sole responsibility for obtaining such consents from the Data Subjects as may be required under data protection law in order for us to process the sensitive personal information to provide our services to our client.

Do we need Data Subjects’ consent?

We may approach Data Subjects for their written consent to allow us to use their personal information for direct marketing purposes. If we do so, we will provide them with full details of the information that we would like and the reason(s) we need it, so that they can carefully consider whether they wish to consent. Data Subjects should be aware that it is not a condition of any contract with us that they agree to any request from us for such consent.

Information about criminal convictions and offences

We may only use information relating to criminal convictions and offences where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy.

Less commonly, we may use information relating to criminal convictions and offences where it is necessary in relation to legal claims, where it is necessary to protect a Data Subject’s vital interests (or someone else’s vital interests), or where a Data Subject has already made the information public.

We do not envisage that we will hold information about criminal convictions and offences in the ordinary course of our business.

We will only collect information about criminal convictions and offences if it is appropriate and where we are legally able to do so. We will use information about criminal convictions and offences when undertaking the anti-money laundering checks we are required to undertake pursuant to the MLR Regs.

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in relation to Data Subjects in the following circumstances:

  1. Where we have notified the Data Subject of the decision and given him/her 21 days to request a reconsideration.
  2. Where the Data Subject is a client of the firm and it is necessary to perform the contract with the Data Subject and appropriate measures are in place to safeguard his/her rights.
  3. In limited circumstances, with the explicit written consent of the Data Subject and where appropriate measures are in place to safeguard his/her rights.

If we make an automated decision in relation to Data Subjects on the basis of any particularly sensitive personal information, we must have either the explicit written consent of the Data Subject or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard the rights of the Data Subject.

Data Subjects will not be subject to decisions that will have a significant impact on them based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified them.

We do not envisage that any decisions will be taken about Data Subjects using automated means. However, we will tell them if this position changes.

Data sharing

We may have to share personal information about Data Subjects with third parties, including third-party service providers.

We require third parties to respect the security of personal information about Data Subjects and to treat it in accordance with the law.

We may transfer personal information about Data Subjects outside the EU. If we do, Data Subjects can expect a similar degree of protection in respect of their personal information.

We do not sell personal information about Data Subjects to any third party.

Why might we share personal information about Data Subjects with third parties?

We may share personal information about Data Subjects with third parties where required by law, where it is necessary for us to provide our services to our clients or where we have another legitimate interest in doing so.

Which third-party service providers process personal information about Data Subjects?

The following activities are carried out by third-party service providers:

  • off-site archiving and storage facilities [see footnote 1];
  • IT (including back-up) services [see footnote 1]; and
  • banking facilities [see footnote 1].

How secure is personal information with third-party service providers?

All our third-party service providers are required to take appropriate security measures to protect personal information about Data Subjects in line with our policies. We do not allow our third-party service providers to use the personal data of Data Subjects for their own purposes. We only permit them to process such personal data for specified purposes and in accordance with our instructions.

What about other third parties?

We may share personal information about Data Subjects with other third parties. For example, we may need to share such personal information with a regulator or to otherwise comply with the law.

Data transfer outside of the EU

Whilst we do not routinely do so, we (or third parties with whom we share personal information about Data Subjects) may transfer personal information about Data Subjects outside the EU.  In those cases, except where the country has been determined by the European Commission or the relevant authority in the United Kingdom (as applicable) as ensuring an adequate level of data protection, we require the recipients of personal information about Data Subjects to take appropriate measures to protect such information.  For example, by requiring them to enter into a data transfer agreement in the standard form approved for this purpose by the European Commission or the relevant authority in the United Kingdom (as applicable).  Further details of any such transfers, and any such protective measures, are available from our DPR.

Data security

We have put in place measures to protect the security of personal information about Data Subjects. Details of these measures are available upon request.

Third-party service providers will only process personal information about Data Subjects on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent personal information about Data Subjects from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal information about Data Subjects to those employees, agents, contractors and other third-party service providers who need to know. Third-party service providers will only process personal information about Data Subjects on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from our DPR.

We have put in place procedures to deal with any suspected data security breach and will notify a Data Subject, the ICO and any other applicable regulator of a suspected breach where we are legally required to do so.

Data retention

How long will we use information for?

We will only retain personal information about Data Subjects for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of personal information about Data Subjects are available in our Data Retention and Destruction Policy which is available from our DPR. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise or pseudonymise personal information about Data Subjects so that it can no longer be associated with them, in which case we may use such information without further notice to them. Once a person has ceased to be a Data Subject (because, for example, they have ceased to be a client of the firm and we have ceased to provide legal services to him/her) we will retain and securely destroy his/her personal information in accordance with our Data Retention and Destruction Policy.

Rights of access, correction, erasure, and restriction

Data Subjects’ duty to inform us of changes

It is important that the personal information we hold about Data Subjects is accurate and current. We ask that Data Subjects keep us informed if their personal information changes during the course of the provision of our services to our clients.

Data Subjects’ rights in connection with personal information

Under certain circumstances, a Data Subject has the right to:

  • Request access to his/her personal information (commonly known as a “data subject access request”). This enables him/her to receive a copy of the personal information we hold about him/her and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about him/her. This enables him/her to have any incomplete or inaccurate information we hold about him/her corrected.
  • Request the erasure of his/her personal information. This enables him/her to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
  • Object to processing of his/her personal information where we are relying on a legitimate interest (or those of a third party) and there is something about his/her particular situation which makes him/her want to object to processing on this ground. A Data Subject also has the right to object where we are processing his/her personal information for direct marketing purposes.
  • Request the restriction of processing of his/her personal information. This enables him/her to ask us to suspend the processing of personal information about him/her, for example if he/she wants us to establish its accuracy or the reason for processing it.
  • Request the transfer of his/her personal information to another party.

If a Data Subject wants to review, verify, correct or request erasure of his/her personal information, object to the processing of his/her personal data, or request that we transfer a copy of his/her personal information to another party, please contact our DPR in writing.

No fee usually required

Data Subjects will not have to pay a fee to access their personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if their request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from Data Subjects

We may need to request specific information from Data Subjects to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where a Data Subject may have provided his/her consent to the collection, processing and transfer of his/her personal information for a specific purpose, he/she has the right to withdraw his/her consent for that specific processing at any time. To withdraw a consent, a Data Subject should contact our DPR (see below). Once we have received notification that a Data Subject has withdrawn his/her consent, we will no longer process his/her information for the purpose or purposes originally agreed to, unless we have another legitimate basis for doing so in law. The potential consequences of a Data Subject withdrawing a consent to the collection, processing and transfer of his/her personal data are set out under the heading If a Data Subject fails to provide personal information.

FOOTNOTES

[1] To protect the security of our data, we do not name the providers of such services to us in this privacy notice. However, a list of our service providers is available from our DPR on written request. We reserve the right to withhold details of our service providers if we think such request might prejudice the security of our data.

[2] e.g. HMRC, the Financial Conduct Authority, the Land Registry, Companies House, the Pensions Regulator, the Pension Protection Fund, the Charity Commission, ACAS, the courts, tribunals, HM Courts and Tribunals Service, Deputy Bond Services, the Office of Public Guardian, case managers and cost assessors, care providers, benefits advisors, executors, trustees, attorneys, deputies and other professional advisers (such as accountants, surveyors, valuers, independent financial advisers, other solicitors and barristers)

Changes to this privacy notice

We review this privacy notice annually and reserve the right to update it at any time, and we will make a new privacy notice available to Data Subjects when we make any substantial updates. We may also tell Data Subjects in other ways from time to time about the processing of their personal information.

If you have any questions about this privacy notice, please contact our Data Protection Representative, via email at hhawkins@alcocks-solicitors.co.uk, post to Alcocks Solicitors, Byron House, Commercial Street, Mansfield, Nottinghamshire, NG18 1EE or telephone 01623 460444.