Privacy Policy
The aim of this Policy is to ensure that all personal information NC Law holds about its clients, sub-contractors and employees is dealt with in a secure, confidential and accurate manner.
NC Law understands and endorses the requirements of the Data Protection Act 1998, and the General Data Protection Regulation 2016.
NL Law respects the right of its employees and subcontractors to privacy within the workplace, and works to balance that with the need to ensure compliance with company, tax, civil and criminal law.
Access to any data held by the NC Law will be provided to the employee, client or sub-contractor in compliance with the Act and Regulation.
Data Subject Right’s under the GDPR for Clients, Employees and Subcontractors’ are:
- The right to access
You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. You can make a data access request of your personal data by emailing us and by providing us with proof of identity and address. Email: ncl@nclaw.co.uk - The right to rectification
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. - The right to erasure (The right to be forgotten)
In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims. - The right to restrict processing
In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest. - The right to object to processing
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. - The right to data portability
To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others. - The right to complain to a supervisory authority
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. In the UK, our supervisory authority is the Information Commissioners Office: https://ico.org.uk/ - The right to withdraw consent
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. You may exercise this right by emailing us and providing us with proof of identity and address: Email ncl@nclaw.co.uk
NC Law strives to review our Privacy Policy Statement and Procedures including enhancing our physical and cyber security policy and practice as a means to demonstrate continual innovation and improvement in the way we manage client data.
This document is divided into three sections
Section One will summarise the key points of Client Rights and the responsibilities of NC Law pertaining to Privacy and Confidentiality of Client personal and case data.
Section Two will summarise the way in which NC Law protects the right to privacy and confidentiality of our employees.
Section Three will summarise the way in which NC Law protects the right to privacy and confidentiality of our subcontractors.
NC Law expects all staff to respect the rights of their colleagues no matter whether they be direct employees or whether they be subcontractors’ as well as demonstrating due care and respect for our clients and the legal casework we undertake for and on behalf of our clients.
SECTION ONE – CLIENTS:
NC Law is committed to collecting the minimum data and information necessary to provide a full range of legal services to our clients.
We understand that on a case by case basis the level of data my vary dependent on the type of legal service we are providing; and that in some cases we may need to collect data which under the Data Protection Act 1998 and the GDPR 2016 is considered sensitive – all data irrespective of its category whether general, sensitive or special will be treated with the highest confidence and will be stored securely at the premises of NC Law.
Data and Client case file may only be removed from the office for legal purposes such as Court Appearances.
The General Data we collect is:
- Client Name
- Client Address
- Client Phone Number
- Client Mobile Number
- Client Email Address
Legal Purpose for Data Collection & Processing:
To enable us to perform our contracted duties to our clients and to provide legal advice and representation.
Data Sources:
In the main, the data source will be the client, however there might be other instances where a family member might seek to secure our services on behalf of the client.
Data Storage:
Client data is stored both digitally and in hard copy. Digital copies reside on the company computers and server. Computers and the server are password protected to limit the risk of data loss or theft.
The computer systems are also protected by advanced anti-virus software which includes anti-malware, anti-ransomware and firewall protection. Through our anti-virus system we also have the capability to firewall individual files and folders.
Hard-copy files are kept in filing cabinets at our offices.
Data Back-ups
NC Law outsources our IT Systems maintenance and systems back-up. As part of this system data is backed-up onto an encrypted cloud service
Service Payments:
Clients are invoiced for our services using our accounting software Quill Pinpoint.
Clients are asked to pay their invoices in full or instalment directly into the NC Law bank account therefore we do not hold client bank details on our systems.
Security
Our premises are protected by alarm systems and CCTV. CCTV is provided by the local authority as part of their community crime prevention programme.
Data Retention & Deletion
NC Law is committed to keeping client data for as long as is necessary to perform our contracted legal services to our clients.
We are guided by the Conveyancing Quality Scheme and the Law Society as to how long we must retain client records and this is communicated to our clients during the contracting process.
Once the maximum data retention period has expired, the case data will be deleted safely and securely in line with our legal obligations and best practice as guided by UK laws governing the individual legal cases we have worked on for our clients.
SECTION TWO – EMPLOYEES
Administration
- NC Law will ensure that all internal staff who are involved in processing your personal information are trained in compliance with the requirements of the Data Protection Act 1998 & the General Data Protection Regulation 2016.
- NC Law will ensure that all personal information will be held in a secure centralized system and access will be restricted to the staff in (1) above. Files will not be held by individual managers and all managers will be trained accordingly.
- NC Law will carry out an annual audit of all personal data to ensure it is accurate, up to date and relevant.
Access
- Employees are entitled to have access to their records. Should you require such access you should put your request in writing to Nazmin Choudhury. The first request for personal data will be free of charge; subsequent requests for access to personal data made within a 12-month period will be charged at an admin fee of £10.00. Employees making a request for their records will within 30 days be provided with access to all their personal data other than the exceptions listed below.
- Amending data. Employees may ask the NC Law to correct any inaccurate data. However the NC Law reserves the right to maintain a copy of old data as well as appending the new data where the law or documents control requires that full and historic records be kept.
- Prevention of processing. In certain very limited circumstances you may be able to prevent the processing of your data if it is likely to cause you or another person unwarranted damage or distress.
- Automated decision-making. NC Law does/does not carry out any automated decisions.
NC Law does not provide access to the following:
- References written by the NC Law or former employers
- Any data from which a third party can be identified, unless it is possible to remove the identifying elements.
- Any data held for the purposes of management forecasting or planning if access to the same is likely to prejudice the conduct of the Employer’s business
- Any data prejudicing ongoing negotiations with the employee
- Any data protected by legal professional privilege
- Any data regarding your health which an appropriate health professional considers likely to cause serious harm to your physical or mental health or of any other person
Sensitive Personal data
This includes data relating to the following:
- Health records
- Trade Union membership
- Racial or ethnic origin
- Criminal proceedings and convictions
- Political opinions
- Sexual life
- The commission or alleged commission of any offence
The processing of such data is restricted by the Data Protection Act 1998 and the GDPR 2016. NC Law will be processing data relating to your health, in that sickness absences have to be recorded over time.
Should you have any concerns in this regard you are reminded of your rights of access in the Rights of Access section on pages 4 & 5 of this document and in the Act’s and Regulation’s requirement that all data held is accurate and relevant
Disclosure
NC Law may from time to time use external bodies to process data, for instance to outsource the payroll, or personnel functions. NC Law will ensure that such bodies will have in place sufficient security measures in place to protect your data, privacy and confidentiality.
NC Law will not disclose any information to any other person or organization seeking the same without written consent from you
Monitoring
Email, phone and Internet use. You are referred to the Electronic Information Policy for more information. If NC Law has a reasonable suspicion that the use of any of these communications devices is being abused, it reserves the right to monitor the usage of the suspected individual for a limited period in order to be able to investigate and deal with the allegations of abuse in a fair manner.
CCTV
While NC Law doesn’t use CCTV directly, there is CCTV monitoring of the street and building which is provided by the local authority for reasons of security of its personnel and to prevent theft and other criminal activity.
Data Retention & Erasure
NC Law’s data retention and erasure policy relates exclusively to what will happen to your data once you cease to be employed by NC Law.
- All personal data which we hold on you will be kept securely on file for a 3-year period from the date of your the final day of work for NC Law. The purpose of retaining your data for this length of time is to provide us with the opportunity to provide you with an accurate and thoughtful reference for future employment at your request.
- You personal data HR will be deleted within 2-working days once the 3-year retention period has expired.
- Personal data pertaining to your Salary, Tax, National Insurance, and other statutory payments made by NC Law to you and/or on your behalf will be retained for 7-years in compliance with UK Tax Law after which time the data will be deleted in compliance with the said law.
SECTION 3 – SUBCONTRACTORS
in the context of NC Law business model, all sub-contractors are self-employed and are contracted to work a specific number of days per week/month/year depending on the nature of the service provided to NC Law, the details of which are detailed in the service agreement of statement of works between NC Law and the sub-contractor.
NC Law have an obligation to undertake Due Diligence prior to finalising the engagement for service provision of any/all subcontractors, especially if a subcontractor is as part of their service provision will have direct contact with our clients.
Administration
- NC Law will ensure that all internal staff who are involved in processing your personal information are trained in compliance with the requirements of the Data Protection Act 1998 & the General Data Protection Regulation 2016.
- NC Law will ensure that all personal information will be held in a secure centralized system and access will be restricted to the staff in (1) above. Files will not be held by individual managers and all managers will be trained accordingly.
- NC Law will carry out an annual audit of all personal data to ensure it is accurate, up to date and relevant.
Access
- Sub-contractors are entitled to have access to their records. Should you require such access you should put your request in writing to Nazmin Choudhury. The first request for personal data will be free of charge; subsequent requests for access to personal data made within a 12-month period will be charged at an admin fee of £10.00. Sub-contractors making a request for their records will within 30 days be provided with access to all their personal data other than the exceptions listed below.
- Amending data. Sub-contractors may ask the NC Law to correct any inaccurate data. However the NC Law reserves the right to maintain a copy of old data as well as appending the new data where the law or documents control requires that full and historic records be kept.
- Prevention of processing. In certain very limited circumstances you may be able to prevent the processing of your data if it is likely to cause you or another person unwarranted damage or distress.
- Automated decision-making. NC Law does/does not carry out any automated decisions.
NC Law does not provide access to the following:
- References written by the NC Law or former employers
- Any data from which a third party can be identified, unless it is possible to remove the identifying elements.
- Any data held for the purposes of management forecasting or planning if access to the same is likely to prejudice the conduct of the NC Law business
- Any data prejudicing ongoing negotiations with the sub-contractor
- Any data protected by legal professional privilege
- Any data regarding your health which an appropriate health professional considers likely to cause serious harm to your physical or mental health or that of any other person
Sensitive Personal data
This includes data relating to the following:
- Health records
- Trade Union membership
- Racial or ethnic origin
- Criminal proceedings and convictions
- Political opinions
- Sexual life
- The commission or alleged commission of any offence
The processing of such data is restricted by the Data Protection Act 1998 and the GDPR 2016. NC Law will not as a rule processes this sensitive information in relation to securing the services of a sub-contractor with the exclusion of criminal proceedings or conviction. As a law firm, providing legal services to our clients we are duty bound to undertake due-diligence on all our subcontractors’ especially those that may have reason to interact with our clients.
Should a subcontractor have any concerns in this regard you are reminded of your rights of access in the Rights of Access section on pages 7 & 8 of this document and in the Act’s and Regulation’s requirement that all data held is accurate and relevant
Disclosure
NC Law may from time to time use external bodies to process data, for instance to outsource the payroll and accounts functions. NC Law will ensure that such bodies will have in place sufficient security measures in place to protect your data, privacy and confidentiality.
NC Law will not disclose any information to any other person or organization seeking the same without written consent from you.
Monitoring
Email, phone and Internet use. You are referred to the Electronic Information Policy for more information. If NC Law has a reasonable suspicion that the use of any of these communications devices is being abused, it reserves the right to monitor the usage of the suspected individual for a limited period in order to be able to investigate and deal with the allegations of abuse in a fair manner.
CCTV
While NC Law doesn’t use CCTV directly, there is CCTV monitoring of the street and building which is provided by the local authority for reasons of security of its personnel and to prevent theft and other criminal activity.
Data Retention & Erasure
NC Law’s data retention and erasure policy relates exclusively to what will happen to your data once you cease to be engaged as a sub-contractor by NC Law.
- All personal data which we hold on you will be kept securely on file for a 3-year period from the dated of your the final day of work for NC Law. The purpose of retaining your data for this length of time is to provide us with the opportunity to provide you with an accurate and thoughtful reference for future employment at your request.
- You personal HR data will be deleted within 2-working days once the 3-year retention period has expired.
- Personal data pertaining to your invoice payments made by NC Law to you will be retained for 7-years in compliance with UK Tax Law after which time the data will be deleted in compliance with the said law.
Policy Update: 22.05.2018
Approved: Nazmin Choudhury
APPENDIX – Data Processors
In every case in which you instruct us, we will need to share your information with data processors with whom we have a written agreement that they are handling your data in a way that is compliant with the 2018 General Data Protection Regulations.
Please see below for a list of some of the organisations to which we will or may need to transfer data and the kind of data that is likely to be shared. Depending on your case and legal requirements, we may need to transfer your data to other organisations or different data than that listed may need to be shared.
Data Processor |
Data Shared |
When |
---|---|---|
LEAP (accounts and CRM) |
Name, address, data of birth, national insurance number, phone numbers, email address, copies of ID
|
For all matters |
Fitzrovia IT Limited (IT support provider) |
Name, address, data of birth, national insurance number, phone numbers, email address, copies of ID, documents related to your specific matter. |
If Fitzrovia need to access our computer network |
Microsoft |
Name, address, data of birth, national insurance number, phone numbers, email address, copies of ID, documents related to your specific matter. |
Cloud backups |
Lloyds Bank plc (bank) |
Name, bank account details |
If there are any financial transactions on your matter |
Hartley Fowler LLP (accountant) |
Name, financial details |
When our accounts are audited |
HM Land Registry |
Address, Name |
When registering a conveyancing transactions |
HMRC |
Name, Address, date of birth, national insurance number |
When paying tax e.g. IHT or SDLT |
Other solicitors |
Name, Address, matter data |
For most matters |
Mortgage lender |
Name, address, matter data |
When obtaining a mortgage on a property |
Barrister |
Name, address, matter data |
For litigious matters |
Cyber Crime & Bank Fraud
Cybercrime is unfortunately increasing and fraudsters are now targeting law firms in order to divert payments to alternative bank accounts. In response to this, please note that Purdys will not update payment details via email alone. Should you receive an email attempting to amend payment details, please contact the individual dealing with your matter by telephone as we cannot accept responsibility for losses arising from your transfer of funds.
The SRA website has a section on Scam Alerts, so you can find out if fraudsters have been spoofing a solicitor firm’s email address - www.sra.org.uk