1. What is this about?
We are solicitors, so client confidentiality has always been a key part of the ethical code that we work by. The Solicitors Regulation Authority regulates us and penalises breaches of that code.
We also have to comply with laws on data protection. The major requirements on us, as on all businesses across Europe, are under the EU General Data Protection Regulation (GDPR), which gives you extensive rights. These rights help you ensure that information relating to you as an identifiable individual is correct, is used only appropriately, and is available to you on request.
This notice sets out our policies on data privacy and aims to give you clear guidance on these rights.
2. What personal data do we collect about you, and why?
We collect some basic information about you, as our client, in any case. We need your full name and contact details so that we can communicate with you, and there is some further information which we have to collect so that we can verify who you are to comply with legal requirements.
We also collect information, of course, so that we know enough to do whatever job you instruct us to do for you, and to respond proactively if we think we need to do something for you, or discuss something with you, in that light. We carry out our commitments under the contract which you make with our firm by instructing us; and sometimes (although without cost to you, if not within a retainer that you’ve instructed us on at that point) we make contact with you on our own initiative because we think we can help you in some way.
We may collect additional information for related purposes, such as to understand you better, or relating to financial arrangements with you, or simply by the fact that someone happens to tell us something about you (whether we asked them to or not).
Of course, a lot of the information about you that we hold will have come from you. But we also gather information from searching on-line databases (such as our electronic identity checks, or from Companies House) and we get information from other professional advisers whom we are working with on your behalf.
All that information, wherever it comes from, is your “personal data” under this policy if it is identifiably about you, a specific individual, personally. (If you are a limited company, LLP or other corporate entity then we owe the same professional obligations but the GDPR protection mostly won’t apply directly since it’s all about protection of individuals’ data.)
3. What do we use your personal data for?
Under data protection laws, we can only use your personal data if we have proper reason for doing so. Principally, that means in our case:
- to enable us to act for you (or prepare to do so);
- in our legitimate interests, to run our business, including for compliance with our legal and regulatory requirements;
- beyond that, only if we have your clear, express, consent to do so.
We don’t maintain a mailing list and we don’t use any personal data for purely marketing purposes – even our own. Just to be clear, we never, ever, sell your personal data to anybody else at all, and we never will. You are (and always have been, regardless of data protection laws) entitled to expect that we will keep all confidential information which we have about you totally confidential at all times, using it (and disclosing it) only in the circumstances bullet-pointed above.
Under the GDPR you have particular rights for any “special category” personal data which we hold about you. That means data revealing your racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, any genetic or biometric data, and data concerning your health, sex life, or sexual orientation. In the nature of our work we wouldn’t normally handle any such data about you. If we do hold some, we can use it on your behalf with whatever consent is clear from your instructions to us. Otherwise we cannot use it in any way without getting your express, informed, consent. Nor, as solicitors, would we ever think of doing so.
4. Who do we share your personal data with?
In acting for you, we will share personal data with anyone else who in our view is necessary and appropriate in your best interests, within the scope of our retainer with you.
Apart from that, we will (unless with your consent) share information with others only for our legitimate purposes in running our business. That might include disclosure to other law firms that we work with in your interests, our insurers, our regulators (principally, the Solicitors Regulation Authority) and of course suppliers involved in our business, such as those providing telephone switchboard services, on-line electronic search facilities, data processing capability and back-up services (such as Microsoft, Norton Symantec and Leap Legal).
We only use suppliers whom we trust to respect full confidentiality just as we do, and all data shared with IT suppliers goes to them in encrypted form. Given the global nature of the internet, and of our IT suppliers, some of the data which we share with them may be stored or processed outside the EU but, if so, those suppliers are pledged to keep to standards of behaviour, as regards both confidentiality and usage of personal data, which are consistent with EU data laws.
5. How long do we keep your data?
We routinely keep all records about our clients, and about our work for them, for at least six years. We are bound by our regulatory code to do at least that much, both in your interests and for good business practice. That is a minimum though, and in fact we tend to destroy data records only when we run out of storage room, so may still have files which are much older.
6. What are your personal data rights here?
You can expect us to treat all personal data that we hold about you with all due privacy.
Under the GDPR you may also have particular legal rights as follows, depending on the type of information, whether we got it from you, and what we use it for. In practice these legal rights should be relevant only if you are not our client, since we would be bound to look after our own client in such respects anyway. Those GDPR rights are, briefly: of access (free of charge) to such data; to have any mistakes about your data rectified; to be “forgotten” in certain circumstances, by such data being deleted; to restrict our processing of the data; to receive a copy of certain of your personal data from us; and to object in certain circumstances to our using the data.
If ever you think we are failing to comply with your rights, please let us know at once and tell us why. We do not want to have let you down in any way and will do our best to put right anything which it turns out that we have done wrong.
You also have a legal right, under the GDPR, to lodge a complaint with the appropriate supervising authority. In the UK that is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns or by phone on 0303 1231113.
The Information Commissioner’s website has further guidance on your legal rights, including under the GDPR, at https://ico.org.uk/your-data-matters/.
7. How do you contact us about all this?
“R.D.Y. Jennings & Co.” is the trading name of the solicitor’s practice operated by Richard (Dick) Jennings, solicitor. The firm is authorised and regulated by The Solicitors Regulation Authority, firm no. 122895. Dick is the “data controller”, for GDPR purposes.
Our contact details are as follows:
Postal address: 47 York Road, Malton, North Yorkshire, YO17 6AX
Email address: firstname.lastname@example.org
Phone: 0870 011 8155
Fax: 01653 691558