Data Controller: Reed & Co Solicitors Ltd
Address: Office 12 Maghull Business Centre, 1 Liverpool Road North, Maghull, England, L31 2HB
ICO Registration Number: ZA852423
Contact: james.reed@reedandcosolicitors.co.uk
- Data – information stored electronically, on a computer or on paper.
- Data subject – any living individual about whom we hold personal data including clients and
staff.
- Data Controller – those who decide the purposes for which and the way in which data is
used.
- Data Protection Legislation – General Data Protection Regulation (EU) 2016/679 (GDPR).
- Data Processors – any person who processes personal data for a data controller.
- Data user – employees whose work involves using personal data.
- Personal information – information relating to an individual who can be identified from that
information.
- Processing – any activity involving the use of the data.
- Sensitive personal information – personal information relating to a person’s race, ethnic
origin, political opinions, religious/philosophical beliefs, trade union membership,
genetics information, biometric information that can be used to identify a person,
information relating to a person’s – health, sex life or orientation.
General
As part of our business we will collect, store and process personal information. This
information includes both staff and clients. This information must be treated in an appropriate and
lawful manner. All solicitors are required to comply with their legal obligations including those
relating to data protection.
The law recognises the following principles – any information must be
- Processed for specified, explicit and legitimate business purposes.
- Adequate, relevant and necessary for those purposes.
- Accurate and up to date. Any inaccurate information must be deleted or corrected
promptly. If you become aware that data is inaccurate you should record this and inform your
solicitors.
- Not kept in such a way as to identify data subjects for longer than necessary.
- Kept secure and protected against unauthorised or unlawful processing and accidental loss,
destruction or damage.
Reed and Co solicitors has to demonstrate compliance with these principles and maintain
records of activities.
The data subject must be told:
- Who the data manager is.
- The purpose for which the data will be processed.
- The lawful basis for the processing of the data.
- The identity of any person to whom the data may be disclosed.
Personal data should not be processed unless:
- The data subject has consented, or
- Processing is necessary to:
  - Perform a contract,
  - Comply with a legal obligation to which we are subject,
  - Exercise legal rights,
  - Protect the vital interests of the data subject or another person.
- Otherwise in our or the data subject’s legitimate interests. In most cases this will apply
to our routine business activities.
Reed and Co solicitors client care information states our commitment to privacy and the
purpose for which data is processed. All clients are asked to consent to the obtaining and
sharing of data which is necessary to establish or exercise a legal claim. Staff are referred
to the firm’s privacy policy.
We will only process sensitive personal data if we have a lawful basis for doing so as
set out above and one of the special conditions relating to sensitive personal data applies:
- The data subject has explicitly consented.
- Processing is necessary to exercise legal rights or obligations of the firm or the data
subject.
- Processing is necessary in order to protect the vital interests of the data subject and the
data subject is incapable of providing consent.
- Processing relates to data made public by the data subject.
- Processing is necessary to establish, exercise or defend a legal claim.
- Processing is necessary due to substantial public interest.
Personal data must only be used for the specific purpose explained to the data subject.
It must never be used for any other purpose unless such purpose is explained to the data subject.
Personal Data must not be kept for longer than necessary. It must be destroyed when no
longer required. It is necessary for such data to be retained for periods of time following
conclusion of a matter. For guidance you should consult with the data protection manager.
All data subjects have a right to:
- Be informed of how, why and on what basis data will be processed.
- Obtain access to the data and to make a subject access request to have data corrected if
necessary.
- To have data destroyed if it is no longer required for the purpose for which it was
obtained.
- Prevent the use of data for marketing purposes. Any proposed marketing activity which might
involve the use of personal information must be discussed with the data manager.
Security
The firm will use appropriate technical and organisational measures to keep personal
information secure. This may include:
- Pseudonymising or encrypting personal information,
- Ensuring the ongoing reliability of processing systems and services,
- Ensuring that in the event of any technical incident, access to personal information is restored
promptly,
- Regularly testing technical and organisational systems
Outsourcing
The firm will use external organisations to process personal information on its behalf.
Any contracts with such providers will ensure that –
- Such organisation may only act on our written instructions,
- Anyone processing the data is subject to a duty of confidentiality,
- Appropriate security measures are in place,
- Any sub-contractors are only used with the prior consent of Reed and Co solicitors and
subject to a written contract,
- Such organisation will assist the firm in dealing with a subject access request,
- The organisation will assist the firm in meeting its obligations in relation to security,
notification of breaches and data protection impact assessments,
- The organisation will delete or return all personal information as requested on conclusion
of the contract,
- The organisation will agree to audits and/or inspections to ensure that it is meeting its
contractual and legal obligations.
Any contract with an external organisation must be approved by the data protection
manager.
Emails
Most firms now communicate with clients and third parties by email. You must
ensure that these are sent securely and in particular –
- If the communication involves sensitive information consider sending it in an encrypted
format. This should be discussed with the data protection manager and might include, for
example, a communication which contains medical records.
- Double check the accuracy of an email address. This should include the sending of a
routine email containing non-confidential information to confirm the accuracy of the
address.
- Be very careful when using a group email and check that you really want to include
everyone in that particular email,
- You may need to verify the security of the recipient’s server.
Telephone
When discussing personal information by telephone you should –
- Check the identity of the caller to ensure that data is only provided to a person
entitled to it. This might include asking security questions.
- If unsure ask for the request to be made in writing,
- Only discuss personal information with a third party where authority has been obtained
from the data subject,
- If in doubt consult the data protection manager.
Subject Access Requests
Individuals are entitled to request access to information held about them and to
the provision of a copy of such information unless provision of a copy would adversely
affect the rights and freedoms of others.
Portability
Individuals can request portability of certain kinds of data. This means the
right to transfer the data from one processor to another. This is subject to restrictions
and any such request should be discussed with the data protection manager.
Your Rights Under GDPR (Data Subject Rights)
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of the personal data we hold about you. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month of your request.
Right to Rectification
You have the right to request that we correct any inaccurate personal data we hold about you, and to have incomplete data completed.
Right to Erasure (Right to be Forgotten)
You have the right to request that we delete your personal data in certain circumstances, including:
- The data is no longer necessary for the purpose it was originally collected
- You withdraw your consent (where consent was the legal basis for processing)
- You object to the processing and there is no overriding legitimate interest
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
Please note that this right is not absolute. We may need to retain your data to comply with legal obligations, to establish, exercise, or defend legal claims, or for other legitimate purposes as permitted by law.
Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
Right to Data Portability
Where we process your data based on consent or for the performance of a contract, and processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Right to Object
You have the right to object to the processing of your personal data where we are relying on legitimate interests as our legal basis. You also have the absolute right to object to direct marketing at any time.
Rights Related to Automated Decision Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Manager:
- Email: james.reed@reedandcosolicitors.co.uk
- Post: Office 12 Maghull Business Centre, 1 Liverpool Road North, Maghull, England, L31 2HB
We will respond to your request within one month. If your request is complex, we may extend this period by up to two further months, but we will inform you of any extension within the first month.
Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: www.ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Procedure
We must normally respond to any of the above requests within 28 days. We cannot
normally charge for processing such requests. If you should receive any request, you should
refer this immediately to James Reed. If you are concerned about any data which we hold
about you, this again should be referred to James Reed.
Breaches
Any of the following might constitute a breach of our obligations:
- Loss or theft of data or equipment such as a laptop computer,
- Unauthorised use of or access to data by staff or third party,
- Loss of data due to a systems failure,
- Human error – e.g., accidental transfer of data,
- Accidental loss due to fire etc,
- Deliberate IT attacks such as hacking,
- Where data is obtained by deceit.
If any breach is likely to result in a risk to the rights and freedoms of an
individual