Date Protection Policy

At The Housing Disrepair Experts, our roots and experiences deeply connect us with the communities we serve. Our team is not just a group of professionals; we're individuals who share a unique and genuine understanding of the challenges our clients face.


  • Data – information stored electronically, on a computer or on paper.
  • Data subject – any living individual about whom we hold personal data including clients and staff.
  • Data Controller – those who decide the purposes for which and the way in which data is used.
  • Data Protection Legislation – General Data Protection Regulation (EU) 2016/679 (GDPR).
  • Data Processors – any person who processes personal data for a data controller.
  • Data user – employees whose work involves using personal data.
  • Personal information – information relating to an individual who can be identified from that information.
  • Processing – any activity involving the use of the data.
  • Sensitive personal information – personal information relating to a person’s race, ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetics information, biometric information that can be used to identify a person, information relating to a person’s – health, sex life or orientation.

Sensitive personal information – personal information relating to a person’s race, ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetics information, biometric information that can be used to identify a person, information relating to a person’s – health, sex life or orientation.


As part of our business we will collect, store and process personal information. This information includes both staff and clients. This information must be treated in an appropriate and lawful manner. All solicitors are required to comply with their legal obligations including those relating to data protection.

The law recognises the following principles – any information must be

  • Processed for specified, explicit and legitimate business purposes.
  • Adequate relevant and necessary for those purposes.
  • Accurate and up to date. Any inaccurate or information must be deleted or corrected promptly. If you become aware that data is inaccurate you should record this and inform your solicitors.
  • Not kept in such a way as to identify data subjects for longer than necessary.
  • Kept secure and protected against unauthorised on unlawful processing and accidental loss, destruction or damage.

Reed and Co solicitors has to demonstrate compliance with these principles and maintain records of activities.

The data subject must be told:

  • Who the data manager is.
  • The purpose for which the data will be processed.
  • The lawful basis for the processing of the data.
  • The identity of any person to whom the data may be disclosed.

Personal data should not be processed unless

  1. The data subject has consented or
  2. Processing is necessary to
  • Perform a contract,
  • Comply with legal obligation to which we are subject
  • Exercise legal rights
  • To protect the vital interests of the data subject or another person
  • Otherwise in our or the data subject’s legitimate interests. In most cases this will apply to our routine business activities.

Reed and Co solicitors client care information states our commitment to privacy and the purpose for which data is processed. All clients are asked to consent to the obtaining and sharing of data which is necessary to establish or exercise a legal claim. Staff are referred to the firm’s privacy policy.

We will only process sensitive personal data if we have a lawful basis for doing so as set out about above and one of the special conditions relating to sensitive personal data applies

  • The data subject has explicitly consented.
  • Processing is necessary to exercise legal rights or obligations of the firm or the data subject.
  • Processing is necessary in order to protect the vital interests of the data subject and the data subject is incapable of providing consent.
  • Processing relates to data made public by the data subject.
  • Processing is necessary for to establish, exercise or defend a legal claim.
  • Processing is necessary due to substantial public interest.

Personal data must only be used for the specific purpose explained to the data subject. It must never be used for any other purpose unless such purpose is explained to the data subject.

Personal Data must not be kept for longer than necessary. It must be destroyed when no longer required. It is necessary for such data to be retained for periods of time following conclusion of a matter. For guidance you should consult with the data protection manager.

All data subjects have a right to:

  • Be informed of how, why and what basis data will be processed.
  • Obtain access to the data and to make a subject access request to have data corrected if necessary.
  • To have data destroyed if it is no longer required for the purpose for which it was obtained.
  • Prevent the use of data for marketing purposes. Any proposed marketing activity which might involve the use of personal information must be discussed with the data manager.


The firm will use appropriate technical and organisation measures to keep personal information secure. This may include:

Pseudonomising or encrypting personal information,

  • Ensuring the ongoing reliability of processing systems and services,
  • Ensuring that in the event of any technical incident, access to personal information is restored promptly,
  • Regularly testing technical and organisational systems


The firm will use external organisations to process personal information on its behalf.

Any contracts with such providers will ensure that –

  • Such organisation may only act on our written instructions,
  • Anyone processing the data is subject to a duty of confidentiality,
  • Appropriate security measures are in place,
  • Any sub-contractors are only used with the prior consent of Reed and Co solicitors and subject to a written contract,
  • Such organisation will assist the firm in dealing with a subject access request,
  • The organisation will assist the firm in meeting its obligations in relation to security, notification of breaches and data protection impact assessments,
  • The organisation will delete or return all personal information as requested on conclusion of the contract,
  • Will agree to audits and/or inspections to ensure that it is meeting its contractual and legal obligations.

Any contract with an external organisation must be approved by the data protection manager.


Most firms now communicate with clients and third parties by email. You must ensure that these are sent securely and in particular –

  1. If the communication involves sensitive information consider sending it in an encrypted format. This should be discussed with the data protection manager and might include, for example, a communication which contains medical records.
  2. Double check the accuracy of an email address. This should include the sending of a routine email containing non-confidential information to confirm the accuracy of the address.
  3. Be very careful when using a group email that you really want to include everyone in a particular email,
  4. You may need to verify the security of the recipient’s server.


When discussing personal information by telephone you should –

  1. Check the identity of the caller to ensure that data is only provided to a person entitled to it. This might include asking security questions.
  2. If unsure ask for the request to be made in writing,
  3. Only discuss personal information with a third party where authority has been obtained from the data subject,
  4. If in doubt consult the data protection manager.

Subject Access Requests

Individuals are entitled to request access to information held about them and to the provision of a copy of such information unless provision of a copy would adversely affect the rights and freedoms of others.


Individuals can request portability of certain kinds of data. This means the right to transfer the data from one processor to another. This is subject to restrictions and any such request should be discussed with the data protection manager.


Individuals have the right to request erasure of personal data we hold about them. However, this is subject to our right to retain such information for such period as may be necessary to defend any legal claim against us.


We must normally respond to any of the above requests within 28 days. We cannot normally charge for processing such requests. If you should receive any request, you should refer this immediately to James Reed. If you are concerned about any data which we hold about you, this again should be referred to James Reed.


Any of the following might constitute a breach of our obligations:

  • Loss or theft of data or equipment such as a laptop computer,
  • Unauthorised use of or access to data by staff or third party,
  • Loss of data due to a systems failure,
  • Human error – e.g., accidental transfer of data,
  • Accidental loss due to fire etc,
  • Deliberate IT attacks such as hacking,
  • Where data is obtained by deceit.

If any breach is likely to result in a risk to the rights and freedoms of an individual