GDPR Policies

Privacy Notice

Privacy Notice for Lamb Building Chambers

We want you to know that when you use our organisation you can trust us with your information. We are determined to do nothing that would infringe your rights or undermine your trust. This Privacy Notice describes the information we collect about you, how it is used and shared, and your rights regarding it.

Data Controller

We are registered with the Information Commissioner’s Office (ICO) as a Data Controller for the personal data that we hold and process. Our registered address is [INSERT], our registration number is [INSERT]

 Data Collection

The vast majority of the information that we hold about you is provided to us by yourself when you seek to use our services. We will tell you why we need the information and how we will use it.


Our Lawful Basis for processing your information

The General Data Protection Regulation (GDPR) requires all organisations that process personal data to have a Lawful Basis for doing so. The lawful Bases identified in the GOPR are:

  • Consent of the data subject
  • Performance of a contract with the data subject or to take steps to enter into a contract
  • Compliance with a legal obligation
  • To protect the vital interests of a data subject or another person
  • Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The legitimate interests of ourselves, or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Examples of legitimate interests include:

  • Where the data subject is a client or in the service of the controller;
  • Transmission within a group of undertakings for internal administrative purposes;
  • Processing necessary to ensure network and information security, including preventing unauthorised access;
  • Processing for direct marketing purposes, or to prevent fraud; and
  • Reporting possible criminal acts or threats to public security.

We use your Information to provide legal services. 


We collect and process both personal data and special categories of personal data as defined in the GDPR. This includes:


We may share your personal data with:

  • Our legal advisors in the event of a dispute or other legal matter;
  • Law enforcement officials, government authorities, or other third parties to meet our legal obligations
  • Any other party where we ask you and you consent to the sharing.
  • Barristers instructed to provide you with legal services. 

We do not transfer any personal data to third countries or international organisations

We retain your personal data while you remain a client, unless you ask us to delete it. Our Retention and Disposal Policy (copy available on request) details how long we hold data for and how we dispose of it when it no longer needs to be held. We will delete or anonymise your information at your request unless:

  • There is an unresolved issue, such as claim or dispute;
  • We are legally required to; or
  • There are overriding legitimate business interests, including but not limited to fraud prevention and protecting customers’ safety and security.
Your Rights

The General Data Protection Regulation gives you specific rights around your personal data. For  example, you have  to  be informed about the information we hold and what we use it for, you  can ask  for  a copy  of the personal  information  we hold about  you, you can ask us to correct any inaccuracies with the personal data we hold, you can ask us to stop sending you direct mail, or emails, or in some circumstances ask us to stop processing your details. Finally, if we do something irregular or improper with your personal data you can seek compensation for any distress you are caused or loss you have incurred. You can find out more information from the ICO’s 

Accessing and Correcting Your Information

You may request access to, correction of, or a copy of your information by contacting us at I }.

Marketing Opt-Outs

You may opt out of receiving emails and other messages from our organisation by following the instructions in those messages.

This document contains material that is distributed under licence from OMG Software Ltd. No reproduction or distribution of this material is allowed outside of your organisation without the permission of OMG Software Ltd.

Data Retention and Disposal Policy

Data Retention and Disposal Policy for Lamb Building Chambers


In the course of carrying out various functions, we create and hold a wide range of recorded information. Records will be properly retained to enable us to meet our business needs, legal requirements, to evidence events or agreements in the event of allegations or disputes and to ensure that any records of historic value are preserved.

The untimely destruction of records could affect:

  • the conduct of business;
  • the ability of the business to defend or instigate legal actions;
  • the business’s ability to comply with statutory obligations; and/or
  • the business’s reputation.

Conversely, the permanent retention of records is undesirable and, in certain circumstances, unlawful. Therefore, disposal is necessary to free up storage space, reduce administrative burden, and to ensure that the organisation does not unlawfully retain records for longer than necessary, particularly those containing personal data.

This policy supports our organisation in demonstrating accountability through the proper retention of records and by demonstrating that disposal decisions are taken with proper authority and in accordance with due process.


The purpose of this policy is to provide guidance as to set out the length of time that records should be retained and the processes to review the records as to any further retention or for disposing of records at the end of the retention period. The policy helps to ensure that we operate in compliance with the General Data Protection Regulation and any other legislative or regulatory retention obligations.


The policy covers the records listed in the Data Processed Register, irrespective of the media on which they are created or held, including:

  • paper;
  • electronic files (including database, Word documents, power point presentations, spreadsheets, web pages and e-mails}; and
  • photographs, scanned images, CD-ROMs, and videotapes.

The policy covers all types of records that we create or hold which may include but are not limited to:

  • employee data;
  • customer data;
  • minutes of meetings;
  • data from external parties;
  • contracts and invoices;
  • registers;
  • legal advice;
  • file notes;
  • financial accounts; and
  • the organisation’s publications.

The policy applies equally to all permanent and casual employees, agency staff, and outsourced suppliers.

Unless a record has been marked for ‘permanent preservation’ it should only be retained for a limited period of time. The recommended minimum retention period derives from either:

  • business need;
  • legislation;
  • responding to complaints;
  • taking or defending legal action.

The Data Protection Officer is responsible for ensuring that data is periodically reviewed (at least annually) to determine whether any retention periods have expired. Once the retention period has expired, the data must be reviewed and a disposal action agreed upon. A disposal action is;

  • the destruction of the data; or
  • the retention of the data for a further period; or,
  • alternative disposal of the data.

The disposal action decision must be reached having regard to:

  • on-going business and accountability needs (including audit);
  • current applicable legislation;
  • whether the data has any long-term historical or research value;
  • best practice in the business industry;
  • costs associated with continued storage versus costs of destruction; and
  • the legal, political, and reputational risks associated with keeping, destroying or losing control over the data.

Decisions must not be made with the intent of denying access or destroying evidence.


No destruction of data should take place without assurance that:

  • the data is no longer required by any part of the business;
  • no work is outstanding by any part of the business;
  • no litigation or investigation is current or pending which affects the data; and
  • there are no current or pending Freedom of Information or Data Protection access requests which affect the data.
Destruction of Paper Records

Destruction should be carried out in a way that preserves the confidentiality of the data. Non-confidential data can be placed in ordinary rubbish bins or recycling bins. Confidential data should be placed in confidential waste bins or shredded and placed in paper rubbish sacks for collection by an approved disposal firm. All copies, including security copies, preservation copies and backup copies, should be destroyed at the same time and in the same manner.

Destruction of Electronic Records

All electronic data will need to be either physically destroyed or wiped in keeping with the organisation’s Security Policy. Deletion of the files is not sufficient.

Further Retention

The data may be retained for a further period if it has on-going business value or if there is specific legislation that requires it to be held for a further period. Data should not ordinarily be retained for more than 30 years in aggregate from the date of creation, save for human resources information that may need to be retained for 100 years from date of birth.

Further Information

This document should be read in conjunction with the Data Protection Policy and Data Security Policy.

This document contains material that is distributed under licence from OMG Software Ltd. No reproduction or distribution of this material is allowed outside of your organisation without the permission of OMG Software Ltd.

GDPR Data Protection Policy

GDPR Data Protection Policy

Background to the General Data Protection Regulation (GDPR)

The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1995 and supersedes the UK’s Data Protection Act 1998. Its purpose is to protect the “rights and freedoms” of living individuals in relation to their personal data.

Policy Statement

Lamb Building Chambers are committed to compliance with all relevant EU and UK laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR).

The GDPR and this policy apply to all of our personal data processing functions, including those performed on clients’, employees’, and suppliers’ personal data, and any other personal data we process from any source.

Mr Bernard Richmond QC is the designated Data Protection Officer (DPO) and is responsible for all data protection matters.

This policy applies to all employees (permanent and temporary), agency, and contract staff. Any breach of the GDPR will be dealt with under our disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

Partner organisations and third parties working with or for us which have or may have access to personal data will be expected to adhere to all obligations imposed by data protection legislation. No third party may access personal data held by us without having first entered into a Data Sharing Agreement which imposes on the third party obligations no less onerous than those to which we are committed, and which gives us the right to audit compliance with the Agreement.


The GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system .

The GDPR applies to all Data Controllers that are established in the European Union (EU) who process the personal data of Data Subjects. It also applies to Data Controllers outside of the EU who process personal data in order to offer goods and services to, or monitor the behaviour of, Data Subjects who are resident in the EU.

Personal data – any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a living person, data concerning health or data concerning a living person’s sex life or sexual orientation.

Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by EU or Member State law.

Data Subject – any living individual who is the subject of personal data held by an organisation.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation , use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The data controller is required to report data breaches to the Information Commissioner’s Office (ICO), particularly breaches likely to adversely affect the personal data or privacy of the Data Subject.

Consent – means any freely given, specific, informed, and unambiguous indication of  the Data Subject’s  wishes by which he or she, by a statement or by a clear affirmative action , signifies agreement to the processing of personal data.

Child – the GDPR defines a child as anyone under the age of 16 years, although the UK may lower this to the age of 13. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The data controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.

Third party – a natural or legal person, public authority, agency or body other than the Data Subject, data controller, data processor and persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.

Senior Management and all those in managerial or supervisory roles throughout the organisation are responsible for developing and encouraging good information handling practices within the organisation; specific responsibilities are set out in individual job descriptions.

Our DPO has specific responsibilities in respect of matters such as managing Subject Access Requests and is the first point of call for anyone seeking clarification on any aspect of data protection compliance within the organisation.

Compliance with data protection legislation is the responsibility of everyone in our organisation who processes personal data. Our [Training Policy] sets out specific training and awareness requirements in relation to specific roles and employees generally.

Employees are responsible for ensuring that any personal data about them and supplied by them to us is accurate and up-to-date. 

Data Protection Principles

All processing of personal data must be conducted in accordance with the Data Protection Principles as set out in the GDPR and outlined below. Our policies and procedures are designed to ensure compliance with these Principles.

Principle 1
Personal data must be processed lawfully, fairly, and transparently and lawfully – we need to identify a lawful basis before we can process personal data, for example, consent.

Fairly – in order for processing to be fair, we have to make certain information available to Data Subjects. This applies whether the personal data was obtained directly from Data Subjects or from other sources.

Transparently- the GDPR includes rules on giving privacy information to Data Subjects. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the Data Subject in an intelligible form using clear and plain language.

Principle 2
Personal data can only be collected for specific, explicit, and legitimate purposes

The data we obtain for specified purposes must not be used for a purpose that is incompatible with those formally notified to the ICO as part of our GDPR register of processing.

Principle 3
Personal data must be adequate, relevant, and limited to what Is necessary for processing

We cannot collect information that is not strictly necessary for the purpose for which it is obtained.

Principle 4
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay Data that is stored by us must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.

Principle 5
Personal data must be kept in a form such that the Data Subject can be identified only as long as is necessary for processing data. We should only personal for as long as we need it.

Principle 6
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Demonstrating Accountability

The GDPR includes provisions that promote Accountability and Governance. These complement the GDPR’s transparency requirements. Accountability requires us to demonstrate that we comply with the GDPR Principles.

We will demonstrate compliance with the GDPR Principles by implementing and adhering to data protection policies, implementing technical and organisational measures

Data Subjects’ Rights

The GDPR provides the following rights for individuals in relation to their personal data:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Data Subjects may make Subject Access Requests relating to their personal data. Our Subject Access Request Policy describes how we will ensure that our response to the request complies with the requirements of the GDPR.

Our DPO is responsible for responding to requests for information from Data Subjects within one calendar month in accordance with our Subject Access Request Policy. This can be extended to two months for complex requests in certain circumstances. If we decide not to comply with the request, the DPO must respond to the Data Subject to explain our reasoning and inform them of their right to complain to the ICO and seek judicial remedy.

Data Subjects have the right to complain to us about the processing of their personal data, the handling of a Subject Access Request and to appeal against how their complaints have been handled.


We understand ‘consent’ to mean that it has been explicitly and freely given, and it is a specific, informed and unambiguous indication of the Data Subject’s wish that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The Data Subject can withdraw their consent at any time.

We also understand ‘consent’ to mean that the Data Subject has been fully informed of the intended processing and has signified their agreement while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.

Consent cannot be inferred from non-response to a communication. As Data Controller, we must be able to demonstrate that consent, where necessary, was obtained for the processing operation.

For Sensitive Personal Data, explicit written consent of Data Subjects must be obtained unless an alternative legitimate basis for processing exists.

Where we provide online services to children under the age of 16, parental or custodial authorisation must be obtained.

 Collection of Data

All data collection forms (electronic and paper-based), including data collection requirements in new information systems, must include a fair processing statement or a link to our Privacy Notice and be approved by the DPO.

Accuracy of Data

Our DPO is responsible for ensuring that all employees are trained in the importance of collecting accurate data and maintaining it.

Employees are required to notify the Senior Clerk of any changes in their personal circumstance’s which may require personal records be updated accordingly.

Our DPO is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.

Our DPO is responsible for making appropriate arrangements where third-party organisations may have been passed inaccurate or out-of-date personal data to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal data to the third party where this is required.

Security of Data

All personal data should be accessible only to those who need to use it. All personal data should be treated with the highest security as set out in our Data Security Policy.

In determining appropriateness of all technical and organisational security measures, the  DPO will consider  the extent  of  possible  damage  or  loss that might be caused to individuals (e.g. staff or customers)  if  a security breach occurs, the effect of  any security breach on our  organisation  itself,  and any likely reputational damage, including the possible loss of customer trust.

It is strictly prohibited to remove personal data from our premises for any reason other than carrying out legitimate processing activities.

Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft, or damage to personal data and the precautions that must be taken are set out in our Data Security Policy.

All employees are responsible for ensuring that any personal data that we hold and for which they are responsible is kept securely and is not, under any condition, disclosed to any third party unless that third party has been specifically authorised by us to receive that information and has entered into a Data Sharing Agreement.

Disclosure of Data

All requests to provide personal data must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.

We must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and, in certain circumstances, the Police. All employees should exercise caution when asked to disclose personal data held on another individual to a third party.

Retention and Disposal of Data

We shall not keep personal data in a form that permits identification of Data Subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.

 The retention period for each category of personal data is set out in our Retention and Disposal Policy.

Personal data will be retained in line with our Retention and Disposal Policy and, once its retention date is passed, it must be securely destroyed as set out in this policy.

On at least an annual basis, our DPO will review the retention dates of all the personal data processed by our organisation and will identify any data that is no longer required. This data will be securely archived, deleted or destroyed in line with our Retention and Disposal Policy.

Where personal data is archived it will be minimised in order to protect the identity of the Data Subject in the event of a data breach.

We may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subject. 

Data Protection Impact Assessments (DPIA)

Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of living peoples, we shall, prior to the processing, carry out a Data Protection Impact Assessment of the envisaged processing operations. All DPIAs should lead by or overseen by the DPO.

Where, as a result of a DPIA it is clear that we are about to commence processing of personal data that could cause damage and/or distress to the Data Subjects, the decision as to whether or not we may proceed must be referred to senior management for approval to proceed.

Our DPO shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, refer to the ICO for guidance and advice.


This document contains material that is distributed under licence from OMG Software Ltd. No reproduction or distribution of this material is allowed outside of your organisation without the permission of OMG Software Ltd.

Data Security Policy

Data Security Policy for Lamb Building Chambers


In order to meet the requirements of the General Data Protection Regulation, we are obliged to have in place a framework designed to ensure the security of all personal data during collection, processing and disposal. We are committed to complying with relevant data protection legislation.


Scope of the Policy

This policy relates to the retention and storage of all personal data held in hard copy, i.e. on paper, or on physical devices, e.g. USBs, CDs, DVDs, tablets and Smartphones, and the retention and use of electronic data.

This policy applies to all use of information and information technology on our premises, even if we do not own the equipment, to all information technology provided by the business wherever it is used, including by employees working away from our premises, and to all external access to our information technology from wherever this is initiated, including by employees working away from our premises.

This policy applies to all employees, including temporary and casual employees, and agency staff.


Keeping Personal Information Secure

All personal data, whether in hard copy or stored on a USB, CD, DVD, or other physical device, must be kept in a secure environment with controlled access. The level of security applied should be agreed after a basic risk assessment has been carried out as provided for at 5 below. Appropriate secure environments include:

  • locked metal cabinets with access to keys limited to authorised personnel only;
  • locked drawers in a desk (or other storage area) with access to keys limited to authorised personnel only; and
  • locked rooms accessed by key and/or coded door lock where access to keys and/or codes is limited to authorised personnel only.

All staff must receive appropriate, specific induction on data security in general and specific data security requirements in their area of business.

Where access to personal data is required on a frequent basis, and therefore maintaining locked drawers or cabinets at all times is impractical, steps must be taken to ensure authorised personnel are in attendance at all times when the data is in an unlocked environment.

Files containing personal data must never be left unattended while removed from their normal locked storage area. Staff must therefore adopt a clear desk policy, in relation to files and documents containing personal information, at all times when they are out of their offices or away from their work area.


Access to Personal Data

Managers must designate the individual members of staff who, by nature of the post, have been identified as requiring legitimate access to personal data in the course of their duties.

In addition, the designated purposes for which access to personal data will be permitted must also be defined. For some business areas, this will be clear from the function of the business area, e.g. Human Resources. However, in other cases this will require to be specifically defined.

From time to time all staff will have access to personal data about other members of staff or customers and confidentiality must be observed by all staff at all times. When temporary staff are employed in posts which involve access to and processing of personal data, confidentiality agreements should be included within the Terms and Conditions of Employment.

Where a file containing personal data is removed in response to a legitimate request by another authorised member of staff, this must be subject to a strict signing out and return procedure, which is the responsibility of the person holding the file.

The Manager of the relevant area will be expected to designate a member of staff with responsibility for overseeing arrangements for the removal and return of records.

The occasions when personal information is photocopied should be kept to a minimum. Where this is necessary, the provider of the information is responsible for ensuring all copies are returned once the task in question has been completed and subsequently disposed of in accordance with our Retention and Disposal Policy.

Where employees are required to take manual personal data home with them, appropriate security precautions must be taken to guard against theft, loss or inappropriate access. This will include securing data in a locked briefcase, never leaving data unattended in a public place and ensuring that all reasonable precautions are taken to secure data at home and whilst in transit. When working from home staff are required to use secure remote access to electronic records containing personal data and should not copy such records to a home PC. 


Risk Assessment

A data protection/security risk assessment will be carried out as appropriate by business area managers or by an individual designated by them.

The purpose of the assessment is to establish the potential risks for unauthorised access to personal data and to define appropriate actions to eliminate, or at least mitigate, the risk of unauthorised access.

Managers will be expected to consult the Data Protection Officer on steps planned to address any potential risks identified.


Third Parties

Arrangements must be in place to ensure the security of all personal data which may be transferred to, or processed by, a third party.

In advance of any external transfer of personal data, staff should consider whether such a transfer is authorised under any relevant data sharing agreement, or is otherwise required by or permitted under the General Data Protection Regulation. The purpose, fairness and transparency of any transfer must always be considered and staff must ensure that they have consulted the Data Protection Officer prior to any such external data sharing.

Where external data sharing has been considered necessary or is permitted, the appropriate security precautions should be taken to minimise the risks of loss of data and/or accidental third-party disclosure.

All communications should be marked strictly private and confidential and addressed to a named individual.

Physical devices containing personal data, e.g. USBs, CDs, DVDs, should encrypted before being removed from our premises.

The most appropriate secure method of sending the information must be considered, e.g. hand delivery, registered or recorded delivery, courier, encrypted or secure electronic transfers.

Personal data will be retained only for the designated periods in our Retention and Disposal Policy. The Data Protection Officer will provide further advice and guidance on request. All personal data must be disposed of securely and safely in accordance with the Retention and Disposal Policy


Electronic Devices

The electronic storage of personal data requires certain minimum levels of security.

All personal computers/devices used for work must be protected by up to date anti-virus and anti-spyware software, subjected to regular virus scans, and protected by a firewall appropriate for the computer used.

The operating software must be checked regularly to ensure that the latest security updates are downloaded. Access to all computers must be password protected. Particular care must be taken to avoid potential infection by malware, e.g. by downloading software other than from trusted sources.

Work-in-progress should be regularly backed up, and back-up media should be locked away securely.

Computers used for working on personal data at home should be protected from unauthorised and unrestricted access by third parties, including family members. Where practicable, the ideal is a computer used only for work. The use of removable storage media (such as memory sticks, CD-ROMs, removable hard disk drives and PDAs) is prohibited without the express authorisation of the Data Protection Officer/IT Manager, and only in particular circumstances

Laptop computers must be encrypted to such standards as may be approved by the IT manager.


Security Incidents

All incidents where the security of personal data or IT systems has been compromised or where there have been any suspected security weaknesses or threats must be reported immediately to the Data Protection Office. The Data Protection Officer will decide in the particular circumstances of the breach whether it is serious enough to inform the Information Commissioner’s Office.

Any breach of security policies and procedures by a member of staff will be dealt with through the relevant formal disciplinary processes.


Business Continuity and Disaster Recovery

All IT systems have been subject to a formal risk assessment exercise to determine their level of criticality to the organisation and to determine where and at what level business continuity planning is needed. The business has also developed guidance on its vital manual records and the appropriate business continuity measures to be adopted for all electronic and manual data. Designated control measures ensure that manual personal data is kept in an appropriately secure environment where risk of Joss or damage is minimised.

Appropriate arrangements must be made for manual records which are classed as ‘vital records’, including fire-proof storage, off-site storage and backing up in electronic form e.g. by scanning. However, as electronic copies of such records may not provide the same evidential weight as the original document, the Manager with responsibility for such records must consider which arrangements are appropriate and seek advice as necessary from the Data Protection Officer.


Good Practice Guidelines General

The following points represent good practice:

  • Always log off, or lock a workstation before leaving it. This is to ensure that no one else can access your information or has the opportunity to use your workstation without identifying themselves, e.g. to send an abusive email in your name.
  • When confidential work is being carried out ensure no one else can read the screen.
  • Protect equipment from physical theft. This is vitally important for portable equipment.
  • Ensure that all data is backed up regularly and copies kept in a separate secure location. Liaise with the IT Department lf you require assistance.
  • Respect the legal protections for information and software provided under copyright and licenses. Never copy electronic information or computer programmes unless specifically authorised in writing. Never run or install software without a valid licence.
  • All PCs should be patched with the latest security critical and up to date patches.
  • All data storage devices including laptops, USB sticks, CD’s, DVD’s that are brought in to the business must be checked for viruses on every occasion before use.
  • All workstations connected to our network, whether owned by us or not, shall be continually running approved virus-scanning software with a current virus database.
  • Never introduce malicious programs into our network or servers (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) by any means.

Email and Internet Use

  • Always check the address line before sending a message and check it is being sent to the correct person.
  • Never represent yourself as another person or persons.
  • Delete electronic mail messages when they are no longer required.
  • Do not make comments or express views that could be regarded by others as offensive or libellous.
  • Personal private emails must be saved in a separate folder from work related emails. Clearly mark all emails that are of a personal nature as “personal”.
  • Personal/private postings to blogs, newsgroups or similar which mention our business must contain a disclaimer stating that the opinions expressed are strictly personal and not necessarily those of our business.
  • Do not open e-mail attachments received from unknown senders as these may contain viruses, e-mail bombs, Trojan horse code or some other form of Malware.
  • Do not forward electronic mail messages to other individuals or groups that have been sent to you containing personal data (as defined by the General Data Protection Regulation) without the permission of the originator.



  • All workstations must be protected with a password. 
  • Authorised users are responsible for the security of their passwords and user accounts. Passwords must be kept secure and never shared with anyone else.
  • Passwords should never be displayed on screens.
  • If at anytime you think someone may have discovered your password you must immediately change it or request that it is changed.
  • Passwords should never be “remembered” on the computer but entered by the user on all occasions.

Electronic Devices

  • Access to all computers must be password protected.
  • Particular care must be taken to avoid potential infection by malware, e.g. by downloading software other than from trusted sources.
  • Work-in-progress should be regularly backed up, and back-up media should be locked away securely.
  • Computers used for working on personal data at home should be protected from unauthorised and unrestricted access by third parties, including family members. Where practicable, the ideal is a computer used only for work.
  • Storage mediums and devices such as USBs, external hard drives, flash cards and any other portable drives carry considerable risks in transporting, storing or transferring confidential business information. Therefore the use of removable storage media is prohibited without the express authorisation of the Data Protection Officer, and encryption should always be used.
  • The organisation maintains a log of all computers and devices used for storing or working on personal data. 
  • You have suitable encryption software installed for the storage and transportation of business information.
  • Business information should not be stored or transported using a mobile device unless there is a clear business need to do so and should be retained only temporarily to fulfil that need. The information should then be adequately deleted and unrecoverable from that device.
  • If the device is to be used to handle data provided by a third party it is the device owner’s responsibility to ensure any security or data handling requirements by that organisation are met.
  • Users must ensure they mitigate the risks associated with the environment in which they may be working. 
  • Should the loss, theft or misplacing of any such device occur the Senior Clerk should be immediately informed with as much detail as possible regarding the device, the data it held and whether the loss had been reported to any relevant authorities.
  • If you access e-mails from your mobile telephone or Smartphone, you must ensure that the device is suitably password­ protected and encrypted. 
  • Computers or devices should not be placed so that their screens can be overlooked, especially when working in co-working areas or public places.
  • Extreme care should be taken to ensure that laptops, removable devices, and removable storage media containing personal data are not lost or stolen. In particular, such laptops and other removable devices should never be left unattended in public places or left in a car overnight;

This document contains material that is distributed under licence from OMG Software Ltd. No reproduction or distribution of this material is allowed outside of your organisation without the permission of OMG Software Ltd.