GDPR Data Protection Policy
Background to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1995 and supersedes the UK’s Data Protection Act 1998. Its purpose is to protect the “rights and freedoms” of living individuals in relation to their personal data.
Lamb Building Chambers are committed to compliance with all relevant EU and UK laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR).
The GDPR and this policy apply to all of our personal data processing functions, including those performed on clients’, employees’, and suppliers’ personal data, and any other personal data we process from any source.
Mr Bernard Richmond QC is the designated Data Protection Officer (DPO) and is responsible for all data protection matters.
This policy applies to all employees (permanent and temporary), agency, and contract staff. Any breach of the GDPR will be dealt with under our disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
Partner organisations and third parties working with or for us which have or may have access to personal data will be expected to adhere to all obligations imposed by data protection legislation. No third party may access personal data held by us without having first entered into a Data Sharing Agreement which imposes on the third party obligations no less onerous than those to which we are committed, and which gives us the right to audit compliance with the Agreement.
The GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system .
The GDPR applies to all Data Controllers that are established in the European Union (EU) who process the personal data of Data Subjects. It also applies to Data Controllers outside of the EU who process personal data in order to offer goods and services to, or monitor the behaviour of, Data Subjects who are resident in the EU.
Personal data – any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a living person, data concerning health or data concerning a living person’s sex life or sexual orientation.
Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by EU or Member State law.
Data Subject – any living individual who is the subject of personal data held by an organisation.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation , use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The data controller is required to report data breaches to the Information Commissioner’s Office (ICO), particularly breaches likely to adversely affect the personal data or privacy of the Data Subject.
Consent – means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action , signifies agreement to the processing of personal data.
Child – the GDPR defines a child as anyone under the age of 16 years, although the UK may lower this to the age of 13. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The data controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Third party – a natural or legal person, public authority, agency or body other than the Data Subject, data controller, data processor and persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.
Senior Management and all those in managerial or supervisory roles throughout the organisation are responsible for developing and encouraging good information handling practices within the organisation; specific responsibilities are set out in individual job descriptions.
Our DPO has specific responsibilities in respect of matters such as managing Subject Access Requests and is the first point of call for anyone seeking clarification on any aspect of data protection compliance within the organisation.
Compliance with data protection legislation is the responsibility of everyone in our organisation who processes personal data. Our [Training Policy] sets out specific training and awareness requirements in relation to specific roles and employees generally.
Employees are responsible for ensuring that any personal data about them and supplied by them to us is accurate and up-to-date.
Data Protection Principles
All processing of personal data must be conducted in accordance with the Data Protection Principles as set out in the GDPR and outlined below. Our policies and procedures are designed to ensure compliance with these Principles.
Personal data must be processed lawfully, fairly, and transparently and lawfully – we need to identify a lawful basis before we can process personal data, for example, consent.
Fairly – in order for processing to be fair, we have to make certain information available to Data Subjects. This applies whether the personal data was obtained directly from Data Subjects or from other sources.
Transparently- the GDPR includes rules on giving privacy information to Data Subjects. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the Data Subject in an intelligible form using clear and plain language.
Personal data can only be collected for specific, explicit, and legitimate purposes
The data we obtain for specified purposes must not be used for a purpose that is incompatible with those formally notified to the ICO as part of our GDPR register of processing.
Personal data must be adequate, relevant, and limited to what Is necessary for processing
We cannot collect information that is not strictly necessary for the purpose for which it is obtained.
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay Data that is stored by us must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.
Personal data must be kept in a form such that the Data Subject can be identified only as long as is necessary for processing data. We should only personal for as long as we need it.
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
The GDPR includes provisions that promote Accountability and Governance. These complement the GDPR’s transparency requirements. Accountability requires us to demonstrate that we comply with the GDPR Principles.
We will demonstrate compliance with the GDPR Principles by implementing and adhering to data protection policies, implementing technical and organisational measures
Data Subjects’ Rights
The GDPR provides the following rights for individuals in relation to their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Data Subjects may make Subject Access Requests relating to their personal data. Our Subject Access Request Policy describes how we will ensure that our response to the request complies with the requirements of the GDPR.
Our DPO is responsible for responding to requests for information from Data Subjects within one calendar month in accordance with our Subject Access Request Policy. This can be extended to two months for complex requests in certain circumstances. If we decide not to comply with the request, the DPO must respond to the Data Subject to explain our reasoning and inform them of their right to complain to the ICO and seek judicial remedy.
Data Subjects have the right to complain to us about the processing of their personal data, the handling of a Subject Access Request and to appeal against how their complaints have been handled.
We understand ‘consent’ to mean that it has been explicitly and freely given, and it is a specific, informed and unambiguous indication of the Data Subject’s wish that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The Data Subject can withdraw their consent at any time.
We also understand ‘consent’ to mean that the Data Subject has been fully informed of the intended processing and has signified their agreement while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
Consent cannot be inferred from non-response to a communication. As Data Controller, we must be able to demonstrate that consent, where necessary, was obtained for the processing operation.
For Sensitive Personal Data, explicit written consent of Data Subjects must be obtained unless an alternative legitimate basis for processing exists.
Where we provide online services to children under the age of 16, parental or custodial authorisation must be obtained.
Collection of Data
All data collection forms (electronic and paper-based), including data collection requirements in new information systems, must include a fair processing statement or a link to our Privacy Notice and be approved by the DPO.
Accuracy of Data
Our DPO is responsible for ensuring that all employees are trained in the importance of collecting accurate data and maintaining it.
Employees are required to notify the Senior Clerk of any changes in their personal circumstance’s which may require personal records be updated accordingly.
Our DPO is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
Our DPO is responsible for making appropriate arrangements where third-party organisations may have been passed inaccurate or out-of-date personal data to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal data to the third party where this is required.
Security of Data
All personal data should be accessible only to those who need to use it. All personal data should be treated with the highest security as set out in our Data Security Policy.
In determining appropriateness of all technical and organisational security measures, the DPO will consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on our organisation itself, and any likely reputational damage, including the possible loss of customer trust.
It is strictly prohibited to remove personal data from our premises for any reason other than carrying out legitimate processing activities.
Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft, or damage to personal data and the precautions that must be taken are set out in our Data Security Policy.
All employees are responsible for ensuring that any personal data that we hold and for which they are responsible is kept securely and is not, under any condition, disclosed to any third party unless that third party has been specifically authorised by us to receive that information and has entered into a Data Sharing Agreement.
Disclosure of Data
All requests to provide personal data must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.
We must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and, in certain circumstances, the Police. All employees should exercise caution when asked to disclose personal data held on another individual to a third party.
Retention and Disposal of Data
We shall not keep personal data in a form that permits identification of Data Subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.
The retention period for each category of personal data is set out in our Retention and Disposal Policy.
Personal data will be retained in line with our Retention and Disposal Policy and, once its retention date is passed, it must be securely destroyed as set out in this policy.
On at least an annual basis, our DPO will review the retention dates of all the personal data processed by our organisation and will identify any data that is no longer required. This data will be securely archived, deleted or destroyed in line with our Retention and Disposal Policy.
Where personal data is archived it will be minimised in order to protect the identity of the Data Subject in the event of a data breach.
We may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subject.
Data Protection Impact Assessments (DPIA)
Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of living peoples, we shall, prior to the processing, carry out a Data Protection Impact Assessment of the envisaged processing operations. All DPIAs should lead by or overseen by the DPO.
Where, as a result of a DPIA it is clear that we are about to commence processing of personal data that could cause damage and/or distress to the Data Subjects, the decision as to whether or not we may proceed must be referred to senior management for approval to proceed.
Our DPO shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, refer to the ICO for guidance and advice.
This document contains material that is distributed under licence from OMG Software Ltd. No reproduction or distribution of this material is allowed outside of your organisation without the permission of OMG Software Ltd.