Data Protection Privacy Notice.
Introduction and definitions
- Allen and Co is committed to protecting your privacy. This policy has been written in order to comply with the UK’s current Data Protection legislation. It is intended to meet the provisions in articles 12-23 of the General Data Protection Regulations 2018 (GDPR) with regards to the right to be informed. It also is intended to comply with our own professional duty of confidentiality.
- If you have any queries or concerns about how we manage your personal data or you wish to exercise any rights under the Act please contact:
Tracey Allen at firstname.lastname@example.org
Telephone number: 01494 870270
Address: 1 Narcot Lane Chalfont St Giles Bucks HP8 4DA
- If you are not satisfied with the response you receive from Tracey Allen you may contact the UK regulator on Data Protection. This is The Information Commissioner’s Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. 0303 1231113 ico.org.uk
- Allen and Co’s principal, Tracey Allen, is registered as a data controller with the ICO under Registration number Z2584969.
- A “data controller” is the person who determines how your personal data is processed and for what purposes.
- A “data processor” is a person or a body/organisation that processes personal data on behalf of a data controller.
- “Personal data” is information about a natural person (Data Subject), which is capable of identifying that person. Identification may be by the information alone or in conjunction with any other information in the Data Controller’s possession or likely to come into such possession.
- “Special category personal data” includes data as to sexual orientation and sex life; race or ethnicity; religion or philosophical beliefs; political opinions; trade union membership; biometrics; health. It does not include data as to age or finances.
- “Processing” is any operation or group of operations performed on personal data (automated or not) including for example; collection; recording; storage; using; disclosure; destruction.
- “Data breach” is any event that could lead to unauthorised disclosure; changing or disclosure of personal data. I.e. hacking; loss of files; misdirected post or emails.
How do we collect your data?
- When you interact with us. We collect personal data when you submit a contact form on our website; make an initial enquiry by email or telephone; or contact us by post. Subsequently, throughout the continuance of your instructions with us.
- When you contact a third party. We could also receive personal data about you from third parties such as;
- the Law Society or Solicitor’s Regulation Authority, if for example, you have contacted either of them seeking out a solicitor to help you;
- another firm of solicitors;
- an SEND adviser or consultant.
Please note that we do not purchase contact lists or personal data nor do we sell lists or personal data.
What data do we collect?
- Data may include:
- your name, address, phone numbers, email address; date of birth;
- information/copy documents as to proof of identity, such as a birth certificate or passport;
- all copy documents relevant to your matter, which may of course include your personal data, in order to provide you with the legal services/advice you have requested.
- We may also need to ask you about more sensitive personal data, if this is required to carry out your work and this may include for example,
- any special educational needs or disability you or your child might have;
- health data;
- your race/ethnicity;
- your religious or philosophical beliefs.
How do we use your data?
- We will use your personal data (in no particular order of importance save for (i))
- primarily to inform you or provide you in general, with the legal services/advice you have requested or enquired about;
- to carry out negotiations and litigation on your behalf or on behalf of the organisation that you represent;
- to prepare legal or other documents on your behalf;
- to submit legal or other documentation, e.g. appeal documentation, complaints or otherwise on your behalf;
- to keep records of any financial transactions we may make on your behalf;
- to maintain our own financial accounts and records;
- to carry out identity, credit, anti-money laundering and fraud prevention checks using data bases kept by other organisations (which may involve giving your details to registered credit reference or fraud prevention agencies) where necessary;
- to help us manage our practice and statutory returns, to meet any regulatory requirements or other requirements imposed by the Law Society/Solicitors Regulation Authority/Professional Indemnity Insurers. (In most instances data would be anonymised.);
- to operate the firm’s website;
- to send you invoices for work done or to chase payment of such invoices;
- for administrative purposes e.g. to enable us to communicate with you effectively;
- to enable us to instruct other professional advisers and expert witnesses in connection with your matter;
- to contact individuals via surveys to garner their opinions of the service provided by Allen and Co;
- to respond to any complaint or any allegation of negligence against us;
- to check for potential conflicts of interest;
- to inform you of news, updates in the law and events being run by Allen and Co (whether alone or in conjunctions with any third party) (i.e. marketing but see below with regards to consent).
- We will only use your personal data for the purposes listed above. Should we find it necessary to use your data for other purposes, we will contact you, prior to commencing the processing, with a new Privacy Notice explaining this new use, and setting out the relevant purposes and processing conditions.
- We will not share or pass on your personal data to a third party unless we:
- need to do so to complete your work/carry out our contractual duties towards you;
- are required to do so by law;
- need to comply with any regulatory requirements or protect our legitimate interests.
- We may therefore share your data, for example, with:
- legal counsel (i.e. barrister) or non-legal experts (e.g. head teachers; educational psychologists; Occupational Therapists; Speech and Language Therapists;) to obtain advice or assistance in your matter
- a Local Authority
- a Court or Tribunal
- Independent Appeal and Review Panels
- The Local Government and Social Care Ombudsman
- The Secretary of State for Education
- The Office of the Schools’ Adjudicator
- The Office of the Information Commissioner
- The Equality and Human Rights Commission
- the solicitors acting for the other party in your matter or the other party direct if representing themselves
- solicitors representing our interests in the event of a claim against us
- SRA or Law Society
- our accountants or other financial advisers
- a prospective purchaser (or their advisers) of this business under a binding non-disclosure agreement
- providers of identity verification and assurance tools who we may appoint to confirm that we can take you on as a client
- relevant authorities in relation to the prevention of financial crime or terrorism, as required by law
Please note this list is not exhaustive. Should we need to share your personal data with a body not on this list we will first discuss the same with you.
- We will only use your personal data for direct marketing purposes if we have your consent (for electronic communications, postal or telephone communications).
- You may decide at any time that you no longer wish to hear from us and in that case you should contact Tracey Allen as above but please see paragraphs 39 and 40 below.
- We do not expect to be sending any of your personal data outside the UK or the EU. The only exception to this is that the cloud used by our IT provider is currently based in the USA. However, we have received assurances that this provision is compliant with GDPR and we will keep this under review annually or more frequently if that becomes necessary.
How do we protect your data?
- Allen and Co uses secure servers when you visit our website. We use our best endeavours to put in place necessary and appropriate measures to ensure your personal data is kept secure, accurate and up to date. However, you will appreciate that the transmission of information via the internet can never be guaranteed to be completely secure.
- Information may be held on computers and/or in manual paper files.
- Personal data is only kept for as long as necessary and it is destroyed securely. We only retain data
- to carry out your work and/or answer any subsequent questions or queries from you;
- to comply with any legal requirement to retain it;
- until the period that you could make a claim against us has elapsed, which is usually six years after a matter has concluded;
- to comply with any client instructions to extend the retention period in relation to their documents
- Allen and Co relies on the services of a data processor (IT provider) for secure cloud storage for emails, word files etc. That provider’s compliance with GDPR has been checked and will be reviewed annually or more frequently if deemed necessary.
- We do not collect or retain excessive amounts of data and we make every effort to protect your data from loss, misuse, unauthorised access and disclosures. We ensure as far as possible that appropriate technical and managerial measures are in place to protect your personal data.
- Please note that our website may from time to time contain links to other third party websites. We do not control those third party websites and you are encouraged to view those third party websites’ own Privacy Policies etc. Allen and Co cannot be responsible for third party websites’ policies or practices.
- Despite all this, should a data breach occur we will ensure that our obligations under the current law are complied with.
What is the legal basis for processing your personal data?
- On the whole, processing is necessary for the performance of a contract with you or to take steps to enter into a contract with you, to provide legal services and advice.
- Processing is necessary in relation to the legitimate interests of Allen and Co, with regards to defending any claims against us and also to our PII insurers for the same reason.
- Processing is necessary in respect of legal obligations imposed by the Law Society or Solicitor’s Regulation Authority or in respect of the Money Laundering Regulations for example.
- Processing with consent, in terms of marketing, where appropriate.
- Your explicit consent in respect of the processing of your special category personal data.
- Processing is necessary for the establishment, exercise of defence of legal claims or where courts are acting in their judicial capacity.
Consent and withdrawing consent for marketing purposes and for special category data
- The GDPR provide you with three rights, the right to object to specific types of processing; the right to be forgotten and the right to restrict processing.
- You may change or withdraw your consent for us to hold your personal data for marketing purposes at any time by contacting Tracey Allen as above.
- You may withdraw your consent for us to hold your special category personal data at any time.
- We will make every effort to make the changes you request as soon possible and in any event within three working days.
- Please note that withdrawal of consent in either case may not necessarily stop us from communicating with you to fulfil any contractual obligation we have towards you. E.g. to deliver advice or documents to you and also, for example, to deliver our invoice to you and to seek payment of the same.
- Depending on the nature of your request we will comply with it to the fullest extent possible but in some circumstances this could mean that we are no longer able to continue to work on your matter. In this case, work would stop at the earliest opportunity but you would remain liable for the fees and disbursements incurred to date.
- A request to restrict processing of your data has the effect of freezing data, so we would continue to store your personal data but could not do anything with it. This might be relevant to you if you had any query or concerns over the way your data was handled. A right to be forgotten would usually apply if data is processed unlawfully or otherwise fails to satisfy the requirements of the GDPR.
Your right of access etc.
- Unless subject to an exception you have the right to (free of charge);
- ask for a copy of the personal data we hold about you;
- request that we correct any personal data, if it is found to be inaccurate or out of date;
- request that your personal data be removed from our records where it is no longer necessary for us to retain such data;
- ask us to stop using your data for a specific purpose (withdraw your consent);
- request a restriction be placed on further processing, where there is a dispute in relation to the accuracy or processing of your personal data;
- take your data elsewhere;
- lodge a complaint with the ICO.
- We will always aim to respond to any such request as quickly as possible and in any event within three days. We will aim to have any inaccuracies etc. resolved within one month of the date of your request. You may exercise these rights by contacting Tracey Allen as above.
Automated Decision making
- Allen and Co does not use any automated decision making or profiling processes.
If your personal details change
- Please contact Tracey Allen as above.
Changes to this policy
- Allen and Co may change this policy when appropriate to do so. You will be advised as soon as possible of any changes if we still hold information about you at the time of the changes.
- This policy will be reviewed annually in any event and perhaps sooner within the first year.
Your consent in respect of special category data, marketing and confirmation that you have read this document
- I/We have read and understood the contents of Allen and Co’s Privacy Notice
I/We hereby consent/do not consent to the processing of my/our special category personal data as set out in that Privacy Notice
I /We consent/do not consent to the use of my/our personal data for marketing purposes as set out in that Privacy Notice1
- We may from time to time wish to send you information, which we think might be of interest to you. This might be information about developments to the law that might be important to you and/or information about our practice. In order for us to do so we need your consent, which may be withdrawn at any time by notifying Tracey Allen. Any consent given to use your data for marketing purposes will need to be renewed every six months.