PRIVACY NOTICE FOR CLIENTS
What is the purpose of this document?
The Firm is committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect and use personal information about you. It provides you with certain information that must be provided under the General Data Protection Regulation (GDPR).
You have been referred to this privacy notice because you have instructed the Firm to advise you and/or to represent you.
The Firm is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.
In many instances the vast majority of personal data we collect about you and use will be subject to legal professional privilege and to that extent, such personal data is exempt under the GDPR. We are also a regulated legal professional business, regulated by the Council for Licensed Conveyancers (“CLC”) and are subject to their rules, which include a need to comply with the CLC Code and the CLC Handbook. This does not mean that we will not put in place appropriate protections when handling and processing your personal data or that your personal data will not be kept confidential. As a regulated firm, we owe you a strict professional duty of confidentiality in respect of all information you provide to us and will only use your information when authorised to do so and for the purposes of acting for you, having regard to our overriding duty to the Courts and to certain regulatory authorities.
This notice therefore relates to personal data we hold about you that is not otherwise protected by legal professional privilege.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
The kind of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).There are “special categories” of more sensitive personal data which require a higher level of protection.
The information we collect, store and use about you will vary dependant on the purposes for which you have instructed us to act on your behalf. Generally, such information will include the following:
• Your name and address and contact details (including email address);
• Personal details and information relevant to the matter you have instructed us (including background and ancillary information that we may need to be aware of) about
• Identification information (e.g. passport, driver’s licence, utility bills, companies house details) to comply with money laundering obligations and criminal proceeds checks;
• Details of your bank account and/or credit card details;
• Your financial history and details of your assets if relevant to your matter;
• Records of instructions received and advice given;
• Details of protected characteristics under the Equality Act where relevant to your matter or where required for equality and diversity reporting;
• Personal information regarding your family if relevant to your matter;
How is your personal information collected?
We collect and record personal information about you in your instructions and during your transaction. We may also obtain personal information regarding you on the telephone or by email or through other mediums. We may also obtain personal information regarding you through our own research and/or social media and/or our investigation into your matter or through third parties (where relevant to your matter or in accordance with our regulatory requirements). We will also receive personal information concerning you from parties and/or their solicitors that we may be communicating with for the purposes of acting for you.
We collect this information in hard copy form in client files and electronically by email and on our case management system and using other media. We may also collect information on our mobile phones and/or other computer equipment which we use to enable us to undertake our work for you.
How we will use information about you
We will only use your personal information we collect about you to:
• Advise you;
• To assess your case or matter;
• To take instructions;
• To communicate with third parties as part of acting for you;
• To protect your interests;
• To check your identification for money laundering and criminal proceeds purposes; which includes utilising the services of a credit reference agency where applicable
• To apply with regulatory requirements;
• To comply with the law or any court orders;
• To market our services;
• To pursue your matter on your behalf in accordance with your instructions;
• To invoice you;
• To collect payment from your for our services and any expenses and disbursements;
• To instruct third parties to act for you (e.g. counsel, experts etc) or to advice you (e.g. where we do not have such specialism)
In most instances the personal data we collect about you will be subject to legal professional privilege and therefore sits outside the GDPR and is not subject to the GDPR.
To the extent that the personal data we collect about you does not amount to legal professional privilege, we will rely on one or more of the following legal basis for processing your personal data:
• We have received your consent;
• It is necessary to perform our contract with you;
• It is necessary to comply with a legal obligation;
• It is in needed in the public interest;
• It is necessary for our legitimate interests (our legitimate interests are those of a regulated law firm and business, undertaking work for you and marketing our services to you and others);
• It is needed to protect your interests (or someone else’s interests).
If you fail to provide personal information
If you fail to provide information when requested, which is necessary for the matter we are dealing with for you, we may not be able to continue acting for you. This may mean that we are unable to advise and/or act for you further.
How we use particularly sensitive personal information
“Special categories” of particularly sensitive personal information require higher levels of protection. This information includes the following information: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data, health, sex life or sexual orientation.
We will use special categories of personal information in the following ways:
• Where necessary for the purposes of advising you and/or acting for you and where relevant to your matter;
• We will use information about your disability status to consider whether we need to provide appropriate adjustments to our buildings or services;
• We will use information about your race or ethnic origin, religious or philosophical beliefs, or your sex life or sexual orientation, to ensure meaningful equality and diversity monitoring and reporting.
Information about criminal convictions
We may have to collect information about criminal convictions, if relevant to your matter. Such information will generally always be subject to legal professional privilege.
We will ensure that we have in place appropriate safeguards when processing this type of information, and will seek to do so in accordance with our regulatory obligations, and/or our data protection policy (where relevant).
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We may have to share your data with third parties for the purposes of acting for you or to deal with regulatory requirements or for professional indemnity insurance purposes. In some situations we may instruct third parties to advise and/or act for you (e.g. counsel, experts, medical professionals etc.).
We require third parties to respect the security of your data and to treat it in accordance with the law and/or our instructions or as part of our regulatory or insurance obligations.
What about other third parties?
We may share your personal information with other employees/consultants employed by the Firm as part of acting for you (but subject to our professional duties of confidentiality) and/or other third parties either for acting for you, representing your interests, to deal with regulatory compliance and for professional indemnity insurance purposes or otherwise to market our services (in the latter where we have your consent to use your details).
We have put in place measures to protect the security of your information. Details of these measures are available upon request.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We have in place a client file retention and destruction policy. We also have in place a retention policy that sets out the criteria we adopt for retaining your personal information.
The criteria we consider when retaining your personal data includes:
• What our regulators (CLC) instruct us to do with client information;
• Any requirements of our professional indemnity insurers;
• The statutory limitation periods for bringing any claims (including negligence claims) against the Firm;
• Our legal obligations (e.g. holding money laundering ID);
• Any on-going matters we have for you that may be relevant to the work we do for you.
Rights of access, correction, erasure, and restriction
Your rights in connection with personal information
This section only applies to the extent that the personal information we hold about you is subject to the GDPR.
Under certain circumstances, by law you have the right to:
· Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. Please note that in most instances the personal data we hold about you will be subject to legal professional privilege and will be subject to our professional duty of confidentiality and may be subject to our right of lien.
· Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
· Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
· Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
· Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
· Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact initially the Client Care Partner (identified in your client care letter) in writing.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive or where such information is outside the GDPR (i.e. information that is subject to legal professional privilege). Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
Where we have relied on your consent for the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Client Care Partner identified in the client care letter sent to you at the outset of your matter. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. This may also mean that we have to cease acting for you if this compromises our ability to be able to do so.
Data protection officer
We have appointed Marc Lansdell, Managing Director, as our Data Protection Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact Marc Lansdell on Marc.Lansdell@evolvelaw.co.uk. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact Marc Lansdell, Managing Director