Client Privacy Statement
St Helens Law is a law firm dealing with a wide range of legal services. As a result, we need to collect certain information from clients and third parties to enable us to carry out those services. As a holder of that information, we are data controllers and processors and have a duty to you to keep any data we hold about you safe. Further, as a law firm, we are obliged to keep all client information confidential. This notice provides information about the type of data we collect and for what purpose, how we keep it, what you can do in the event of a breach, and how we dispose of it when it is no longer required.
This notice relates to all data collected by us from you, and about you from third parties, by whatever means, eg letter, telephone, electronically.
If you visit our website at www.sthelenslaw.co.uk, please read our Website Privacy Statement which deals with how we collect, process and store your data from your visit to the website.
PLEASE READ THIS NOTICE CAREFULLY. If you have any concerns about anything in this notice, please contact Miss Deborah Murphy on 01744 742360 or at firstname.lastname@example.org.
Who are we?
St Helens Law, 19-27 Shaw Street, St Helens, Merseyside WA10 1DF. Telephone: 01744 742360, Fax: 01744 737347, e-mail: email@example.com. Any issues arising regarding this notice or your data privacy should be referred to the person nominated by the firm to deal with privacy as above, Miss Deborah Murphy.
What information do we collect?
We collect the following types of information:
Initially: your name, address, date of birth, national insurance number, ID usually from a passport or driving licence, and a utility bill. This information is collected directly from you via a face-to-face meeting, by e-mail or by post. The information collected is held on our database and processed to confirm your identity and to allow us to provide legal services to you at your request.
As your case progresses: we may require copies of records held by third parties, eg doctors, personnel records. If these are required, we will obtain your specific consent to us obtaining these records and will hold them on our database and they will be processed to allow us to provide legal services and for no other reason. We may, providing you consent, provide copies of these records to other people, eg your opponent, a medical professional, in order to provide legal services. If this is the case, we will ensure that the recipient of your records abides by the terms of the GDPR as data processors.
Sensitive personal information: we consider medical or personnel records, your date of birth, your national insurance number and, when we sometimes ask for them, your bank details to be sensitive personal information. This information is held on our database and used only for the purpose of providing legal services to you at your request. The information is not released to third parties without your specific consent. The information is only available to those members of staff who need to use it to provide you with the legal services you have requested. All information can only be accessed via a password, and only by those authorised.
How do we use personal information?
We use your data as follows:
- to set up your matter on our case management system
- to enable us to progress your matter, for instance, to provide details of a claim you wish to make to your opponent
- to provide to a third party, such as a medical professional, to enable us to obtain evidence for use in a claim
- to enable us to make payment to you of any monies due at the conclusion or otherwise of your matter
- personalisation of content, business information or user experience
- account set up and administration
- delivering marketing and events communication if you consent
- internal research and development purposes
- providing services
- legal obligations (eg prevention of fraud)
- meeting internal audit requirements
What legal basis do we have for processing your personal data?
There are six possible legal grounds for us to process your data:
- consent
- contract
- legitimate interests
- vital interests
- public task
- legal obligation
We process your personal data, such as your name, address, date of birth, national insurance number and all other information given to us by you on the grounds of consent, as you have freely given us this information for use in the provision of legal services. Further, we have entered into a contract whereby we provide legal services to you, and that is a further ground for us to process your data. We have a legitimate interest in processing your data, in that we need to use your data so that we can provide the legal service that you have asked us to provide.
We sometimes disclose copies of your personal data to third parties, as detailed above, so that we can provide the legal service you have asked us for, for instance, medical records and your personal details, to medical professionals so that we can obtain medical evidence. We have your consent to do that, as set out in the letter of engagement and terms and conditions of business, together with your specific consent obtained at the time we disclose the data.
Should you wish to withdraw, or otherwise manage, your consent, you can contact us via e-mail, post, telephone, or in person, and provide us with your instructions. If you wish to withdraw previously given consent, we would ask that you do so in writing, or we may ask you to confirm this in writing, for our file.
As a law firm, we are obliged to retain data for a certain period (detailed below), as we are subject to legal obligations and to regulation by our regulatory authority.
When do we share personal data?
We treat all of your personal data, and especially sensitive personal data, confidentially. As outlined above, there are certain circumstances when we might disclose it. We will always obtain your consent to doing so. We will only disclose the data if it is necessary to allow us to provide you with the legal services you have appointed us to provide. If we do share data, it will be done in a secure way such as:
- Recorded delivery
- Encrypted e-mail
- Hand delivery
- Online upload which can only be accessed via password
Where do we store and process personal data?
Ordinarily, we do not transfer data outside the European Economic Area. However, should this become necessary, we will not transfer or disclose any of your data without first entering into a contractual agreement with the third party which will contain safeguarding clauses and data transfer agreements.
How do we secure personal data?
We have in place measures:
- to protect data against accidental loss
- to prevent unauthorised access, use, destruction or disclosure
- to ensure business continuity and disaster recovery
- to restrict access to personal information
- to conduct privacy impact assessments in accordance with the law and our business policies
- to train staff and contractors on data security
- to manage third party risks, through use of contracts and security reviews
How long do we keep your personal data for?
We retain your data for six years after the final transaction in relation to your matter. This is due to legal requirements to defend against any contractual claim that may be made. The data is held securely in archive and can only be accessed by a password holder and only for the purpose of legitimate interest and legal requirements.
Once the data is no longer required, it is archived from our system by utilising the inherent archiving provision within our claims management software.
Your rights in relation to personal data
Under the GDPR, we must respect the right of data subjects to access and control their personal data. You have the right to:
- access to personal information – you can ask to see what information we hold about you at any time. Our Subject Access Request Policy is available on request, and contains an easy to complete form for you to return to us, and information on the procedure that we will follow.
- correction and deletion – after receipt of your information, or before if you become aware of it from elsewhere, you can ask us to alter or delete any information we hold about you. This is subject to us having to retain data as above to comply with legal and regulatory obligations.
- withdrawal of consent (if processing data on condition of consent) – if you give us consent to process your data, you can withdraw this consent at any time. You will need to contact us via the details at the beginning of this document and we will discuss with you how we are going to stop processing your data, and any restrictions we may have to comply with.
- data portability – you have a right to receive the data in an easily transferable format. Where possible we will provide you with a PDF or Word document, or if the amount of data held is large, by another secured medium such as an encrypted disc or USB stick.
- restriction of processing and objection – there may be a time when we no longer need the personal data but you need us to keep it in order to establish, exercise or defend a legal claim; or you have objected to us processing your data under Article 21(1). We will need to consider whether our legitimate grounds override those of you, the individual.
- lodging a complaint with the Information Commissioner’s Office – if you are not happy with the way we are handling your data, dealing with an SAR request, or the way we are dealing with your consent, for instance, you can complain to the Information Commissioner’s Office (ICO). You can call their helpline on 0303 123 1113, or visit: https://ico.org.uk/make-a-complaint/
How to contact us?
If you have any concerns regarding our privacy practices, your personal information, or if you wish to make a complaint, you should contact us:
By post: FOR THE ATTENTION OF MISS DEBORAH MURPHY, St Helens Law, 19-27 Shaw Street, St Helens, Merseyside WA10 1DF
By e-mail: firstname.lastname@example.org, and use ‘GDPR’ in the subject line, for the attention of Miss Deborah Murphy
Fax: 01744 737347
Telephone: 01744 742360