DATA PROTECTION POLICY
Chambers is required to comply with the law governing the management and storage of personal data, which is outlined in the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 1998.
Protection of personal data and respect for individual privacy is fundamental to the day-to-day operations of Chambers.
Compliance with the GDPR is overseen by the UK data protection regulator which is the Information Commissioner’s Office (ICO). Chambers is accountable to the ICO for its data protection compliance.
Hogarth Chambers and Hogarth Chambers Services Ltd are committed to compliance with all relevant EU and UK laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR).
This policy aims to protect and promote the data protection rights of individuals and of Chambers, by informing members and everyone working for and with Chambers, of their data protection obligations and of Chambers’ procedures that must be followed in order to ensure compliance with the GDPR.
This policy applies to all members, employees (permanent and temporary), consultants, agency, and contract staff. Any breach of the GDPR will be dealt with under our disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
This policy covers all personal data and special categories of personal data processed on computers or stored in manual (paper based) files.
Partner organisations and third parties working with or for us which have or may have access to personal data will be expected to adhere to all obligations imposed by data protection legislation. No third party may access personal data held by us without having first entered into a Data Sharing Agreement which imposes on the third party obligations no less onerous than those to which we are committed, and which gives us the right to audit compliance with the Agreement
The GDPR uses some key terms to refer to individuals, those processing personal data about individuals and types of data covered by the Regulation. These key terms are:
Processing of Personal Data:
Processing wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.
Means any information relating to an identified and identifiable natural person (‘data subject’)
This includes, for example, information from which a person can be identified, directly or indirectly, by reference to an identifier i.e. name; ID number; location data; online identifiers etc.
It also includes information that identifies the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
For Chambers’ purposes, Barristers’ clients and Chambers’ staff are data subjects (other individual third parties concerning whom we hold personal data about are also likely to be data subjects).
Means personal data revealing:
- a) racial or ethnic origin;
b) political opinions;
c) religious or philosophical beliefs;
d) trade-union membership;
e) genetic data or biometric data which could be for the purpose of uniquely identifying a natural person;
f) data concerning health or data concerning a natural person’s sex life or sexual orientation.
g) Data relating to criminal convictions and offences.
Means the natural or legal person, public authority, agency or other body who alone or jointly with others, determines the purposes and means of processing the personal data. In effect, this means the controller is the individual, organisation or other body that decides how personal data will be collected and used.
For Chambers’ purposes, this Chambers is a data controller for certain categories of data.
Means any operation which is performed on personal data such as: collecting, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
For Chambers’ purposes, everything that we do with client information (and personal information of third parties) is ‘processing’ as defined by the GDPR. This processing will often be in the capacity as a Data Processor on behalf of a Barrister as a Data Controller.
Any living individual who is the subject of personal data held by an organisation.
A breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The data controller is required to report data breaches to the Information Commissioner’s Office (ICO), particularly breaches likely to adversely affect the personal data or privacy of the Data Subject.
- Any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
The GDPR defines a child as anyone under the age of 16 years, although the UK may lower this to the age of 13. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The data controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
A natural or legal person, public authority, agency or body other than the Data Subject, data controller, data processor and persons who, under the direct authority of the data controller or data processor, are authorised to process personal data.
Hogarth Chambers Services Ltd is a Data Controller under the GDPR and is registered with the ICO under number ZA064629.
The Chair of the Chambers’ Management Committee (CMC) is responsible for monitoring Chambers’ compliance with this policy.
Members of the CMC and all those on committees or in supervisory roles throughout Chambers are responsible for developing and encouraging good information handling practices within Chambers.
The Chair is directly accountable to the CMC for the management of personal data within Chambers and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes ensuring the development and implementation of all necessary processes and procedures, including security and risk management, to ensure compliance with the GDPR.
The Chair has specific responsibilities in respect of matters such as managing Subject Access Requests and is the first point of call for anyone seeking clarification on any aspect of data protection compliance within Chambers.
Compliance with data protection legislation is the responsibility of everyone in Chambers who processes personal data.
Employees are responsible for ensuring that any personal data about them and supplied by them to Chambers is accurate and up-to-date.
The DPO will ensure that an annual review of data protection compliance is carried out.
The Data Protection Manager (DPM) responsibilities within this role include:
- Developing and implementing data protection policies and procedures;
- Arranging periodic data protection training for all staff and members which is appropriate to them;
- Acting as a point of contact for all colleagues, staff and Barristers on data protection matters;
- Monitoring Chambers’ compliance with its data protection policy and procedures;
- Promoting a culture of data protection awareness;
- Assisting with investigations into data protection breaches and helping Chambers to learn from them;
- Advising on Data Protection Impact Assessments; and
- Liaising with the relevant supervisory authorities as necessary (i.e. the Information Commissioner’s Office in the UK).
Data Protection Principles
All processing of personal data must be conducted in accordance with the Data Protection Principles as set out in the GDPR and outlined below. Our policies and procedures are designed to ensure compliance with these Principles.
Processed lawfully, fairly and in a transparent manner in relation to the subject (‘lawfulness, fairness and transparency’)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (‘storage limitation’)
- Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (‘integrity and confidentiality’)
Chambers must be able to demonstrate its compliance with (i) – (vi) above (‘accountability’).
Rights of the Data Subject
The GDPR gives rights to individuals in respect of the personal data that any organisations hold about them. Everybody working for Chambers must be familiar with these rights and adhere to Chambers’ procedures to uphold these rights.
These rights include:
- Right to be informed and to access details about the personal data that is being processed about them and to obtain a copy;
- Right to rectification of any inaccurate personal data;
- Right to erasure of personal data held about them (in certain circumstances);
- Right to restriction on the use of personal data held about them (in certain circumstances);
- Right to portability – right to receive data processed by automated means and have it transferred to another data controller;
- Right to object to the processing of their personal data;
- Rights in relation to automated decision making and profiling.
Data Subjects may make Subject Access Requests relating to their personal data. Our Subject Access Request Policy describes how we will ensure that our response to the request complies with the requirements of the GDPR.
The Chair of the CMC is responsible for responding to requests for information from Data Subjects within one calendar month in accordance with our Subject Access Request Policy. This can be extended to two months for complex requests in certain circumstances. If we decide not to comply with the request, the Chair must respond to the Data Subject to explain our reasoning and inform them of their right to complain to the ICO and seek judicial remedy.
Data Subjects have the right to complain to us about the processing of their personal data, the handling of a Subject Access Request and to appeal against how their complaints have been handled.
We understand ‘consent’ to mean that it has been explicitly and freely given, and it is a specific, informed and unambiguous indication of the Data Subject’s wish that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The
Data Subject can withdraw their consent at any time.
We also understand ‘consent’ to mean that the Data Subject has been fully informed of the intended processing and has signified their agreement while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading
information will not be a valid basis for processing.
Consent cannot be inferred from non-response to a communication. As Data Controller, we must be able to demonstrate that consent, where necessary, was obtained for the processing operation.
For Sensitive Personal Data, explicit written consent of Data Subjects must be obtained unless an alternative legitimate basis for processing exists.
Where we provide online services to children under the age of 16, parental or custodial authorisation must be obtained.
Processing Personal Data and Sensitive Personal Data
All personal data must be processed in a manner that is compliant with the GDPR, in short, this means:
- there are legitimate grounds for collecting and using the personal data;
- the data is not used in ways that have unjustified adverse effects on the individuals concerned;
- there is transparency about how the data is intended to be used
- individuals are given appropriate privacy notices when collecting their personal data;
- people’s personal data is handled only in ways they would reasonably expect; and
- nothing unlawful is done with the data.
The following conditions for processing special categories of personal data that are most relevant to our Chambers are:
- Explicit consent from the data subject;
- The processing is at the instruction of a Barrister who is the Data Controller of that personal data;
- The processing is necessary for the purposes of carrying out Chambers’ obligations in respect of employment and social security and social protection law;
- The processing is necessary to protect the vital interests of the data subject or another person;
- The processing relates to personal data that has already been made public by the data subject; or
- The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Confidentiality and Data Sharing
The barristers and Chambers must ensure that they share personal information with other individuals or organisations only where they are permitted to do so in accordance with data protection law.
Wherever, possible you should ensure that you have the client’s (or other data subject’s) consent before sharing their personal data, although, it is accepted that this will not be possible in all circumstances, for example if the disclosure is required by law.
Employees are required to notify the DPM of any changes in their personal circumstances which may require personal records be updated accordingly.
It is strictly prohibited to remove personal data from our premises for any reason other than carrying out legitimate processing activities.
Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft, or damage to personal data and the precautions that must be taken are set out in our Data Security Policy.
All employees are responsible for ensuring that any personal data that we hold and for which they are responsible is kept securely and is not, under any condition, disclosed to any third party unless that third party has been specifically authorised by us to receive that information and has entered
into a Data Sharing Agreement.
Data Protection Impact Assessments (DPIAs)
DPIAs are required to identify data protection risks; assess the impact of these risks; and determine appropriate action to prevent or mitigate the impact of these risks, when introducing, or making significant changes to, systems or projects involving the processing of personal data.
In simpler terms, this means thinking about whether Chambers is likely to breach the GDPR and what the consequences might be, if Chambers uses personal data in a particular way. It is also about deciding whether there is anything that Chambers can do to stop or, at least or minimise the chances of any of the potential problems identified, from happening.
DPIAs will be undertaken annually by the DPM or designated members of staff.
Disclosure of Data
All requests to provide personal data must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the DPM.
We must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and, in certain circumstances, the Police. All employees should exercise caution when asked to disclose personal data held on another individual to a third party.
Retention and Disposal of Data
We shall not keep personal data in a form that permits identification of Data Subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.
The retention period for each category of personal data is set out in our Retention and Disposal Policy.
Personal data will be retained in line with our Retention and Disposal Policy and, once its retention date is passed, it must be securely destroyed as set out in this policy.
On at least an annual basis, our Chair of the CMC will review the retention dates of all the personal data processed by our organisation and will identify any data that is no longer required. This data will be securely archived, deleted or destroyed in line with our Retention and Disposal Policy.
Where personal data is archived it will be encrypted in order to protect the identity of the Data Subject in the event of a data breach.
The Chair must specifically approve any data retention that exceeds the retention periods defined in our Retention and Disposal Policy and must ensure that the justification is clearly identified and recorded.
We may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to
safeguard the rights and freedoms of the Data Subject. Any such retention must be approved in advance by the Chair.
International Data Transfers
Under GDPR transfers of personal data outside of the European Economic Area can only be made if specific safeguards exist.
No employee is authorised to transfer personal data internationally until the Chair of the CMC has confirmed in writing that we have appropriate safeguards in place.
Data Processed Register
We have established a Data Processed Register that records:
- each type of personal data;
- why it is collected;
- the lawful grounds for processing;
- where it is held;
- the Responsible Person for the data;
- its Review Date; and
- how it is kept accurate.
A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Everybody working in, for and with Chambers has a duty to report any actual or suspected data protection breach without delay to the DPM. ull details of the Chambers’ breach reporting policy can be found in the Chambers Manual.
Breaches will be reported to the Information Commissioner’s Office (ICO) by the DPM without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless, Chambers is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
The DPM will maintain a central register of the details of any data protection breaches.
Complaints relating to breaches of the GDPR and / or complaints that an individual’s personal data is not being processed in line with the data protection principles should be referred to the DPM without delay.