Data Protection and Privacy
All references to Regulation (EU) 2016/679 of the European Parliament and the Council of 27th April 2016 are abbreviated herein to “GDPR” (General Data Protection Regulation).
- The Castle Partnership is committed to protecting the privacy of clients, staff and service suppliers. We understand the importance placed on the privacy and security of any information which personally identifies an individual and their contact with us. For the sake of clarity this policy, where relevant, addresses our commitment to clients, staff and suppliers separately. References to clients, staff and suppliers include prospective clients, staff and suppliers.
- This policy (together with our Terms of Business and any other documents referred to in it) sets out the basis on which any client personal data will be processed.
- Through this Policy the Castle Partnership seeks to ensure full compliance with the GDPR.
- The Castle Partnership does not maintain marketing data or data collected through the website.
- We do not share client information with any individual or organisation save as set out herein.
- All information (personal client data and data relating to the proceedings for which we are instructed) is held both digitally on our DPS software case management system (DPS) and within a paper file (Hard Copy).
- We collect data about clients in the following way:
- i) Upon instruction by a client,
- ii) By a third party on behalf of the client.
This can include, in respect of i) and ii) above:
- Direct contact with the client who corresponds in person, by phone, e-mail or otherwise,
- Information from Police officers or police staff,
- Information from Court staff,
- A representative of the Crown Prosecution Service,
- Any other third party instructed directly by the client to contact us.
- The information given to us may include (but is not limited to) names, DOB, addresses, e-mail address, phone numbers, personal descriptions (including gender, marital status and health) and/or photographs. We may collect information relating to a client’s income, capital and expenditure for funding purposes. In addition, we may collect information relating to the incident/matter/allegation for which we are instructed and any linked/related matter which may arise.
Legal Basis: Contract
- Client information is collected, processed and stored on a contractual basis as defined by and in accordance with GDPR.
- Where clients enter into a contract with us they are advised that the data we receive from them will be kept confidential but in order, for example, to advance their interests and to comply with professional obligations, their data may be shared with other organisations. For example:
- Information regarding gender, marital status etc. MUST be shared with the Legal Aid Agency (LAA) in order to complete a legal aid application,
- Files may be subject to review by the SRA and the LAA.
This information is provided to the clients at the outset of their case and is contained in the Terms of Business. Clients cannot “opt out” of these exceptions.
- The contract with the client allows data to be shared within the Firm and, to advance the interests of the client, with other agencies and service providers who are engaged by the Firm. This will include, for example: Police Station Representatives, Consultants, Forensic Experts, Doctors and barristers.
- Client data will be stored electronically and as hard copies.
- Hard copies refer to actual files. These are retained in filing cabinets within the office.
- Hard copy diaries are destroyed by shredding within eight years of their end date. Paper notes that are made ancillary to the files (for example for trial preparation) are shredded confidentially as soon as they are no longer required.
- Access to electronic files within DPS is limited to staff who have a DPS account. This will generally include all fee earners and secretaries. Access to hard copies will be restricted to staff, consultants and agents who require access to advance the client’s interests.
- Those who have access may permit access to others where it is necessary to advance the client’s interests. For example, a file may be passed to a barrister to represent a client at trial.
- The primary reason for using data is to advance the client’s case. Other than as set out here, client data can only be used in other circumstances where the client has given clear, informed and written consent.
- Electronic data will be deleted 6 years from the date on which the client’s folder was closed. The deletion process is managed by the Firm following DPS procedures.
- Hard copy data within a file is destroyed at the end of the client’s case within a short period of time, usually no longer than a month. The file is shredded confidentially. If for any reason the file is not shredded, for example at the client’s request, the file will be stored securely.
Subject Access Request
- Clients have the right to be informed about the information we hold about them.
- Any client may make a “subject access request” to the Firm which must be addressed to the Head Office of the Firm. In the absence of any exceptional circumstances the Firm will respond within one month. If a request for information is refused a client will be informed of that decision in writing and advised of their right to seek judicial review or to go to the Supervisory Authority.
- There will be no charge for the provision unless there are exceptional circumstances.
- Where a request is made the Firm will, as appropriate:
- Confirm that it holds and/or is processing personal data,
- Confirm the reasons why that data is held,
- Provide the client with a copy of their personal data,
- Correct any errors,
- Erase any information that should have been deleted,
- Restrict the use of the data,
- Allow the client to move, copy or transfer data for their own purposes to another organisation.
- Where a request is made objecting to the storage and use of data any such objection will be given consideration but will be subject to a) the Firm’s obligation to retain information for professional and contractual purposes with other agencies such as the SRA and the LAA, and b) the exceptions set out in GDPR (e.g. public interest, public health, exercise or defence of legal claims).
- Due to the nature of our Business, clients will frequently be under the age of 18. This Policy allows for information to be provided by and communicated with third parties such as parents or guardians, on instruction of the client. As such, all parts of our policy can and may be communicated with a nominated appropriate adult in addition to the client directly.
Staff, Partners and Employment Applicants (herein referred to as “Staff”, which shall include prospective staff)
- Data held pertaining to staff will be held on a contractual basis. The information will be provided by the staff and former employers.
- Data held will be on DPS and hard copy files.
- Information regarding staff will generally be limited to Partners and will not be shared with any outside agencies without the consent of the staff member. Situations where this may arise include, for example, the renewal of Health Insurance and the provision of information regarding gender, age, sexual orientation etc. required by the SRA annually. In the case of the SRA we cannot refuse to provide any information at all but where necessary the answer “prefer not to say” can be submitted.
- Data held about staff will be limited to information pertaining to their work, such as qualifications, and next of kin information. No unnecessary data will be stored. The data will be used for management and welfare purposes only.
- Data held on staff will be held securely and will be destroyed within 6 years of the staff member’s departure.
- Prospective Staff (job applicants) who are unsuccessful in their applications will have their data destroyed within a year of their application, unless they specifically request that we hold that information against the prospect of future opportunities.
Subject Access Request
- Staff shall have the same rights as clients to make a Subject Access Request.
- Within this context Service Suppliers refers to our Consultants, agents and barristers. The policy refers only to individuals and not to organisations.
- It is not envisaged that there will be any requirement to collect sensitive personal data from these individuals. Data collected will generally be limited to name, contact information and client and staff feedback.
- Data held on Service Suppliers is on the basis of Legitimate Interest as it is considered to be in the interests, specifically the commercial interests, of both the Firm and the Service Supplier for this information to be held and processed. The processing of this data will promote commercial activity between the parties to the advantage, it is hoped, of both.
- Information will be held both electronically and in hard copy.
- Access will generally be limited to staff members; however, it will be assumed, unless we are advised otherwise, that Service Suppliers have no objection to their details being provided to, for example, other firms of Solicitors for the purposes of promoting their business, and to Court staff and the Police to expedite work they are undertaking on our behalf.
- Details will not be revealed to clients without the Service Provider’s express consent, which will usually be verbal.
- Data will be used for work purposes.
- The Firm will only delete data at the request of the Service Provider. There is no time limit for the retention of this data.