The following text is also set out in the attached file.
This policy explains how Carmelite Chambers uses the personal information collected from you for the operation of the company business. It also describes how long that information is kept for and the limited circumstances in which we might disclose it to third parties. The organisation has appointed Data Protection Officer (DPO) with responsibility for data protection compliance within the organisation. Questions about this policy, or requests for further information, should be directed to the Data Controller in the first instance. Email: Orla O'Sullivan email@example.com Contact: 020 79366300
What information do we collect?
This section tells you what personal data we may collect from you when you use our Services. When you register as a client of Carmelite Chambers we will collect:
• Your personal details, including name and address, email addresses, phone number, gender and possibly and image.
• The names and telephone numbers of clients and associates.
• Details of a solicitor or legal representative.
• CCTV images of you may be captured on our premises.
How to access your data
As a data subject, individuals have a number of rights in relation to their personal data. Subject Access Requests (SAR) Individuals have the right to make a Subject Access Request. If an individual makes a subject access request, then Carmelite Chambers will respond to the request within Thirty (30) days and will produce the request in line with the Information Commissioners Office (ICO) guidelines. The data subject will need to prove themselves by a form of identification which will be deemed adequate by the DPO. An SAR should be submitted to: Email: The Data Protection Officer (DPO) DPO@carmelitechambers.co.uk
If a Subject Access Request is manifestly unfounded or excessive, the organisation is not obliged to comply with the request. Alternatively, the organisation can agree to respond but, the data subject may be charged a fee if extra costs are incurred to retrieve data, which will be based on the administrative cost of responding to the request. A Subject Access Request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it. Furthermore, if the organisation cannot facilitate a request based on limitations with its IT functionality the organisation will notify the individual accordingly stating what aspect of the request they can respond to.
We will respond to the request within the Thirty (30) day period however, if this request takes longer than the regulation timeline, then the data subject will be notified and will be updated, and the request provided at the earliest opportunity. It should be noted that due to the business practices and the pure nature of the business model of Carmelite Chambers, that some data may not be requested under a Subject Access Request for legal reasons.
If it is felt that a request may not be granted or fulfilled, then the data subject will be informed, and a representing barrister will be sought for guidance relating to such a request. The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.
A data subject has the right to the following regarding the processing of their data:
• Whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
• To whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
• For how long his/her personal data is stored (or how that period is decided);
• His/her rights to rectification or erasure of data, or to restrict or object to processing;
• His/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and
• Whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.
Personal data will be retained for the shortest time necessary however, some legal cases will require the chambers to hold your data after a case has been heard or on the direction of a representing barrister. Under GDPR you have the following rights to request information from the company:
• Right of access to the data (Subject Access Request)
• Right for the rectification of errors
• Right to erasure of personal data (please note, this is not an absolute right
• Right to restrict of processing or to object to processing
• Right to portability
Due to legal cases requiring data to be held for a specific time, the erasure of data may not be possible for our legal obligations. Direction will be sought from the representing barrister regarding the erasure of a data subject. Lawful Basis for Processing The General Data Protection Regulation (GDPR) is legislation explaining your rights over the processing of your personal information.
The GDPR requires Carmelite Chambers to identify which of six "lawful reasons" we use when processing your data: we process data on the basis of "consent" when sending newsletters or material relating to Carmelite Chambers and we operate on the basis of "legitimate interest" when communicating with you in other ways (e.g. when responding to your enquiry or case). When processing personal data relating to legal cases then we use “Legal Obligation” and “Contract” for our lawful basis for processing. Consent Carmelite Chambers will only hold and process data that they feel that they have the correct consent for. The data subject has the right at any time to withdraw the consent, this consent can be withdrawn from any department within the organisation.
For those under Sixteen (16) years of age, then consent will be required from an adult to process information relating to that data subject. In relation to case data, then this consent may be obtained by the representing solicitor. Data security The organisation takes the security of HR-related personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. These controls are implemented under the ICO and the Bar Council guidelines.
Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. Our staff, barristers and associates undergo regular Bar Council, Data and GDPR training, to ensure that our policies and procedures are compliant with all aspects of data protection.
Our servers are held in a restricted area and are managed and monitored by IT and cyber data experts. This service is done so by a recognised and accredited service provider. Encryption for our data and emails are used at all times. Our barristers have a responsibility to control and hold data commensurate to our security, data and cyber policies and the Bar Council guidelines. Data may be transferred to a legal representative not located within the United Kingdom or the European Union (EU) however, we ensure that the data held is done so commensurate to our data protection policies and guidelines. Barristers may also store the data on their own personal electronic device, which is suitably protected by password and encryption. This will be commensurate to their own security policy.
Sharing personal information
As an organisation we do not share any information held with third parties unless consent is given by the data subject or is needed to be done so within the conduct of a legal case. We do not conduct profiling or marketing using an individual’s personal details for the conduct of our business. We will only share information with the following organisations is it felt that we have a legal obligation or are instructed to do so from an authority requiring specific information on a data subject.
• Police force within the United Kingdom
• A government department or agencies
• A local authority
• A consultant or medical profession
• Another barrister or legal representative
• A chambers clerk designated to a legal case
Please contact us directly with any questions or complaints as we aim to resolve any questions relating to data privacy with the data subject immediately. Email: The Data Protection Officer (DPO) DPO@carmelitechambers.co.uk All legal rights regarding privacy are the responsibility of the Information Commissioners Office (ICO). More information about their complaints procedure can be found at: https://ico.org.uk/concerns/ ICO Registration – ZA246759
Changes to this Privacy Notice
We reserve the right to make changes to this Privacy Notice from time to time, so please take the time to review periodically. Reviewed: July 2018