Our Privacy Policy

Purpose

We are required to manage the way we hold personal data about people in order to meet our legal, regulatory and operational obligations. We want to reassure all our clients and contacts that we take our responsibilities seriously.

What data do we hold?

As lawyers, we have always held personal data about our clients, staff, suppliers and others. This personal data, whether it is held on paper, on computer or other media, is subject to certain legal safeguards as specified in the Data Protection Act 2018 which gives effect to the General Data Protection Regulation (“GDPR”). The Act contains some very important rights and obligations to protect the integrity, storage, confidentiality and, ultimately, appropriate disposal, of personal data.

Obtaining a copy of this Policy

Copies of this policy can be supplied by email, on paper, on our website and in person at our offices: just ask.

Our Data Protection Manager

This policy tells you what to expect when we collect personal information (personal data). Harrogate Family Law is the data controller for the data we collect: you can find our contact details below. Our Data Protection Manager is Andrew Meehan, who can be contacted on 01423 594680. He is authorised by us to be the contact point in the practice for any concerns or questions about data protection. If you do not understand this document, please contact our Data Protection Manager, who will be able to help you.

If you need to have this information in another format (for example, in a larger font or in another language) to understand it, please let our Data Protection Manager know.

Who is affected by this policy?

This policy applies to information we collect about:

  • clients and former clients
  • job applicants and our current and former employees, contractors, work experience personnel and providers of outsourced services
  • people who make enquiries or requests under the Data Protection Act 2018
  • people who use our services, e.g. those who subscribe to our newsletter
  • visitors to our website

The Data Protection principles

The Data Protection Act 2018 regulates the use of personal information held by us. This means we must comply with six data protection principles which say that personal data needs to be:

  • processed fairly, lawfully and transparently
  • processed only for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • not kept longer than necessary
  • processed using appropriate security

Meeting these requirements

In order to meet these requirements, we will:

  • observe fully the conditions regarding the fair collection and use of personal data;
  • meet our obligations to specify the purposes for which personal data is used;
  • collect and process appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements;
  • ensure the quality of personal data used;
  • apply strict checks to determine the length of time personal data is held;
  • ensure that the rights of individuals about whom the personal data is held can be fully exercised under the Act;
  • take the appropriate technical and organisational security measures to safeguard personal data and ensure that personal data is not transferred abroad without suitable safeguards.

Keeping our data up to date

It helps us to keep our data up to date if you:

  • Check that any personal data you provide to us is accurate and up to date when you give it to us.
  • Tell us if anything changes, e.g. a change of address.
  • Check that any information we send you is accurate: if we get something wrong, please tell us straight away so we can correct it.

Legal basis for processing

We ensure that the data we collect is processed on a specific legal basis, as set out below. We do not transfer any data outside the UK. If you have any questions on the legal basis below, please contact our Data Protection Manager.

Type of data subject:
Clients and former clients

Basis of processing
Consent
Whether this is shared and with whom
We share this with government agencies, regulatory bodies and other third parties
When it is destroyed
Retention of data:
We keep some data longer than others. We have a Privacy Policy which enables us to identify which data must be preserved and which data must be erased, to comply with the storage limitation requirements of GDPR.
We will keep your personal data only for as long as is necessary to ensure we can fulfil our business requirements and to comply with our regulatory requirements and will then confidentially destroy that data in line with our Privacy Policy.
We can retain personal data if we need it to meet our legal, regulatory and operational requirements in accordance with our Privacy Policy, a copy of which we are happy to send or post to you: just ask our Data Protection Manager.

Type of data subject:
Our current and former employees, contractors, work experience personnel

Basis of processing
Contract
Whether this is shared and with whom
We share this with government agencies, regulatory bodies and other third parties
When it is destroyed
Standard data destruction practice

Type of data subject:
Job applicants and people who send us speculative employment letters and CVs

Basis of processing
Our legitimate business interests (establishing the suitability of the candidate or enquirer) but for no other purpose
Whether this is shared and with whom
No
When it is destroyed
Standard data destruction practice

Type of data subject:
Outsourced service providers

Basis of processing
See separate table below
Whether this is shared and with whom
We may have to share this with government agencies, regulatory bodies and other third parties
When it is destroyed
Standard data destruction practice

Type of data subject:
People who make enquiries or requests under the Data Protection Act 2018

Basis of processing
Our legitimate business interests
Whether this is shared and with whom
No
When it is destroyed
Standard data destruction practice

Type of data subject:
Visitors to our website

Basis of processing
We do not process this data in any way that could identify the data subject
Whether this is shared and with whom
The website does not automatically store information. In order that we can monitor and improve the Site, we may gather certain information about you when you use it, including details about your domain name and IP address (this is your computer’s individual identification number assigned to your computer when connecting to the Internet), operating systems, browser, version and the website that you visited prior to our Site. We may do this by way of a cookie as described below.
When it is destroyed
N/A

How we store and review data

We operate a central database, which stores all our client, financial, and contact list data. Our Data Protection Manager is responsible for ensuring all data entry is accurate, that the database is secure, confidential and that back-ups are made and appropriately secured. He will also regularly complete data cleansing exercises to check our contacts are up to date e.g. when we are notified of a death, change of address, change of name, withdrawals of consents and opt-outs of mailings.

What information do we collect?

The type of information we may collect and process about you depends on the work we do for you if you are a client. We will need different data if you are one of our workers. Typically we need to know:

  • your name
  • who you are to us (such as a client, employee or a member of the public) and sometimes (for conflict and professional reasons) how/whether you are related to another client or person
  • your e-mail address and contact numbers
  • your gender (to enable us to address you correctly)
  • next of kin, bank details and GP’s address if you are a member of staff
  • your current (and occasionally previous) home addresses
  • documents to verify your ID and your bank details for both ID purposes and to make or receive payments
  • CV, if you are a job candidate
  • case-related information, such as information forms we ask you to fill in
  • lifestyle and social circumstances data for certain types of legal work, e.g. divorce. Some of this data is classified as special categories of personal data. To process this type of data we would need your explicit consent and we will discuss this with you when appropriate.
  • CCTV images (as we monitor our own premises by CCTV)

In addition, because of the wide-ranging nature of our legal work, we may collect other information and data about you and any business you run.

Some information is defined in the Data Protection Act 2018 as special categories of personal data. This is information about you which relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, genetic and biometric data processing, health data, data about sex life or sexual orientation. We can only process this type of data with your explicit consent.

How and why do we process data?

For our clients and former clients

We collect personal information about people who wish us to act for them (our clients) because we need to use that information to progress their work. For example, the type of personal data we normally need might be a client’s name, address, email address, identity documents, family members’ details, and information generated in the course of acting for them.

We will always ask you for consent to use your personal data before we begin our work for you. We will only ask for the details we need and nothing extra.

For job applicants and our current and former employees, contractors and work experience personnel

We collect personal information about people who work with us because we need to use that information to run our business. For example, the type of personal data we normally need might be a person’s name, address, email address, identity documents, family members’ details, and bank details for processing payments. We will use this personal data to administer the contract we have with the people who work with us.

When individuals apply to work with us, we will only use the information they supply to us to process their application. We would obtain their consent to do that. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau, we will not do so without informing them beforehand unless the disclosure is required by law.

Personal information about unsuccessful candidates will be held for 6 months after the recruitment exercise has been completed; it will then be destroyed or deleted.

Once a person has joined us, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be processed for purposes directly relevant to that person’s employment contract. Once their employment has ended, we will retain the file in accordance with the requirements of our data retention policy and then destroy it.

For people who make enquiries or requests under the Data Protection Act 2018

We may be asked by any person (including clients and former clients) what personal information we hold about them and about their rights under the Data Protection Act 2018. In order to respond to such enquiries we will normally ask for some personal data (and we may have to establish the person’s ID), for example their name, address and email address.

For visitors to our website

When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this, for example, to show the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

Processing data via outsourced services that we use

The table below gives details.

Outsourced service provider:
Compliance, auditing and external file reviews

What data is used?
Certain client data from our internal files
Where is it stored?
Minimal data may be retained short term by the outsourced supplier under the terms of a confidentiality agreement
Is it shared further?
No
How is it protected?
Confidentiality agreement
When is it destroyed?
As soon as possible under the confidentiality agreement

Outsourced service provider:
Our professional indemnity insurers

What data is used?
Data relating to claims and notifications
Where is it stored?
By the insurers
Is it shared further?
No
How is it protected?
By their data protection arrangements
When is it destroyed?
Under their data retention policy

Outsourced service provider:
Payroll

What data is used?
We may also share personal information with others who provide services to us, but only where this helps us to fulfil effectively our statutory and regulatory functions
Where is it stored?
By us
Is it shared further?
No
How is it protected?
By their data protection arrangements
When is it destroyed?
Under their data retention policy

Outsourced service provider:
HR functions

What data is used?
To ensure we are an equal opportunities employer we may collect information about age, disability, ethnicity, sex, gender reassignment, sexual orientation, religion or belief, pregnancy and maternity. This information is not used in relation to the application itself and is treated with strict confidence. It does not form part of the job application and is used to monitor our recruitment. We may use the information to help us deliver equal opportunity measures. Successful applicants who secure fixed term or permanent contracts are asked to agree to an appropriate criminal records check.
Once a person is employed by us, we compile a file relating to their employment. We keep this information secure and only use it for purposes directly related to their employment. When a person’s employment ends with us we destroy the file in line with our Data Retention Policy.
Where is it stored?
By us
Is it shared further?
No
How is it protected?
By their data protection arrangements
When is it destroyed?
Under their data retention policy

Outsourced service provider:
Professional and other regulatory bodies, quality assurance and regulatory inspections and audits

What data is used?
Personal information may be disclosed to our regulators, the Legal Ombudsman, enforcement or government agencies, other regulators or others with a legitimate interest who may keep a record of that information. We only share information where it is lawful for us to do so, such as where it is necessary to do so as part of our, or a third party’s, statutory or public function or because the law permits or requires us to.
Where is it stored?
By us
Is it shared further?
No
How is it protected?
By their data protection arrangements
When is it destroyed?
Under their data retention policy

Holding data about people when we did not obtain it from them

If we hold personal data about you (for example it has been given to us by someone else, rather than by you directly), we have to provide you with some information, unless you hold that information already. That data will be stored in accordance with our Data Retention Policy. It is processed on the basis of our legitimate interest: normally that will be for the purposes of progressing our legal work for the client concerned.

You have a right to know what personal data we hold about you, for it to be corrected if wrong, and you have a right to know where that data came from. You have the right to lodge a complaint with the Information Commissioner’s Office at ico.org.uk.

How we use cookies, search engines, blogs and E-newsletters

Cookies

Cookies are small text files stored on your computer while you are visiting a website. Cookies help make websites work. They also provide us with aggregated information about how users interact with our site. We use this information to try to improve your experience on our website and the quality of service we provide. Cookies help us do this by allowing us to remember personal settings you have chosen at our website. We do not use cookies in any other way to collect information that identifies you personally. Most of the cookies we set are automatically deleted from your computer when you leave our website or shortly afterwards.

Complete information about the cookies we may set on your browser appears below.

Below is a list of cookies set by our website, along with a brief description of what each is used for. To obtain further information about cookies (including how to set your browser to reject cookies), you can visit the website allaboutcookies.org.

We use Google Analytics to collect information about how people use our website, to make sure it continues to meet our users’ needs and to enable us to improve it.

Name | Details | Expires
_utma | This cookie tracks whether a visitor is new or returning, to determine unique visitor levels. | 2 years
_utmb | This cookie is a randomly-generated number, to determine and track user sessions. | 30 mins
_utmc | This cookie works with the _utmb cookie to manage the user’s browser session. | When you close your browser
_utmz | This cookie is a randomly-generated number and information on how the website was reached (e.g. direct or via a link, organic or paid search). This cookie is updated every time the user visits the website. | 6 months

People who email us

Any email sent to us, including any attachments, may be monitored and used by us for reasons including IT security, appropriate use and for monitoring compliance with our office email policy. Email monitoring, system security and blocking software may be used.

Knowing your rights under data protection

As an individual, you have these rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

There is a lot more information on these rights on the Information Commissioner’s website at ico.org.uk.

Your rights in more detail

Your right to be informed

You have a right to be informed as a data subject of the data we hold and process about you. This policy document is intended to do that. If you have any questions or if you feel that this Policy does not deal with your concerns or questions, please contact our Data Protection Manager on the contact details below.

Your right of access to personal information

We try to be as open as we can about giving people access to their personal information. Individuals can find out if we hold any personal information by making a request under the Data Protection Act 2018. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information.

To make a request to us for any personal information we may hold, you need to put the request in writing, addressing it to our Data Protection Manager (contact details below). If you agree, we may try to deal with your request informally, for example by providing you with the specific information you need over the telephone. We will still need to verify your identity if we do this. Please therefore send us proof of who you are so that we know we are sending the information to the right person. We accept the following as proof:

  • a copy of your birth certificate
  • a copy of your passport
  • a copy of your driving licence

Please do not send original documents.
You will also need to let us have a postal or email address so that we can send you the information. We ask that you mark the covering envelope or email as ‘Confidential’.

Your right to rectification

This is a right to ask us to correct any wrong data we hold about you. You can ask us to correct any mistakes by contacting the Data Protection Manager.

Your right to erasure

This is a right to ask us to delete any data we hold about you. You can ask us to do this by contacting the Data Protection Manager. We will not be able to delete data in situations where there is a legal or regulatory need to retain it and we will explain this if it happens. We may also be unable to fully delete computer-held data because of system design restrictions and again we will explain this if it happens.

Your right to restrict processing

This is a right to ask us to restrict the processing of any data we hold about you. You can ask us to do this by contacting the Data Protection Manager.

Your right to data portability

You have a right to ask us to transfer certain data to another organisation. You can ask us to do this by contacting the Data Protection Manager.

Your right to object

When and if we process your data based on our legitimate interests, you have a right to object to that processing. You can ask us to do this by contacting the Data Protection Manager.

Your rights in relation to automated decision-making and profiling

You have rights where your data is involved in automated decision making and profiling. As we do not collect or process your data for that purpose, the right will generally not apply to data we hold on you. If it does, then you can ask us to do this by contacting the Data Protection Manager.

Changes to this privacy policy

We keep all our policies under regular review. This privacy policy was last updated in April 2018.

How to contact us

Andrew Meehan can be contacted on 01423 594680 or by email at enquiries@harrogatefamilylaw.co.uk or by post to Harrogate Family Law Ltd, 30 Victoria Avenue, Harrogate, HG1 5PR.

Supporting documents