GDPR – Old Bailey Solicitors Data Protection Policy and Transparency Notice
Updated: 18 MAY 2018
This Notice details how we process the personal data we hold about you, and how you can control the retention and use of that data. When you begin a working relationship with us, the data you provide may be used for different purposes and treated in different ways.
Old Bailey Solicitors Limited is a company registered in England and Wales.
We are a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you and explaining it clearly to you. This notice applies to prospective, existing and former clients of Old Bailey Solicitors (including employees), referrers, individuals who request information from us, any person or company who provides services to us, third parties acting for our clients, prosecution witnesses and co-defendants, or parties on the other side of our client matters and lawyers acting for those parties.
We reserve the right to update this notice at any time and recommend that you regularly check our website for updates. This notice should be read in conjunction with other notices or information that we have provided to you.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the course of our engagement with you.
The information we hold
Personal data is any information about an individual from which that person can be identified. We collect different information depending on your relationship with us.
We process personal information to enable us to provide legal representation to our clients in anticipated, ongoing or concluded legal proceedings. This includes:
- your name, address and contact details. Such processing is necessary for providing advice and representation in anticipated, ongoing or concluded legal proceedings.
- Anti-Money Laundering and Know Your Client information. We do this to comply with our legal obligations and as necessary for the legitimate interest of understanding who we are contracting with.
- information relating to your legal matter and our instructions. Such processing is necessary for us to provide you with legal advice and representation in anticipated, ongoing or concluded legal proceedings.
- personal information contained in documents reviewed by us as provided to us in disclosure (e.g. from the police, the Crown Prosecution Service, the probation service or the courts). Such processing is necessary for the purpose of providing legal advice, providing representation in legal proceedings and to perform our contract with you.
- background information about you. This may include lifestyle information and information about your family, social circumstances, financial details and education and employment details. This information is to enable us to provide you with legal advice and representation, in particular, in the criminal courts.
- feedback you provide to us on our services. Such processing is necessary for the legitimate interest of managing our business and improving our services.
Individual service providers
- your name, title and business contact information including addresses, telephone numbers and email addresses
- details relating to the performance of the contract between us, including financial information and bank details for payment
Such processing is necessary for performance of the contract between us.
Prosecution witnesses and co-defendants, or parties on the other side of our client matters
We process the details of prosecution witnesses, co-defendants and/or parties on the other side in Client matters for the purpose of carrying out conflict checks. Such processing is necessary for our legal obligations and the legitimate interest of meeting our compliance requirements.
For third parties involved in Client matters, including lawyers, professionals, witnesses, experts or opposing parties, we will collect your contact details and such information about you as necessary for us to advise our Clients, including personal information contained in documents reviewed by us as provided to us in disclosure. Such processing is necessary for:
- the purpose of establishing, exercising or defending legal claims
- the legitimate interests of our Client in receiving legal advice from us (provided that the other party's interests and fundamental rights do not override our Client's interests)
We may process your bank details. Such processing is necessary where we are required to pay funds to you, for example in obtaining an expert report.
How we collect personal information
We collect personal information direct from you when you enquire about our services, when we establish you as a Client of the firm, or where we enter into a contract to receive services from you. We collect further information from you during the period of our instructions or for the duration of your providing services to us.
We collect information about our Clients, and about third parties, from our Clients and from parties acting on the other side in a criminal case, or from lawyers or other professional advisors acting on their behalf.
We collect information from other third parties, such as other professionals advising our Clients on a matter or working within the Criminal Justice System e.g. the probation service, the police, or the courts.
Our lawful bases
We will use your personal information in the following circumstances:
- where we are providing you with legal advice and representation
- where we need to perform the contract we have entered into with you
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- where we need to comply with a legal obligation
- otherwise, with your consent
We may also use your personal information in the following situations, which are likely to be rare:
- where we need to protect your vital interests (or someone else's interests)
- where it is needed in the public interest
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
In order to provide you with legal advice and representation, we may collect, store and use any of the following special categories of information about Clients and prospective Clients and/or about parties on the other side of the matter:
- information relating to criminal convictions and offences
- physical or mental health
- nationality, race or ethnicity
We process this type of information where it is necessary to defend anticipated or ongoing legal proceedings.
We may process particularly sensitive personal information if we are under a legal obligation to do so, or if it becomes necessary to protect your vital interests or those of another person, or for reasons of substantial public interest.
Information about criminal convictions
We use information relating to criminal convictions where the law allows us to do so and where this is necessary in the course of the legal advice and representation we are providing to you. This is essential in advising you in relation to sentence and in relation to the strength of evidence against you (e.g. if a bad character application is made) if you are facing criminal proceedings.
We may use information relating to criminal convictions where it is necessary in relation to legal proceedings, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
Who do we share your personal information with?
We will share your personal data with third-party service providers who provide services to us and to other third parties who use your information, as data controller, for their own purposes.
If you are a Client, we share your personal information with other data controllers where required by law, for example if we are required to share information in accordance with our Anti-Money Laundering procedures, or to meet our regulatory requirements or as required by our insurers.
We share information with:
- our regulator, the Solicitors Regulation Authority (SRA), HMRC or other government or law enforcement agencies
- our insurance providers and our professional indemnity insurance broker
- Lexcel (the Law Society's legal practice accreditation service) and other auditors, for the purpose of auditing our compliance with our legal obligations (including Legal Aid Agency requirements) and the SRA rules
As solicitors, we are bound by rules of confidentiality and we will not share your personal data without your prior consent unless we are required to do so by law or we believe that it is in your or someone else’s vital interests. We may share your information if we refer you to a third party adviser for specialist advice or if we are prevented from acting for you due to a conflict.
Where we share information with other data controllers, they are responsible to you for their use of your information and compliance with the law.
The following activities are carried out by third-party service providers on our behalf: archiving and records management; confidential waste disposal; IT support and maintenance; hosting our website (including analytics); experts providing reports; counsel providing representation and advice; agents instructed to act at the police station and court.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions.
How do we keep your personal information safe?
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way. Your information is stored on encrypted computers and in paper form, kept securely.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long do we keep your personal information?
We will only retain your personal information for as long as is necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Where a minimum retention period is required by law (such as retaining records for HMRC purposes or for compliance with the SRA requirements, or anti-money laundering law), we comply with that minimum period.
Unless particular circumstances warrant retention for longer periods, we retain most physical Client documents for a period of three years, at which stage they are destroyed, unless you request otherwise. Some physical client files are not retained after the conclusion of a case and this includes cases that concluded at the police station and/or short magistrates’ court proceedings. Access to archived files is restricted. Please contact us if you would like to discuss specific retention periods applicable to your matters.
Our secure server retains your information electronically for an indefinite period. This is because many of our clients are repeat clients and some have been using our services for up to twenty years. It is in our clients’ interests for us to retain information relating to your previous cases in order to properly represent you in new criminal cases. Some clients contact us many years after a case has concluded, requesting information for any number of reasons, e.g. an employer requiring information relating to a conviction, advice in relation to expunging a caution. Access to this information is restricted.
Under certain circumstances, by law you have the right to:
- request access to your personal information. This enables you to receive a copy of the personal information we hold about you
- request correction of your personal information. This enables you to have any inaccurate information we hold about you corrected
- request deletion of your personal information. This enables you to ask us to delete personal information where there is no good reason for us continuing to process it
- object to processing of your personal information where we are relying on a legitimate interest (or those of a third party)
- request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
- request the transfer of your personal information to another party
- withdraw consent in the circumstances where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is to ensure that personal information is not disclosed to any person who has no right to receive it.