This policy informs you how Ketley Miller Joels Ltd uses personal information from clients and other members of the public, to reassure you that we comply with the Data Protection Act 1988 and the European data protection legislation, the General Data Protection Regulation (GDPR).
The only way in which we process your personal data is as necessary for the provision of our family law service to you as set out in your Terms of Business (Article 6 (i) (b)), or where the processing is necessary for compliance with a legal obligation imposed on us (Article 6 (i) (c)).
Clayton Miller is the firm’s appointed Data Protection Officer (DPO). Although the appointment was not necessary due to the small size of the firm, it was thought beneficial to appoint one so as to have a central contact.
Information from clients
When you contact us regarding the provision of legal services to you, we will collect personal information about you. This will often include your name, email address and telephone number. After your initial interview, if you decide to instruct us, we then require your anti-money laundering documents, such as a copy of photo identity (most often a passport) and a household utility bill dated within the last 3 months. Further, in your case we may also need to obtain personal data about you from publicly accessible websites such as Companies House or HM Land Registry.
Throughout your matter, we may collect information about you and/or other individuals or organisations you tell us about.
We confirm that Ketley Miller Joels does not presently operate a marketing database. However, in the future we may decide to operate such a database. When you approach us and become a client of Ketley Miller Joels Limited, you are agreeing that we may add your personal data to a marketing database should it become applicable in the future.
Information for marketing
As stated above we confirm we do not use your personal information for any marketing database.
As part of our commitment to GDPR, we are going to be using third party email encryption software, Mimecast, to ensure that your personal data is protected when we pass it electronically. This will include when we email documents such as bank statements, credit card statements or Land Registry documents belonging to either you or the other party; these will all be encrypted using the third party software.
Visitors to our Website
We will collect personal information that you voluntarily provide to us if you fill in a form on a website or fill in our web enquiry form. This form contains contact details. We may also collect information about how you use our website and our cookies policy has information about how cookies are used on our website. Our website is processed by a third party data processor, Sedcom, who will maintain its security and performance as well as dealing with all of our I.T. Our website is also accessed and monitored by Exposure Ninja Trading Limited which is a digital marketing company and to deliver their service they will process IP addresses of visitors to our website. We will not share your information with any other organisation without your prior consent.
Should you contact us directly through social media or through direct or private messaging, then we may also share this information with personnel of Ketley Miller Joels. This is to ensure your queries are dealt with by the appropriate person in our firm.
Provision of Your Personal Data to Third Parties (Article 3 & 14)
In acting on your behalf, we may from time to time need to provide your personal data to a third party in conducting your matter. For example, an Estate Agent may be jointly instructed in your matter to value the matrimonial home. In the process of instructing that person, we will need to provide your name, address, contact number, email address and the address of the property to be valued.
Another example is if you ask us to apply on your behalf for a Marriage Certificate. In these circumstances we obtain from you both the bride’s and the groom’s father’s full names, amongst other information. For this purpose, the Data Controller and Data Protection Officer is Clayton Miller.
We will also tell you the recipients or categories of recipients of the personal data. If it is to a third country or international organisation, we will tell you of the existence or absence of an adequacy decision by the Commission and any suitable or appropriate safeguards and the means by which to obtain a copy of them or where they have been made available.
Queries and Complaints
Should you at any time send to us a query or complaint, we will use the personal information you provide to us in order to process and deal with your query or complaint. If deemed necessary by us, we will share this information with third parties such as the Solicitors Regulation Authority.
Your personal data will only be used by us if we determine that it is lawful and fair to do so for the following reasons:
- You have provided your specific consent for us to use your information for the specific purposes described in this privacy notice.
- In order to perform our contract with you it is necessary.
- In order to comply with the legal obligations.
- For legitimate interests for either us or a third party provided your rights do not override those interests. This may include obligations we have for fraud and crime protection or any other purposes required by law or our regulatory authority.
We confirm that we will never sell your personal data or share it with third parties who might use it for their own personal use.
There will be occasions throughout your matter when we will be required to disclose your information to third parties in conducting your matter. This will include the following:
- Instructing professional advisors such as barristers, accountants or other experts or advisors in dealing with your matter.
- Other necessary third parties to conduct your matter such as searches with Companies House, HM Land Registry, banks and mortgage advisors.
- Where you have consented to us sharing information.
- To third party service providers who provide to the firm operational and technical support through information and technology systems such as account and case management systems, document management, email systems, the monitoring of our website and other technical systems.
- Any other legal or regulatory duty to disclose or share your personal information such as by court order, in relation to annual regulatory orders, Lexcel inspections or any other enquiries by regulatory bodies.
Appropriate measures have been put in place to protect your personal data. We hold data both electronically and in paper form in order to deal with the provision of legal services in the agreement between us. We have an onsite server which has been secured physically onsite. Our network is protected using firewalls and anti-malware software. Our onsite scanner has an encrypted hard drive. We have a backup which is secured in a fireproof location. We are introducing encryption of email using Mimecast that encrypts data in electronic transit to ensure this is secure.
When your file is closed, we have a secure offsite document storage facility provided by Iron Mountain for archiving papers until they are destroyed in accordance with our terms of business. Our offices are secure and only personnel can access areas where personal data is stored. We ensure that your data is deleted or disposed of securely. We ensure that any draft documents which are disposed of during the conduct of your matter are shredded and not placed in general waste disposal. The shredding is conducted by a third party company (Shred-it) who ensure confidentiality.
All of our employees, agents and contractors are aware of their obligations for privacy and data security. All reasonable steps are being taken to ensure employees of third parties working on our behalf are aware of their privacy and data security obligations. Any employees, agents, contractors and other third parties have limited access to client data as far as needed to conduct your matter.
The internet is never completely secure for the transmission of information and data. We do our best to protect your personal data but cannot guarantee the security of electronic information and documentation transmitted to us, and any transmission is at your own risk. Should there be any suspected data security breach, we will notify you and any relevant regulator where we are legally required to do so, and we have put in place procedures to deal with this.
Processing of Special Categories of Personal Data (Article 9)
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
This does not apply if:-
- You have given explicit consent to the processing of that personal data for one or more specified purposes;
- processing is necessary for the purpose of carrying out the obligations and exercising specific rights of you or us in the field of employment and social security and social protection law;
- processing is necessary to protect your vital interests where you are physically or legally incapable of giving consent;
- processing relates to personal data which are manifestly made public by you;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever Courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest;
- processing is necessary for the purpose of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis or the provision of health or social care or treatment;
- processing is necessary for reasons of public interest in the area of public health;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Transmission outside of the European Economic Area (EEA) of your information
We do not transfer your personal data and information to countries outside of the EEA, except where this transfer is necessary in connection with the legal services we are providing to you. If this is necessary then we will first check if the country in question has been deemed by the EU Commission to have adequate data protection laws and we will provide safeguards as far as possible to ensure your privacy rights remain protected as set out in this notice. If you are outside the EEA, your information may be transferred outside the EEA in order to provide you with our legal services. By providing your personal information to us in this way, you are agreeing to the transfer and processing of your information outside the EEA.
We will hold your personal data and information for so long as required by law and our regulatory obligations. As set out in our terms of business, our default retention period for personal data is 6 years from the conclusion of your instructions to us. In the event that your matter is reopened, this period will then run from the date on which the reopened matter came to an end, unless otherwise specified by law.
There may be occasions on which client files are retained for longer periods if necessary to protect our client’s or third parties’ legal rights and claims. When your matter concludes it is archived with Iron Mountain and securely stored until such time as it is to be destroyed as set out above. This will also apply to electronically stored information.
Retention periods may be extended or reduced in certain circumstances such as defending legal proceedings or if there is an ongoing investigation.
We will annually review personal data we are holding to ensure it is still relevant to the work we are undertaking and our business. If any information or data is no longer deemed necessary or accurate, we will take reasonable steps to delete or correct this data as required.
By law you have the following rights in relation to your personal data:
- Access – you have the right to request access to your personal information and data. At our discretion, we may require you to provide your identity before providing the requested information for your own privacy and security.
- Rectification – you have the right to have incomplete or inaccurate personal data about you rectified.
- Deletion – you have the right to request that we delete personal data and information that we process about you, except where we are obliged to retain this information in order to comply with any legal obligations or regulatory bodies, and where there is no good reason for us to continue to hold it.
- Restriction – you have the right to ask us to restrict or suspend the use of your personal information or data where you believe such data to be inaccurate, our processing is unlawful or we no longer need to process such data for a particular purpose, but where we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.
- Portability – you have the right to ask us to transfer your personal information to another person or organisation.
- Objection – where the legal justification of our processing of your personal data and information is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your particular request unless there are compelling legitimate grounds which override your interest and rights, or if we need to continue to process the data in the defence, establishment or exercise of a legal claim.
- Withdrawing consent – if you have given your consent for our processing of your personal data, you have the right to withdraw your consent at any time. To withdraw your consent, please contact email@example.com. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information and, subject to our retention policy, will dispose of your data securely.
- You also have the right to lodge a complaint at any time to the Information Commissioner’s Office (ICO) who can be contacted as follows:
Telephone +44 303 123 1113
Address: Water Lane, Wycliffe House, Wilmslow, Cheshire, SK9 5AF
Our head of compliance is Clayton Miller who can be contacted at firstname.lastname@example.org. If you are based outside of the EEA, or the issue to which the complaint relates takes place outside of the EEA, you can contact the data protection authority in your place of residence or your country.
Procedure for Data Access Requests
The procedure for data subject access requests is as follows:-
- In writing or by email (email@example.com), you should set out details of your data access request.
- That request will be given to Clayton Miller (or in his absence Philip Cooper) to consider.
- Within 10 days of receipt of your request you will be sent an acknowledgement. We will advise you at that time if we require any identity documents from you before we can process your request.
- No later than 28 days from the date of the initial request (if no identity documentation is required) or within 28 days from the date of receipt of any required identity documents, your request will be dealt with.
- You will need to then sign a document receipt acknowledging receipt of your documentation and/or information.
- The documentation/correspondence relating to this request will then be retained for a period of 12 months before it is destroyed.
- Should your request be to have your information permanently deleted, then no records will be retained other than a spreadsheet containing your name and the first three characters of your postcode only showing your request.
Procedure for Managing & Reporting Data Breaches
What is defined as a breach? A breach is the provision of a client’s personal data to an unauthorised third party which is likely to result in a risk to the rights and freedoms of individuals.
The procedure for managing and reporting data breaches is as follows:-
- As soon as practicably possible from the time of identification of the data breach, this breach must be reported to Clayton Miller (or in his absence Philip Cooper). The breach report must contain the following:-
  - Date of Report and full name of personnel making the report;
  - Full details of the breach;
  - Name/s of clients or third parties affected by the breach.
The breach must be reported within 24 hours of identification by the personnel to the Reporting Officer. The Reporting Officer is Clayton Miller (or in his absence Philip Cooper). Within 24 hours thereafter the Reporting Officer will consider the potential breach and decide whether this must be reported to the ICO, client or any other. Such Report must be made within 72 hours of the breach. The Reporting Officer must fully document the entire process.
All KMJ personnel have been provided with data protection training and this is renewed annually.