Privacy Notice - General Data Protection Regulation (“GDPR”)

Please read the following information carefully. This privacy notice explains what information is collected, stored and otherwise processed about you and the reasons for that processing. It also tells you who a Barrister or Chambers share this information with, the security mechanisms Chambers has put in place to protect your data, and how to contact us if you need further information.

Who we are

5 Paper Buildings, on behalf of its Barristers, collects, uses and is responsible for personal information about you. When it does this, its Barristers are the ‘controllers’ of this information and Chambers staff are the ‘processors’ of this information for the purposes of the GDPR and the Data Protection Act 2018.

If you need to contact us about your data or the processing carried out, you can use the contact details at the end of this document.

What do we do with your information?

Information collected

When carrying out the provision of legal services Chambers collects some or all of the following personal information that you provide: 

  1. personal details
  2. family details
  3. lifestyle and social circumstances
  4. physical or mental health details
  5. criminal proceedings, outcomes and sentences, and related security measures
  6. other personal data relevant to instructions to provide legal services, including data specific to the instructions in question.

Information collected from other sources

The same categories of information may also be obtained from third parties, such as other legal professionals or experts, members of the public, your family and friends, witnesses, courts and other tribunals, investigators, government departments, regulators, public records and registers.      

How Chambers and its members use your personal information: Purposes

They may use your personal information for the following purposes:

  1. to provide legal services to their clients, including the provision of legal advice and representation in courts, tribunals, arbitrations, and mediations
  2. to keep accounting records and carry out office administration
  3. to take or defend legal or regulatory proceedings or to exercise a lien
  4. to respond to potential complaints or make complaints
  5. to check for potential conflicts of interest in relation to future potential cases
  6. to promote and market their services
  7. to carry out anti-money laundering and terrorist financing checks
  8. to train other barristers and when providing work-shadowing opportunities
  9. to publish legal judgments and decisions of courts and tribunals
  10. as required or permitted by law.

Whether information has to be provided by you, and why 

If a Barrister is instructed by you or on your behalf on a case, your personal information has to be provided to enable them to provide you with advice, to comply with their professional obligations and to keep accounting records.

The legal basis for processing your personal information  

Barristers rely on the following as the lawful bases on which they collect and use your personal information: 

  • If you have consented to the processing of your personal information, then a barrister may process your information for the purposes set out above to the extent to which you have consented to them doing so.

  • If you are a client, processing is necessary for the performance of a contract for legal services or in order to take steps at your request prior to entering into a contract.

  • In relation to information in categories which are considered to be particularly sensitive, including information about criminal convictions or proceedings, Barristers rely on your consent for any processing for purposes (ii), (iv), (vi), (viii) and (ix) above. A Barrister needs your consent to carry out processing of this data for these purposes. However, if you do not consent to processing for purposes (iv) and (ix) (responding to potential complaints), the Barrister will be unable to take your case. This is because they need to be able to retain all the material about your case until there is no prospect of a complaint and to provide an informed and complete reference.

  • In relation to information in categories which are considered to be particularly sensitive information and include information about criminal convictions or proceedings, Barristers are entitled by law to process the information where the processing is necessary for legal proceedings, legal advice, or otherwise for establishing, exercising or defending legal rights.

  • In relation to information which is not in the above categories, Barristers rely on their legitimate interests and/or the legitimate interests of a third party in carrying out the processing for the Purposes set out above.

  • In certain circumstances processing may be necessary in order that they can comply with a legal obligation to which they are subject.

  • The processing is necessary to publish judgments or other decisions of courts or tribunals. 

Who will Barristers or Chambers share your personal information with?

If you are a client, some of the information you provide will be protected by legal professional privilege unless and until the information becomes public in the course of any proceedings or otherwise. Barristers have an obligation to keep your information confidential, except where it otherwise becomes public or is disclosed as part of the case or proceedings.

It may be necessary to share your information with the following:

  • data processors, such as Chambers staff, IT support staff, email providers and data storage providers

  • other legal professionals

  • experts and other witnesses

  • prosecution authorities

  • courts and tribunals

  • the staff in Chambers

  • trainee barristers

  • lay clients

  • family and associates of the person whose personal information they are processing

  • in the event of complaints, the Head of Chambers, other members of Chambers who deal with complaints, the Bar Standards Board, and the Legal Ombudsman

  • other regulatory authorities

  • current, past or prospective employers

  • education and examining bodies

  • business associates, professional advisers and trade bodies, e.g. the Bar Council

  • the intended recipient, where you have asked a Barrister to provide a reference

  • the general public in relation to the publication of legal judgments and decisions of courts and tribunals.

Barristers may be required to provide your information to regulators, such as the Bar Standards Board, the Financial Conduct Authority or the Information Commissioner’s Office. In the case of the Information Commissioner’s Office, there is a risk that your information may lawfully be disclosed by them for the purpose of any other civil or criminal proceedings, without the Barrister's consent or yours, which includes privileged information.

Barristers may also be required to disclose your information to the police or intelligence services, where required or permitted by law.

Sources of information

The personal information a Barrister or Chambers could obtain may include information which has been obtained from:

  • other legal professionals

  • experts and other witnesses

  • prosecution authorities

  • courts and tribunals

  • trainee barristers

  • lay clients

  • family and associates of the person whose personal information they are processing

  • in the event of complaints, the Head of Chambers, other members of Chambers who deal with complaints, the Bar Standards Board, and the Legal Ombudsman

  • other regulatory authorities

  • current, past or prospective employers

  • education and examining bodies

  • business associates, professional advisers and trade bodies, e.g. the Bar Council

  • the intended recipient, where you have asked a Barrister to provide a reference

  • the general public in relation to the publication of legal judgments and decisions of courts and tribunals

  • data processors, such as Chambers staff, IT support staff, email providers and data storage providers

  • public sources, such as the press, public registers and law reports. 

Transfer of your information outside the European Economic Area (EEA)

This privacy notice is of general application and as such it is not possible to state whether it will be necessary to transfer your information out of the EEA in any particular case or for a reference. However, if you reside outside the EEA, or your case or the role for which you require a reference involves persons, organisations, courts or tribunals outside the EEA, then it may be necessary to transfer some of your data to that country outside the EEA for that purpose. If you are in a country outside the EEA, or if the instructions you provide come from outside the EEA, then it is inevitable that information will be transferred to those countries. If this applies to you and you wish additional precautions to be taken in respect of your information, please indicate this when providing initial instructions.

Some countries and organisations outside the EEA have been assessed by the European Commission and their data protection laws and procedures found to show adequate protection. The list can be found here. Most do not. If your information has to be transferred outside the EEA, then it may not have the same protections and you may not have the same rights as you would within the EEA.

A Barrister or Chambers may transfer your personal information to the following, which are located outside the European Economic Area (EEA):

  • Cloud data storage services based in the USA who have agreed to comply with the EU-U.S. Privacy Shield, in order to store your data and/or backup copies of your data so that the Barrister may access your data when they need to. The USA does not have the same data protection laws as the EU but the EU-U.S. Privacy Shield has been recognised by the European Commission as providing adequate protection. To obtain further details of that protection see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en.

  • Cloud data storage services based in Switzerland, in order to store your data and/or backup copies of your data so that the Barrister may access your data when they need to. Switzerland does not have the same data protection laws as the EU but has been recognised by the European Commission as providing adequate protection; see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

If a Barrister decides to publish a judgment or other decision of a Court or Tribunal containing your information, then this will be published to the world.

A Barrister will not otherwise transfer personal information outside the EEA except as necessary for providing legal services or for any legal proceedings.

If you would like any further information, please use the contact details at the end of this document.

How long will a Barrister and Chambers store your personal data?

They will normally store all your information:

  • until at least 7 years from the date of the last item of work carried out, the date of the last payment received or the date on which all outstanding payments are written off, whichever is the latest. This is because it may be needed for potential legal proceedings, such as appeals out of time to an appellate court. At this point any further retention will be reviewed and the data will be marked for deletion or marked for retention for a further period. The latter retention period is likely to occur only where the information is needed for legal proceedings, regulatory matters or active complaints. Deletion will be carried out without further notice to you as soon as reasonably practicable after the data is marked for deletion.

  • They will store some of your information which may be needed to carry out conflict checks for the rest of the Barrister's career. However, this is likely to be limited to your name, date of birth and the name of the case. This will not include any highly sensitive material.

  • Information related to anti-money laundering checks will be retained until six years after the completion of the transaction or the end of the business relationship, whichever is the later.

  • Names and contact details held for marketing purposes will be stored indefinitely or until the Barrister or their Clerks become aware or are informed that the individual has ceased to be a potential client.

Consent

As explained above, a Barrister and Chambers are relying on your explicit consent to process your information in highly sensitive categories. You provided this consent when you agreed that the Barrister would provide legal services.

You have the right to withdraw this consent at any time, but this will not affect the lawfulness of any processing activity they have carried out prior to you withdrawing your consent. However, where they also rely on other bases for processing your information, you may not be able to prevent processing of your data. For example, if you have asked a Barrister to work for you and they have spent time on your case, you may owe them money which they will be entitled to claim.

If there is an issue with the processing of your information, please contact the Clerks using the contact details below.

Your Rights

Under the GDPR, you have a number of rights that you can exercise in certain circumstances. These are free of charge. In summary, you may have the right to:

  • Ask for access to your personal information and other supplementary information;

  • Ask for correction of mistakes in your data or to complete missing information a Barrister or Chambers hold on you;

  • Ask for your personal information to be erased, in certain circumstances;

  • Receive a copy of the personal information you have provided to a Barrister and to Chambers or have this information sent to a third party. This will be provided to you or the third party in a structured, commonly used and machine readable format, e.g. a Word file;

  • Object at any time to processing of your personal information for direct marketing;

  • Object in certain other situations to the continued processing of your personal information;

  • Restrict the processing of your personal information in certain circumstances;

  • Request not to be subject to automated decision-making which produces legal effects that concern you or affects you in a significant way.

If you want more information about your rights under the GDPR, please see the guidance from the Information Commissioner's Office on individuals' rights under the GDPR.

If you want to exercise any of these rights, please:

  • Use the contact details at the end of this document;

  • A Barrister or Chambers may need to ask you to provide other information so that you can be identified;

  • Please provide a contact address so that you can be contacted to request further information to verify your identity;

  • Provide proof of your identity and address;

  • State the right or rights that you wish to exercise.

You will receive a response within one month of your request being received.

How to make a complaint

The GDPR also gives you the right to lodge a complaint with the Information Commissioner’s Office if you are in the UK, or with the supervisory authority of the Member State where you work, normally live or where the alleged infringement of data protection laws occurred. The Information Commissioner’s Office can be contacted at http://ico.org.uk/concerns/.

Future Processing

Chambers and Barristers do not intend to process your personal information except for the reasons stated within this privacy notice. If this changes, this privacy notice will be amended and placed on the website.

Changes to this privacy notice

This privacy notice was published on 24 May 2018 and last updated on 24 May 2018.

Chambers continually reviews its privacy practices and may change this policy from time to time. When it is amended it will be placed on the website.

Contact Details

If you have any questions about this privacy notice or the information Chambers holds about you, please write to the Chambers Data Protection lead - Andrew Johnson, 5 Paper Buildings, London, EC4Y 7HB.


Data Breach Policy


5 Paper Buildings is committed to its obligations under the regulatory system and in accordance with the GDPR, and maintains a robust and structured programme for compliance and monitoring. We carry out frequent risk assessments to ensure that our compliance processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary. However, we recognise that breaches can occur, hence this policy states our intent and objectives for dealing with such incidents.

Although we understand that not all risks can be mitigated, we operate a robust and structured system of controls, measures and processes to help protect data subjects and their personal information from any risks associated with processing data. The protection and security of the personal data that we process is of paramount importance to us and we have developed data specific protocols for any breaches relating to the GDPR and the data protection laws.

Purpose

The purpose of this policy is to provide the Chambers intent, objectives and procedures regarding data breaches involving personal information. As we have obligations under the GDPR, we also have a requirement to ensure that adequate procedures, controls and measures are in place and are disseminated to all members of Chambers and employees; ensuring that they are aware of the protocols and reporting lines for data breaches. This policy details our processes for reporting, communicating and investigating such breaches and incidents.

Scope

This policy applies to all Barristers and Staff within the Chambers. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

Data Security & Breach Requirements

Chambers' definition of a personal data breach is any security incident, lack of controls, system or human failure, error or issue that leads to, or results in, the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Alongside our 'Privacy by Design' approach to protecting data, we also have a legal, regulatory and business obligation to ensure that personal information is protected whilst being processed by Chambers. Our technical and organisational measures are detailed in our Data Protection Policy & Procedures.

We carry out information audits to ensure that all personal data processed by us is adequately and accurately identified, assessed, classified and recorded. We carry out risk assessments that assess the scope and impact of any potential data breach, both on the processing activity and on the data subject. We have implemented adequate, effective and appropriate technical and organisational measures to ensure a level of security appropriate to the risks, including (but not limited to):

  • Pseudonymisation and encryption of personal data

  • Restricted access and biometric measures

  • Reviewing, auditing and improvement plans for the ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Disaster Recovery and Business Continuity Plan to ensure up-to-date and secure backups and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Audit procedures and stress testing on a regular basis to test, assess, review and evaluate the effectiveness of all measures in compliance with the data protection regulations

  • Frequent and ongoing data protection training programs for all employees

  • Staff assessments and regular knowledge testing to ensure a high level of competency, knowledge and understanding of the data protection regulations and the measures we have in place to protect personal information

  • Reviewing internal processes to ensure that where personal information is transferred, disclosed, shared or is due for disposal; it is rechecked and authorised by the Data Protection Officer

Objectives

  • To adhere to the GDPR and UK Data Protection laws and to have robust and adequate procedures and controls in place for identifying, investigating, reporting and recording any data breaches

  • To develop and implement adequate, effective and appropriate technical and organisational measures to ensure a high level of security with regards to personal information

  • To utilise information audits and risk assessments for mapping data and to reduce the risk of breaches

  • To have adequate and effective risk management procedures for assessing any risks presented by processing personal information

  • To ensure that any data breaches are reported to the correct regulatory bodies within the timeframes set out in any regulations, codes of practice or handbooks

  • To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring

  • To use the Data Breach Incident Form for all data breaches, regardless of severity, so that any patterns in causes can be identified and corrected

  • To protect consumers, clients and employees, including their information and identity

  • To ensure that, where applicable, the Data Protection Officer is involved in and notified about all data breaches and risk issues

  • To ensure that the Supervisory Authority (ICO) is notified of any data breach (where applicable) with immediate effect and at the latest within 72 hours of the Data Protection Officer becoming aware of the breach.

Data Breach Procedures & Guidelines

Chambers has robust objectives and controls in place for preventing data breaches and for managing them in the rare event that they do occur. Our procedures and guidelines for identifying, investigating and notifying breaches are detailed below. Our documented breach incident policy aims to mitigate the impact of any data breaches and to ensure that the correct notifications are made.

Breach Monitoring & Reporting

Chambers has appointed a Data Protection Officer who is responsible for the review and investigation of any data breach involving personal information, regardless of the severity, impact or containment. All data breaches are reported to this person with immediate effect, after which the procedures detailed in this policy are followed.

All data breaches will be investigated, even in instances where notifications and reporting are not required, and we retain a full record of all data breaches to ensure that gap and pattern analysis are available and used. Where a system or process failure has given rise to a data breach, revision to any such process is recorded in the Change Management and Document Control records.

Breach Incident Procedures

Identification of an Incident

As soon as a data breach has been identified, it is reported to the Head of Chambers, the Senior Clerk and the Data Protection Officer immediately so that breach procedures can be initiated and followed without delay.

Reporting incidents in full and with immediate effect is essential to the compliant functioning of Chambers and is not about apportioning blame. These procedures are for the protection of the Chambers, Barristers, its staff, clients and third parties and are of the utmost importance for legal regulatory compliance.

As soon as an incident has been reported, measures must be taken to contain the breach. Such measures are not in the scope of this document due to the vast nature of breaches and the variety of measures to be taken; however, the aim of any such measures should be to stop any further risk/breach to the organisation, customer, client, third-party, system or data prior to investigation and reporting. The measures taken are noted on the incident form in all cases.

Breach Recording

Chambers utilises a Breach Incident Form for all incidents, which is completed for any data breach, regardless of severity or outcome. Completed forms are logged in the Breach Incident Folder (electronic) and reviewed against existing records to ascertain patterns or reoccurrences.

In cases of data breaches, the Data Protection Officer is responsible for carrying out a full investigation, appointing the relevant staff to contain the breach, recording the incident on the breach form and making any relevant and legal notifications. The completion of the Breach Incident Form is only to be actioned after containment has been achieved.

A full investigation is conducted and recorded on the incident form, with the outcome being communicated to all staff/barristers involved in the breach, in addition to the Head of Chambers. A copy of the completed incident form is filed for audit and documentation purposes.

If applicable, the Supervisory Authority and the data subject(s) are notified in accordance with the GDPR requirements. The Supervisory Authority protocols are to be followed and their 'Security Breach Notification Form' should be completed and submitted. In addition, any individual whose data or personal information has been compromised is notified if required, and kept informed throughout the investigation, with a full report being provided of all outcomes and actions.

Breach Risk Assessment

Human Error

Where the data breach is the result of human error, an investigation into the root cause is to be conducted.

A review of the procedure(s) associated with the breach is conducted and a full risk assessment completed in accordance with the Chambers Risk Assessment Procedures. Any identified gaps that are found to have caused/contributed to the breach are revised and risk assessed to mitigate any future occurrence of the same root cause.

Resultant outcomes of such an investigation can include, but are not limited to:

  • Re-training in specific/all compliance areas

  • Re-assessment of compliance knowledge and understanding

  • Suspension from compliance related tasks

System Error

Where the data breach is the result of a system error or failure, the IT support providers are to work in conjunction with the Data Protection Officer to assess the risk and investigate the root cause of the breach. A gap analysis is to be completed on the system(s) involved and a full review and report added to the Breach Incident Form.

Any identified gaps that are found to have caused or contributed to the breach are to be revised and risk assessed to mitigate and prevent any future occurrence of the same root cause. Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:

  • Attempting to recover any lost equipment or personal information

  • Shutting down an IT system

  • Removing an employee from their tasks

  • The use of back-ups to restore lost, damaged or stolen information

  • Making the building secure

  • If the incident involves any entry codes or passwords, then these codes must be changed immediately and members of staff informed

Assessment of Risk and Investigation

The Data Protection Officer should ascertain what information was involved in the data breach and what subsequent steps are required to remedy the situation and mitigate any further breaches.

The lead investigator should look at:

  • The type of information involved

  • Its sensitivity or personal content

  • What protections are in place (e.g. encryption)

  • What happened to the information and where it is now

  • Whether there are any wider consequences or implications of the incident

The appointed lead should keep an ongoing log and clear report detailing the nature of the incident, steps taken to preserve any evidence, notes of any interviews or statements, the assessment of risk/investigation and any recommendations for future work/actions.

Breach Notifications

Chambers recognises its obligation and duty to report data breaches in certain instances. All staff and Barristers have been made aware of Chambers' responsibilities and we have developed strict internal reporting lines to ensure that data breaches falling within the notification criteria are identified and reported without delay.

Supervisory Authority Notification

The Supervisory Authority is to be notified of any breach where it is likely to result in a risk to the rights and freedoms of individuals. These are situations which, if the breach were ignored, would lead to significant detrimental effects on the individual.

Where applicable, the Supervisory Authority is notified of the breach no later than 72 hours after Chambers becomes aware of it, and is kept informed throughout any breach investigation, being provided with a full report, including outcomes and mitigating actions, as soon as possible and always within any specified timeframes.

If for any reason it is not possible to notify the Supervisory Authority of the breach within 72 hours, the notification will be made as soon as is feasible, accompanied by reasons for any delay. Where a breach is assessed by the DPO and deemed to be unlikely to result in a risk to the rights and freedoms of natural persons, we reserve the right not to inform the Supervisory Authority, in accordance with Article 33 of the GDPR.

The notification to the Supervisory Authority will contain:

  • A description of the nature of the personal data breach

  • The categories and approximate number of data subjects affected

  • The categories and approximate number of personal data records concerned

  • The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)

  • A description of the likely consequences of the personal data breach

  • A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)


Breach incident procedures are always followed and an investigation carried out, regardless of our notification obligations and outcomes, with reports being retained and made available to the Supervisory Authority if requested.

Where Staff act in the capacity of a processor, we will ensure that the data controller (the Barrister) is notified of the breach without undue delay. In instances where Barristers act in the capacity of a controller using an external processor, we have a written agreement in place stating that the processor is obligated to notify us without delay after becoming aware of a personal data breach.

Data Subject Notification

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will always communicate the personal data breach to the data subject without undue delay, in a written, clear and legible format.

The notification to the Data Subject shall include:

  • The nature of the personal data breach

  • The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)

  • A description of the likely consequences of the personal data breach

  • A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)

We reserve the right not to inform the data subject of any personal data breach where we have implemented the appropriate technical and organisational measures which render the data unintelligible to any person who is not authorised to access it or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise.

If informing the data subject of the breach involves disproportionate effort, we reserve the right to instead make a public communication whereby the data subject(s) are informed in an equally effective manner.