This Privacy Notice explains how we at GN Law will collect and process any data that you give us. It also sets out your rights under the General Data Protection Regulations (GDPR).
This notice will mainly address issues that affect our relationship with our clients. However, it also covers current staff, potential staff and any other third parties who we might come into contact with during the operation of the firm.
Your personal data
What we need and why we need it
Guile Nicholas Ltd are what’s known as the ‘controller’ of the data that you provide to us in order for us to follow your instructions on the legal matter that you have asked us to help you with or that we need as your employer, prospective employer or for the operation of our business relationship with you.
We will only ask you for data and personal information that we need, either to enable us to comply with our professional obligations (such as needing ID for Money Laundering checks) or to enable us to run your case, respond to complaints, receive payment from you or to pay money to you.
The meaning of ‘personal data’ is any data that allows someone else to identify you. This can include paper documents, electronic documents or e-mails, and photographs or video.
For clients, we will need your personal details (full name, address, DOB, NI number, etc) as well as other data that is pertinent to your case and that we need in order to understand your instructions and/or to ensure that we have fully explored the instructions that you have given us to ensure that we provide you with the best and most accurate advice that we can. This additional data might include sensitive medical information and/or details of previous convictions.
What we do with your data
The data that clients provide to us is kept in a number of different places as follows:
- On your paper file if you are a client
- On our cloud-based file management system (Osprey Approach – from Pracctice Ltd – their Privacy notice can be found at http://ospreylegalcloud.co.uk/privacy-and-cookie-policy/.
- In e-mails kept on our e-mail server based in our office at 43 Lodge Lane, London, N12 8JG.
- Once a client matter has concluded, your paper file is stored with Oasis. Their privacy notice can be found at https://www.oasisgroup.com/terms-of-use.230.html.
- In client cases funded by ‘Legal Aid’, the Legal Aid Agency will also have your data (i.e. all data provided on your funding application form together with any additional information – barrister’s advices, medical reports, etc) which they will store in both paper and digital formats.
It is inevitable that we will need to share/process some of the data we have been given by clients with other parties during the conduct of your case. These parties may include:
- Solicitors on acting for our opponents
- Barrister(s) that we have instructed to help with your case
- Medical experts/companies that we have instructed on your behalf
- Costs draftsmen
You will see from this list that these are all agencies that we necessarily need to be in contact with in order to advance your case and follow your instructions and/or to deal with claiming our costs at the conclusion of the case. In instructing us, you are consenting to use using your data for the purpose of advancing your case and following your instructions. However, we will always explain to you what steps we are taking in your case and will only ever pass on the minimum amount of data that is necessary to achieve that end.
You will see from the section below entitled ‘Your Rights’ that you can withdraw your consent to use processing your data at any time, e.g. you could instruct us in writing not to disclose your medical records. However, please be aware that any withdrawal of consent may prevent us from being able to follow your instructions or may cause us professional embarrassment. In those circumstances, it may be that we will be unable to continue to act for you.
Cookies and Website Use
Please also be advised that when you visit this website, cookies will be used to collect information about you such as your Internet Protocol (IP) address which connects your computer or mobile device to the Internet, and information about your visit such as the pages you viewed or searched for, pages response times, download errors etc. We do this so that we can measure our website’s performance and make improvements in the future. Cookies are also used to enhance this website’s functionality and personalisation, which includes sharing data with third party organisations. You can control this by adjusting your cookies settings.
If you download any of our free guides from the website, none of the data we may collect to facilitate that download will be processed by us or shared with any third parties.
Under the GDPR, you have a number of rights that you are able to exercise when it comes to your data. These are set out below with a brief description of each one and an explanation as to how that right operates so far as your data with us is concerned.
Lawful, fair and legitimate purposes
Right - You have the right only to have your data controlled (kept and stored) and processed (used and/or disclosed to others) for lawful, fair and legitimate purposes.
Our approach - You have brought your case to us and asked us to help you with your legal matter. Most (if not all) of the data we control and process will have been given to us by your for this purpose, with your full knowledge and consent.
The purpose limitation principle
Right - data should only be processed for a specific purpose and must not be used for an incompatible purpose for which it was given/obtained.
Our approach - we will only collect and process data that we need to advise you and follow your instructions. We will not use your data for any other purpose without your express consent unless we are compelled to do so by a professional obligation. For example, we will not use your data for direct marketing unless you have expressly given your consent for that.
Data quality and proportionality
Right - the data held should be accurate and kept up to date and we should only hold that which we need.
Our approach - we will try to ensure that all data we hold is accurate. If you discover that it is not, please notify the person responsible for your file in writing and we will rectify the error. We will only store the data that we need to run your file and, once the matter is concluded, we will only archive, store and keep the data that is necessary.
Security and confidentiality
Right - your data must be controlled and processed securely and guarded against unlawful and unauthorised processing and accidental loss, destruction or damage.
Our approach - we have taken all reasonable steps to try to ensure that the data we hold for you is as safe as it can be both in relation to the paper file and digital format. Our IT System security is reviewed annually as part of our annual review of our Data Protection Policy and is subjected to penetration testing. The systems we have in place to keep your data safe are too numerous to set-out in this Privacy Notice. A copy of our Data Protection Policy is available on request.
The transparency principle
Right - you have the right to be given information by GN Law about who your data will be processed in a clear and accessible way that’s easy to understand. You should be told the purpose of the processing, who the data controller is, your rights and any other information you need to make the processing fair.
Our approach - we believe we have followed this principle in the drafting of this Privacy Notice. We will also endeavour to follow it in all our communications and correspondence with you during the life of your case. All our staff receive regular training on the principles under the GDPR.
Right of access, rectification and the right to be forgotten
Right - you have the right to access any data held by us, to have it rectified if it’s inaccurate and to have it destroyed (to be forgotten) if you no longer want us to keep it.
Our approach Access - if you want access to or copies of any data that we hold, you need to contact the solicitor in charge of and/or supervising your case and tell them in writing what documents or data you are seeking – you must be specific. You also have the right to ask to receive the data in a specific format. We have one calendar month to respond to that request that request, or three months if the request is complex. We will not charge for providing the data unless the request is unfounded or excessive or repetitive. If a charge is made, it will be a sum to cover the administrative cost of providing the data.
Rectification – if you believe that any of the data we hold for you is inaccurate, please contact the solicitor/supervisor in charge of your file and set out, in writing, the specific detail of what you believe to be inaccurate. We have one month to rectify any mistakes, including ensuring anyone that we have sent the data in question to also rectifies what they are holding. If the rectification is complex, we may take as long as three months. If we refuse to rectify the data in question, we will explain why and you will have the right to complain (within one month) to the ICO (see below under ‘Complaints’).
Right to be forgotten – while you have the legal right to have your data removed or destroyed, we have a competing right to keep certain data for certain reasons including maintaining insurance cover that protects both the firm and our clients. We cannot, therefore, guarantee that we will agree to remove/destroy your data on request. We are entitled to keep your file, once the matter is concluded, for a minimum period of six years, this being the period during which a negligence claim could be brought against us. Where our client was a child, this six-year period runs from the date of their majority, i.e. their 18th birthday and not the date of the conclusion of the case. In Legal Aid cases, we also have a duty to retain your file for audit. However, consideration will be given to the papers we hold at the conclusion of your case to what data we need to keep and in what format (i.e. paper and/or digitally). We will only retain that which we feel is necessary. In addition, a minimum amount of data (i.e. less than we would keep for the purposes of defending a claim against us) may need to be kept for a longer period of time to ensure that we are able to comply with our professional duty not to act for a client in circumstances where there may be a conflict of interest. We cannot perform that check if we no longer have data about whom we have previously acted for and in what circumstances, i.e. what type of case it was.
For unsuccessful job applicants, we will hold your date for six months to comply with our regulatory duties to retain this information for equality and diversity purposes.
In all the above circumstances (access, rectification and destruction) your request needs to meet the requirements below:
- It must be in writing
- It must be specific to what data is sought
- It must be specific to how you want the data to be provided to you
- You must provide ID at the time of the request
- You must pay the administration fee sought if the payment of a fee is required
Notification of breaches
If you believe that there has been a breach by us of your rights in relation to your data then please contact our Data Controller immediately and set out in writing what you believe the breach was, when it occurred and any impact the breach has had upon you.
Our legal duties in relation to breaches that we become aware of are to report these, within 72 hours, to the ICO if we believe that the breach is likely to result in a risk to your rights or your freedom. Additionally, we have a duty to tell you of the breach if we believe that the risk to your rights and freedoms is high.
If you have any complaints about the way that your data is controlled and/or processed by us then you have the right to complain to the Information Commissioners Office (ICO). The address if the ICO is:
Tel: 01625 545 745
If you do wish to complaint to the ICO then you must do so within one month.