Privacy Policy - Donaghy Carey Solicitors

Introduction
This policy summarises the key points about how Donaghy Carey Solicitors collects, uses and discloses personal data and ensures compliance with the GDPR and Data Protection Act.
Clients should read this policy alongside the Terms and Conditions of Engagement that we issue to you.

Definitions
Data Controller:  means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Firm is the Data Controller of all Personal Data relating to our staff and Personal Data used in our business for our own commercial purposes;
Data Subject: Any living individual who is the subject of Personal Data;
Personal Data : means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and includes data held electronically or in a Relevant Filing System;
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Relevant Filing System: any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible according to specific criteria;
Special Categories of Data: Data that relates to racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sex life or sexual orientation, genetic data and biometric data.
Data in relation to criminal offences and proceedings is not included in the definition of Special Categories of Data but similar safeguards will apply in relation to processing such data;

Responsibilities
The Firm is the data controller of the personal data we process and therefore is responsible for ensuring our systems, processes, suppliers and staff comply with data protection laws in relation to the information we handle.
All staff must abide by this policy and our Data Protection Policy when handling personal data and must take part in any required data protection training. Any breach will be taken seriously and may result in disciplinary action.
Principles of Data Protection
The Firm has adopted the principles below to govern our use, collection and disclosure of personal data. Data will be:
(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b)     collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’);
(c)      adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’);
(d)     accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’);
(e)      kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; (‘storage limitation’);
(f)      processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Collection, Use and Disclosure
As a Firm the type of data we collect and process falls into one of the following categories: –

personal data obtained and created in relation to providing legal services;
personal data relating to our staff;
personal data relating to suppliers of goods and services to the Firm;
personal data relating to subscribers to our bulletins and other promotional materials;

Personal data will only be processed where one of the following conditions is met:

the processing is necessary for the purposes of the legitimate interests of the Firm (which are the provision of legal services to clients & the effective management of the Firm);
the processing is necessary for compliance with any legal obligation to which the Firm is subject;
the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
the data subject has consented; or
the processing is necessary to protect the vital interests of the data subject or another person;

Where the provision of personal data is a statutory or contractual requirement or a requirement relating to entering into a contract, if you fail to provide that data it might affect our ability to enter into a contract with you or to continue to provide services to you.
The table below provides a summary of how we collect and use personal data:
Providing legal services

Types of data	Collection	Use	Disclosure
Information processed for relationship management and file opening procedures such as name, business information and identification documentation. Additional personal data will be processed when individuals are named in matters on which we are advising	Relationship management and file opening information is collected from the client directly and further information (e.g. to verify identity) may be collected from third parties, such as publicly available sources. All additional personal data is collected when supplied to us or created by us in connection with a particular matter on which we are advising. e.g. through clients or other law Firms	Relationship management and file opening data is used for providing legal services, administration, commercial purposes (e.g. creditworthiness) and as required by law (e.g. anti money laundering). All other personal data will be used for the purposes of providing legal services and to comply with our legal/ professional/statutory/ regulatory obligations/internal compliance/ security	Personal data: – may be transferred to service providers; – which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected; -may be disclosed to Courts /Tribunals/legal representatives; -may be disclosed to our clients in the course of providing legal services; – may be disclosed to regulatory bodies, such as the Law Society NI; -may be disclosed to other third parties including, but not limited to, National Crime Agency, professional indemnity insurers, brokers, auditors, Lexcel/ISO inspectors and other professional advisors.

Staff, Work Experience, Placement Students, Contract Workers & Job Applicants

Types of data	Collection	Use	Disclosure
Personal data such as name, address, contact details, education and employment history; information relating to next of kin/ dependants; financial information including bank details and identifiers (e.g. National Insurance numbers); records of your use of the Firm’s IT and information services (e.g. LexisNexis); Also, we may process information revealing sensitive information such as health details, racial origin, religious beliefs and information about offences/ alleged offences.	Personal data will be collected from a number of sources including staff application form/CV; tracking use of the Firm’s IT and information services; notes and records kept throughout employment including absences, annual appraisals and details of any grievances/ disciplinary action;	Personal data will be used for: human resources administration; to assess your suitability for the role; to ensure the Firm’s information and offices are secure; to comply with legal obligations and management purposes. Photographs, education and career information may be used in marketing and promotional material for the Firm including our website, brochures, bids and tenders.	Personal data: – which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected. -will be disclosed where required to comply with legal obligations. -will be shared with tendering bodies so far as required to comply with the tender requirements – will be disclosed for Chambers/Legal 500 submissions in so far as required to market the Firm and member of staff

Suppliers of goods and services

Types of data	Collection	Use	Disclosure
Personal data such as name, address, contact details, financial information including bank details	Personal data will be collected from a number of sources including invoices and contracts	Personal data will be used for: administration and management purposes. All other personal data will be used for the purposes of providing legal services to our clients and to comply with our legal/ professional/statutory/ regulatory obligations/internal compliance/ security	Personal data: – which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected. -will be disclosed where required to comply with legal obligations.

Subscribers to our bulletins and other promotional material

Types of data	Collection	Use	Disclosure
Information such as name and business information (email address, job title, Firm/company ).	Data is collected in our system when you register to receive legal updates. You will also be provided with the option to opt out and/ or be removed from the database with each marketing communication you receive from us.	Personal data will be used to: – contact you with communications about legal updates, breaking news, newsletters and event invitations which we think are relevant to your interests;	Personal data: – which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected; – will not be given to other third parties, apart from in limited circumstances such as, where we run a joint seminar and you book onto it.

Partnership Organisations (e.g. nominated charities, partner training organisations etc.)

Types of data	Collection	Use	Disclosure
Personal data such as name, address, contact details, financial information including bank details	Personal data will be collected from a number of sources including invoices and contracts and directly from the Partnership Organisation.	Personal data will be used for: administration and management purposes and to comply with our legal/ professional/ regulatory obligations/internal compliance/ security	Personal data: – which is shared with third parties will be limited to that which is required for a specific purpose and will be adequately protected. -will be disclosed where required to comply with legal obligations.

Individuals’ Rights
Personal data must be processed in line with individuals’ rights, including the right to:

request access to their Personal Data;
receive certain information about the Firm’s processing activities;
request that their inaccurate Personal Data is corrected;
restrict processing in specific circumstances;
erasure;
object to processing;
rectify inaccurate data;
to withdraw consent to processing if that is the basis on which the data is processed;
be notified of a Data Breach which is likely to result in high risk to their rights and freedoms; and
complain to the Information Commissioners Office

Should you wish to make a request in line with your rights as an individual, please forward it to the Director of Donaghy Carey Solicitors. Further information on these rights is available at the Information Commissioners website https://ico.org.uk/.
Staff must notify or inform the Director immediately if they receive a request in relation to personal data which the Firm processes.
Data Retention
The Firm operates the following data retention periods:

Manual files are destroyed after 10 years save for property transaction files which are destroyed after 15 years (in exceptional circumstances, files may be kept indefinitely e.g. at the client’s request);
Staff personnel files are retained for 7 years after a member of staff has left the Firm;
Job applicant’s data will be kept for no longer than is necessary, usually 12 months from the recruitment exercise (fair employment monitoring information for 3 years) ;
Partners files are retained indefinitely;
Electronic files are retained indefinitely;
Anti- Money Laundering information is retained indefinitely.

How to Make a Complaint
You should direct all complaints relating to how the Firm has processed your personal data to the Director.
Staff must inform the Director immediately if they receive a complaint relating to how the Firm has processed personal data so the Firm can respond to the complaint.
Security
Information security is a key element of data protection. The Firm takes appropriate measures to secure personal data and protect it from loss or unauthorised disclosure or damage.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.