GDPR

Data Protection Policy - Martin A Harvey & Company Solicitors


Introductory Statement

The firm's data protection policy is set out below. It explains how personal data on clients, staff and other parties are kept and how the data is protected. It also sets out the circumstances in which this data may be processed.

The firm's data protection policy was formulated upon commencement of the EU General Data Protection Regulation.

Scope

The policy applies to the keeping and processing of personal data, both in manual form and on computer, including personal data held on clients and staff and other parties.

Data: means information in a form which can be processed. It includes automated data (information on computer or information recorded with the intention of putting it on computer) and manual data (information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system).

Relevant filing system: means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.

Personal data: means data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Data Controller: A data controller is the individual or legal entity which controls the contents and use of personal data.

Data Processor: A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of his/her employment.

The policy applies to all of the firm's clients, staff and other parties insofar as the measures under the policy relate to them.

Rationale

It is necessary to devise a data protection policy at this time as the firm is obliged to comply with the EU General Data Protection Regulation.

Goals/Objectives

The objectives of the data protection policy include the following:

To ensure that the firm complies with the General Data Protection Regulation.

To ensure that the data protection rights of clients, staff and other third parties are safeguarded.

Policy Content

Details of all personal data which will be held, the format in which it will be held and the purpose(s) for collecting the data in each case

Staff records: These may include:

  • Name, address and contact details, PPS number
  • Original records of application and appointment
  • Record of appointments to promotion posts
  • Details of approved absences (career breaks, parental leave, study leave etc.)
  • Details of work record (qualifications, roles, cases worked on, etc)
  • Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.
  • These records will be kept in the format of manual records (personal file within filing system), computer records (database) or both.
  • Purpose for keeping staff records may include: to facilitate the payment of staff, to facilitate pension payments in the future, a record of promotions made etc.


Client records: These may include:

  • Information which may be sought and recorded at engagement, including:
  • name, address and contact details (phone numbers, email addresses, etc), PPS number
  • religious belief
  • racial, ethnic or national origin
  • membership of the Traveller community, where relevant
  • any relevant special conditions (health issues etc.) which may apply
  • Information on previous case record
  • Medical assessments and records, including psychological or psychiatric reports and correspondence
  • Attendance notes
  • Bank account details
  • These records will be kept in the format of manual records (personal file within filing system), computer records (database) or both.


Purpose for keeping client records may include:

  • to enable the firm to act for and represent the client in the provision of legal services by having all the necessary information to do so,
  • to comply with legislative or administrative requirements.


Other records: These may include:

  • Name, address and contact details of witnesses and expert witnesses
  • Records in relation to qualifications and engagement of expert witnesses
  • Records of meetings and correspondence with the firm which may include references to particular individuals.
  • These records will be kept in the format of manual records (personal file within filing system), computer records (database) or both.


Purpose for keeping other records may include:

  • to enable the firm to act for and represent the client in the provision of legal services by having all the necessary information to do so,
  • to comply with legislative or administrative requirements,


Details of arrangements in place to ensure compliance with the rules of data protection

The policy sets out the arrangements in place to ensure that all personal data records held by the firm are obtained, processed, used and retained in accordance with the following rules of data protection (based on Data Protection legislation, including the GDPR):

1. Obtain and process information fairly:
Procedures are in place to ensure that clients, staff members and other parties are made fully aware, when they provide personal information, of the identity of the persons who are collecting it, the purpose in collecting the data, the persons or categories of persons to whom the data may be disclosed and any other information which is necessary so that processing may be fair.

Personal information is processed fairly in accordance with Data Protection legislation, including the GDPR, with consent being obtained from clients, staff members and other parties where required.

Sensitive personal information is processed fairly in accordance with the Data Protection legislation, including the GDPR, with explicit consent being obtained from clients, staff members and other parties, where required.

2. Keep it only for one or more specified, explicit and lawful purposes:
Persons whose data is collected should know the reason(s) why it is collected and kept

The purpose for which the data is collected and kept is a lawful one

3. Use and disclose it only in ways compatible with these purposes:
Data is to be used only in ways consistent with the purpose(s) for which it was obtained

Data should be disclosed only in ways consistent with that purpose

Procedures are in place, in accordance with the Data Protection legislation, including the GDPR, to facilitate the transfer of information to another firm should the client transfer.

The circumstances in which personal data will be disclosed to third parties, including the Courts Service, the Gardaí, etc., should be in accordance with the Data Protection legislation, including the GDPR.

4. Keep it safe and secure:

  • Appropriate security measures should be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
  • Access to the information (including authority to add/amend/delete records) is restricted to authorised staff on a need to know basis
  • Computer systems are password protected
  • Information on computer screens and manual files should be kept out of view of callers to the office
  • Back-up procedures are in operation for computer held data, including off-site back-up
  • All reasonable measures are taken to ensure that staff are made aware of the security measures, and comply with them
  • All waste papers, printouts etc. should be disposed of carefully
  • A designated person is responsible for security
  • There are periodic reviews of the measures and practices in place
  • The office premises are secure when unoccupied


5. Keep it accurate, complete and up-to-date:

6. Ensure that it is adequate, relevant and not excessive:

  • The information held is adequate in relation to the purpose(s) for which it is kept
  • The information held is relevant in relation to the purpose(s) for which it is kept
  • The information held is not excessive in relation to the purpose(s) for which it is kept


7. Retain it for no longer than is necessary for the purpose or purposes:

  • A defined policy is in place for the retention periods for all items of personal data kept
  • In general, personal data should not be kept for any longer than is necessary to fulfil the function for which it was first recorded. Retention times cannot be rigidly prescribed to cover every possible situation and the firm will exercise its individual judgement in this regard in relation to each category of records held.
  • In this regard a key consideration is that the firm is required to retain files in accordance with law and court rules for defined periods of time.
  • In compliance with data protection legislation and the EU GDPR in particular, the firm will endeavour not to retain files and data beyond the period for which we are obliged to do so. Thereafter, to protect your privacy and in compliance with data protection legislation, the firm will shred same. The firm is specifically obliged not to retain data beyond what is a necessary time frame.
  • Under data protection legislation you have the right to access your personal data as collected, processed and held by us. In this context we also reserve the right to keep your original file, and not to provide you with a copy, as security for any costs in the event that we have not been paid for our services. This is called the solicitor's lien.


8. Give a copy of his/her personal data to that individual on request:
On making an access request any individual (subject to any restrictions in law, the Data Protection legislation, including the GDPR) about whom you keep personal data, is entitled to:

  • a copy of the data which is kept about him/her
  • know the purpose/s for processing his/her data
  • know the identity of those to whom the data is disclosed
  • know the source of the data, unless it is contrary to public interest
  • a copy of any data held in the form of opinions, except where such opinions were given in confidence.
  • To make an access request, an individual must:
  • apply in writing
  • give any details which might be needed to help identify him/her and locate all the information you may keep about him/her
  • pay an access fee as charged by the firm for administrative costs.
  • Handling access requests:
  • The Partner of the firm, Mr. William Harvey, is responsible for handling access requests
  • Proof of identity is required in order to access personal data
  • Clear coordinated procedures are in place to ensure that all relevant manual files and computers are checked for the data in respect of which the access request is made
  • A procedure is in place to rectify or erase any inaccurate information as identified by the individual on whom the data is kept, within one month of the request being made
  • Information should be supplied promptly and within one month of receiving the request
  • Information should be provided in a form which is clear to the ordinary person