Privacy Policy

Introduction

This policy summarises the key points about how Elliott Duffy Garrett collects, uses and discloses personal data and ensures compliance with the GDPR and Data Protection Act.
Clients should read this policy alongside the Terms and Conditions of Engagement that we issue to you.

Definitions

Data Controller:

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Firm is the Data Controller of all Personal Data relating to our staff and Personal Data used in our business for our own commercial purposes;

Data Subject:

Any living individual who is the subject of Personal Data;

Personal Data:

means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and includes data held electronically or in a Relevant Filing System;

Processing:

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Relevant Filing System:

any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible according to specific criteria;

Special Categories of Data:

Data that relates to racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sex life or sexual orientation, genetic data and biometric data.
Data in relation to criminal offences and proceedings is not included in the definition of Special Categories of Data but similar safeguards will apply in relation to processing such data;

Responsibilities:

The Firm is the data controller of the personal data we process and therefore is responsible for ensuring our systems, processes, suppliers and staff comply with data protection laws in relation to the information we handle. 
All staff must abide by this policy and our Data Protection Policy when handling personal data and must take part in any required data protection training. Any breach will be taken seriously and may result in disciplinary action.

Principles of Data Protection

The Firm has adopted the principles below to govern our use, collection and disclosure of personal data. Data will be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’);
3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’);
4. accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’);
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; (‘storage limitation’);
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Collection, Use and Disclosure

As a Firm the type of data we collect and process falls into one of the following categories:

• personal data obtained and created in relation to providing legal services;
• personal data relating to our staff;
• personal data relating to suppliers of goods and services to the Firm;
• personal data relating to subscribers to our bulletins  and other promotional materials;

Personal data will only be processed where one of the following conditions is met:the processing is necessary for the purposes of the legitimate interests of the Firm (which are the provision of legal services to clients & the effective management of the Firm);

• the processing is necessary  for the purposes of the legitimate interests of the Firm (which are the provision of legal services to clients & the effective management of the Firm);
• the processing is necessary for compliance with any legal obligation to which the Firm  is subject;
• the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• the data subject has consented; or
• the processing is necessary to protect the vital interests of the data subject or another person;

Where the provision of personal data is a statutory or contractual requirement or a requirement relating to entering into a contract, if you fail to provide that data it might affect our ability to enter into a contract with you or to continue to provide services to you.

The table below provides a summary of how we collect and use personal data:

Providing Legal Services

EDG Staff, Work Experience, Placement Students, Contract Workers & Job Applicants

Suppliers of goods and services

Subscribers to our bulletins and other promotional material

Partnership Organisations (eg. nominated charities, partner training organisations etc)

Individuals’ Rights

Personal data must be processed in line with individuals’ rights, including the right to:

• request access  to their Personal Data;
• receive certain information about the Firm’s processing activities;
• request that their inaccurate Personal Data is corrected;
• restrict processing in specific circumstances;
• erasure;
• object to processing;
• rectify inaccurate data;
• to withdraw consent to processing if that is the basis on which the data is processed;
• be notified of a Data Breach which is likely to result in high risk to their rights and freedoms; and
• complain to the Information Commissioners Office

Should you wish to make a request in line with your rights as an individual, please forward it to the Managing Partner of Elliott Duffy Garrett. Further information on these rights is available at the Information Commissioners website https://ico.org.uk/.
Staff must notify or inform the Managing Partner or Partner responsible for Data Protection immediately if they receive a request in relation to personal data which the Firm processes. 

Data Retention

The Firm operates the following data retention periods:

• Manual files are destroyed after 10 years save for property transaction files which are destroyed after 15 years (in exceptional circumstances, files may be kept indefinitely e.g. at the client’s request) ;
• Staff personnel files are retained for 7 years after a member of staff has left the Firm;
• Job applicants  data will be kept for no longer than is necessary, usually 12 months from the recruitment exercise (fair employment monitoring information for 3 years) ;
• Partners files are retained indefinitely;
• Electronic files are retained indefinitely;
• Anti- Money Laundering information is retained indefinitely.

How to Make a Complaint

You should direct all complaints relating to how the Firm has processed your personal data to the Managing Partner.
Staff  must inform the Managing Partner or Partner responsible for Data Protection  immediately if they receive a complaint relating to how the Firm has processed personal data so the Firm can respond to the  complaint.

Security

Information security is a key element of data protection.  The Firm takes appropriate measures to secure personal data and protect it from loss or unauthorised disclosure or damage.