Introduction
Higgins & Co Lawyers Limited maintains certain personal data about individuals for the purposes of satisfying operational and legal obligations. The new General Data Protection Regulation (GDPR) (soon to be incorporated in the Data Protection Act 2018) provides Articles that should be complied with from 25th May 2018 for the processing of people’s personal information or data. Personal data is any information which identifies a living person. Some information is defined as sensitive personal data, and special conditions for processing apply. Sensitive personal data include details of racial origin, health, criminal proceedings or convictions. Processing data covers just about everything that can be done with information held electronically or manually, including obtaining, retrieving, organising and sorting, disclosing or simply holding or storing. Higgins & Co Lawyers Limited recognises the importance of the correct and lawful treatment of personal data.
Examples of personal data which Higgins & Co Lawyers Limited may require from clients include the following and for the reasons ascribed to each:
Name and address of client and date of birth
- To undertake legal services on the client’s behalf
- To comply with regulatory and anti-money laundering procedures
- For marketing purposes
Paper and computer records of legal services work undertaken by the firm on behalf of clients
- To enable us to undertake those legal services
- To comply with recommended practices as to the retention of files
- To enable us to respond to enquiries from clients at a later date
- To enable us to respond to complaints and claims
Legal documents of record
- For safe keeping purposes and at the strict instruction of the client
Names and addresses of business contacts e.g. Barristers, Agents
- To enable the firm to carry out instructions on behalf of the client
- For marketing purposes
Higgins & Co Lawyers Limited fully endorses and adheres to the provisions of GDPR. Employees and others who obtain, handle, process, transport and store personal data for the firm must comply with GDPR, and adhere to Article 5 ‘Principles relating to the processing of data’.
1. Personal data shall be:
a. Processed fairly and lawfully and in a transparent manner in relation to the data subject.
b. Collected for a specific, explicit and legitimate purpose and not further processed in a manner that is incompatible with those purposes.
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
d. Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without undue delay.
e. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
f. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
2. The business shall be responsible for the above and able to demonstrate compliance with 1.a to 1.f above.
Satisfaction of Article 5 Principles Relating to the Processing of Data.
Higgins & Co Lawyers Limited shall:
- Observe fully Articles 1.a to 1.f regarding the fair collection and use of personal data;
- Meet its obligation by the purposes for which personal data is used;
- Collect and process appropriate personal data only to the extent that it is needed to fulfil operational and legal requirements;
- Ensure the quality of personal data used;
- Apply strict checks to determine the length of time personal data is retained;
- Ensure that the rights of individuals about whom the personal data is held, can be fully exercised under GDPR;
- Take the appropriate technical and organisational security measures to safeguard personal data; and
- Ensure that personal data is not transferred abroad without suitable safeguards.
We only collect data as necessary to carry out lawful processing as detailed in our table of legal basis for processing at the end of this Data Protection Policy.
Information Compliance Manager
The Information Compliance Manager for Higgins & Co Lawyers Limited is responsible for compliance with GDPR and implementation of this policy on behalf of the firm. The Information Compliance Manager is Paul Higgins. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Information Compliance Manager.
Status of the Policy
Any breach of this policy will be taken seriously and may result in disciplinary action. Any employee who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with their manager or the firm’s Information Compliance Manager.
Employee Responsibilities
If, as part of their responsibilities, employees collect personal data (e.g. about clients or about employees), they must comply with this policy. All employees are responsible for:
- Checking that any personal data which they provide to Higgins & Co Lawyers Limited is accurate and up to date;
- Informing Higgins & Co Lawyers Limited of any changes to information which they have provided e.g. changes of address;
- Checking any information that Higgins & Co Lawyers Limited may send out from time to time, giving details of information that is being kept and processed.
Data Security
The need to ensure that personal data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that:
- Any personal data which they hold is kept securely;
- Personal data should not be disclosed either orally or in writing or otherwise to any unauthorised third party.
Rights to access information
Employees and other subjects of personal data held by Higgins & Co Lawyers Limited have the right to access any personal data that is being kept about them on computer and also have access to paper-based data held in certain manual filing systems. Any person who wishes to exercise this right should make the request in writing to the firm’s Information Compliance Manager.
Higgins & Co Lawyers Limited reserves the right to charge the maximum fee payable for each subject access request up to 25th May 2018; thereafter all requests will be provided without charge unless a request is determined to be either unreasonable or excessive.
If personal details are inaccurate they can be amended upon request.
Higgins & Co Lawyers Limited aims to comply with requests for access to personal information as quickly as possible and within 40 days of receipt of a completed request up to 25th May 2018; thereafter within 30 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.
Subject Access
All individuals who are the subject of personal data held by Higgins & Co Lawyers Limited are entitled to:
- Obtain a copy of information held about them and why;
- Ask how to gain access to it;
- Be informed how to keep it up to date; and
- Be informed about how we comply with our obligations under GDPR.
Subject Consent
The need to process data for specified purposes should be communicated to all data subjects and is further available in the table provided below. If we intend to market to data subjects in the future we will only do so where we have ‘provable consent’ acquired by way of either a verbal recorded agreement or a preference opt-in from our website form. Consent will be specific to marketing to individuals about mis-sold pensions, investments, SIPPs and other similar investment products.
If an individual could not reasonably foresee how their data will be used it is important that further information be supplied to the individual concerned. Care should be taken not to collect personal data of which the individual is unaware.
Consent must be obtained if the purpose changes. In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data must be obtained. Processing may be necessary by way of legitimate interest, for example to operate Higgins & Co Lawyers Limited’s policies such as health and safety and equal opportunities.
Retention of Data
Higgins & Co Lawyers Limited will keep some forms of information for longer than others. All staff are responsible for ensuring that information is not kept for longer than necessary.
Quality of Data
Personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which the data is processed. Data should be kept to the minimum necessary to meet the stated purpose. Personal data should also be adequate and up to date.
LEGAL BASIS FOR PROCESSING TABLE – Higgins & Co Lawyers Limited
Our use of your data | Legal basis for processing |
---|---|
To carry out our contract with you to provide you with our service/s including claims management services, processing payment and where required provide advice | Necessary for the performance of our contract with you |
To assist you in deciding whether you wish to contract with us to provide you with service/s detailed above | Necessary for consideration prior to entering into contract |
To advise you of any changes to our service | Necessary for the performance of our contract with you or to take steps to enter into a contract with you |
To send you marketing information about our services that may be of interest to you | You have given your consent for us to contact you |
To manage the effectiveness of any online service and deliver the website service to you | You have given your consent for us to track cookies |
To make recommendations about our products and services | You have given your consent for us to contact you |
To make sure that the content of our website is presented as effectively as possible. | Our use of your data is necessary for our legitimate interest of making sure that the service we provide is managed effectively |
To create statistical information which will help us manage the service we provide and make improvements to the service | Our use of your data is necessary for our legitimate interest of making sure that the service we provide is managed effectively |
To monitor our website to make sure it is functioning correctly and to its optimum and to be able to correct any issues to improve the customer journey | Our use of your data is necessary for our legitimate interest of making sure that the service we provide is managed effectively |
To allow our customers to access any interactive features of our website that facilitate account login to access claim information (where applicable). | Our use of your data is necessary for our legitimate interest of making sure that the service we provide is managed effectively |
To protect your data and your identity | Our use of your data is necessary for our legitimate interest of making sure that the service we provide is managed effectively |