The person responsible for this policy is Fred Perrin, Managing and Quality Partner, with the assistance of the Head of Data Protection, Sanjeev Shah. It is subject to an annual documented review for accuracy, appropriateness to the practice’s operations and compliance with the law, the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Solicitors Regulation Authority regulations, as part of the Annual Monitoring Review which takes place after year end (31 March) by the Managing and Quality Partner or by Stacey Atkins as the Compliance Officer.
This policy provides an information management and data protection policy for the effective, efficient and secure processing and storage of Perrin Myddelton’s data, both in electronic and paper formats.
The policy aims to prevent the mismanagement of data, which can result in the following consequences:
- Enforcement action under the General Data Protection Regulation and the Data Protection Act 2018.
- Inability to offer services.
- Reputational and/or financial damage.
- Proceedings for negligence.
- Breach of confidentiality.
- Breach of the Solicitors Code of Conduct 2011.
The following policy document:
- Outlines its scope.
- Describes the various categories and types of data held by and for Perrin Myddelton in respect of clients, employees and relevant third parties.
- Describes the roles, responsibilities and rights of the different types of user in relation to the data.
- Identifies risks associated with the data held.
- Gives an overview of procedures for safeguarding the integrity of electronic and paper data.
It is supported by the Identified Information Storage Assets (Appendix 2) which identifies information storage assets within Perrin Myddelton and/or held by or accessible to external providers, their mode of storage and measures designed for their protection.
Information management principles
The management and use of the information assets described in this policy must follow the six data protection principles below.
The General Data Protection Regulation (Regulation (EU) 2016/679), supplemented in the UK by the Data Protection Act 2018, sets out six data protection principles, together with an overarching accountability principle which requires the firm, as controller, to be able to demonstrate compliance with them. Put briefly, these principles require that personal data (information) must be:
- Processed fairly and lawfully in a transparent manner.
- Obtained and processed only for specified and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date with inaccurate data being rectified or erased.
- Kept for no longer than is necessary.
- Protected against unauthorised or unlawful processing, accidental loss or damage.
Information management responsibilities and roles in Perrin Myddelton
Much of the data that should be kept confidential is information about people. We hold details of our clients and of all employees. The Data Protection Act 2018 came into force on 25 May 2018, the date from which the General Data Protection Regulation applied, and replaced the Data Protection Act 1998. The legislation refers to the “processing” of “personal data”, but it may be clearer to refer to “information” rather than “data” and to talk about handling information rather than processing data.
Lead responsibility for electronic data rests with the Head of Data Protection, who is also responsible for paper data. He will also ensure that the practice is certified against Cyber Essentials on an annual basis.
Financial Systems Management
Management of the financial systems within Perrin Myddelton is the responsibility of the Finance Director reporting regularly to the Managing Partner chiefly via the monthly meetings of the Management Committee.
Responsibilities of Controllers (the term is used in this policy for the partners and managers who control the firm’s information; in GDPR terms the firm itself is the data controller) include:
- Overall management of all data at Perrin Myddelton and ensuring that the data conforms to this policy.
- Ensuring that company records are created, maintained and archived in accordance with the policy.
- Managing all records and attendant management risks in line with the firm’s procedures.
- Ensuring that sufficient resources are devoted to these tasks.
- Ensuring that all staff are aware of their responsibilities and developments in information management via appropriate internal or external training organised on a needs basis or via the staff and departmental meetings cycle or email.
- Ensuring that appropriate information management and data protection training form part of the new staff induction process.
- Ensuring that all aspects of Information Management and Data Protection are kept under constant review, mainly via the Management and Business Development Committees.
Processors (fee earners and support staff; again the term is used in this policy for the people who handle information day to day, not in its GDPR sense of an external organisation processing data on the firm’s behalf) are responsible for:
- Processing of information in both electronic and paper form within their areas of work, including creation, capture, storage, dissemination, retrieval and for ensuring that it is kept securely and conforms to this policy.
- Ensuring that information in both electronic or paper form is stored immediately within the appropriate storage facilities and is immediately accessible to other appropriate users by using appropriate Perrin Myddelton codification and documentation, notably in the area of case management.
- Using only Citrix and Quill when processing and storing information, whether within the office or externally, and no other IT media.
- Ensuring that unwanted or inaccurate material is disposed of in a timely and appropriate manner, whether electronically (Quill and Outlook) or through the contracted shredding service provided by a reputable company. An appropriate controller should be consulted in any case of doubt over retention of information. As staff are aware, we have installed a number of lockable shredding bins in which all unwanted and surplus paper must be deposited. Staff working at home on client matters or Perrin Myddelton matters who generate papers that need to be shredded must bring those papers into the office and place them in the office shredding bins; they must not be shredded at home.
- Reporting immediately to information controllers (see above) the receipt or intrusion of any unexpected or suspect material which could be detrimental to the interests of the firm, clients or relevant third parties.
- Ensuring that sensitive information is never exposed to scrutiny by persons who are not part of the firm (e.g. by leaving documents exposed in the office or outside the firm, by careless conversations, or by inappropriate use of e-mail or social media). Obvious examples: confidential client matters in which names are mentioned must never be discussed on mobile phones on public transport or in public areas, and if you are using a laptop on public transport you must take great care that nobody else can read the screen. If you are walking to a meeting with a file in your hand, hold it facing inwards so that no passer-by can read the name and details of the matter, which are always displayed on the front of our files. This may seem basic common sense, but Cabinet Ministers walking to meetings at Number 10 have been caught out in this way, and breaches of confidential information can occur through the simplest of errors.
- Reporting any possible data breach to the information controllers, whether the data belongs to the firm, to clients or to other third parties.
- Compliance with required statutory duties and responsibilities, including the General Data Protection Regulation and the Data Protection Act 2018.
N.B. See also security section below.
The IT system
The firm’s IT provision is kept under constant review by outside consultants Instanton IT who, in addition to weekly visits by a technician to correct faults and apply updates, will also carry out major revisions to software or hardware as required by Perrin Myddelton. They can also be contacted at any other time during the working day.
They are responsible for the system which stores Perrin Myddelton’s electronic data off-site/in the cloud, and they monitor the firm’s IT provision closely for the intrusion of any inappropriate software or malware.
Detailed provisions for this are set out in the Identified Information Storage Assets (“Appendix 2”) (which is itself periodically reviewed by Instanton in relevant areas).
Categories of data:
- Perrin Myddelton’s corporate data (information).
- Data (information) on Perrin Myddelton staff.
- Clients data (information).
- Other third parties’ data (information).
Any of this data can be held and managed in written or electronic form.
Equal care must be given to the use and safeguarding of all types and forms of data.
All staff have signed a Data Consent form (see Appendix 1).
Types of data to be held
The following types of data are to be held in the Information Storage Assets (“Appendix 2”) used by Perrin Myddelton:
- PM corporate documentation (e.g. partnership agreements, shareholdings, confidential agreements) is held in secure files only accessible to relevant partners, the Finance Director and the Office Manager.
- Practice administration documentation (standard forms, policies and plans, compliance manual, risk management documentation, central records, minutes etc.,) stored electronically in the Shared Folder. Management of practice related documentation is the responsibility of the Office Manager who monitors and updates the Compliance Manual and prepares reviews.
- Accounting information (client and office ledgers, time recording, management reports etc.) is stored electronically using the Quill accounting system. The Quill system is not accessible by any external provider, and input, apart from time recording, is limited to Accounts Staff. The only other access to client and office accounts is by the firm’s bank, Barclays Bank.
- Payroll and pensions are stored electronically and partly in paper form under lock and key and only accessible to the Finance Director (and Managing Partner as required) – (See below : Information held on employees).
- Reviews (file reviews, risk reviews, annual reviews, etc.,) stored both in paper and electronic form in the Shared Folder.
- Website: controlled by MB Interactive, the firm’s website provider. Content can only be amended by them with partner authorisation, with the exception of news items submitted by the Marketing Administrator with partner approval – See also Deal Room below under Client.
- Case management documentation (files, standard forms, attendance notes etc.,) managed and stored using the Quill case Management system, supported by Outlook diary system and paper files. Paper files are stored within lockable cupboards in the office and when closed are archived and stored securely by external providers Stephens and retrieved by them for Perrin Myddelton once a week or as required.
- Client support documentation (client care letters, terms and conditions of business, complaints, surveys, etc.,) are stored electronically in central records (with limited access if confidential).
- Website – Deal Room – participating clients are able to track the progress of matters via the website Deal Room facility. This is only accessible to approved members of client staff, using a password exclusive to that client, and to approved third party users. Because the password is shared within the client organisation, access cannot be attributed to a named individual; the client is responsible for controlling who holds the password and must tell the firm when it should be changed (for example when a member of their staff leaves).
- Human Resources staff documents (contracts, holiday and sickness records, appraisals, details required for payroll and pension, relevant correspondence etc.,) are held in paper and scanned electronic form only accessible to the Managing Partner, Finance Director and Office Manager.
See Information held on employees (below) for further detail.
Third Party Providers:
- Agreements with external contractors and providers and associated correspondence (e.g. IT support, paper supply and shredding, cleaning, file storage, fire protection, photocopiers, website management etc.,) are held securely by the Office Manager or Finance Director as relevant and appropriate.
Dissemination and security of information
- Staff who receive information not relevant to their own business area will pass it to someone within the firm who can determine whether it should be retained and stored.
- Staff should consider whether information should be shared or if in doubt consult their head of department.
- Staff should ensure that any confidential matters, typically client files, should not be readily accessible or viewable by visitors or contractors within the office, especially when leaving the office for a long period or concluding work for the day.
- If client files or other confidential documents are taken from the office, either for external visits or for homeworking, they must be made secure at all times and not accessible or viewable by other parties.
- Whether working in the office or at home, fee earners must only use remote access to Citrix for the use of OPSIS and Outlook, and no other devices external to the Perrin Myddelton system, in the management of matters. (See also Disposal of unwanted paper.)
- Care must be exercised at all times in conducting telephone or face-to-face conversations to avoid confidential information being disclosed.
- Care must be exercised at all times in the use of e-mails or social media to avoid disclosing confidential information or making comments damaging to the interests of the firm, clients or other parties. Solicitors in particular are reminded that they are under the Solicitors Regulation Authority’s regulation at all times, not just within business hours and that freedom of speech is a limited right.
- Staff should be alert at all times to attempts to breach the firm’s IT systems and must alert a senior member of staff to any suspicious communication. No attachment or link in a suspect e-mail should be opened, and no password or client information should be supplied in response to an unexpected request, however plausible it appears.
Four Key Questions
To ensure compliance on a day to day basis staff should always keep in mind the following four key questions:-
- Is the information needed?
- Is it accurate?
- Is it suitable for a person to see?
- Is it secure?
Commenting on each of the following:
- Is the Information needed?
The information you record about people you are dealing with must be relevant and appropriate and not excessive – relevant for the legitimate business that you are carrying out or the service you are providing.
- Is the information accurate?
The personal information we hold should be correct and up to date within the bounds of what is practical. You must update the information you hold on people promptly whenever the opportunity arises. By way of example, if a single client gets married and does not tell you, you cannot be blamed. However, if the client has informed you of their change of marital status and you have failed to update your records, that is a breach of the General Data Protection Regulation.
- Is the information suitable for the person to see?
The General Data Protection Regulation gives everyone the right known as “subject access”, free of charge. Individuals can request to see all the information an organisation holds on them, check facts and read any notes or remarks. The proviso is that requests must not be manifestly unfounded, excessive or repetitive.
- Is the information secure?
Personal information must not be made available to people who have no right to see it and that may include other staff members.
Disposal of unwanted paper
All waste paper, regardless of its nature, must be placed in the locked shredding bins (not general waste bins). These will be collected twice a month by specialist outside contractors SHRED-IT, shredded, recycled securely and the destruction certified to the Office Manager.
N.B. This also applies to any unwanted documents generated during home working on files. These must also be disposed of in the office.
Helpful Guidelines for Staff
With regard to hard copy data (information):
- Try to work on a “clear desk” basis – store hard copy personal information securely when not in use.
- Collect documents from printers and copiers immediately so that they are not left for others to see and avoid printing more copies than needed.
- As indicated use the secure locked shredding bins to dispose of all surplus, unwanted waste paper.
Personal Information online
- Lock or log off your computer when away from your desk to protect confidential information.
- Before forwarding information check the recipient is authorised to see it. If you use auto-complete for email recipients make sure you select the intended address.
- Keep your passwords secure. Use a different password for each system, change a password immediately if you suspect it has been compromised, and never share passwords with colleagues.
- Ensure laptops require a password to unlock, lock automatically when idle, and are shut down rather than left in “sleep” mode when taken out of the office.
- Never send work related information via a personal email account.
- If you use your own smart phone or tablet for work, ensure that the screen locks automatically after a short period. Set a PIN on the SIM as well where the device supports it.
Different retention periods and criteria apply to the various categories of data specified above. They are specified in Appendix 2 to this policy, the Identified Information Storage Assets, under Retention. The Management Committee and the Head of Data Protection will review those criteria in their monthly meetings as the need arises, and not less than annually.
Subject Access Requests
The General Data Protection Regulation gives everyone the right known as ‘subject access’, free of charge, as long as requests are not manifestly unfounded, excessive or repetitive. Individuals can ask to see all the information an organisation holds on them, check facts and read any notes or remarks. Subject access covers all personal data relating to the individual, including documents and emails on the system that contain the person’s name; a search of the network for the name is the starting point for locating it, but records that refer to the person without naming them (for example by client or matter reference) must also be considered.
Under the General Data Protection Regulation individuals can have their personal data rectified if it is inaccurate or incomplete. If no action is taken on a request, they have the right to be informed how to complain to the Information Commissioner’s Office and how to seek redress through the courts.
N.B. Special categories of data
The General Data Protection Regulation also designates some kinds of information as special categories of personal data, where extra care must be taken before releasing it, and even before recording it in the first place.
The General Data Protection Regulation defines these special categories as aspects you might expect people to be sensitive about:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Physical and mental health and medical history
- Sexual orientation or activity
- Criminal offences – convicted or alleged; current past or prospective
An organisation must have a valid and legitimate reason for recording any such data and must exercise great care in recording and storing it. This will normally only be done with the explicit consent of the individual concerned, or where another specific condition applies (for example, where the processing is necessary to meet the firm’s obligations under employment law). (See Information held on employees below.)
Subject Access Requests – The Process
Subject access requests from any individual must be addressed in writing to the Managing Partner, Fred Perrin.
He will respond to such requests normally within one week and at the latest within one month of receipt (as required by the General Data Protection Regulation). For complex or numerous requests this period may be extended by up to two further months, provided the individual is told of the extension, and the reason for it, within the first month.
If a request is not met, or the individual feels that their rights have not been properly safeguarded or upheld, they have the right to appeal:
- To the Head of Data Protection, Sanjeev Shah, or, if this is not held to be satisfactory,
- To the Information Commissioner’s Office, which is the supervisory authority for data protection in the UK, or, where the complaint concerns professional conduct, to the Solicitors Regulation Authority.
N.B. Requests from Third Parties not being Clients
Where information requested under subject access would also identify a third party, the firm is not obliged to disclose it (or to confirm whether it holds it) without that third party’s consent, unless it is reasonable to disclose it without consent. There is also some personal data that attracts legal professional privilege. Legal professional privilege covers communications between lawyers and clients for the purpose of giving legal advice, and communications between lawyers and clients arising in the context of actual or contemplated litigation. Such personal data is exempt from the obligation to provide information.
Exemptions from the General Data Protection Regulation
The listed General Data Protection Regulation provisions do not apply to personal data where disclosure of the data:
- Is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);
- Is necessary for the purpose of obtaining legal advice; or
- Is otherwise necessary for the purposes of establishing, exercising or defending legal rights, to the extent that the application of those provisions would prevent the controller from making the disclosure.
Given the complexity of the legal requirements here, if a request is received it should be passed immediately to Fred Perrin for his consideration.
Business Recovery Plan
The firm has in place a Business Recovery Plan which is enacted in the event of the office or its systems being inoperable. The Quill case management system is at all times available remotely should the office be out of action. All electronic data is stored in a remote server and does not rely on the use of the office. All staff are contacted by a senior member of staff in such an eventuality. If paper files were lost, it should still be possible to continue to conduct client matters.
Reporting of Data Breaches
If anyone in the firm believes that data may have been breached* (whether belonging to a client, an employee or another party conducting business with the firm), they must report it to the Head of Data Protection. It is the duty of the Head of Data Protection to record the breach, assess the risk to the individuals whose data may have been compromised, and, unless the breach is unlikely to result in a risk to their rights and freedoms, notify the Information Commissioner’s Office as the supervisory authority for data protection. The Solicitors Regulation Authority must also be notified where its rules require it. Where the breach is likely to result in a high risk to the individuals concerned, they must be told without undue delay.
Notification to the Information Commissioner’s Office must be made within 72 hours of the firm becoming aware of the breach. Every reported breach, including those assessed as not requiring notification, must be recorded together with the reasons for the decision.
*A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Loss of data (for example a lost file or laptop) is therefore itself a breach, not only unlawful access to it.
N.B. Inadvertently sending an email to the wrong person is an unauthorised disclosure and must be reported to the Head of Data Protection so that it can be recorded and its risk assessed; whether it must also be notified externally depends on the sensitivity of the information and the risk to the individuals concerned. We have recall procedures in the office to deal with such situations. If the staff member who made the mistake subsequently has reason to believe that the data sent in error is being misused, that suspicion must also be reported to the Head of Data Protection immediately.
Data Breach – Impact Assessment
In the event of a data breach occurring, it is imperative that appropriate and prompt action is taken by the management to assess the potential impact on the party whose data has been breached and on the firm.
When a breach or possible breach of data is reported to the Head of Data Protection, he will convene a meeting with the Managing Partner/Compliance Officer for Legal Practice (COLP) and the Finance Director/Compliance Officer for Finance and Administration (COFA) to consider the possible outcomes and impact of the breach. This meeting must take place within 72 hours of the firm becoming aware of the breach, so that the decision on external notification can be made within the statutory period. The Head of Data Protection will also in that period report the matter to any parties affected and to any supervisory body where appropriate. (See Reporting of Data Breaches above.)
They will consider whether there could be financial, regulatory, legal, reputational or personal impacts of the breach and consider what steps to take to remedy or mitigate those impacts. They will assess whether a claim could potentially be made against the firm and whether in that case a report should be made to the firm’s insurers.
They will also consider what procedural measures in terms of systems or training may be necessary to avoid a repetition of such a breach.
The Managing Partner will consider whether there are any disciplinary issues arising from the breach, consulting with appropriate staff as necessary.
It is important that all staff are aware of the General Data Protection Regulation, the Data Protection Act 2018, this policy and issues arising from it, and therefore training will be provided:
- As part of the induction process; and
- From time to time for all staff through all mediums such as seminars, the meetings cycle and internal email.
Any employee who is found to be responsible for failing to respect the confidentiality of the firm, a client, a fellow employee or a third party connected with the firm, as set out in this policy and/or as required by the General Data Protection Regulation, will be subject to disciplinary action up to and including dismissal.
Information held on employees
The firm holds personal information on employees in the following forms:
1. Information provided at the time of their employment (application form; references; evidence of qualifications);
2. Checks on registration with professional bodies; criminal record checks;
3. Records of employment (including disciplinary records, performance reviews);
4. Details required for payroll purposes (see below).
Note re: 1. and 3. These are held securely in both paper and electronic form by Stacey Atkins, Office Manager, on behalf of the Managing Partner, Fred Perrin. The electronic versions are held in a private folder accessible only to the Office Manager.
Requests by staff for access to their personal data must be addressed in writing to the Managing Partner. (See Personal Data Rights).
In no circumstances are these data made available to any other employees in the firm, unless the Managing Partner has to discuss a specific aspect of an employee’s performance with a line-managing/supervising partner.
Staff records for employees who have left the firm’s employment are archived and retained for as long as the Managing Partner deems advisable, subject to the retention periods recorded in Appendix 2. Retention is justified by the possibility of references being requested, employees returning to the firm or issues arising from previous employment.
Note re: 4. Payroll and Pensions
The only exception to the above is the payroll and pensions systems, which are held securely and administered by the Finance Director.
The payroll and pensions information is held in electronic form solely on the Finance Director’s computer and cannot be accessed from the cloud. The current month’s payroll is also held in paper form by the Finance Director, is kept securely locked and is only accessible by the Finance Director. No personal bank account information is held within the payroll system, only within Barclays Bank’s system, which can only be accessed with a personalised card and password.
The pensions system is run by Aegon, the firm’s pension provider, and is password protected. The firm has no access to individual pension funds or to the details of investments relating to each employee. This information is provided to our pensions adviser, Cartlidge Morland, for the purpose of giving pensions advice to each employee.
Provision of employee data to third party organisations
In normal circumstances, confidential, non-anonymised data on employees is not provided to any outside individuals or organisations.
Periodically, the firm is required to provide data to the Solicitors Regulation Authority or the Law Society for statistical surveys, notably for diversity monitoring. This is always provided voluntarily by our employees and in anonymised form, usually via an anonymous on-line data provision service commissioned by the Solicitors Regulation Authority. It is then only accessible to the firm in aggregate form.
Staff profiles would only be provided to third parties, typically for promotional or conference purposes or in connection with Tenders, with the consent of those concerned. These would not contain any information beyond that provided voluntarily/vetted by the staff for website profiles.
Under no circumstances will the firm provide any personal data to social media sites, even those which are business orientated (e.g. LinkedIn), without the individual’s written permission. Any information appearing on those sites about an individual will have been offered by the individual concerned or by a third party, without the firm’s involvement or permission.
Automated decision making and profiling
The firm uses no systems or processes which would come under this heading in its dealings with employees.
Personal Data Rights and Protection
Under the General Data Protection Regulation, individual employees of the firm have the right to:
- Be kept informed (about the data held and the purposes for which it is held);
- Give explicit consent to the use of their data, and to withdraw that consent at any time, where consent is the lawful basis relied on (much employee data is processed because it is necessary for the employment contract or to meet a legal obligation, and in those cases consent is not the basis for the processing);
- Access their personal data upon request (see note below);
- Have personal data rectified where justified;
- Have personal data removed where justified;
- Restrict the processing of that data where justified;
- Portability of personal data (i.e. being provided with their data in accessible form for uses outside the firm, e.g. when they have left its employ);
- Object to an inappropriate response to any of the above requests – (See below).
Employees will be made aware of these rights and subsequent additional information or modification to those rights via staff briefings and the Personal Data: Staff Consent Form (See Appendix 1).
Requests for access to or modification of personal data: see ‘Subject Access Requests’ above.
Originated: June 2019