Privacy Policy

Introduction

You can download our Privacy Policy as a PDF or read it below.

This Chambers must comply with the law governing the management and storage of personal data, outlined in the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018.

For this reason, the protection of personal data and respect for individual privacy is fundamental to the day-to-day operations of Chambers.

The Information Commissioner’s Office (ICO) is the UK data protection regulator and oversees compliance with the GDPR. This Chambers is accountable to the ICO for its data protection compliance.

Purpose

This policy aims to protect and promote the data protection rights of individuals and Chambers by informing members and everyone working for and with Chambers of their data protection obligations and of the Chambers’ procedures that must be followed to ensure compliance with the GDPR.

Scope

This policy applies to all members of chambers, pupils, staff, consultants and any third party to whom this policy has been communicated. Any breach of the GDPR will be dealt with under our disciplinary policy and may be a criminal offence, in which case the matter will be reported to the appropriate authorities. This policy applies to members when they are processing data on behalf of 4 Brick Court by virtue of their membership of Chambers, sitting on a Chambers Committee or for other internal matters associated with their membership.

This policy covers all personal data and special categories of personal data processed on computers or stored in manual (paper-based) files.

Responsibility

Clive Barrett, Senior Finance and Operations Manager, monitors Chambers’ compliance with this policy.

Everyone in Chambers (and any third party to whom this policy applies) is responsible for ensuring that they comply with this policy. Failure to do so may result in disciplinary action/termination of third-party contracts.

Data Protection Manager (DPM)

Chambers has appointed the Chambers Senior Finance and Operations Manager, Clive Barrett, as its Data Protection Manager (DPM). This is not a statutory role. His responsibilities within this role include: 

  • Developing and implementing data protection policies and procedures;
  • Arranging periodic data protection training for all staff and members which is appropriate to them;
  • Acting as a point of contact for all colleagues, staff and barristers on data protection matters;
  • Monitoring Chambers’ compliance with its data protection policy and procedures;
  • Promoting a culture of data protection awareness;
  • Assisting with investigations into data protection breaches and helping Chambers to learn from them;
  • Advising on Data Protection Impact Assessments; and
  • Liaising with the relevant supervisory authorities as necessary (i.e. the Information Commissioner’s Office in the UK).

GDPR

The GDPR is designed to protect individuals and personal data held and processed by Chambers or other individuals.

The GDPR uses some key terms to refer to individuals, those processing personal data about individuals and types of data covered by the Regulation. These key terms are:

Personal Data

This means any information relating to an identified or identifiable natural person (‘data subject’).

This includes, for example, information from which a person can be directly or indirectly identified by reference to an identifier, such as a name, ID number, location data or online identifiers.

It also includes information identifying a person’s physical, physiological, genetic, mental, economic, cultural or social identity.

For Chambers’ purposes, Barristers’ clients and Chambers’ staff are data subjects (other individual third parties concerning whom we hold personal data are also likely to be data subjects).

Controller

This means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing the personal data. In other words, the controller is the individual, organisation or other body that decides how personal data will be collected and used.

For Chambers’ purposes, this Chambers is a data controller for specific categories of data.

Processing

This means any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

For Chambers’ purposes, everything we do with client information (and personal information of third parties) is ‘processing’ as defined by the GDPR. This processing will often be in the capacity of a Data Processor on behalf of a Barrister as a Data Controller.

Special categories of personal data

This means personal data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade-union membership;
  • the processing of genetic data or biometric data to uniquely identify a natural person;
  • data concerning health or data concerning a natural person’s sex life or sexual orientation.

NB: the special categories do not include data on criminal convictions and offences. However, there are additional provisions for processing this type of data (see Article 10 of the GDPR).

Data Protection Principles

The GDPR is based on eight principles, which are the starting point for ensuring compliance with the Regulation. Everybody working in, for and with Chambers must adhere to these principles in performing their day-to-day duties. These principles require Chambers to ensure that all personal data and sensitive personal data are:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

Chambers must be able to demonstrate its compliance with (1)–(6) above (‘accountability’).

Consent

We understand ‘consent’ to mean that it has been explicitly and freely given, and it is a specific, informed and unambiguous indication of the Data Subject’s wish that, by a statement or by an explicit affirmative action, signifies agreement to the processing of personal data relating to them. The Data Subject can withdraw their consent at any time. 

We also understand ‘consent’ to mean that the Data Subject has been fully informed of the intended processing and has signified their agreement while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or based on misleading information will not be a valid basis for processing. 

Consent cannot be inferred from non-response to a communication. As Data Controller, we must demonstrate that consent, where necessary, was obtained for the processing operation. 

For Sensitive Personal Data, explicit written consent of Data Subjects must be obtained unless an alternative legitimate basis for processing exists. 

Where we provide online services to children under 16, parental or custodial authorisation must be obtained.

Processing personal data and sensitive personal data

You must process all personal data in a manner that is compliant with the GDPR; in short, this means you must:

  • have legitimate grounds for collecting and using the personal data;
  • not use the data in ways that have unjustified adverse effects on the individuals concerned;
  • be transparent about how you intend to use the data and give individuals appropriate privacy notices when collecting their data;
  • handle people’s data only in ways they would reasonably expect; and
  • make sure you do not do anything unlawful with the data.

You must ensure that you know the difference between personal data and special categories of personal data and that both data types are processed according to the GDPR.

The conditions for processing special categories of personal data that are most relevant to our Chambers are:

  • Explicit consent from the data subject;
  • The processing is at the instruction of a Barrister who is the Data Controller of that personal data;
  • The processing is necessary for carrying out Chambers’ obligations in respect of employment and social security and social protection law;
  • The processing is necessary to protect the vital interests of the data subject or another person;
  • The processing relates to personal data that has already been made public by the data subject; or
  • The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

If you have any concerns about processing personal data, please get in touch with Clive Barrett, who will be happy to discuss matters with you.

Rights of the data subject

The GDPR gives rights to individuals regarding the personal data organisations hold about them. Everybody working for Chambers must be familiar with these rights and adhere to Chambers’ procedures to uphold these rights.

These rights include:

  • Right of information and access to confirm details about the personal data that is being processed about them and to obtain a copy;
  • Right to rectification of any inaccurate personal data;
  • Right to erasure of personal data held about them (in certain circumstances);
  • Right to restriction on the use of personal data about them (in certain circumstances);
  • Right to portability – right to receive data processed by automated means and have it transferred to another data controller;
  • Right to object to the processing of their data.

If anybody receives a request from a data subject (a client or other third party concerning whom we hold personal data) to exercise any of these rights, the request must immediately be referred to Clive Barrett, Data Protection Manager, or, in his absence, to Isabelle Watson, Head of Chambers.

Data Subjects may make Subject Access Requests relating to their data. Our Subject Access Request Policy describes how we will ensure that our response to the request complies with the requirements of the GDPR. 

Our DPM is responsible for responding to requests for information from Data Subjects within one calendar month, in accordance with our Subject Access Request Policy. This can be extended to two months for complex requests in certain circumstances. If we decide not to comply with the request, the DPM must respond to the Data Subject to explain our reasoning and inform them of their right to complain to the ICO and to seek a judicial remedy.

Data Subjects have the right to complain to us about the processing of their data or the handling of a Subject Access Request, and to appeal against how their complaints have been dealt with.

Accuracy of Data

Our DPM is responsible for ensuring all employees are trained to collect and maintain accurate data. 

Employees are required to notify the Senior Clerk of any changes in their circumstances, which may require personal records to be updated accordingly. 

Our DPM is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, considering the volume of data collected, the speed with which it might change and any other relevant factors. 

Our DPM is responsible for making appropriate arrangements where third-party organisations may have been passed inaccurate or out-of-date personal data to inform them that the information is incorrect and out of date and is not to be used to inform decisions about the individuals concerned and for passing any correction to the personal data to the third party where this is required. 

Security of Data

All personal data should be accessible only to those who need to use it. All personal data should be treated with the highest level of security, as set out in our Data Security Policy.

Our DPM will conduct a risk assessment no less than annually, considering all the circumstances of our data controlling and processing operations. 

In determining the appropriateness of all technical and organisational security measures, the DPM will consider the extent of possible damage or loss that might be caused to individuals (e.g. staff, clients or members) if a security breach occurs, the effect of any security breach on our organisation itself, and any likely reputational damage, including the possible loss of customer trust. 

Removing personal data from our premises for purposes other than legitimate processing activities is strictly prohibited. 

Processing personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. The precautions that must be taken are set out in our Data Security Policy and Remote Working Policy.

All employees are responsible for ensuring that any personal data that we hold and for which they are responsible is kept securely and is not, under any condition, disclosed to any third party unless we have expressly authorised that third party to receive that information and it has entered into a Data Sharing Agreement.

Disclosure of Data

All requests to provide personal data must be supported by appropriate paperwork, and the Data Protection Manager must expressly authorise all such disclosures. 

We must ensure that personal data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and, in certain circumstances, the Police. All employees should exercise caution when asked to disclose personal data held on another individual to a third party. 

Retention and Disposal of Data

We shall not keep personal data in a form that permits the identification of Data Subjects for a more extended period than is necessary for the purpose(s) for which the data was initially collected. 

The retention period for each category of personal data is set out in our Retention and Disposal Policy. 

Personal data will be retained in line with our Retention and Disposal Policy, and once its retention date is passed, it must be securely destroyed as set out in this policy. 

On at least an annual basis, our DPM will review the retention dates of all the personal data processed by our organisation and will identify any data that is no longer required. This data will be securely archived, deleted or destroyed in line with our Retention and Disposal Policy. 

Where personal data is archived, it will be [minimised/ encrypted/ pseudonymised] to protect the identity of the Data Subject in the event of a data breach. 

Our DPM must approve any data retention exceeding the retention periods defined in our Retention and Disposal Policy and ensure that the justification is identified and recorded. 

We may store data for more extended periods if the personal data is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subject. Any such retention must be approved in advance by the DPM.

Confidentiality and data sharing

The barristers and Chambers must ensure that they share personal information with other individuals or organisations only where they are permitted to do so by data protection law.

Wherever possible, you should obtain the client’s (or other data subject’s) consent before sharing their data. However, it is accepted that this will not be possible in all circumstances, for example if the disclosure is required by law.

Any further questions about data sharing should be directed to Clive Barrett.

Data Protection Impact Assessments (DPIAs)

DPIAs are required to identify data protection risks, assess the impact of these risks, and determine appropriate action to prevent or mitigate the effects of these risks when introducing or making significant changes to systems or projects involving the processing of personal data.

In simpler terms, this means considering whether Chambers is likely to breach the GDPR and the consequences if Chambers uses personal data in a particular way. It is also about deciding whether there is anything that Chambers can do to stop or at least minimise the chances of any of the potential problems identified from happening.

DPIAs will be undertaken by Clive Barrett, Data Protection Manager, or other designated persons.

International Data Transfers

Under GDPR, transfers of personal data outside of the European Economic Area can only be made if specific safeguards exist.

No employee is authorised to transfer personal data internationally until the DPM has confirmed in writing that we have appropriate safeguards in place.

Data Processed Register

We have established a Data Processed Register that records:

  • each type of personal data;
  • why it is collected;
  • the lawful grounds for processing;
  • where it is held;
  • the Responsible Person for the data;
  • its Review Date; and
  • how it is kept accurate.

Breaches

A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Breaches will be reported to the Information Commissioner’s Office (ICO) by the person who created the breach within 72 hours of becoming aware of the breach, unless Chambers can demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

Everybody working in, for and with Chambers must report any actual or suspected data protection breach without delay to Isabelle Watson, Head of Chambers (isabelle.watson@4bc.co.uk) and Clive Barrett, Data Protection Manager (clive.barrett@4bc.co.uk).

Hard copies of this policy and Chambers’ Data Protection Breach Reporting Procedure (DPBRP) are located in the Chambers Library on First Floor West and the Clerks Room on the Ground Floor East. Electronic versions of both documents have in any event been emailed to every member of chambers, pupil and member of staff.

The DPBRP explains how to report a breach to the ICO.

The Data Protection Manager will maintain a central register of the details of any data protection breaches.

Complaints

Complaints relating to breaches of the GDPR and complaints that an individual’s data is not being processed in line with the data protection principles should be referred to Isabelle Watson, Head of Chambers and Clive Barrett, Data Protection Manager, without delay.

Penalties 

Everybody working for Chambers must understand the implications for Chambers if we fail to meet our data protection obligations. Failure to comply could result in:

  • Criminal and civil action;
  • Fines and damages;
  • Personal accountability and liability;
  • Suspension/ withdrawal of the right to process personal data by the ICO;
  • Loss of confidence in the integrity of the business’s systems and procedures;
  • Irreparable damage to the business’s reputation.

Note: Chambers could be fined up to €20,000,000, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.