Data Protection Policy
This policy states the law in general terms in order to be practical for the individual to read. More information can be obtained about the DPA and the meaning of terms under the DPA at the Information Commissioners web site. Hypertext links below link to relevant parts of that site as at October 2012.
The DPA is designed to
- Regulate the processing of personal information about living people held by third parties when it’s in electronic form and some paper forms. The paper form is relevant where the data is held in a structured way that makes retrieval of specific information easy.
- To give individuals rights in relation that information including finding out what information is held, what it is used for and whether its accurate.
The DPA sets out 8 Principles for the use of data
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
- (a) at least one of the conditions in Schedule 2 is met, and
- (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under this Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The DPA sets out the conditions for processing personal data in Schedules 2 and 3. At least one of the following conditions must be met whenever we process personal data:
- The individual who the personal data is about has consented to the processing.
- The processing is necessary:
- in relation to a contract which the individual has entered into; or
- because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to the individual (except an obligation imposed by a contract
- The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road acciden
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public function
- The processing is in accordance with the “legitimate interests” condition. To be covered by this the legitimate interest must be lawful and fair, comply with the other principles and not be unwarranted
Where we process “sensitive personal data” we must also meet one of these conditions
- the individual who the sensitive personal data is about has given explicit consent to the processing
- The processing is necessary so that we can comply with employment law
- The processing is necessary to protect the vital interests of:
- the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or
- another person (in a case where the individual’s consent has been unreasonably withheld)
- The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights
- The processing is necessary for administering justice, or for exercising statutory or governmental functions
- The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals
- The individual has deliberately made the information publicIf we relied on the right to process because it is “necessary” we would have to show that there isn’t a way of achieving our aim without this.
The DPA provides that
Personal Data is information about a living person who is identified or the data allows to be identified and
Sensitive Personal data is information about
- his political opinions,
- his religious beliefs or other beliefs of a similar nature,
- whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
- his physical or mental health or condition,
- his sexual life,
- the commission or alleged commission by him of any offence, or
- any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Relating to Clients and third parties –
Details as below are provided to clients in the Standard Terms of Acting and on our web site.
Purpose for which we obtain personal data and the amount held Principle 1, 2 & 3
- In the course of our work we obtain from clients and others personal data to use in the provision of legal services. By providing this data clients consent to that use. Our work for clients may require us to disclose information to third parties such as expert witnesses and other professional advisers. Other related uses of such data include:updating and enhancing client records;
- analysis for management purposes and
- statutory returns; and
- legal and regulatory compliance.
- Our use of clients’ personal data is subject to our client’s instructions, the Data Protection Act 1998 and our duty of confidentiality. Clients are told they may obtain a details of the types of data that we maintain and use for these purposes and a copy of this policy by writing to the firm’s Data Protection Officer Kirsten Moon at Applewood House the Hill Charing Kent TN27 0LU.
- We aim to ensure that the amount of data we hold is adequate, relevant and not excessive for the purpose it was obtained.
Keeping personal data accurate and up to date and no longer than necessary. Principle 4 & 5
- In the course of a matter for a client we will ask that they update us if information becomes out of date.
- After a matter has finished, or in the case of contacts who are not clients, we may continue to contact clients or contacts based on the personal contact information they provide to us. In the event that we are unable to contact them through that data we may retain that data unless we are told that the data is out of date and inaccurate (or they no longer wish us to hold the data), remove that data from our systems or use other methods e.g. search engines to try to contact that client.
- After completing work relating to a particular matter we will be entitled to keep all a client’s papers and documents while there is still money owing to us for charges and expenses.
- We may destroy our file of papers six years after the matter has been completed. After completion of any matter we may microfilm or scan the file of papers in which case the papers may then be destroyed after they have been microfilmed or scanned. We will not destroy documents you ask us to deposit in safe custody
- We will retain your contact details as referred to in 1.15 above.
The Rights of Individuals Principle 6
- Subject to the terms of the Data Protection Act, clients and contacts are entitled to know what personal data Moon & Co. holds about them and the reasons for it being retained. If they want to have access to their personal data they should write to the Kirsten Moon as the Data Protection Officer. More information about this is on the Information Commissioners Website
- Currently those making an information request may be charged a maximum of £10 per request for access to their personal data.
- An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. In some circumstances we must comply with that request. Such a request to require us to stop (or not to begin) the processing in question must be made in accordance with the DPA. Such a request must be put in writing to Kirsten Moon at Applewood House, The Hill, Charing, Kent TN27 0LU Details of the circumstances in which a request can be made and whether we are required to comply with the request can be seen on the Information Commissioners website or by telephoning Information Commissioners office on .
- We also aim to provide clients and contacts with regular updates on areas of law that may be of interest to them and with other information about this firm and the services we provide. To meet these aims we use and maintain contact and other personal data about our clients and contacts. If clients do not wish their data to be used for these purposes they are asked to notify us accordingly by writing to the partner dealing with their work. In the absence of such notification we will assume that we have their consent for these activities. We comply with the SRA rules with regard to marketing.
- In the case of contacts when obtaining their details (e.g. on business cards) we ask them if they are happy for us to contact them and put them on our mailing lists.
- When information about the law or events etc is e-mailed to clients or contacts they are told that they have the right to be taken off the mailing list and that they can do so by e-mailing the partner who has e-mailed them
- We aim to only hold accurate personal data but if a client or contact considers that personal information we hold is inaccurate they should contact Kirsten Moon with details of what they consider inaccurate and if we accept it is inaccurate we will amend it. If there is a dispute about whether it is accurate you may refer to the Information Commissioner.
- In the event that you consider you may have suffered damage owing to some breach of the DPA you may be able to claim compensation through the courts.
Protection of Data Principle 7
- We take appropriate technical and organisational measures to avoid unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Details of our data security will be provided upon application to appropriately interested parties.
Sending data outside the European Economic Area “EEA” Principle 8
Clients are asked to agree to the use of email. No guarantee is given about data protection in its passage over the internet will not go outside the EEA and this is not a breach of the DPA. We do not specifically process outside in the UK.
For more about what we can do, see
Other Legal Regulation
Questions about Data Protection – call
Kirsten Moon – Solicitor Partner
Or write to me at Moon & Co Solicitors, Applewood House, The Hill, Charing, Kent TN27 0LU