This Policy is intended only for our clients and prospective clients.
1. Who are we?
Veitch Penny LLP is a limited liability partnership, authorised and regulated by the Solicitors Regulation Authority under number 523544.
We collect store process and use data and so are known as Data Controllers. We are registered with the Information Commissioner’s Office under ref: Z7565550.
Our Data Processing officer is Andrew Harris who can be contacted on 01392 288 355 or by email to DPO@vplaw.co.uk
We may update this policy from time to time by publishing a new version on our website. We may also notify you of changes to this policy by email or letter.
Our website and services are not aimed at children because lawyers generally work for children only upon the instruction of their parent(s) or legal guardian(s). If you are a child and need advice or explanation about the use by us of your data please email Andrew Harris on DPO@vplaw.co.uk including our reference (if known) or information about you so that he knows who you are.
3. What is “Data”?
The type of work you ask us to undertake will usually dictate the type of data we need to secure and hold. However, there are three main types of personal information that we may hold about you:
• Information purely needed to complete and evidence ID checks.
• General Personal Data: general information such as your name, address, gender, date of birth, National Insurance no. & email or telephone contact details.
• Sensitive Personal data: this may be more sensitive than above, such as your racial or ethnic origin, religion, health, criminal convictions, work history or financial affairs.
4. Using your personal data
We may preserve and process data about your personal status and circumstances, including date of birth, married state, gender, National Insurance number, personal contact details and information about your contacts such as family members, GP, Hospital, Broker, Estate Agent, Lender, employer, etc.
Sometimes we will need to process information about your finances or your health. The precise nature and extent will depend upon the type of work you ask us to undertake for you. Your file handler will happily expand on this in your particular matter – just ask.
Personal data will be used when undertaking the task you have entrusted to us.
Some legislation requires us to secure and retain personal data – such as when undertaking an ID check. Our profession also requires that we preserve records for a minimum period after the end of the transaction. We normally provide the intended “destroy date” at the end of each matter.
Core personal data will be preserved so that we can identify you as a former client of the firm. This will help us avoid taking on new work which would conflict with your interests and may reduce the cost of new work for you.
Where necessary we may pass data to others such as a Lender, Barrister, Court, Government Body or opponent.
Other processing may be the result of ordinary business practice such as ensuring the security of our website and services, polling for customer feedback, and maintaining regular back-ups of our databases – as well as simply enabling us to communicate with you.
We may process your card or bank account details during financial transactions between us.
We will ask you to consent (opt in) to our approaching you with information about developments in the law or our available services. We will not share sell or pass your data to any marketing company (save only for the purpose of seeking your feedback at the conclusion of our work for you.)
5. Where does our data come from?
Data may reach us from yourself or persons on your behalf, or from organisations or on-line sources during the course of our work for you.
Our website software may also track your IP address, location, browser information, operating system, referral source, and length of visit.
6. The legal basis for this processing
We are permitted by one or more of the following, as appropriate:
o Your valid consent;
o Your legitimate interests – including the need to undertake the work you require of us;
o Legislative or Professional obligation;
o Our own legitimate interests, namely the proper administration of our business.
7. Providing your personal data to others
We may disclose personal data in the course of working for you when needed and in your best interests. This may include disclosing financial, health and employment data insofar as reasonably necessary.
We may also need to disclose data to your or our insurers and/or professional advisers in regards insurance cover, compliance reporting, auditing, securing professional advice and/or the operation of our complaints process.Banking, card payments and Paypal transactions will require that we share transaction data with our service provider necessary in processing payments or refunds, and queries regarding those payments.
We may disclose your personal data where needed to comply with a legal or professional obligation or in order to protect your vital interests or the vital interests of another person.
8. International transfers of your personal data
It is not our practice to transfer or process data outside the UK and EEA. However, we cannot control whether banks or email providers route data outside those zones. We will try but cannot prevent the use (or misuse) of such personal data by others.
9. Retaining and deleting personal data
We must comply with our legal and professional obligations in relation to the retention and deletion of personal data. This may require a minimum file retention period (eg: 6 years for an Adult or Business instruction).
Sensitive Personal data received in paper format during the course of undertaking your matter (such as financial or healthcare information) will normally be returned to you or (if copies) shredded upon the conclusion of the matter entrusted to us. Digital versions held by us can be identified within our case management system as “data sensitive” but may be retained for longer. For example, our periodic digital back-ups are preserved for up to a year on a rotation basis.
Paper files are normally assigned a destruction date at the conclusion of the matter. We aim to inform you of that date when known.
Other (digitally held) personal data may be retained for business monitoring, to increase efficiency if re-instructed by you or you make later enquiries, and to ensure we can identify any conflicts of interests should we be instructed by others in a matter where you are involved.
Any computer hardware drives which may once have contained your data will be destroyed after replacement.
10. Your rights
Before processing a request relating to personal data we hold about you; we may require any permitted fee, and evidence confirming your identity (a certified photocopy of your passport or photo driving license plus an original copy of a utility bill showing your current address will normally suffice).
Your principal rights under data protection law include:
• the right to access; We may normally withhold personal information that you request to the extent permitted by law, manifestly unfounded or excessive.
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to object to processing;
• the right to data portability;
• the right to complain to a supervisory authority; and
• the right to withdraw consent.
You may also instruct us at any time not to process your personal information for marketing purposes.
11. Email security
Emails generated from our offices via our mail servers use SSL certificates
12. Further information
May be obtained from https://ico.org.uk/ or by asking your file handler at Veitch Penny LLP.