Data Protection and Confidentiality Policy
The 1998 Data Protection Act came into force on 1 March 2000. The purpose of the Act is to protect the rights of individuals about whom data (information) is obtained, stored, processed and disclosed.
What is data protection?
Data protection is essentially that area of the law that governs what may, and what may not, be done with personal information. Such personal information may be in electronic (eg stored on computer hard drive) or manual form (in a manual filing system).
The Data Protection Act is mandatory and Law Centre (NI) is therefore required under law to comply with the Act. This means that we must:
- Notify the Information Commissioner’s (IC) Office
- Adhere to the eight data protection principles below
- Educate and train staff in the correct use of data
Consequences of breaching the Data Protection Act:
- Staff can be criminally liable if they knowingly or recklessly disclose personal data in breach of the Act.
- A serious breach of data protection is also a disciplinary offence and will be dealt with under the Law Centre’s disciplinary procedures. If a member of staff accesses another employee’s personnel records without authority this constitutes a gross misconduct offence and could lead to summary dismissal.
2. Policy Statement
Law Centre (NI) is committed to fulfilling its legal obligations within the provisions of the Data Protection Act.
The Information Commissioner maintains a public register of data controllers who process data (information) and who are required to notify their details to the Commissioner. Law Centre (NI) has notified the Information Commissioner of the types of processing we undertake since 1996 and has been placed on the register.
4. The Eight Data Protection principles
There are eight principles of data (information) processing with which the data controller must ensure compliance. In this instance the Law Centre is the ‘data controller’.
Personal data shall be:
Principle 1: processed fairly and lawfully
Principle 2: obtained only for the purpose stated
Principle 3: adequate, relevant and not excessive
Principle 4: accurate and, where necessary, kept up-to-date
Principle 5: not kept for longer than is necessary for that purpose
Principle 6: processed in accordance with the rights of data subjects under the Act
Principle 7: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Principle 8: not transferred to countries without adequate protection
5. Employment: Code of Practice
Law Centre (NI) will adhere to the Employment Codes of Practice issued by the Information Commissioner on:
- Recruitment and selection
- Employment records
- Monitoring at work
The Administration Manager (Belfast) has the responsibility for the implementation of these codes.
6. Compliance with data protection principles
Principle 1: Processed fairly and lawfully
This means that when Law Centre (NI) is collecting personal information from individuals, it ensures that:
- they are made aware of the uses of this information
- individual consent has been obtained for any secondary uses of their personal information
- individuals are made aware of disclosures of their personal information to third parties.
Information held by the organisation includes details on the following:
- applicants for recruitment and selection
- training participants
- mailing lists
Sensitive personal information
The Data Protection Act introduces categories of sensitive personal information as to an individual’s:
- Racial or ethnic origin
- Political opinion
- Religious beliefs or other beliefs of a similar nature
- Trade union membership
- Physical or mental health condition
- Sexual life
- Criminal or alleged offences
- Criminal proceedings, convictions or disposal of proceedings
Law Centre (NI) processes sensitive data for the following purposes:
- Advice/legal proceedings
- Employment law obligations
- Vital interests of the data subject
- Legal rights
- Insurance and pensions
Principle 2: Obtained only for the purpose stated
Personal information can only be obtained for one or more specified and lawful purposes and should not be processed in any manner incompatible with those purposes which are described in our Data Protection Register Entry, that is:
- Staff administration
- Administration of membership records
- Realising the objectives of a charitable organization or voluntary body
Principle 3: Adequate, relevant and not excessive
Law Centre will only hold personal information which is adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. This means that the minimum of personal information should be held in order to fulfil its purpose. It is not acceptable to hold information on the basis that it might be useful in the future without a view of how it will be used. The Law Centre has a responsibility to continually monitor compliance with this principle and to audit what information is kept.
Principle 4: Accurate and, where necessary, kept up-to-date
This principle places a duty on the Law Centre to take reasonable steps to ensure the accuracy of the information processed on Law Centre information systems.
In collecting information the Law Centre needs to take all reasonable steps to make sure the information is correct and the source of the information is reliable and to check this, if necessary.
Similarly, third parties who supply personal information to the Law Centre should advise the Law Centre of any corrections or amendments that need to be made.
The significance of the inaccuracy is important. Obviously, minor inaccuracies which have no impact are of less importance, but nevertheless the validity of the system and the training and skills of staff inputting data should be checked.
Any inaccuracies should be corrected as soon as possible in order to limit the damage and distress caused.
Any information should include the source and date and any alterations should be dated.
Principle 5: Not kept longer than is necessary
Law Centre (NI) will ensure that personal information is not retained any longer than is necessary. This will require the Law Centre to undertake regular assessment and deletion. We are legally obliged to keep client files and financial records for a period of six years.
Principle 6: Processed in accordance with the rights of data subjects under the Act
Individuals have a general right of access to their own personal information, which is processed by Law Centre (NI) in accordance with established Law Centre Access procedures. They have the right:
- To have a copy of the information
- To stop processing where this is likely to cause distress
- To have information rectified, blocked or erased
- To claim compensation
Principle 7: Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Law Centre (NI) has a duty to ensure that appropriate security measures are in place when handling personal information. This applies to both information technology and manual files.
Data: means information in a form in which it can be processed (automatically)
Personal data: means data relating to a living individual who can be identified either from the data, or from the data in conjunction with other information in the possession of the data controller
Data controller: is a person who, either alone or with others, controls the contents and use of personal data
Data processor: is a person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment
Data subject: the individual person who is the subject of any relevant personal data (information)
A personal data-filing system: any structured set of personal data accessible according to specific criteria whether centralised, decentralised or dispersed on a functional or geographical basis
Third party: someone other than the data subject, controller, processor and persons with authority of the controller or processor to process the data
Recipient: is the person to whom data is disclosed. This would include employees. The data subject has to be informed of the recipients of the data.
Data subject’s consent: means any freely given, specific and informed indication of his/her wishes by which the data subject signifies his/her agreement to personal data relating to him/her being processed. Consent may need further clarification, e.g. should it be in some permanent form? Can it be electronic? Will oral consent do?
Law Centre NI (LCNI) is committed to protecting the privacy and personal data of all our service users. We are registered with the Information Commissioner’s Office and all personal data we hold is held in accordance with the EU General Data Protection Regulation (GDPR). In compliance with GDPR, personal data may only be held and processed where there is a lawful basis for doing so. The lawful basis adopted by LCNI will vary depending on the purpose for which you access our services.
This privacy notice has been developed so that we can clearly communicate to our stakeholders and service users the types of personal data we may collect and the lawful basis for doing so. It also explains how we’ll store and handle that data and keep it safe.
LCNI offers a range of services including providing legal advice and representation, a telephone advice line, training, information and communication as well as offering membership.
What type of data do we hold?
In order for LCNI to carry out the various works within each of our services we are required to collect and process certain personal data. This may include, but is not limited to:
- Your full name
- Your address, post code, telephone number, email address
- Bank details
- Medical records
- Health care professional records
- National Insurance Number
- Employment history
- Monitoring Information including – gender, race, ethnicity, religion, trade union membership.
- Criminal convictions (this will apply to recruitment only)
How do we use your data?
Where you access our services in order to seek legal advice and assistance, we may be required to record details as stated above in addition to some personal sensitive data known as monitoring information. Where sensitive data is collected we will always ask for your consent. This may be gained through verbal consent on our telephone advice line, or written consent where we are acting on your behalf in court proceedings or representing you at tribunals. The data we collect will only be collected where it is necessary and deemed to be in the legitimate interest of enabling us to progress with your case. We may use your data for the purposes of providing you with legal advice, assistance and, where appropriate, representation, and for reasons directly associated with those services (i.e. providing information to quality auditors; the Legal Services Agency etc.). Where we represent you in Court and Tribunal proceedings we will use your data, where required, for the purposes of these proceedings.
Law Centre NI is a registered charity which is funded through government departments, statutory bodies and philanthropic organisations. Some of the organisations that fund our services ask us to report to them on how we have used their money. They may also ask us to undertake equality monitoring for the purpose of identifying the key demographics of the legal need we are meeting and servicing. We call this “Monitoring Information”. We keep this information securely and confidentially and we only ever use it for statistical and monitoring purposes. Where we disclose it to a funder we do so anonymously. We never disclose information about your case or you personally.
As part of our funding and auditing requirements we may also provide your name and contact details to third parties for the purposes of auditing the quality of our legal services. This information will only be used for auditing the effectiveness of our legal services.
LCNI is a membership organisation. Data for the purposes of availing of our membership will be collected through an application form. We will ensure this data is maintained up to date through annual renewals. The data held for membership purposes will be held on the basis of legitimate interest. The data collected (name, address, email) will be processed for the purpose of maintaining your membership. This may include issuing you with updates on the work we are carrying out and notifying you of events or training. We may also contact you in relation to other Law Centre activities which we feel you may benefit from as a member. Your data is stored on our internal database and details will not be shared with any third parties.
Where you access our services to attend training we will store the following details: name, address, postcode, telephone, email, invoicing details. These details will be held for the purpose of entering into a contract of service with you to provide training. Where your course is an accredited course we will be required to share your information with the awarding organisation. This is currently Open College Network (OCN).
As a user of our service we may also use this information on a legitimate interest basis to contact you about any future training and events which may be of interest to you.
Information and Communications
Where you have subscribed to our newsletters via our website www.lawcentreni.org, we will store your contact details including your name and email address. This data will be given through a web form and will require your consent. This data will only be used for the purposes of contacting you with newsletters or upcoming training/event bulletins containing updates and other information that may be of interest to you in the context of the work of Law Centre (NI). We will never share or sell personal data with third parties outside of Law Centre (NI) unless use of a third party is required for the administration of a service, for example, use of MailChimp to send e-newsletters. You may opt out of receiving any, or all, of these communications from us by emailing email@example.com.
Information we collect for the recruitment process will be from your application form. The information provided will be used for the purpose of recruitment only. We will never share any of your data with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us. We will use the contact details you provide to contact you to progress your application, including, where appropriate, Access NI applications. We will use the other information you provide to assess your suitability for the position you have applied for. Where we seek references for the appointment of a post we will seek your consent.
How do we store your data?
The various data we store will be held electronically on our own internal servers as well as in hard copy. Where data is held in hard copy it will be stored in secure filing systems and no unauthorised personnel will have access to it. Electronic data will be stored in password protected databases on our internal servers. The casework management system we use to store client details is Advice Pro. This is a protected online portal. This data is stored securely in the UK within a robust, secure operations centre compliant with Information Security Code of Practice ISO27001.
How do we protect your data?
We take protecting your data very seriously. The data you give us may be subject to Legal Professional Privilege and is often extremely sensitive and confidential.
With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it. We have clear data protection and information security policies and procedures in place (along with Regulatory and other legal obligations to keep your data safe) and these are regularly assessed as part of our Quality Standards and compliance processes.
We take all necessary measures to protect our IT system to safeguard against potential cyber threats.
How long will we keep your data?
We only keep your data for as long as is necessary for the purpose(s) for which it was provided. For the purposes of providing legal services this is for 6 years after your case or matter ends, unless you are a minor; in such instances we may keep your data for 6 years after you reach the age of 18. This is because we are required to keep client files for that period by our Regulator and / or by the Law Society of Northern Ireland.
For our training services we will hold data for a period of up to 3 years after the date of training in accordance with awarding body requirements.
Any data we hold in order to process financial information, for example in the processing of training and membership fees, will be retained for 7 years in accordance with auditing requirements.
All data will be securely destroyed/deleted.
Who do we share your personal data with?
We sometimes share your personal data with trusted third parties. We only do this where it is necessary for providing you legal services or for the effective operation of our organisation.
For example, we may share your data with barristers; experts; conciliators; health care professionals; translators; costs drawer.
This data will only be shared where there is a legitimate interest to do so. If we do share your information with any of these trusted parties we will always ensure that your data and privacy are protected.
We also outsource some of the activities of our organisation; this includes IT support, Access NI search, auditors and data storage. Where we engage the services of other organisations we will always ensure that:
- We will only provide the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them.
- We work closely with them to ensure that your privacy is respected and protected at all times.
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Where is your data processed?
Your data is stored and processed within the European Economic Area (EEA). If we ever have to share your personal data with third parties and suppliers outside the European Economic Area (EEA) we will seek your specific consent to do so. The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
What are your rights?
You have the right to request:
- Access to the personal data we hold about you, free of charge in most cases.
- The correction of your personal data when incorrect, out of date or incomplete.
- The deletion of your personal data, for example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
- That we stop any consent-based processing of your personal data after you withdraw that consent.
You have the right to request a copy of any of the information that we hold about you at any time, and also to have that information corrected if it is inaccurate.
To request a copy of the information we hold on you, please contact Director of Law Centre (NI), Middleton Building, 10-12 High Street, Belfast, BT1 2BA or telephone 028 90 244 401. Requests will be dealt with within a 30 day period.
If we choose not to action your request, we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1114.
Or go online to www.ico.org.uk/concerns