DATA PROTECTION POLICY OF CHIMA UMEZURUIKE
May 1st 2018
Review date: May 2019
- I am a Data Controller under the General Data Protection Regulation, and am registered with the Information Commissioner’s Office as a Data Controller.
- This policy applies to all the data that I hold relating to identifiable individuals.
- In case of any queries or questions in relation to this policy, please contact me, Chima Umezuruike, at Great James Street Chambers, 37 Great James Street, London WC1N 3HB or at email address: firstname.lastname@example.org.
- I recognise that I control and am personally responsible for compliance with the GDPR in relation to the personal data that I control, which is all the personal data coming to me in the course of my practice. I recognise and embrace this as a non-delegable responsibility. I do not process data for clients.
- Employees of and contractors employed by Great James Street Chambers will have access to some of the data which I control. Although I recognise the non-delegable nature of my responsibility, having Great James Street Chambers' own policies I consider that those policies are adequate and appropriate. I therefore do not intend to lay down any further or different policies in respect of such employees and contractors.
- Data controlled by me will sometimes be shared with other data controllers, such as solicitors and other barristers. Where such other professionals are under a regulatory obligation of their own to comply with the GDPR, I will not investigate their compliance but will assume it unless there is any reason not to do so.
- In the case of data processors who are not employees of Great James Street Chambers or are not professionals subject to their own regulation as aforesaid, I will ensure that everyone processing personal data which I control understands that they are responsible for following best data protection practice, are appropriately trained to do so and are appropriately supervised. Where appropriate, I will enter into data processing agreements to promote best data protection practice by those to whom I entrust data.
General Data Protection Policy
- Terms used in this policy which are defined terms in the GDPR have that defined meaning.
- I will process personal data lawfully within the meaning of Art 6, and fairly and transparently.
When instructions have been received and work upon them is not yet complete, I will collect, retain, access, use and communicate the data for the purpose of delivering my services.
When instructions have been fulfilled, I will retain the data only for one or more of the Art 6 reasons: essentially to meet my business needs (to enable me to provide a better service if instructed again in relation to the same or a related matter), to comply with legal requirements, to provide evidence in the event of disputes and to ensure that any records of historic value are preserved.
- I will collect data only for the purpose of delivering legal services in my practice as a
- I will not further process data in a manner incompatible with that purpose.
- I will collect and process adequate and relevant information, and only to the extent that it is needed for the purpose identified above.
However, I will take a practical approach to this. I will not sift every document delivered to me and delete those parts which are not strictly necessary for the case on which I am working. It would not be practicable to do so. I will trust professionals and lay clients providing me with data to provide only what is reasonably necessary.
- I will ensure that so far as it is necessary and within my reasonable power to do so, the personal data is kept up to date.
- I will keep personal data only so long as the purposes identified above persist.
- I will take appropriate technical and organisational security measures to safeguard personal data.
- I will not transfer information outside the UK except by communicating it to a client or his/her/its authorised representative abroad.
- I will set out clear procedures for responding to requests for information.
- I will ensure that the rights of people about whom information is held can be fully exercised under the GDPR.
Data Storage and access
- The data I control may be divided into the following groups, according to how and where it is kept. This categorisation is not intended to be exhaustive but is intended to assist in achieving the objectives identified in paragraph 24 below:
- Hard copy documents
- Electronic files (pdf, Word, spreadsheets, jpegs, PowerPoint etc) stored securely on my laptop.
- Documents open for the purpose of working on them, and therefore visible on a screen.
- Emails – Emails to and from clients which will often include case information and correspondence. I receive, send and store emails in Outlook on my PC and using the Mail app on my phone.
- Contact details of clients including personal data such as name/address and financial information relating to billing. This data is kept for me by Great James Street Chambers.
- The devices which I use to access this data are:
- A Surface laptop which I often carry with me when out of chambers and away from home.
- A Samsung mobile phone which is always with me.
- I occasionally receive data from solicitors or lay clients on external media such as USB sticks. Very occasionally I may wish to copy data to external media.
- The only third parties with which I share data are Great James Street Chambers and its staff. I do not have a formal data sharing agreement with my chambers because I have total confidence in the integrity of its systems.
- My security objectives are to ensure:
- Confidentiality of information – access to information is restricted to those persons with appropriate authority to access it.
- Integrity of information – information shall be complete and accurate.
- Availability of information – information shall be available and delivered to the right person at the time when it is needed.
Hard copy documents
- I usually need papers with me wherever I am working, which might be in chambers, at home, in court, at others’ offices, while travelling or in hotels.
- All papers will be moved securely between these locations. On public transport they will not be left unattended out of my briefcase. Papers left in an unattended car will be stored out of sight. This will only occur where necessary and for brief periods of low risk. Case files will not be left in a car overnight.
- Papers will never be left freely available in any common area in circumstances where there is a real risk that they may be read by unauthorised individuals. They will never be opened in circumstances where there is such a risk.
- I take papers home, where I often work. They are kept in my private study to which only members of my immediate family have access. Given the nature of my practice, I am satisfied beyond any doubt that no member of my family has any interest in these papers or will look at them.
- The house that I live in is always locked and secured. Given the nature of my practice, I am satisfied that the house is most unlikely to be targeted for the purpose of stealing personal data and that my case papers are unlikely to be of interest to a casual burglar.
Files being accessed and/or accessible from my devices
- Electronic files will never be opened on a screen in circumstances where they can be read by members of the public.
- Both devices identified above will be kept secure at all times within the limits of reasonable practicability.
- The phone is password protected and encrypted and will not be left unattended away from home.
- The laptop is encrypted (Apple MacBook Pro) to FIPS 140-2 or CCTM (CESG Claims Tested Mark) standards. It will not be left unattended and on view. It will only be left unattended at all where this is not reasonably avoidable.
- My laptop is protected by up-to-date anti-virus and anti-spyware software, subjected to regular virus scans and protected by an appropriate firewall.
- Operating software is checked regularly to ensure that the latest security updates are downloaded.
- Removable storage media such as memory sticks will occasionally be used. I do sometimes accept documents on such media and from time to time may load documents onto them. On such occasions the memory stick will be guarded as carefully as all other devices containing personal data.
- This policy covers all personal data irrespective of the media on which they are created or held and includes:
- client documents;
- notes of meetings;
- instructions received and advice given.
- My policy is to retain electronic data for at least 7 years. I consider it proportionate to retain for that period since the possibility of a dispute may endure for 7 years from the date of the last work undertaken.
- As to paper documents, these will be returned to instructing solicitors or other professional clients when I no longer need to keep them for the purposes of working on the case. The solicitors are entitled to their return and will have their own professional obligations and retention policies.
- In public access cases, documents will be retained for at least 7 years and then destroyed.
- However, none of the above three paragraphs is definitive. I will keep individual cases under review. The ultimate disposal decision will have regard to:
- on-going business and accountability needs (including audit);
- current applicable legislation;
- whether the record has any long-term historical or research value;
- best practice in the profession;
- costs associated with continued storage.
- No destruction of data will take place unless:
- the data is no longer required for the purpose of my practice;
- no work is outstanding;
- no litigation or investigation is current or pending which affects the data;
- there are no current or pending FOIA or GDPR subject access requests which affect the data.
- All data subjects have the right to access the information I hold about them, except where specific exemptions apply.
- I will deal with subject access requests in accordance with the Subject Access Request Policy of Great James Street Chambers.
- I may share data with other agencies such as government departments and other relevant parties.
- The data subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows disclosure (including of sensitive data) without the data subject’s consent.
Data Protection Training
I will ensure that I am appropriately trained in Data Protection.