Lucy Stone KC Privacy Notice

 

This privacy notice relates to the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

 

As my client you are advised to read the following information carefully. This privacy notice is addressed to individuals whose personal data I process, and it contains information about: the data I collect, record, store and use; the reasons for this processing; who I share these data with; the security mechanisms I have put in place to protect them; and how to contact me in the event you need further information.

  1. Who am I? 
    1. I, Lucy Stone KC, collect, record, store, use and am responsible for personal information about you.
    2. When I do this by automated means or a filing system and, alone or jointly with others, determine the purposes and means of the processing, I am a “controller” of this information for the purposes of the DPA and the GDPR.
    3. When I do this by automated means or a filing system on behalf of another data controller and without determining the purposes and means of the processing, I am a “processor” of this information for the purposes of the Data Protection Act 2018 and the GDPR.
    4. This privacy notice relates to processing carried out by me as a data controller.
    5. If you need to contact me about your data, or the processing I carry out, you can use the contact details at the end of this privacy notice.
  2. What do I do with your information?
    1. Information collected from you will be used to provide legal services, advice or references.

      This data may also be used for the operation and management of my chambers, recruitment and supervision of clerks and staff, mentoring and recruitment of its mini-pupils, pupils and members and the delivery of its marketing and training programmes. I may collect personal information in the following categories from you:

      1. biographical information;
      2. biometric data;
      3. criminal convictions, disposals, offences, proceedings and sentences and related security measures;
      4. education, training and employment details;
      5. family details;
      6. financial details;
      7. genetic data;
      8. goods and services;
      9. lifestyle and social circumstances;
      10. other personal data relevant to instructions to provide legal services, including data specific to the case or instructions in question;
      11. personal details;
      12. physical or mental health details;
      13. political opinions;
      14. racial or ethnic origin;
      15. relationships;
      16. religious, philosophical or other beliefs;
      17. trade union membership;
      18. sex life or sexual orientation.
    2. Information collected from other sources

       

      I may also collect information in the same categories from third parties, such as:

      1. clerks, members, mini-pupils, pupils and staff in/of my and other chambers;
      2. current, past or prospective employers or referees;
      3. education and examining bodies;
      4. government departments and other public authorities, including investigators,
      5. ombudsmen, prosecutors and regulators;
      6. lay and professional clients and their staff;
      7. members of the public;
      8. other legal professionals or experts;
      9. publicly accessible sources of information, including databases, law reports,
      10. records and registers and the mainstream and social media;
      11. the intended recipient, where you have asked me to provide a reference;
      12. the members and staff of courts, tribunals and inquiries;
      13. professional advisers, associations and trade bodies, e.g. Bar Associations, the Bar Council or the Inns of Court;
      14. witnesses;
      15. your associates, family and friends.
    3. Purposes

       

      I may record, store and use your personal information for the following purposes:

      1. as permitted or required by law and by my professional obligations, including under the Bar Standards Board Handbook and Code of Conduct;
      2. to carry out anti-money laundering and terrorist financing checks;
      3. to check for actual or potential conflicts of interest in connection with actual or potential cases or instructions;
      4. to keep accounting and professional records and carry out office administration;
      5. to participate in the operation and management of my chambers,
      6. the assessment, recruitment and supervision of clerks and staff, mentoring and recruitment of mini-pupils, pupils and members and the delivery of marketing and training programmes (in such circumstances, I may be acting as a data processor on behalf of my chambers);
      7. to participate in the operation and management of professional associations and trade bodies, e.g. Bar Associations, the Bar Council or the Inns of Court (in such circumstances, I may be acting as a data processor on behalf of the body in question);
      8. to promote or market my services;
      9. to provide legal services to my clients, including taking instructions and providing legal advice and representation in arbitrations, courts, inquiries, mediations and tribunals;
      10. to publish judgments or decisions of courts or tribunals;
      11. to respond to potential complaints or make complaints;
      12. to respond to subject access requests;
      13. to take or defend actual or potential legal or regulatory proceedings or to exercise a lien;
      14. to train other barristers, mini-pupils and pupils and when providing work experience or work shadowing opportunities;
      15. to train students and qualified or trainee legal professionals or experts using personal information which is already in the public domain;
      16. to respond to requests for references;
      17. when procuring goods and services.
    4. Whether information has to be provided by you, and why

       

      If I have been instructed by you or on your behalf, if you have asked for a reference or if you have applied to be or are a clerk, member, mini-pupil, pupil or staff member in/of my chambers, your personal information may have to be provided, to enable me to:

      1. provide you with legal services or a reference;
      2. participate in the operation and management of my chambers, the assessment, recruitment and supervision of its clerks and staff, the assessment, mentoring and recruitment of its mini-pupils, pupils and members and the delivery of its marketing and training programmes;
      3. comply with my legal or professional obligations;
      4. keep accounting records.
    5. The legal basis for processing your personal information

       

      I rely on the following as the lawful basis on which I collect, record, store and use your personal information:

      1. If you have consented to the processing, then I may carry it out for the purposes set out above to the extent to which you have consented to me doing so.
      2. If you are a client, the processing may be necessary for the performance of a contract for legal services or in order to take steps at your request prior to entering into a contract.
      3. I rely on my legitimate interests and/or the legitimate interests of third parties in carrying out the processing for the purposes set out above as a provider of legal services and references and when participating in:
        1. the operation and management of my chambers, the assessment, recruitment and supervision of its clerks and staff, the assessment, mentoring and recruitment of its mini-pupils, pupils and members and the delivery of its marketing and training programmes;
        2. the operation and management of professional associations and trade bodies, e.g. Bar Associations, the Bar Council or the Inns of Court.
      4. In certain circumstances, the processing may be necessary for the performance of a task in the public interest, e.g. if I am assisting a pro bono organisation.
      5. In certain circumstances, the processing may be necessary in order that I can comply with my legal or professional obligations, including accounting to HM Revenue and Customs, carrying out anti-money laundering or terrorist financing checks, checking for actual or potential conflicts of interest and complying with common law duties of care and other legal or professional obligations and subject access requests.
      6. The processing may also be necessary when publishing judgments or decisions of courts or tribunals.
      7. In relation to information which is in categories (2)-(3), (7), (12)-(14) or (16)-(18) at para.2.1 above, which are considered particularly sensitive:
        1. I rely on your consent for any processing for the purposes set out in Section 2.3 Purposes above. If you do not consent to any of these I will be unable to take your case or instructions or provide legal support, guidance or a reference. This is because I need to be able to retain material about your case until there is no prospect of a complaint, fee dispute, legal or regulatory proceedings or subject access request being made and to provide an informed and complete reference.
        2. I am further entitled to process such information in accordance with data protection. legislative or legal requirements where this is necessary for legal proceedings, legal advice, or otherwise for establishing, exercising or defending legal rights or where it has been manifestly made public by you or for reasons of substantial public interest connected with the administration of justice.
    6. With whom will I share your personal information?

       

      Some of the information I collect as set out above, will be protected by legal professional privilege unless and until it becomes public in the course of any proceedings or otherwise. As a barrister I also have an obligation to keep personal information confidential and private, except where it otherwise becomes public or its publication or disclosure is necessary as part of the case or proceedings. It may be necessary to share your information with the following:

      1. clerks, members, mini-pupils, pupils and staff in/of my and other chambers;
      2. current, past or prospective employers or referees;
      3. education and examining bodies;
      4. the general public in relation to the publication of judgments or decisions of courts or tribunals;
      5. government departments and other public authorities, including investigators,
      6. ombudsmen, prosecutors and regulators;
      7. in the event of complaints, my head of chambers, other members of my chambers who deal with complaints, my clerks and chambers director, the Bar Standards Board and the Legal Ombudsman;
      8. in the event of legal proceedings, my head of chambers, my clerks and chambers director, my insurers and my own legal advisers;
      9. IT support staff, email providers and data storage providers;
      10. lay and professional clients and their staff;
      11. other legal professionals or experts;
      12. the intended recipient, where you have asked me to provide a reference;
      13. the members and staff of courts, tribunals and inquiries;
      14. professional advisers, associations and trade bodies, e.g. Bar Associations, the Bar Council or the Inns of Court;
      15. witnesses;
      16. your associates, family and friends or those of my clients.

      I may be required to provide your information to regulators. such as the Bar Standards Board, the Legal Ombudsman, the Financial Conduct Authority or the Information Commissioner’s Office.

      In the case of the latter, there is a risk that your information may lawfully be disclosed by that Office for the purpose of other civil or criminal proceedings, without my consent or yours, which includes privileged information.

      I may also be required to disclose your information to the police or intelligence services in accordance with my legal or professional obligations.

    7. Transfer of your information outside the European Economic Area (EEA)

       

      This privacy notice is of general application and as such it is not possible to state whether it will be necessary to transfer your information out of the EEA in any particular case or for a reference.

       

      However, if you reside outside the EEA or your case or the role for which you require a reference involves persons or organisations or courts or tribunals outside the EEA, then it may be necessary to transfer some of your personal information to that country outside of the EEA for that purpose.

      If you are in a country outside the EEA or if the instructions you provide come from outside the EEA, then it is inevitable that information will be transferred to those countries. If this applies to you and you wish additional precautions to be taken in respect of your information, please indicate this when providing initial instructions. Some countries and organisations outside the EEA have been assessed by the European Commission and their data protection laws and procedures have been found to provide adequate protection. If your information has to be transferred outside the EEA, then it may not have the same protections and you may not have the same rights as you would within the EEA.

       

      If I decide to publish a judgment or decision of a court or tribunal containing your information then this will be published to the world. I will not otherwise transfer personal information outside the EEA except as necessary for providing legal services or for any legal proceedings.

    8. Security measures
      1. Publication of details about my security arrangements would risk their compromise, but my accounts, equipment, premises and records are all backed-up, encrypted, locked, password-protected, secured and/or subject to anti-virus and firewall protection as appropriate and having regard to Bar Council guidance on IT issues.
      2. Furthermore, where my chambers act as a data processor on my behalf it does so in line with the DPA & GDPR-compliant constitutional, contractual, technical and organisational arrangements, policies and procedures and subject to guarantees and obligations of confidentiality. In this regard, the clerks and staff in my chambers and my chambers’ IT support staff provide me with assistance and support and communicate and liaise with others on my behalf and I also use my chambers’ IT systems, including email servers, fee, diary, practice-management and record-keeping software, internet and intranet, network and other shared drives and servers.
  3. What is my retention policy with respect to your personal data?
    1. I may store your information for up to 30 years from either the date of the last item of work carried out by me on the case; the date on which time for any further appeal expired; the date of the last payment received by me; or the date on which all outstanding payments are written off.
    2. Further retention is likely to occur where: a longer limitation period applies (e.g. the case involved a minor); the case involved an order which remains effective, contains an injunction or undertakings to the court and is subject to a penal notice; or connected complaint, legal or regulatory proceedings are active or in prospect. In such circumstances, I will carry out as much minimisation as is practicable and set a date for a further review on a case by case basis.
    3. Deletion / destruction / minimisation will be carried out (without further notice) as soon as reasonably practicable after the information is marked for this to done.
    4. I will store some of your information which I need to carry out conflict checks for the rest of my career in practice as a barrister. However, this is likely to be limited to your name and contact details, solicitors and outline information relating to the case or instruction. This will not include any information within categories at para.2.1 above. Information related to anti-money laundering checks will be retained until five years after the completion of the transaction or the end of the business relationship, whichever is the later.
    5. Reasons for retaining documents/information beyond the end of a case include:
      1. Case documents may be relevant to an appeal out of time (especially in criminal cases).
      2. Anonymised case documents can be used as precedents.
      3. Case documents may contain the results of research into the law, which may be relevant to a current case. These should be anonymised once no longer required.
      4. Instructions, facts or expert opinions in a previous case may be relevant to a current case. These should be anonymised once no longer required.
      5. Correspondence or instructions contain contact details which may be useful. These will be saved to a list of contacts e.g. in Outlook
      6. Information from case documents or records may be important when carrying out a conflict search. It will not usually be necessary to retain substantial numbers of case files for this purpose, and you may find that it is sufficient for the necessary information to be retained on the Chambers’ system, for those who normally carry out these searches.
      7. Case documents must be retained in the event that a complaint is made against a barrister, or a barrister makes a claim against their insurers or solicitors. The limitation period for such claims should provide guidance as to the appropriate period of retention. You could seek guidance from your insurer as to their requirements for your document retention.
      8. An extended retention period may be required where clients are minors, lack capacity or, in criminal cases, during the defendant’s custody.
      9. Correspondence, such as emails should be deleted when no longer required. If possible, it may be advisable to send emails that do not contain substantive advice in the body of the email, and provide advice as attachments which can then be saved with your case files.
  4. Consent
    1. I am relying on your consent to process your information as set out above. You provided this consent when you agreed that I would provide legal services, you asked me to provide a reference or you applied to be or became a clerk, member, mini-pupil, pupil or staff member in/of my chambers.
    2. You have the right to withdraw this consent at any time, but this will not affect the lawfulness of any processing activity I have carried out prior to you doing so. Furthermore, where I also rely on other legal bases for processing your information, you may not be able to prevent me doing so.
  5. Your rights
    1. Under the DPA and the GDPR, you have a number of rights that you can exercise free of charge in certain circumstances. In summary, and subject to certain legislative exemptions and restrictions, you may have the right to:
      1. ask for access to your personal information and other supplementary information;
      2. ask for correction of mistakes in your data or to complete missing information;
      3. ask for your personal information to be erased;
      4. receive a copy of the personal information you have provided to me or have this information sent to a third party in a structured, commonly used and machine-readable format, e.g. a Word document file;
      5. object at any time to processing of your personal information for direct marketing;
      6. object in certain circumstances to the continued processing of your personal information;
      7. restrict my processing of your personal information;
      8. ask not to be the subject of automated decision-making which produces legal effects that concern you or affect you in a significant way (albeit that I do not myself carry out any such decision-making).

      If you want more information about your rights under the DPA & GDPR, please see the Information Commissioner’s guidance.

    2.  If you want to exercise any of the above rights, please:
      1. use the contact details at the end of this privacy notice;
      2. provide proof of your identity and address;
      3. provide a contact address;
      4. state the right(s) you wish to exercise.
    3. I may need to ask you to provide other information so that you can be identified and, provided I am not on leave, I will respond within one month from receipt of your request.
  6. How to make a complaint
    1. The DPA & GDPR also gives you the right to lodge a complaint with the Information Commissioner’s Office if you are in the UK, or with the supervisory authority of the Member State where you work, normally live or where the alleged infringement of data protection laws occurred.
    2. The Information Commissioner’s Office can be contacted at:

      Information Commissioner’s Office
      Wycliffe House
      Water Lane
      Wilmslow
      SK9 5AF

      https://ico.org.uk/global/contact-us/
      Tel: 0303 123 113

  7. Future Processing
    1.  I do not intend to process your personal information except for the reasons stated within this privacy notice. If these reasons change, this privacy notice will be amended and placed on my chambers website.
  8. Video Conferencing
    1. I am the Data Controller responsible for the personal information you may provide when using video conferencing technology, such as Zoom.
    2. Why I need your personal data.
      1. When using video conferencing technology staff and members may use either their chambers-provided devices when in chambers or a personal device when working from home.
      2. When using video conferencing technology staff and members may use either their chambers provided devices when in chambers or a personal device when working from home.
      3. When using video conferencing technology staff and members may use either their chambers provided devices when in chambers or a personal device when working from home.
    3. The lawful basis for processing is under GDPR, where special category data is discussed, this is processed in particular with regard to the health of staff affected by the Coronavirus under Article 9.2(b) Employment, social security and social protection and/or Article 9.2(g) Reasons of substantial public interest (Contingencies Act 2004).
    4. Your data will be used during the use of the Video Conferencing facility and users are requested not to record meetings.
    5. The meeting organiser should monitor to ensure only invited attendees join the meeting and use the password facility where available to prohibit access by others.
    6. My video conferencing application does not monitor meetings or store them after the meeting ends unless they are requested to record and store them by the meeting host. If there were a need to record a meeting, this would be alerted to the participants via both audio and video when joining the meeting and participants have the option to leave the meeting.
    7. The Video Conferencing facility may record names and emails for login and IP addresses, but there is no need to retain this data and the users are requested to delete this following use.
    8. I will not disclose your personal information to third parties for marketing or sales purposes or for any commercial use, and we will not use your personal data in a way which may cause you harm.
    9. Zoom’s privacy policy confirms that they “only collect the user data that is required to provide Zoom services. This includes technical and operational support and service improvement. For example, we collect information such as a user’s IP address and OS and device details to deliver the best possible Zoom experience to you regardless of how and from where you join”.
    10. They also state that they “do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites”.
    11. The user also has the ability to delete any data (such as names and emails for login and IP addresses) after meetings have concluded and at the end of the use of the application.Zoom has stated that; any data stored on US servers is minimal and relates only to the users of the application.
    12. Recordings will be kept for no more than 6 months
    13. You have the right to access your data and correct any inaccuracies. For further details of your rights please contact the Data Protection Officer or go to our website for a more detailed explanation.
    14. Please see our website for our full privacy policy
  9. Mimecast Email Archive
    1. Chambers use MimeCast to provide business continuity to the mail system in the event of a serious incident or event. Mimecast also provides email filtering and protection from malicious emails and content sent to chambers and its members.
    2. Mimecast has a defaolt archive retention period of 10 years for all emails received. This retention period is currently under review and may change without notice.
    3. All data held in Mimecast is in line with our security best practices and is compliant with GDPR and the Data Protection Act and does not affect your rights.
  10. Exemptions

     

    I may rely on the following exemptions under the DPA when processing your information:

    1. Crime and Taxation
    2. Required by law or in connection with legal proceedings
    3. Legal professional privilege
    4. Self incrimination
    5. Disclosure prohibited or restricted by enactment
    6. Immigration
    7. Function designed to protect the public
    8. Audit functions
    9. Bank of England functions
    10. Regulatory functions relating to legal services, the health and children’s services
    11. Parliamentary privilege
    12. Judicial appointments, independence and proceedings
    13. Crown honours, dignities and appointments
    14. Journalism, academia, art and literature
    15. Research and statistics
    16. Health data – processed by a court
    17. Social work data – processed by a court
  11. Changes to this privacy notice
    1. This privacy notice was first published on 1st April 2021 and last updated on 11th May 2021
    2. I continually review my privacy practices and may change this policy from time to time. When I do it will be placed on my chambers website.
  12. Contact details

     

    If you have any questions about this privacy notice or the information I hold about you, please contact my chambers’ Data Protection Officer.

    Ian Bernhardt
    SproutIT
    www.sproutit.co.uk
    T: 020 7036 8530

    My contact details

    Address:
    QEB Chambers of Tim Amos QC
    Queen Elizabeth Building
    Temple
    London
    EC4Y 9BS

    Tel: 0207 797 7837
    Email: [email protected]