GDPR

H.Walmsley (Legal Costings) Ltd

13 Nave Close Darwen

BB3 3JY

Data Protection Policy

Version updated:-

May 2018

May 2019

We take our obligations under the Data Protection legislation very seriously. The nature of our service means that we receive and process highly confidential information in relation to solicitors’ clients.

We are registered with the Information Commissioner’s Office (ICO) under registration number ZA519536.

Data Protection Principles

When handling any personal data, this firm does so in compliance with the principles set out in the General Data Protection Act 2018. Personal data will be:

1.       Processed lawfully

2.       Collected for specified, explicit and legitimate purposes and not to be further processed in a manner that is incompatible with those purposes

3.       Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

4.       Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed

5.       Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Conditions for processing data

We process data received only for the performance of our contract/retainer as a Legal Costing Firm in preparing Bills of Costs for assessment by the Court and Legal Aid Agency. Data is not processed for any reason other than the performance of the retainer/contract.

Information Management & Security Policy

The information processed is highly confidential, subject to legal professional privilege. Our policy is to protect the information we process from all threats, whether internal, external, deliberate or accidental.

It is our policy to ensure that:

Information is protected against unauthorised access

Information is kept confidential

The integrity of information held is maintained

All breaches of information security, actual or suspected, are reported immediately and are investigated and resolved

Maintaining Security

Measures are in place to ensure the information is physically protected.

All equipment is physically protected from threats and environmental hazards

We ensure that only authorised persons who have a justified business need are given access to the data received for processing

We ensure that access controls are maintained at appropriate levels

Data will only be held for the length of time that is required to complete the instructions received. The data will then be returned to the instructing solicitor if it is a paper file, or will be disposed of if the data was submitted by way of an electronic file. Completed Bills prepared will be stored securely for no longer than six years.

In providing our service as Data Processors we will ensure that the integrity and the confidentiality of the data received is maintained by:-

Keeping files and information in a secure and locked environment

Transporting files and information securely and

Not leaving files or information unattended in places where they are at risk.

 

Data Protection - Reviews

We have considered and put in place the guidance issued by the ICO and will update our procedures in accordance with any notified updates received from the ICO. A review of our procedures will be completed not less than every 12 months.

We will continue to consider whether a Data Protection Impact Assessment is required in accordance with the ICO’s published screening checklists.

 

As a Data Processor we undertake to:-

1.       Only act on written instructions provided (unless required by law to act without such instructions)

2.       Ensure that anyone processing the data is subject to a duty of confidence

3.       Take appropriate measures to ensure the security of processing

4.       Only engage a sub-processor with written consent and a written contract

5.       Assist in providing subject access and allowing data subjects to exercise their rights under the GDPR

6.       Ensure that all GDPR obligations are met in relation to the security of processing and if any breach occurs whilst processing the data the Data Controller will be informed immediately

7.       Delete or return all personal data at the end of the contract

8.       Submit to any audits and/or inspections, and provide information required to ensure that both parties meet their GDPR obligations.