Turpin & Miller LLP is committed to protecting the privacy and security of your personal information. In accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), this Data & Privacy Notice explains the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data and keep it safe. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
Turpin & Miller LLP is a ‘data controller’, which means that we are responsible for deciding how we hold and use your personal information. When we say ‘we’, ‘us’ or ‘our’ in this policy, we are referring to Turpin & Miller LLP, its subsidiaries and all affiliated entities.
We are aware that there is a lot of information here, but we want you to be fully informed about your rights, and how our firm uses your data.
Conditions for Processing Data
We will only process your personal information where we have a lawful basis for doing so. The General Data Protection Regulation sets out a number of different reasons for which a law firm may collect and process your personal data. These include:
- Contractual obligations: The main purpose for our holding your data is to provide you with legal services under the agreement we have with you. This agreement is a contract between us and the law allows us to process your data for the purposes of performing a contract (or for the steps necessary to enter into a contract). We rely on this lawful basis to process your personal information to perform our contract for legal services with you; this also covers our contractual obligations to the Legal Aid Agency where you receive legal aid to fund your case or advice.
- Legitimate Interests: In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. We rely on this lawful basis where, for example, we are required to provide your personal data under a Court Order or as required by our regulator.
- Legal compliance: If the law requires us to, we may need to collect and process your data. For example, we can pass on details of people involved in fraud or other criminal activity.
- Consent: In some situations, we can collect and process your data with your consent. Where we cannot rely on any other lawful basis, we will request your consent to process your personal information. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.
Some of the above grounds for processing can overlap and there may be several grounds which justify our use of your personal information.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
When do we collect your data?
We normally collect your personal data directly from you. This can be via email; over the telephone; face to face; or by post. We may also collect information via a third party. Those third-party sources include but are not limited to:
- publicly accessible sources such as Companies House or HM Land Registry;
- third parties (with your consent) such as your bank / building society, your employer and trade union, your doctors and other health professionals;
- correspondence we may receive from third parties about you or your matters;
- third parties relevant to an application for employment (e.g. referees);
- case management systems;
- automated monitoring of our websites, computer networks, communications systems and connections; and/or
- systems to ensure the security of our premises, including security CCTV footage.
What sort of data do we collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. This may include asking for and keeping a copy of your passport/driving licence and proof of address.
The personal data about you which we collect, store, and use may include but is not limited to the following categories:
- personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
- work contact details;
- date of birth;
- a copy of your signature including copies of documents you sign in your name or on behalf of a business;
- financial information such as bank details, tax details and source of funds information and details of any relevant sanctions;
- details of your spouse/partner, dependants, wider family and care givers;
- your employment details, including salary and benefits, misconduct, sickness, performance or grievance;
- your nationality and immigration status and information from related documents;
- details of your pension arrangements;
- any other personal data relevant to our clients’ matters or the operation of our business;
- job application details, e.g. date of birth, employment history, qualifications, references, equality and diversity monitoring information;
- ‘Special category data’, including data relating to health (including disabilities), ethnicity, race, religious beliefs, trade union membership and genetic information and biometric data;
- information about criminal convictions and offences;
- audio, video and CCTV recordings; and/or
- information gathered through the automated monitoring of our websites, computer networks, communication and phone systems and connection.
How do we use your data?
We only use your data for the purposes of providing you with legal advice, assistance and, where appropriate, representation, and for reasons directly associated with those services (i.e. providing information to quality auditors, the Legal Aid Agency, Home Office etc.).
We may use your data in the following ways:
- to create client and matter records and files to enable us to provide legal services;
- to conduct checks to identify our clients, verify their identity and determine a source of funds and wealth;
- to respond to a request for or query about your personal information;
- to process your application for employment;
- to process your request to provide services to us as a third party supplier and monitor your contractual arrangement with us;
- to process it in accordance with our operational policies and to provide statistical analysis, including checking for conflicts of interests, monitoring client service delivery, recording complaints and claims information and creating archiving records;
- to gather and provide information required by or relating to financial returns, reports and audits;
- to respond to enquiries or investigations by regulatory bodies or law enforcement agencies;
- as part of any report required for external audits and quality checks; and/or
- for the purposes of complying with our professional, legal and regulatory obligations.
How do we protect and hold your data?
We take protecting your data very seriously. We will treat your data with the utmost care and take all appropriate steps to protect it. We have clear data protection and information security policies and procedures in place (along with Regulatory and other legal obligations to keep your data safe) and these are regularly assessed as part of our Quality Standards and compliance processes. We have security measures which strive to prevent personal data from being accidentally lost, or used or accessed unlawfully. We follow strict procedures as to how your personal information is processed, to prevent any unauthorised person obtaining access to it.
We protect our IT system from Cyber Attack and have antivirus and firewall protection in place. All computers, and all access to the personal data we keep, are password-protected. All personal information you register on our website will be located behind a firewall and we will use our strict procedures and security features to try to prevent unauthorised access to our systems.
Those processing your information within our business and on our behalf will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
The majority of the personal data we hold is stored electronically, in our secure IT systems, or in hard copy, either at our secure office premises or at a secure offsite archive provider. It may also be stored by third parties processing your data on our behalf (see who we share your data with).
We retain your personal data in accordance with our Terms of Business and our Retention Policy.
We do so for one (or more) of the following reasons:
- in accordance with regulatory, insurance or statutory requirements;
- to respond to any enquiries, complaints or claims made by you or on your behalf; or
- where we have a legitimate interest in retaining your personal data (e.g. to prevent conflicts of interest or where you have indicated you would like to hear from us for marketing purposes).
Different retention periods apply for different types of data. We only keep your data for as long as is necessary for the purpose(s) for which it was provided. Normally this is for 6 years after your case or matter ends.
This is because we are required to keep client files for that period by our Regulator and/or by the SRA. This also protects you should you be unhappy with our services and want to complain after your case ends.
For some cases we may decide that it is proper and appropriate to keep data for longer than 6 years, but we will notify you if we believe that your case falls into this category.
Who do we share your personal data with?
In the course of carrying out our work and your instructions we sometimes need to share your personal data with trusted third parties. We only do this where it is necessary for providing you legal services or for the effective operation of our legal practice.
Examples of third parties may include:
- professional advisers who we instruct on your behalf or refer you to, such as barristers, translators, costs draftsmen, process servers, auditors, secure file storage and destruction companies, case management companies or other experts;
- other third parties where necessary to carry out your instructions;
- our regulator, the Solicitors Regulation Authority;
- insurers and brokers;
- Government departments i.e. Companies House, the Legal Aid Agency, Land Registry, HMP HMRC, DWP, Inland Revenue, Legal Ombudsman, Home Office;
- external auditors and accreditors (e.g. SRA, Lexcel);
- our bank.
We will only allow third parties to handle your personal data if we are satisfied they take appropriate measures to protect it. We will only provide them with the information they need to perform their services. They will process that data as a data controller or a data processor and in accordance with the data sharing requirements of the GDPR. We work closely with all third parties to ensure that your privacy is respected and protected at all times.
Where is your data processed?
Your data is stored and processed within the EEA. If we ever have to share your personal data with third parties and suppliers outside the European Economic Area (EEA) we will seek your specific consent to do so.
The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
What are your rights?
Under the GDPR you can exercise a number of rights as follows:
- access to the personal data we hold about you, free of charge in most cases
- require us to correct any mistakes in your personal data held
- to delete your personal data – in certain circumstances
- to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
- to object to your personal data being processed for direct marketing and, in certain other situations, to our continued processing of your personal data.
- the right not to be subject to a decision based solely on automated processing
- that we stop any consent-based processing of your personal data after you have withdrawn consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end
You also have the right to request a copy of any information about you that we hold at any time.
You will not have to pay a fee to exercise any of your rights; however, we may charge a reasonable fee if a request for access is clearly unfounded or if it is deemed to be excessive. Alternatively, we may refuse to comply with a request in such circumstances. We will ask for proof of identity before we provide any personal information, to prevent any unauthorised access.
Your right to withdraw consent
Where we process your personal data on the lawful basis of having obtained your specific consent, you are welcome to withdraw that consent at any time. Should you wish to withdraw your consent, please contact us to let us know.
For information on how your information is used, how we maintain the security of our information, and to exercise your rights to access information we hold on you, please contact us. Similarly, if you believe that the information we hold is wrong or out of date, please let us know and we will update it.
The person responsible for data protection within the firm is Jayne Parker. All enquiries and requests should be sent via email to firstname.lastname@example.org or in writing to Turpin & Miller LLP, 1 Agnes Court, Oxford Road, Cowley, Oxford, OX4 2EW.
The Regulator/How to Complain
We hope that we can resolve any query or concern you may raise about our use of your information. However, if you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113 or by going online at www.ico.org.uk/concerns (please note we can’t be responsible for the content of external websites).
Links to other websites
Our website may contain links to other websites of interest.
Once you use these links to leave our site, we do not have any control over any such website. We cannot therefore be responsible for the protection and privacy of any information which you provide whilst visiting such sites. Such sites are not governed by this policy.
This policy will be regularly reviewed and updated.