​

INTRODUCTION

This Chambers is required to comply with the law governing the management and storage of personal data, which is outlined in the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act.

​

Compliance with the GDPR is overseen by the UK data protection regulator which is the Information Commissioner’s Office (ICO). This Chambers is accountable to the ICO for its data protection compliance. 

​

Scope 

This policy applies to all members, staff (including managers), consultants and any third party engaged by Chambers 

This policy covers all personal data and special categories of personal data, processed on computers or stored in manual (paper-based) files. 

 

Responsibility 

Linda Appiah, who is Head of Chambers, is responsible for monitoring Chambers’ compliance with this policy. 

Everyone in Chambers (and any third party to whom this policy applies to) is responsible for ensuring that they comply with this policy. 

 

Data Protection Officer (DPO)

Chambers has appointed Linda Appiah as its Data Protection Officer (DPO). Linda Appiah’s responsibilities within this role include:

 

• Developing and implementing data protection policies and procedures

• Arranging periodic data protection training for all staff and members which is appropriate to them

• Acting as a point of contact for all colleagues, staff and Barristers on data protection matters

• Monitoring Chambers’ compliance with its data protection policy and procedures

• Promoting a culture of data protection awareness

• Assisting with investigations into data protection breaches and helping Chambers to learn from them

• Advising on Data Protection Impact Assessments and 

• Liaising with the relevant supervisory authorities as necessary (i.e. the Information Commissioner’s Office in the UK).    

​

GDPR

The GDPR is designed to protect individuals and personal data which are held and processed about them by Chambers or other individuals.

​

The GDPR uses some key terms to refer to individuals, those processing personal data about individuals and types of data covered by the Regulation. These key terms are:

​

“Personal data”  means any information relating to an identified and identifiable natural person (‘data subject’).

This includes for example information from which a person can be identified, directly or indirectly, by reference to an identifier i.e. name, date of birth, addresses and contact information.

​

It also includes information that identified the financial, physical, physiological, mental, economic, cultural or social identity of a person. 

​

For Chambers’ purposes, Barristers’ clients and Chambers’ staff are data subjects (other individual third parties concerning whom we hold personal data about are also likely to be data subjects) 

 

“Controller”   means the natural or legal person, public authority, agency or other body who alone or jointly with others, determines the purposes and means of processing the personal data. In effect, this means the controller is the individual, organisation or other body that decides how personal data will be collected and used. 

​

For Chambers’ purposes, this Chambers is a data controller for certain categories of data.

​

“Processing” means any operation which is performed on personal data such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available.

​

For Chambers’ purposes, everything that we do with client information (and personal information of third parties) is ‘processing’ as defined by the GDPR. This processing will often be in the capacity as a Data Processor on behalf of a Barrister as a Data Controller.

 

“Special categories of personal data” means personal data revealing:

• racial or ethnic origin;

• political opinions;

• religious or philosophical beliefs;

• trade-union membership;

• the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person;

• data concerning health or data concerning a natural person's sex life or sexual orientation.

​

N.B. data relating to criminal convictions and offences are not included within the special categories. However, there are additional provisions for processing this type of data (see Regulation 10 of GDPR)

 

Data Protection Principles 

The GDPR is based around 8 principles which are the starting point to ensure Chambers compliance with the Regulation. Everybody working in and with Chambers adheres to these principles in performing their day-to-day duties. The principles require Chambers to ensure that all personal data and sensitive personal data are:

 

• Processed lawfully, fairly and in a transparent manner in relation to the subject (‘lawfulness, fairness and transparency’)  

• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’) 

• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) 

• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (‘storage limitation’)

• Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (‘integrity and confidentiality’)

​

Chambers must demonstrate its compliance with the above (‘accountability’).

​

Processing personal data and sensitive personal data 

We process all personal data in a manner that is compliant with the GDPR, in short, this means Chambers:

 

• have legitimate grounds for collecting and using the personal data

• do not use the data in ways that have unjustified adverse effects on the individuals concerned

• be transparent about how we intend to use the data, and give individuals appropriate privacy notices when collecting their personal data

• handle people’s personal data only in ways they would reasonably expect; and

• ensures we do not do anything unlawful with the data.

​

We ensure that we are aware of the difference between personal data and special categories of personal data and ensure that both types of data are processed in accordance with the GDPR. 

 

The conditions for processing special categories of personal data that are most relevant to our Chambers are:

​

• Explicit consent from the data subject

• The processing is at the instruction of a Barrister who is the Data Controller of that personal data

• The processing is necessary for the purposes of carrying out Chambers’ obligations in respect of employment and social security and social protection law

• The processing is necessary to protect the vital interests of the data subject or another person

• The processing relates to personal data that has already been made public by the data subject or

• The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

​

If you have any concerns about processing personal data, please contact Linda Appiah, who will be happy to discuss matters with you. 

​

Rights of the data subject 

The GDPR gives rights to individuals in respect of the personal data that any organisations hold about them. Everybody working for Chambers is familiar with these rights and adhere to Chambers’ procedures to uphold these rights.

 

These rights include:

• Right of information and access to confirm details about the personal data that is being processed about them and to obtain a copy

• Right to rectification of any inaccurate personal data

• Right to erasure of personal data held about them (in certain circumstances)

• Right to restriction on the use of personal data held about them (in certain circumstances)

• Right to portability – right to receive data processed by automated means and have it transferred to another data controller

• Right to object to the processing of their personal data.

 

If Chambers receives a request from a data subject (a client or other third party concerning whom we hold personal data) to exercise any of these rights, the request must be made by emailing reception@vinecourtchambers.co.uk 

 

Confidentiality and data sharing 

The barristers and Chambers ensure that they only share personal information with other individuals or organisations only where they are permitted to do so in accordance with data protection law. 

 

Chambers ensure that we have the client’s (or other data subject’s) consent before sharing their personal data, although, it is accepted that this will not be possible in all circumstances, for example, if the disclosure is required by law.