This notice explains when and why we collect personal information about you; how we use it, the conditions under which we may disclose it to others, how we keep it secure and your rights in respect of that data. In line with the General Data Protection Regulations and The Data Protection Act 2018, we are committed to designing all of our policies to ensure your privacy, this is called “Privacy by Design”.
For clients of this firm, you should read this notice alongside our general terms and conditions which provide further information on confidentiality, data privacy etc.
This notice does not apply to any websites that may have a link to ours.
Who we are
Data is collected, processed and stored by Bell Lamb & Joynson; and we are what is known as the ‘data controller’ of the personal information you (The Data Subject) provide to us because we need to be able to decide, in agreement with you, how we use, store and process your data to enable us to provide the services you have contracted with us to provide and to meet our legal and statutory obligations.
A Data Controller is “A person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” [Information Commissioners Office].
Bell Lamb & Joynson are a solicitor firm authorised and regulated by the Solicitors Regulation Authority under number 403619.
Our Information Commissioners Office authorisation number is ZA051930.
The partner with responsibility for monitoring and managing Data Protection is Mike Leeman who can be contacted by email – email@example.com
We also use Third Party Partners to deliver our services to you in the most efficient and secure way possible and these partners must meet or exceed our standards of data security and privacy. These providers are defined as Data Processors, who process data on our behalf to enable us to provide the services you require and to meet our legal/statutory obligations.
A Data Processor is “A person, public authority, agency or other body which processes personal data on behalf of the controller” [Information Commissioners Office].
Seven Principles of Data Protection (Data Protection Act 2018)
When controlling and processing your data we will adhere to the principles set out in the Data Protection Act 2018 and GDPR. When we use or hold your data we will make sure:
- We do so lawfully and fairly and transparently (Principle 1: Lawfulness, Fairness and Transparency)
- We use and hold it for the purposes that we have agreed with you, by contract or consent, or where we have a legal or statutory obligation or where we have a legitimate interest (Principle 2: Purpose Limitation)
- We only use or hold the items of data needed for us fulfil the contract with you or our obligations – if we do not need an item of data for these purposes we will not ask you for it or hold it (Principle 3: Data Minimisation).
- The data that we hold on you is accurate, except where you have not updated us or you have provided us with inaccurate data (Principle 4: Data Accuracy)
- We will only hold the data for the time that is reasonable and necessary for us to hold it to deliver the services to you, for us to meet our legal obligations and where we have a legitimate interest to do so (Principle 5: Storage Limitation)
- We do so whilst maintaining the highest standards of data security and confidentiality (Principle 6: Integrity and Confidentiality)
- In addition we expect our staff and any Third Parties to adhere to this policy and all other policies which we implement to enable us to meet the requirements of us under The Data Protection Act 2018 and GDPR and we monitor and review compliance with this policy accordingly (Principle 7: Accountability)
This policy sets out how we will achieve these principles
The legal grounds for us processing, holding, transferring or destroying your data:
If you are considering becoming a client of BLJ to ensure you are provided with accurate costs, we will have had your consent to contact you and to hold your data, by agreeing, you will NOT BE added to any promotional mailing lists. Please note, the personal data that you provide will solely be used for the purposes of providing you with a quote for our conveyancing services or to assist you in your decision on instructing us. It will not be shared with any other party nor will it be used for any other purpose.
If you become a client of BLJ, we do not hold any of your data on the basis of your consent. This is because the grounds that we hold your data under are covered under one or more of the other 5 categories under which we can hold your data.
On occasion we do provide access to your data to third parties for the purposes of quality audit to make sure that the service we deliver to you is to the highest standard and for which we require your consent. Where such access is agreed, it is restricted to secure access to our systems and does not extend to the third party having data transferred to them.
We need your data to provide the services that you have asked us to provide to you. This may be to enable us to correspond with you or others or because we need to include your data in correspondence or in submissions we make to the other side in your matter. In order to progress the matter that you have asked us to assist you with we may also be required to transfer your data to any expert instructed in your case.
Finally when your case is ended we require you to agree to the retention period for your data because we are not willing to act for you if we are not able to hold documentation for a period to protect ourselves against any claim or regulatory investigation that may occur after your case has finished.
We do not require your consent to hold, process, transfer or retain your data if we are relying on contractual necessity.
The vast majority of the reasons for us holding, processing and transferring your data is because we are required by the law to do so. This may be because we need to process your contact details on applications or forms for the legal record relating to the work you want us to do, it may because the regulations we act under from the SRA or Anti-Money Laundering, Diversity, The Land Registry, HMRC or the courts require us to use your data. In short, we would be in breach of our legal duties if we do not use the data you provide to us in this way, once you have instructed us to act in a specific matter.
In addition, under SRA regulations, we must use your data to check that there is no conflict between yourself and other clients who we work with both during and after we work for you.
As we are required by law to act in your best interests and to consider all of your circumstances when assessing this, we may from time use your data to communicate with you where we consider that you may have a need of other services that we offer.
We do not require your consent to hold, process, transfer or retain your data if we are relying on legal obligation.
There may be occasions where we may need to process your data to protect vital interests of yourself or another person. For example, if we consider that you are danger to yourself or to others we may have to use your data to notify medical professionals or the police to protect you or the other person.
We do not require your consent to hold, process, transfer or retain your data if we are relying on vital interests.
If it is in the public interest to retain or transfer your data we are entitled to do so. We cannot foresee any obvious circumstance where we would rely on the right but if we intend to do so we will notify you of our reasons.
We do not require your consent to hold, process, transfer or retain your data if we were to rely on public interest.
Whilst we are entitled to retain or transfer data where we have a legitimate interest the only legitimate interest that we can foresee relying on would be where holding or processing your data enables us to protect both yourself, ourselves or others from fraud.
Types of data held: Clients and third parties involved in client matters
The data we will request from you will depend on what you have asked us to do or what we are contracted to do for you. In general, there are two types of personal data (personal information) that you may provide to us:
such as your name, address, gender, date of birth, contact details, NI Number or financial information etc.
It is defined as “Any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. “ [ICO]
Sensitive personal data:
For some types of work you ask us to do, the nature of the information we will need to use and hold will be more sensitive. This may include your racial or ethnic origin, religion, sexual orientation, political opinions, health data, trade union membership, philosophical views, biometric and genetic data. Data relating to criminal convictions and offences is also treated with the utmost sensitivity.
In the majority of cases personal data will be restricted to basic information and information needed to:
- Identify you in on our system
- complete ID checks
- to identify you to others within the work that you require us to do for you.
- Enable us to make payments to you and to verify that payments have come from you.
However some of the work we do may require us to ask for more sensitive information in order to do the work for you. For example:
- in accident cases we will have to use your health data, in the form of your medical records, in order to establish the injuries you have sustained and we will have to send this data to both the court and the other side.
- In criminal cases we will have to use your criminal record to make an assessment of the likely sentence you may receive in respect of our current offence.
Due to the varied nature of legal work and the scenarios within the cases we deal with it is not possible to provide a definitive list of the sensitive data that we might need to hold or use in your case but if we do need to use or hold sensitive data we will inform you of this fact.
Where we are dealing with sensitive data you can be assured that the security level that applies to that data will maintain your confidentiality.
Sources of information: Client matters
The majority of data that we will hold and use about you will have been volunteered by yourself in the form of answers to our questions, completion of forms and in conversation or communications with you. We may also hold or use data provided by you about other people (eg your opponent or witnesses). We will also receive and may have to hold and use data received from third parties about you or others involved in your case, in order that we can undertake your legal work on your behalf. Some examples of third parties might be :
- Banks or building societies who might send us your mortgage offer or your deeds which may have data relating to you
- Panel providers or organisations who refer work to us will need to provide us with your contact details in order for us to make the contact you have requested of us
- Medical or financial institutions – who provide your sensitive personal records / information to us where it is needed in your case.
- Your opponent or their solicitor may send data to us relating to you that you have not provided
- Where we are required to make searches against property you own, the agent we use may provide data that we have previously not had in our possession relating to you or your property.
- Agencies of the government like the Land Registry or HMRC may also provide data to us relating to you.
What we use your data for: Client Matters
Predominantly we use your data to identify you in the case we are dealing with for you both internally and externally. We use your sensitive data as required to pursue the matter you have asked us to work on. As set out above, these activities do not require your consent under our Data Protection Policy because our contract with you to carry out the work you have asked us to do, gives your agreement to these activities because without this data we cannot do the job for you. The types of activities where we will use your data to progress your case include:
- Providing you with advice;
- Communicating with you
- carrying out litigation on your behalf;
- attending hearings on your behalf;
- preparing documents or to complete transactions
- Keeping financial records of your transactions and the transactions we make on your behalf
- Seeking advice from third parties; such as legal and non-legal experts
- Obtaining insurance policies on your behalf
- Responding to any complaint or allegation of negligence against us
The following are some examples, although not exhaustive, of other reasons why we may need to use your data and under what power we are authorised to do so:
- Checking that your interests do not conflict with any other of our clients because we cannot act for you where this is the case and for which we have a legal obligation under the Solicitors Code of Conduct
- Verifying your identity and source of funds, which we must do under Anti-Money Laundering regulations
- Verifying your banking details to enable to make payments and verify your account details on any monies received, which we must do under Anti-Money Laundering Regulations
- To establish and maintain funding of your matter or transaction if you are to pursue your case with legal aid, as is required by the Legal Aid Agency
- To monitor the performance of our staff through reports generated from within our case management system which enables us to control the quality of service provided to you and which is a requirement under our regulations.
Who has access to your data: Client Matters
Your personal data and case data will be held on third party secure servers (see Data Security below). You may have provided your contact details to our quotes providers systems (Perfect Portal), our ID verification provider (ThirdFort) and our review portal. They will hold your data on their secure servers. Your data may also be held on our local search provider Infotrack’s servers.
Please note that we reserve the right to change contract providers who hold our data at any time.
On occasion we are required to provide access to third parties for regulatory purposes and have a legal obligation to enable this access.
We also, on occasion provide access to third parties for quality control purposes to ensure that we are providing the correct level of service to clients and to enable us to independently monitor the performance of our staff.
Where third parties have access to your data and are accessing our systems directly they can only do so over our secure platform and only if the device they are using is similarly secure.
Where third parties have data transferred to them, except where we have legal obligation to transfer the data, this is only done either over the third party’s secure platform or using our own secure platform. Examples of occasions where access to your data is required are:
Third Parties holding your data as data processors on our behalf;
- We contract with a third party, LEAP, to provide us with our case management and accounts system. They process your data on our behalf to enable us to manage your case and to produce compliant documentation for you. They will hold all your data on their secure systems under our instructions. LEAP’s cloud infrastructure is provided and maintained by industry leading cloud-platform provider Amazon Web Services. Amazon Web Services demonstrates a commitment to information security at every level of the organisation and complies with internationally recognised standards, the EU Data Protection Directive, and regulations and the Data Protection Act 2018.
- We contract with a third party, Perfect Portal, to provide you with updates in respect of your conveyancing matter. They process your data on our behalf to enable you to receive these updates. When they are holding your data they do so on their secure Cloud Platform. They will have your contact details and the details of the property involved in the transaction. If you received a quote through them they will also hold your contact details which you volunteered to us when you requested the quote.
- We contract with a third party platform to enable you to provide reviews of our service. They will hold whatever contact details you have provided them with on their secure servers. They will transfer your review to us via electronic secure transfer.
- We contract with a third party, Infotrack, to manage our relationships with HMLR (Land registry), HMRC for stamp duty and to arrange local searches and indemnity insurance. In order to provide this service on your case, we will provide them with your contact details and property details and they will hold this data on their secure servers. This is data is transferred electronically via an encrypted medium. They will use this data to update HMLR and HMRC via their secure portals and to order searches and insurances over a secure portal.
- We contract with a third party, ThirdFort, to assist you with ID and proof of funds verification. They will hold the data you volunteered to them on their secure servers and use the data to access documentation, under contractual necessity, to enable us to carry out the Anti-Money Laundering obligations we have by transferring the data to us through their secure portal.
- Each of these third parties have Privacy Policies which have Privacy by Design and which are available on request.
Third parties that we may transfer data to via prescribed secure means:
- HM Land Registry to request searches and to register a property as required by law. We transfer this data using a secure portal called Infotrack, by using the Land Registry’s own secure portal or in hard copy using the Document Exchange. Please note that Infotrack are acting as a data processor for us (see above).
- HM Revenue & Customs for Stamp Duty Liability or Inheritance Tax as required by law. We transfer this data either using Infotrack (see above) or via the government’s secure HMRC portal.
- The Legal Aid Agency (LAA) where we are trying to gain funding for you or you have been granted funding. We will do this via the LAA’s secure government portal.
Other third parties that we may be required to transfer data to:
- The Court or Tribunal as required by law
- Solicitors acting on the other side as required by law
- Asking an independent Barrister or Counsel for advice; or to represent you or to Non legal experts to obtain advice or assistance, as agreed under your contract with us
- Translation Agencies, as agreed under our contract with you
- Contracted Suppliers who we may need to provide additional services to meet your needs as your case progresses, as agreed under our contract with you
- External auditors or our Regulator; e.g. Lexcel, SRA, ICO etc as required by law.
- External auditors who assist us with quality and compliance, as consented by you.
- Bank or Building Society; or other financial institutions to pursue your case.
- Insurance Companies to pursue your case under our contract with you
- Providers of identity verification to meet our legal obligations
- Any disclosure required by law or regulation; such as the prevention of financial crime and terrorism as required by law
- If there is an emergency and we think you or others are at risk as this is a vital interest.
Data for Marketing Purposes
If you are a private individual, we will only contact you for the purpose of direct marketing if you are an existing client and you have a perceived need for other services that we offer. We do not need your consent to send these communication because we have a legal obligation to act in your best interests and if we consider that other legal services are in your best interests, for example, that you should have a will drafted, we need to communicate this to you. If you consider that communications could not have been in your best interest please inform our Data Protection Officer to complain
The direct marketing communications may be provided to you by social media channels, email or post.
We will never pass on or sell your details to a third party.
We reserve the right to communicate with any business for direct marketing purposes and to hold the data to enable these communications. Please note that this does not include a right to hold personal data about individuals from these businesses.
New Business Enquiries and Quotes
You may make an enquiry for a quote or estimate via our web portal, operated by Perfect Portal. Where you do so your contact data will be used to generate the quote or estimate and to enable us to contact you, where you have asked us to do so in relation to the quote requested.
You may also make a general enquiry via live chat on our website and your personal data may be held to enable us to respond to this enquiry.
When you are using our site for enquiries and quotes, we do automatically collect certain non-personally identifiable information when you visit our site – such as the type of browser you are using, the type of operating system you are using, and the domain name of your Internet service provider.
We use non-personally identifiable information to analyse site usage (such as aggregated information on the pages visited by our users), which allows us to improve the design and content of our site.
We do automatically collect certain non-personally identifiable information when you visit our site – such as the type of browser you are using, the type of operating system you are using, and the domain name of your Internet service provider.
A cookie is a piece of data stored on a user’s hard drive containing information about the user. The information below explains the cookies we use on our website and why we use them:
Google Analytics cookies: we use these cookies to collect information about how visitors use our website, including details of the site where the visitor has come from and the total number of times a visitor has been to our website. We use the information to improve our website and enhance the experience of its visitors.
You can enable or disable cookies by modifying the settings in your browser. You can find out how to do this, and find more information on cookies, at: www.allaboutcookies.org.
Any forms which are available on our website are powered by Jotforms also bound by the EU General Data Protection Regulations. When you fill out a form, the data that you submit will be forwarded to Jotforms and will be collated into an email and sent to us.
The data that you submit via the form will not be stored within this website’s own database or in any of our internal computer systems.
Your data will remain within Jotform’s secure database in the EU for as long as we continue to use Jotform’s services or until you specifically request removal by emailing us.
We consider JotForm to be a third party data processor.
For more information, please see https://www.jotform.com/privacy/
What Data will we hold for marketing purposes
We will only use your contact details for marketing purposes (name, email, phone number and address) and only to ensure that we make you aware of other services that it may be in your best interests to use. We will not use other personal data to profile you or target you in any other way.
What are our Sources of Data for Marketing Purposes
Our only sources of data for marketing purposes are those provided by you for matters we are dealing with for you or where you have provided the data to us to enable us to provide a quote for you or to communicate with you prior to you instructing us. For the avoidance of doubt:
- If you instruct us as a client we may use your data for marketing purposes where it is in your best interests to consider other services that we offer because we have a legal obligation to do so
- Data provided by you to marketing companies who you have consented can transfer that data to us in order that we can contact you. We will only use that data to communicate with you to enable you to decide whether you wish to become a client. If you become a client we will hold this data under our legal obligations or through contractual necessity
- Data provided by you to our portals where you have asked to be contacted
For the avoidance of doubt, Bell Lamb and Joynson do not:
- buy or obtain lists of people from anyone with the intention of using them for marketing purposes.
- Communicate with anyone whose personal data we are in possession of as a third party in a client matter, other than because of our legal obligation to do so.
Data Security and Confidentiality
The primary repository for our data is our case management system LEAP. Staff are required to keep all client documents on this system and not anywhere else.
Where documents are to be transferred they should be transferred using our secure encrypted portal, LawConnect.
One of the aspects which the firm is keen to observe is with regard to the security of data. This may mean electronic or physical security, or, as with a laptop computer or both. All personnel must comply with such policies as are from time to time notified to them in respect of the firm’s computer system, and in particular must observe secrecy in respect of any password or user name.
Policies that staff are required to follow to ensure that your data is secure are;
to ensure that they use our systems in a controlled manner to maintain their security and to be vigilant where attempts may be made to hijack our systems and to harvest data.
To ensure that hardware, software and the internet are used in a manner that minimises the risk of data loss. This includes where data is stored, how it can be copied and how it can be transferred. Staff must only use the firm’s equipment to access the network and all laptops have additional two factor authentication technology. Data must not be stored on local devices. It also provides for standards of security on any third party device which requires access to our systems. The network is not available to personal computers or laptops.
Access to any part of the firm’s network or premises must not be given to any unauthorised person and is controlled by the managing partner, Mike Leeman. Additional care is required where someone is teleworking, or carrying out the firm’s work at home.
The use of unauthorised USB devices is prohibited but, due to their use within the legal system by the courts and other government bodies it is not possible to outlaw their use within the firm because it may prevent us from carrying out work on your case.
as a solicitors firm your confidentiality is of primary importance to us and no client data must be given to any unauthorised party at any time.
The firm has also achieved the UK government’s Cyber Essentials accreditation for IT security and is committed to maintaining industry leading standards.
Ordinarily, we will keep your data, both hard copy and electronically, for six years from the date that your case finishes, because you may require information from our file, we are required to by our insurers and, if your case is legally aided because the Legal Aid Agency require us to retain the file for this length of time unless:
- The work we did for you relates to the purchase of property, in which case we will need to retain your file for 15 years because of the possibility that you will need the file when you sell the property
- The work we did for you relates to a probate matter, in which case we will need to retain your files for 15 years because of the possibility of future actions needed to be taken.
- The work relates to financial matters in a divorce, in which case we will need to retain your files for 15 years because of the possibility of future actions needed to be taken.
- We are legally obliged to by law
- You require us to provide storage facilities for you in relation to wills, deeds or other documents because it is good practice to retain copies, in case of loss or damage and your data will be required to search for the document.
- Your case is subject of a complaint, investigation or legal claim against this firm, in which case we will hold it for six years after the action has completed
- Data held by our third party suppliers, Infotrack and Perfect Portal will be held for six years
- Data held by Solicitors Reviews will be held for 3 years
- We must hold any data relating to our Anti-Money Laundering legal obligations for a minimum of 5 years and a maximum of 10 years, however, because this data is almost always required for other purposes on your matter we reserve the right, under our contract with you, to exceed 10 years.
Your agreement to this policy and to our terms and condition will be taken as your agreement to our terms and conditions on file retention on the grounds of contractual necessity. Your file and all electronic data we hold relating to your case and yourself will be destroyed after the deadlines set out above.
Your rights under the Data Protection Act 2018 and GDPR
Right to access
You are entitled to access your personal data (otherwise known as a ‘right to access’). If you wish to make a request, please do so in writing addressed to Mike Leeman; or contact the person dealing with your matter.
A request for access to your personal data means you are entitled to a copy of the data we hold on you – such as your name, address, contact details, date of birth, information regarding your health etc.- but it does not mean you are entitled to the documents that contain this data. We must provide this data to you within 30 days, unless we have good reason to refuse your request or it is reasonable for us to need more time.
This request is called a Subject Access Request (SAR). Any request for personal data will be dealt with under the terms of this policy.
The right to be informed:
This is fulfilled by way of this privacy notice and our transparent explanation as to how we use your personal data.
The right to rectification:
you are entitled to have personal data rectified if it is inaccurate or incomplete. If you wish to make a request, please do so in writing addressed to Mike Leeman; or contact the person dealing with your matter.
The right to erasure / ‘right to be forgotten’:
you have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This right only applies in the following specific circumstances:
- Where the personal data is no longer necessary in regards to the purpose for which it was originally collected
- Where consent is relied upon as the lawful basis for holding your data and you withdraw your consent
- Where you object to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed
- Where you object to the processing for direct marketing purposes
If you wish to make a request, please do so in writing addressed to Mike Leeman; or contact the person dealing with your matter.
The right to object:
you have the right to object to processing based on legitimate interests; and direct marketing. This right only applies in the following circumstances:
- An objection to stop processing personal data for direct marketing purposes is absolute – there are no exemptions or grounds to refuse – we must stop processing in this context
- You must have an objection on grounds relating to your particular situation
If you have established your right to object we must stop processing your personal data unless:
- We can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
- The processing is for the establishment, exercise or defence of legal claims.
If you wish to make a request, please do so in writing addressed to Mike Leeman; or contact the person dealing with your matter.
The right to restrict processing:
you have the right to request the restriction or suppression of your data. When processing is restricted, we can store the data but not use it. This right only applies in the following circumstances:
- Where you contest the accuracy of the personal data – we should restrict the processing until we have verified the accuracy of that data
- Where you object to the processing (where it was necessary for the performance of a public interest or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override your right
- Where processing is unlawful and you request restriction
- If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim
If you wish to make a request, please do so in writing addressed to Mike Leeman; or contact the person dealing with your matter.
Your right to data portability
You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances. We will be required to provide this data to you in an electronic transferable format.
You are not required to pay any charge for exercising your rights.
If you make a request, we have one month to respond to you.
Automated decision making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. For the avoidance of doubt, BLJ Solicitors do not use any form of automated decision making which might produce legal effect on you.