The firm of Matthews Legal Limited trading as A B & A Matthews and Hunter & Murray, hereinafter referred to as “Matthews”, collects personal information about people with whom it deals in order to carry out its business, provide its services and comply with the legal obligations upon us. The information includes name, address, email address, date of birth, private and confidential information, and sensitive information. This personal information must be dealt with lawfully and correctly to ensure compliance with the General Data Protection Regulation (“GDPR”).
The firm of Matthews is a “data controller” in terms of the GDPR and we process information about “data subjects”, which includes all clients (present, past and prospective), employees (present, past and prospective) and other business contacts.
Information covered by the GDPR
GDPR applies to all personal data processed by us. This means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In summary, the GDPR sets out that personal data shall be:
- processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed securely, and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Matthews are responsible for, and must be able to demonstrate compliance with, the principles above (‘accountability’).
The six lawful bases on which data can be processed are:
- The consent of the data subject (note, this basis is not relevant where one of the other bases is applicable)
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
This policy applies to all partners and employees of Matthews.
Roles and Responsibilities
Matthews will:
- ensure that there is always one person with overall responsibility for data protection. Currently this person is Peter Murray;
- audit the data that is processed by the firm on a regular basis;
- ensure that we have a lawful basis for all data that we process;
- ensure appropriate contracts are in place with all data processors;
- ensure that appropriate safeguards are in place for all data that we process;
- develop and maintain GDPR procedures to include: roles and responsibilities, notification, subject access requests, training and compliance testing;
- provide training for all staff members;
- provide clear lines of report and supervision for compliance with data protection;
- assess new processing of personal data.
All employees will, through appropriate training and responsible management:
- observe all forms of guidance, codes of practice and procedures about the collection and use of personal data;
- understand fully the purposes and bases for which Matthews processes personal data;
- collect and process appropriate data, and only in accordance with the purposes for which it is to be used by Matthews to meet its legal requirements, service needs or legitimate interests;
- ensure the Matthews retention policy is followed, or the data is destroyed securely if it is no longer required;
- immediately notify their department partner of a subject access request by an individual;
- immediately notify the department partner of any breach of data security;
- understand that breaches of this Policy may result in disciplinary action, up to and including dismissal.
Retention of Data
Matthews will retain all client data indefinitely. This is to ensure ongoing compliance with our legal and professional obligations and to ensure that clients can access their own data when required. It will help us defend ourselves in relation to any claim a client or third party may make. If a client wishes their data revised or erased we will consider whether we can comply with their request in light of our obligations and our legitimate interests.
Matthews will retain all employee personnel data indefinitely. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. If an employee wishes their data revised or erased we will consider whether we can comply with their request in light of our obligations and our legitimate interests.
This document will be circulated to all partners and employees of Matthews after the date of issue, and after every review, and will be retained at 37 Albert Street, Newton Stewart, Dumfries & Galloway DG8 6EG.
This document will be provided to all new employees during the induction process.
Matthews will provide GDPR training to all partners and employees. Training will be reviewed annually.
Compliance with the policies and procedures laid down in this document will be monitored by the partners of Matthews at regular intervals.
Peter Murray is responsible for the monitoring, revision and updating of this document on a two-yearly basis, or sooner if the need arises. We have determined that Matthews do not require a Data Protection Officer.