This notice pertains to the data handling and processing that Paschal O’Hare Solicitors carries out for and on its clients as a Data Controller. A Data Controller is the person, group or organisation that collects and manages data that pertains to data subjects. A data subject is the individual that data pertains to.
Paschal O’Hare Solicitors is compliant with the General Data Protection Regulation (GDPR). GDPR was approved by the EU Parliament on 14 April 2016 and came into force on 25 May 2018 and takes precedence over the Data Protection Act (1998). The focus of the legislation is the strengthening and unifying of data protection for all data subjects.
Personal Data is any information relating to an identified or identifiable person. Although not an exhaustive list, some examples of Personal Data may include:
Special Category Data, more commonly referred to as Sensitive Data, belongs to one or more of the following categories:
Although data is defined as information which is being processed or recorded, this document uses the word to mean either or both Personal and Sensitive Data.
In order to best serve our clients and progress their case in a legal, professional and proficient manner, we collect and store data that is relevant to the service that they are receiving. We collect an abundance of information that is freely given to us by consenting clients.
We also, with permission by way of a form of authority or other form of written consent, collect relevant information from third-parties such as HMRC, insurance providers and the NHS on behalf of our clients. This information is integral to the building of a case. We lawfully process data as it is within the legitimate interests of this law firm, our clients and because it is necessary for the performance of the contract between our clients and our firm. We collect and retain personal information relating to our clients such as, but not limited to, names, date of birth, National Insurance number, contact details, addresses, employment details past and present, bank details and other relevant information that is necessary for the progression of each client’s specific case. We are required by the Money Laundering Regulations (2007) to verify clients’ identity before we can act or continue to act on their behalf. Clients are therefore required to produce a photocopy or photograph of a passport, driving licence or other official photographic identity document with a recent utility bill or bank statement as confirmation of address which we will make a copy of. The nature of personal injury and medical negligence cases requires us to process sensitive data in the form of medical records and reports pertaining to our clients.
We operate a secure cloud based desktop system at our offices in which we access stored data. This hosted environment is contained within tier 4 secure datacentres in the UK. We access this system remotely, store all data on it and no data ever leaves the UK. The data that we upload to this system is protected by dedicated servers, private networks and a firewall with DDoS protection. The data is encrypted with 256-bit encryption both at rest and in transit. The data storage systems are covered by regularly updated malware protection which is centrally monitored from a Network Operations Centre.
We embody in our actions the principles of data protection as outlined in Article 5 of the GDPR which can be viewed on the website of the Information Commissioner’s Office here. We are committed to our role as Data Controller and aim to consistently demonstrate our accountable, transparent, fair and lawful methods in the way that we handle data. We collect data for specific reasons and only when we have good reason to do so. We only collect data that is adequate, relevant and limited to what is necessary for the good of our clients and our law firm. We do all that we can to keep the data we control both up to date and accurate and therefore encourage all Data Subjects to inform us when the data that we process on them changes. We do not keep data longer than is necessary, and integrity and confidentiality are prioritised, particularly with security measures against unlawful processing of data. All data is stored on secure systems that are password protected and encrypted. Further to the regulations outlined by the GDPR, we as a firm of solicitors in Northern Ireland are bound by the regulations of the Law Society of Northern Ireland, which guarantees that, except in certain circumstances outlined in this document or without seeking clients’ prior consent, we operate in complete confidentiality. You can learn more about Solicitors Practice Regulations here.
In the interest of progressing with our clients’ cases we share some elements of their data with third-party Data Processors. A Data Processor is a person or group that processes data on behalf of the Data Controller. Data Controllers and Data Processors are both liable for the handling of a Data Subject’s information. Sometimes, we pass client data on to another Data Controller. For example, if we organise a private medical assessment for a client we will provide the medical expert with the client’s data who will then initiate a client / patient relationship with our client. Third-party Data Controllers should have their own data protection policies and notices that our clients can make themselves familiar with prior to engaging in the professional relationship if they request to do so with the relevant expert or organisation. In order to fulfil our contract with clients it is essential that some or all of our Data Processor and Data Controller partners get access to the data of that client. Clients consent to this in their initial paperwork. In most cases, clients are also informed verbally or in writing again prior to the relevant third-party requiring access allowing for an opportunity to withdraw consent should they wish to do so. Our clients are advised that if they do withdraw consent, in certain circumstances, it may prevent us from progressing with their case if the third-party access is absolutely necessary.
We utilise the web hosting services of Big Wet Fish, a Carrickfergus based agency who store our website on their servers in an ISO27001 certified data centre in England. This means they also have access to the data entered freely into the website’s free enquiry form by Data Subjects. Big Wet Fish do not use this data for any purpose.
Paschal O’Hare Solicitors uses high-end case management software by Eclipse Legal. The system is called Proclaim and we use it to collect data, particulars of a case, to manage a case and to communicate in a streamlined and secure manner. Eclipse Legal do not have access to the data within these cases, however for the purposes of tech support, an Eclipse Legal employee may require supervised remote access to our clients’ data. Subsequently, Eclipse Legal keep records of when this was accessed and for what purpose. You can read Eclipse Legal’s Privacy Statement here.
We utilise the services of etiCloud’s hosted desktop. Data is secured on this encrypted GDPR compliant system and accessed remotely by our team. At times, etiCloud support engineers may access our hosted desktop for the purposes of security, software updates and tech support. Subsequently, etiCloud keep records of when this was accessed and for what purpose.
We use the services of Duffy & Co who operate as our accountants. At times, a representative of Duffy & Co attends our office and may require access to case files pertaining to our clients that contain data. They do this on site and in a supervised environment and do not remove data from our premises.
Often it is necessary for the purposes of completing the contract between our clients and this firm and with our clients’ written permission by way of our initial paperwork, that we share clients’ data with third-party experts or third-party expert agencies. Paschal O’Hare Solicitors enjoys ongoing professional relationships with these experts and most often they are in the medical profession, but not always. At times, we may be required to organise appointments with an expert on behalf of our clients and although we pass on data to do so, each expert is a Data Controller should they keep records of this data and any data that they process that resulted from their examination. Our clients are advised that they have the right to the Privacy Notice of any expert that retains data on them. At any stage, clients can ask us which third-party experts we have sent their data to and that we request the expert’s Privacy Notice on their behalf.
Barristers are also considered third party experts. When it is not possible to settle a client’s case out of court we appoint a Barrister to help further our progress. To do so, we send a brief to the Barrister which usually consists of personal and sensitive information pertaining to our clients. Upon the completion of the case, the Barrister returns the data if it was received by hard copy or destroys it if it was digitised.
Paschal O’Hare Solicitors uses call handling services provided by MPL Contact. At times when our phone lines are busy or our office is closed, incoming telephone calls are received by MPL Contact who act on our behalf. These telephone calls are recorded and deleted after 30 days. The call handler records details given freely by the caller and forwards the information, which may include data pertaining to the caller, to us by email.
In order to legally progress a client’s case we are obliged to share data with the defendant of the case, whether it’s an individual, an organisation or a representative of either, including but not limited to, a firm of solicitors and insurance companies. Upon receipt of our client’s details the defendant becomes a Data Controller and is thus obliged to process the data under the guidance of the GDPR. Clients that wish to do so can request that we obtain a copy of the defendant’s Privacy Notice on their behalf.
At times, we use the services of a variety of courier services to transport documents to and from our various offices and other locations. The courier who transports the documents that may contain data pertaining to Data Subjects is under strict instruction not to look at the content of the documents being transported. Sensitive data is never handled by a third-party courier service.
To optimise how we communicate we give clients the option of using a case management mobile app called inCase. The app is developed and hosted by Lavatech Ltd. Data pertaining to our clients that is uploaded to inCase is secured and encrypted on servers in the UK. Lavatech Ltd cannot see the encrypted data despite it being stored on their servers.
In order to safely, ethically and confidentially dispose of paper documents that may contain information pertaining to our clients we use the services of Shred Bank. Shred Bank visit our office to collect these documents and destroy them whilst still on site prior to processing the now destroyed document for the purposes of recycling.
We use the secure storage services of Iron Mountain for the safe retention of conveyancing files. The safe storage company store these files in a secure location in Northern Ireland. When the relevant amount of time has passed, Iron Mountain will ethically and safely destroy these files following an inspection by one of our solicitors. We no longer offer conveyancing services and Iron Mountain do not receive any new case files from us. You can read Iron Mountain’s Privacy Notice here.
In some cases it is necessary that we calculate the benefits of our clients for the purposes of progressing their case. When we need to do this we contact the Social Security Agency, a government organisation. Clients are notified prior to this.
As a firm of solicitors operating in Northern Ireland we are subject to inspections by the Law Society of Northern Ireland. These inspections may require a representative of the Law Society to look closely at some case files that contain data pertaining to our clients. The Law Society may retain a copy of a file and in the unlikely event of this occurring we will notify the relevant client. You can read the Law Society’s Privacy Notice here.
In some cases, if we believe that our clients are entitled to legal aid, we will include data in an application to the Legal Services Agency. Clients are notified prior to this.
The Compensation Recovery Unit (CRU) is a UK government body that recovers social security benefits in certain compensation cases and NHS costs in certain injury cases. When relevant to do so, we may be required to forward our clients’ data to the CRU.
In some cases, if we believe that our clients are eligible for after the event insurance, we will include data in an application to a provider of this type of insurance. Clients that make use of this type of service are entitled to the Privacy Notice of the chosen insurer. Clients are notified prior to this.
At times we utilise the services of VFS Legal Funding to ensure a smooth cash flow. VFS Legal Funding may require our client’s data in instances where they fund the cost of certain elements of that client’s case. Clients are notified prior to this.
In rare instances we may be legally obliged to pass clients’ data to third-party authorities. This is usually the case if we encounter suspicious, illegal or criminal behaviour and for this reason the data may be passed on confidentially and without the client’s permission or knowledge. For example, if we suspect a client is engaged in money laundering activities we are legally obliged under the Money Laundering Regulations (2007) to make a confidential report to the Organised Crime Agency.
We may update who we share data with and Data Subjects are advised to revisit our Privacy Notice on our website regularly to remain updated. If we update who we share data with we will seek consent to do so from existing clients.
In instances where an employee of Paschal O’Hare Solicitors is required to travel between locations such as the courts or other Paschal O’Hare Solicitors’ premises for the purposes of their work with documents, an item or device that contains data, they exercise additional attentiveness. During longer journeys, data is secured in a case or bag. For shorter journeys, the data is carried by hand. At no stage throughout the journey is data left unattended, nor is it visible to others. Documents and items are either covered by a folder, packaging or case, none of which contain outward facing data. Digital data being transported on a device is secured behind the password of that device, password of our hosted desktop and password of our case management system. In addition, the digital security measures mentioned previously in this document are in place. The data is checked by the employee prior to leaving on the journey and immediately upon arriving at the destination. The document, item or device remains in the team member’s hand at all times throughout the duration of their journey unless they are driving, in which case the document, item or device is securely locked in the boot of the vehicle.
We retain data for as long as is reasonably necessary for the purposes for which it was collected.
When a personal injury or medical negligence matter has completed we normally retain our correspondence file for a period of up to 6 years after completion. Thereafter the file will be destroyed without reference to you unless, before then, you notify us that you wish to retain some part of the file.
In the past, Paschal O’Hare Solicitors offered conveyancing, wills and probate services. Despite this firm no longer offering these services, we maintain data on individuals who made use of these services before we discontinued them. As per the Law Society of Northern Ireland’s recommendations, we keep conveyancing, wills and probate case files, which contain information on Data Subjects, for a period of ten years. As per our contractual agreement, we also keep the actual will of our clients that used our wills and probate service until they pass. Similarly, we hold property deeds on behalf of clients that made use of our conveyancing service until the data subject requests that they are returned to them.
We may retain the data of clients for the purposes of marketing and market research when it is within our legitimate interest to do so. Data Subjects can request the deletion of data and exercise their right to be forgotten (erasure) at any time which we oblige unless prevented by law. Requests must be made in writing by email or post. We may hold some information for a longer period of time so that we can maintain an accurate record of our dealings with stakeholders for the purposes of complaints, challenges or if we believe there is a prospect of litigation against us.
Individuals that we hold data on can request a copy of that data from us. Requests must be made in writing by email or post. The person making the request must provide us with sufficient information to identify they are the Data Subject. Once satisfied by this, we will comply with the request within one month in the same fashion as the request was made, by email or post. If by post, the documents will be marked as special delivery and will require a signature. We provide one copy for free and additional copies may be subject to a reasonable administrative fee.
If we do not intend to comply with a Subject Access Request we will inform the individual making the request without delay but within one month of the request being made and we will explain our reasoning in full. Clients are advised that they have the right to data held in their case file and to discontinue utilising our services. We will release it for free when required, however the client may be liable for the payment of our fees and costs as per our contractual agreement.
Data Subjects have the right to erasure, more commonly referred to as the right to be forgotten. When there is no compelling reason not to, this firm will comply with requests to exercise the right to be forgotten by any individual that we hold data on. Similar to a Subject Access Request, Data Subjects that request erasure should do so in writing by email or post.
If a Data Subject is unhappy about our conduct regarding their data or feels that we have not acted appropriately as Data Controllers, they should contact us without undue delay. In such instances, we will explain our actions and decisions in full and when necessary, put right any mistakes that we may have made.
All Data Subjects also have the right to register a complaint with the Information Commissioner’s Office (ICO). However, the ICO prefers that complaints are dealt with informally between the Data Controller and Data Subject. More information on this can be found here.
Additionally, as a firm of solicitors operating in Northern Ireland, we are answerable to the Law Society of Northern Ireland. Unhappy clients have the right to make a complaint about their solicitor to this regulatory body. However, in order to process a complaint the Law Society requires clients to go through their solicitor’s internal complaints process first. More information on this can be found here.
Paschal O’Hare Solicitors, 1 Lanyon Quay, Oxford Street, Belfast, BT1 3LG.