Information governance policy
This policy demonstrates how Legal Services Lincolnshire (Trading) Limited, trading as Lincolnshire Public Law aims to ensure compliance with data protection legislation including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA2018) and any other applicable law concerning the processing of personal data and privacy.
Background
Legal Services Lincolnshire (Trading) Limited, trading as Lincolnshire Public Law is a company which is wholly owned by Lincolnshire County Council. It does not employ any staff directly as its services will be provided under contract by staff employed by Lincolnshire County Council's legal services department
The staff employed by Lincolnshire County Council's legal services department shall act under contract to Legal Services Lincolnshire (Trading) Limited, trading as Lincolnshire Public Law and are subject to the contractual obligations, including training and adherence to policies and procedures, of Lincolnshire County Council, as well as professional responsibilities in relation to confidentiality.
The purpose of Legal Services Lincolnshire (Trading) Limited, trading as Lincolnshire Public Law is to be able to provide legal services to the public sector. These services may include
- property and regeneration work
- civil litigation from debt collection and PI work to judicial review proceedings
- education law
- highways & planning law including appeal work
- enforcement including trading standards, environmental health, planning and anti-social behaviour
- information law
- contract and commercial law
- local government law, governance and the ethical regime including election law
- employment law – respondent tribunal work only
Data Protection
We have a legal duty to meets our obligations as set out within data protection legislation when we process personal data. Our data protection registration number is ZB276915.
We shall adhere to the six principles of data protection, which are:
Principle 1: Personal data shall be processed fairly and lawfully and in a transparent manner.
Principle 2: Personal data shall be collected for specified, explicit and legitimate purposes shall not be processed in a manner incompatible with that purpose.
Principle 3: Personal data shall be adequate, relevant and limited to what is necessary for the purpose.
Principle 4: Personal data shall be accurate and, where necessary kept up to date.
Principle 5: Personal data shall be kept in a form that permits identification for no longer than necessary.
Principle 6: Personal data shall be processed in a manner that ensures appropriate security.
In addition, we shall ensure that we comply with the 'accountability principle'. This requires us to have appropriate processes and records in place to demonstrate our compliance with the principles listed above.
Data Protection Manager
David Coleman is the Data Protection Manager (DPM) he is responsible for overseeing data protection strategy and implementation to ensure compliance with the requirements of UK GDPR. In the absence of the DPM, Andrew Crookham (Deputy Data Protection Manager (DDPM)) will deputise.
The DPM has the authority to ensure that the organisation processes the personal data of individuals (also referred to as data subjects) in compliance with all applicable data protection legislation.
Record of Processing Activities
We maintain a written record of our data processing activities.
The record contains all of the following:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation.
(f) where possible, the envisaged time limits for erasure of the different categories of data.
(g) where possible, a general description of the technical and organisational security measures.
The DPM will be responsible for creating and maintaining the record of processing activity in conjunction with the DDPM.
Privacy Notice
We shall ensure that we make our privacy notice available to data subjects and that our privacy notice will be clear, concise, and in plain English
Our Privacy Notice provides information about why and how we process personal data about individuals and the lawful basis on which that information is processed. It assists us in meeting data protection obligations and supports an open and transparent approach to the use of personal data.
Individual Rights requests
We recognise that individuals have a number of rights in relation to the information we hold about them including:
- Access - You have the right to ask us for a copy of your personal information.
- Rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Erasure - You have the right to ask us to erase your personal information in certain circumstances.
- Restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
- Object to processing - You have the right to object to the processing of your personal data in certain circumstances.
- Data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
- Automated decisions and profiling – You have the right to prevent your information being processed and decisions being made about you solely by automated means
- To withdraw consent - If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time
Our Privacy Notice provides details of how individuals can exercise any of these individual rights.
Retention Schedule
We are required to retain your information for as long as is necessary, after which it will be securely destroyed.
Retention periods can differ and will depend on various criteria including the purpose of processing, regulatory and legal requirements, and internal organisational need.
We have retention schedules in place that set out in detail how long information will be held for.
Information Security
We recognise that personal data must only be processed in a manner that ensures appropriate security and are satisfied that this obligation is met, as Lincolnshire County Council's legal services department has adopted appropriate organisational and technical measures, as they operate within and apply Lincolnshire County Council's Information security policy statement which demonstrates how they aim to protect information.
This policy is available here and is also supported by a number of policies, procedures and standards.
Data Breaches
A data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This includes breaches that are the result of both accidental and deliberate causes"
Examples of a data breach could be a loss or theft of electronic or hardcopy information, sharing of passwords, unauthorised or accidental disclosure of information.
Lincolnshire County Council's legal services department and its staff act under contract to us and are subject to appropriate contractual obligations to report all breaches to the DPM (or DDPM) without undue delay.
We must report all personal data breaches, unless the data breach is unlikely to result in a risk to the rights and freedoms of individuals, to the Information Commissioner's Office (ICO) within 72 hours of becoming “aware” of the breach.
If the breach is likely to also result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay. We shall inform them of the name and contact details of the DPM (or DDPM), the likely consequences of the breach and any measures we are taking to remedy or mitigate the breach.
Records any all data breaches, comprising the facts and effects of the breach and any remedial action taken (even if we do not need to report) will be are kept by the DPM. These records will be disclosed to the ICO upon request.
Training
All staff employed by Lincolnshire County Council's legal services department are required to undertake mandatory information governance training each year. The e-learning package requires a score of 80% or above to pass and modules will help gain greater understanding of the key information governance principles and how to apply them on a day to day basis.
Confidentiality
We have an obligation under the SRA Code of Conduct to ensure the confidentiality of client information at all times. We must keep the affairs of clients confidential and ensure that we have effective systems and controls in place to enable the identification of risk to confidentiality and mitigate those risks.
We are satisfied that this obligation is met as Lincolnshire County Council's legal services department adopts the following measures to ensure client confidentiality:
- use of locked cabinets for sensitive and personal files
- use of lockable fireproof cabinets for the storage of deeds whilst on site.
- restricted access to the Legal Services Offices at 45-49 Newland Lincoln
- Operating a registration of all visitors to the building and ensuring that they are accompanied by a legal officer whilst in the building.
- building security through the operation of key pads/access control
- ensuring the password protection of its Legal Case Management System and the creation of security levels within that system to restrict access as required.
- whilst working from home staff should take appropriate measures by ensuring paper documents are secured and private meetings undertaken via Microsoft Teams are done using headsets (where appropriate).
- specifically in relation to conflicts of interest, confidentiality will be maintained by configuring the Prescient Plus Case management system to limit access to files to specified fee earners.
Legal Professional Privilege
Communications between clients and their solicitors attract legal professional privilege as either Advice privilege or Litigation privilege.
The following disclaimer will automatically be included at the end of every email sent out:-
The information contained in this message is intended for the named recipients only. It may contain privileged and confidential information and if you are not the addressee or the person responsible for delivering this to the addressee, you may not copy, distribute or take action in reliance on it. If you have received this message in error, please notify the sender(s) immediately by telephone. Please also destroy and delete as soon as possible the message from your computer.
Privilege cannot be waived by the lawyer but only by the client. Loss of legal professional privilege in advice given may be damaging to clients. For the purposes of legal professional privilege, a lawyer includes solicitor, barrister, lawyers and employees.
Legal professional privilege may be waived inadvertently through a number of means including overly wide dissemination of advice within the client organisation and repeating or quoting of advice to non-clients or other clients
We will protect against the inadvertent waiving of legal professional privilege by marking advice when appropriate with legal professional privilege, defining with the client at the outset the scope for dissemination of documents and not releasing legal advice to third parties without the express consent of the client.
We consider that a significant amount of the information we hold, and process is subject to Legal Professional Privilege and therefore may be exempt, information under the Data Protection Act 2018, the Freedom of Information Act 2000, or the Environmental Information Regulations 2004.