Privacy Policy
GDPR rules guide how personal data must be processed. The priority is that processing must be lawful, fair and transparent.
Information must be collected for a specific, explicit, and legitimate purpose and not processed in a manner that is incompatible with this purpose.
Information must be adequate and relevant. It must be limited to what it is needed for. It must be kept no longer than is needed. We must employ appropriate security. Hence all of our systems are SSL secured.
Key accountability
The person with key accountability, and the data controller, is Mr Jed Nero, Compliance Manager.
Your key accountability
Knowing what data is held.
Where the data is stored.
Knowing the length of the retention of the data.
Who the data is shared with.
How secure the data is and keeping it secure.
Data Protection Act
Our responsibilities under the Data Protection Act.
The Data Protection Act covers anything to do with personal data throughout its life cycle, including holding and recording it. The duty of caseworkers is to get it right first time, all of the time. This is because personal data must be treated with respect; there must be a guarantee of non-disclosure, and documents or information must be used for the specific purpose given.
The general data we need for processing applications is found on lists and questionnaires in our client management system.
The majority of our information is processed by our admin staff, who scan and upload the documents to the relevant files. Advisers can therefore work from notes, tasks and documents uploaded either by themselves, by admin or by the client or data subject.
The implications of not adhering to this regime are very serious. It is therefore imperative that compliance is a priority.
As a business we must comply; our use of data must be for a fair and lawful purpose. As such we must ensure that we act within the guidelines, do not accept or take unnecessary information, and process information for a limited reason and not for any other reason. The information you take must be adequate and fit for purpose.
Types of data
There are 3 types of data we process. These are non-personal data, which is data that cannot be used to locate or identify an individual; personal data, which identifies an individual; and finally, sensitive data, which identifies the attributes belonging to an individual such as their religious beliefs, medical history or police record.
Why do we process data
We process data for proceeding with legal applications for clients for a specified and limited purpose. Therefore, the information we obtain must be accurate; up to date (no more than 3 months old, including consent forms); clear and legitimate. Clients or data subjects must be informed that the documents will be returned to them after scanning and that the electronic file will be held for 6 years in accordance with industry requirements. Clients must be informed that their data will be processed in line with their individual rights.
Our Staff
Must identify every person, every time, and verify them, particularly when the contact is by telephone. Identification in person also crosses over into our anti-money laundering responsibilities and GDPR responsibilities.
We will request the following information when you contact us:
Your name
Your address
Your email address
Your date of birth
Your nationality or immigration status
GDPR in relation to the OISC Code of Standards
Under rule 27 OISC code, you are under a duty to ensure confidentiality of all of the information you hold relating to each of your clients, subject to legal and regulatory disclosure requirements.
Under rule 28 OISC code, you are under a duty to ensure that discussions or the giving of information is conducted in a confidential manner.
Providing authority for someone to speak on their behalf
Clients must provide written authority if they wish any third-party individuals to access their case details or to speak on their behalf.
Breach of policy – Internal
If you are aware that there has been a breach of this policy, please report this to your manager or compliance office, providing the following details:
The client name.
Case Type.
Method and type of breach.
Transferring information outside of Lawson Hunte
Requests for files by other Solicitors or Immigration Advice Authority or Bar Registered individuals
Information can be released if a letter of authority signed by the client or data subject is received. The case worker must be notified and will make documents available and, if necessary, remove access to specific privileged documents when sharing the electronic file. All of our data is shared electronically only. No postage of files is permitted outside of the secure environment. It is the responsibility of the caseworker holding the case to organise the transfer and to add the email address of the requesting firm to the case file.
The OISC deal with transfers at rule 48. This states that where a client requires that their case be transferred to another organisation, irrespective of whether any payment is outstanding, all documents relating to the client’s case and the client’s file must be transferred as soon as possible and, in any event, no later than three working days of the request being made.