Background and introduction
Irvine Thanvi Natas (ITN) are committed to the protection and security of your data and privacy.
In order to provide legal services, including advice to you and representation, we need to collect, process and hold personal data. This includes our client’s personal data, as well as the data of third parties who may arise in matters on which we are instructed.
This privacy notice explains:
- Who we are
- What personal data we collect and store about clients and how we collect it.
- Why we collect personal data and what we do with it.
- How we retain information and how we keep it secure.
- Your rights and how to exercise them.
- How we can be contacted.
This privacy notice will be provided when we send you a care letter. It will also be available on our website. It may be updated and we will write to you should we perform any substantive updates to its terms.
Who we are
ITN Solicitors are a firm of solicitors. The solicitors and the firm act as “data controllers” for the purposes of data protection law. That means we are subject to data protection laws and owe duties to data subjects.
We are registered with the Information Commissioner’s Office (ICO), the relevant supervisory authority for data protection matters. The ICO has oversight over the manner in which we hold, process and respect data. As detailed below, you have rights to complain to the ICO about how we handle your data.
For your information, our relevant registration details with the ICO are as follow:
- Registration number: Z2150162
- Registered address: 19-21 Great Tower Street, London, EC3R 5AQ
If you would like to contact the firm or any of our solicitors about this notice, please contact us at the address above or by email at DPO@ITNsolicitors.com
2. What information do we process from our clients and about our clients?
In the course of offering advice and representations (“legal services”), we process personal data of many types. This may include:
- Personal details, including contact details
- Financial details
- Business information
- Family details
- Education details
We are also likely to process what is known as “special category” data, a term used to indicate that particularly sensitive data might be processed. This includes information as to:
- Criminal offences, convictions and allegations
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sexual history
- Sexual orientation
We process a range of such data, owing to the range of cases that we are instructed on. If you are interested in knowing the express categories of data processed in your particular case, please contact your solicitor.
3. How do we collect personal data
The primary source of information we receive is directly from clients, to enable us to provide legal services. We also receive information from referral sources, who may have contacted us on behalf of clients and / or prospective clients. Other information may be obtained and collated from public sources, including subscription services. We do so to be able to provide legal services effectively and in full.
5. Whose personal data do we process
We process personal data about our clients, potential clients, individuals who feature in the matters on which we are instructed, witnesses, experts, opponents, counsel (also known as barristers), court staff, members of the judiciary and others ancillary to actual or potential proceedings.
6. Lawful basis for processing data
Data protection laws (including the General Data Protection Regulation (GDPR)) requires data controllers to have a lawful reason (or “lawful basis”) to process personal data. Our lawful basis for processing are set out fully below.
- Consent – The primary basis for processing data is with consent. Where this is the basis, we will make sure you have consented to a processing action we intend to take. As detailed below, where we process “special category” data, we will seek to get your explicit consent save in certain circumstance. You may withdraw your consent at any time.
- Contractual necessity – To fulfil our contractual duties to our clients or to enter into a contract with you.
- Legitimate interests – Our legitimate interests in processing data include:
- To provide legal services, including advice and representation services to our clients.
- If the data subject is not our client, to provide legal services to our client from whom or on whose behalf we have collected that data.
- To carry out billing and administrative services, including collection of fees and disbursements.
- To deal with complaints and concerns that may arise, including any regulatory or legal proceedings.
- To provide training to junior staff, such as paralegals and trainee solicitors.
- To assess our performances and review our files.
- For banking and accounting purposes.
- For marketing purposes. Please note that we will note share information concerning you or from which you can be identified, without your consent or it is already publically available. We may also email you regarding events, services or offers that you may be interested in. If you do not wish to receive such information, please do let us know. An “unsubscribe” button will be provided on any marketing email as well.
- Compliance with the law – We will process your data to comply with our legal requirements, including:
- To comply with regulatory obligations
- To comply with financial regulatory requirements, such as money laundering checks.
- To make statutory returns to HMRC for VAT and income tax purposes.
- In the public interest
- Further basis – Please note that if we are unable to receive your express consent for processing special category data, we may process such data for:
- The establishment, exercise or defence of legal claims or;
- Reasons of substantial public interest.
- The purpose of, or in connection with, legal proceedings (including prospective legal proceedings).
- Obtaining legal advice.
- The purposes of establishing, exercising or defending legal rights.
We will use your data only for the purposes for which it was provided, save where we fairly consider that we need it for another reason. Any such reason will (1) be compatible with the original purpose and (2) ensure that our professional obligations to our clients do not prevent such use.
7. Do we share your personal data?
Yes, we do so in order to offer effective and complete legal services. We would not be able to offer such legal services without sharing your information. We explain who we may share your data with below, as well as the reasons for that sharing (where not self-explanatory).
For the purposes of this notice (and further to our professional obligations of confidentiality and privilege to clients), we may provide your personal data to the following:
- Other members of our firm, within and outside of the department that dealt with your case. We may do so where, for instance, another department may be able to assist with an aspect of your case that the original department may not. Further, there may be follow up work required on your file.
- Barristers, other legal representatives or experts with whom we are working. Note that we will not instruct such a professional without your consent, save where we cannot receive your consent (in which case, we may share your data in any event for the reasons detailed above).
- Management and administrative staff. Such staff will require your data to, for instance, open your case or to manage the firm.
- IT providers, where access to our database is required to solve a technical issue.
- Opposing legal representatives, as part of your case.
- Accountants and banks.
- Judges and court staff.
- Public authorities, where our legal / regulatory obligations require us.
- Our regulators, including the Legal Aid Agency and the Solicitors Regulatory Authority, in the event of a dispute or other legal matter. Our regulators may also conduct audits of files. You can object to your file being passed to our regulators for audits. Please let us know if you object to this when we open your file.
- Any other party where we have your consent to do so.
Please note that we do not make any automated decisions with respect to your cases or management of your file.
8. How long do we hold your personal data
We will not retain your data in any form that identifies you for longer than necessary. Unless the specific circumstances of your case require otherwise or you indicate otherwise, we will delete, destroy and / or anonymise your information around 7 years after the end of your case (or 7 years after the date of last payment / settling of fees).
We may also retain information for longer for audit purposes, or for legal / compliance reasons. However, should you exercise your rights to erasure over this data, we will oblige where necessary.
9. Do we transfer data outside of the EEA?
We are based in the United Kingdom. As such, your data is processed in the jurisdiction of England and Wales.
We do not often transfer data outside of the jurisdiction. However, we may transfer your data to a location outside of the European Economic Area if we consider it necessary to do so (for example, for reasons related to the circumstance of your case or to a secure server).
In such cases, we will only transfer your data to an area to which a European Commission “adequacy decision” applies or will be carried out under standard contractual clauses that have been approved by the European Commission as providing adequate safeguards, or through the protections of the EU-US privacy shield.
10. How do we keep data secure?
We have security measures in place to ensure appropriate security for your personal data. We seek to protect against unauthorised or unlawful processing, as well as protecting against accidental loss, destruction or damage
We take the following measures to protect your data:
- Only authorised staff of the firm will have access to your data as held by us. Staff will have access only to the data necessary for the purposes to which they have been given access.
- All persons who have access within the firm will do so in adherence to the law and this notice. All such persons also understand their professional duties of confidentiality and legal professional privilege.
- We use secure browsers to protect malware or other unintended intrusions into our database.
Although we take such measures we are not liable for losses caused by the acts of third parties, such as a malware attack on external serves which we could not prevent or by loss of information by a third party.
11. Your rights
We passionately believe in the exercise of rights, whether over your data or any other fundamental right. Accordingly it is important for us to know that you understand the rights you have over your data. In particular:
- Right to access – You have a right to ask for the personal data we hold about you. We will ask for proof of identity before acceding to such a request, to preserve your privacy. However, once we are satisfied as to your identity, we will provide you with your data within 30 days (as required by law). If we may take longer, we will let you know and explain the reasons for the same. We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We will also charge administration fees should, for example, we require to take your information out of storage or archive. We also reserve the right to refuse a request if we reasonably consider it to be unfounded, repetitive or excessive.
- Right to be informed – The notice provides the information you need about how we collect and use your data. If you require any further information, please contact your solicitor or our data protection officer at DPO@ITNSolicitors.com
- Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it.
- Right to erasure – In certain circumstances, you have the right to have personal data that we process blocked, erased and destroyed.
- Right to object and restrict – You can ask for your processing of your personal data to be restricted, for example for marketing purposes. You can also object to the processing of your data entirely but this will affect the service we are able to offer.
- Right to portability – You can request your data to be “ported” to another platform, in certain circumstances.
You should note that these rights are not absolute and can be restricted in certain circumstances. There are instances where the rights will not be available, such as:
- If the request would interfere with our professional obligations to respect legal professional privilege.
- We will also need to consider the effect of any right against the effect on:
- Legal proceedings (including prospective proceedings);
- Obtaining legal advice;
- Defending other legal rights.
Please contact your solicitor or our data protection officer if you have any further questions. Our data protection officer can be contacted at DPO@ITNsolicitors.com
Further information about your rights are available on the ICO website: https://ico.org.uk/
We encourage you to review your cookie policies on our website and any other website you visit.
13. Changes to this notice
This notice is liable to change, as the data protection regime evolves. When we make significant changes, we will notify clients by email. We will also revise the published notice on our website, as well as keeping a record of the changes.
We are hopeful that you will not have a need to complain, as we take your data protection and privacy seriously. Indeed, we trust that you will be pleased by the approach taken in this notice. However, should you find it necessary to complain, we suggest that you contact the solicitor on your case in the first instance.
In the event that you are not satisfied with the resolution from your solicitor, please contact our data protection officer on DPO@ITNsolicitors.com. As above, our current data protection officer is Mr Ravi Naik.
Should Mr Naik be unable to resolve your matter, you have a right to complain to the regulator of information, the ICO. The ICO have online guidance on how to complain to them, here: https://ico.org.uk/make-a-complaint/.
Finally, if you have any queries or would like any assistance with any data protection claims, please contact our data rights department – firstname.lastname@example.org.