Background and introduction
Irvine Thanvi Natas (ITN) are committed to the protection and security of your data and privacy.
In order to provide legal services, including advice to you and representation, we need to collect, process and hold personal data. This includes our client’s personal data, as well as the data of third parties who may arise in matters on which we are instructed.
This privacy notice explains:
- Who we are
- What personal data we collect and store about clients and how we collect it.
- Why we collect personal data and what we do with it.
- How we retain information and how we keep it secure.
- Your rights and how to exercise them.
- How we can be contacted.
A link to this privacy notice will be provided when we send you a care letter. It will also be available on our website. It may be updated and we will write to you should we perform any substantive updates to its terms.
Who are we
ITN Solicitors are a firm of solicitors. The solicitors and the firm act as “data controllers” for the purposes of data protection law. That means we are subject to data protection laws and owe duties to data subjects.
We are registered with the Information Commissioner’s Office (ICO), the relevant supervisory authority for data protection matters. The ICO has oversight over the manner in which we hold, process and respect data. As detailed below, you have rights to complain to the ICO about how we handle your data.
For your information, our relevant registration details with the ICO are as follow:
- Registration number: Z2150162
- Registered address: 19-21 Great Tower Street, London, EC3R 5AQ
If you would like to contact the firm or any of our solicitors about this notice, please contact us at the address above or by email at firstname.lastname@example.org.
What information do we process from our clients and about our clients?
In the course of offering advice and representations (“legal services”), we process personal data of many types. This may include:
- Personal details, including contact details
- Financial details
- Business information
- Family details
- Education details
We are also likely to process what is known as “special category” data, a term used to indicate that particularly sensitive data might be processed. This includes information as to:
- Criminal offences, convictions and allegations
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sexual history
- Sexual orientation
We process a range of such data, owing to the range of cases that we are instructed on. If you are interested in knowing the express categories of data processed in your particular case, please contact your solicitor.
How do we collect personal data
The primary source of information we receive is directly from clients, to enable us to provide legal services. We also receive information from referral sources, who may have contacted us on behalf of clients and / or prospective clients. Other information may be obtained and collated from public sources, including subscription services. We do so to be able to provide legal services effectively and in full.
Whose personal data do we process
We process personal data about our clients, potential clients, individuals who feature in the matters on which we are instructed, witnesses, experts, opponents, counsel (also known as barristers), court staff, members of the judiciary and others ancillary to actual or potential proceedings.
Lawful basis for processing data
Data protection laws (including the General Data Protection Regulation (GDPR)) requires data controllers to have a lawful reason (or “lawful basis”) to process personal data. Our lawful basis for processing are set out fully below.
- Contractual necessity – To fulfil our contractual duties to our clients or to enter into a contract with you.
- Legitimate interests – Our legitimate interests in processing data include:
- To provide legal services, including advice and representation services to our clients.
- If the data subject is not our client, to provide legal services to our client from whom or on whose behalf we have collected that data.
- To carry out billing and administrative services, including collection of fees and disbursements.
- To deal with complaints and concerns that may arise, including any regulatory or legal proceedings.
- To provide training to junior staff, such as paralegals and trainee solicitors.
- To assess our performances and review our files.
- For banking and accounting purposes.
- For marketing purposes. Please note that we will note share information concerning you or from which you can be identified, without your consent or it is already publically available. We may also email you regarding events, services or offers that you may be interested in. If you do not wish to receive such information, please do let us know. An “unsubscribe” button will be provided on any marketing email as well.
- Compliance with the law – We will process your data to comply with our legal requirements, including:
- To comply with regulatory obligations
- To comply with financial regulatory requirements, such as money laundering checks.
- To make statutory returns to HMRC for VAT and income tax purposes
- Special category data – We aim to keep clients updated with how and why we are processing their data. However, this is not always possible. Please therefore note that if we are unable to receive your express consent for processing special category data, we may process such data for:
- Reasons of substantial public interest.
- The purposes of establishing, exercising or defending legal rights.
We will use your data only for the purposes for which it was provided, save where we fairly consider that we need it for another reason. Any such reason will (1) be compatible with the original purpose and (2) ensure that our professional obligations to our clients do not prevent such use.
If we need to use your personal information for an unrelated purpose, we will advise you of this in advance and either get your consent or explain the alternative legal basis which allows us to do so.
You should be aware that we may process your personal information without your knowledge or consent. However, we will only do so where this is required or permitted by law.
Do we share your personal data?
Yes, we do so in order to offer effective and complete legal services. We would not be able to offer such legal services without sharing your information. We explain who we may share your data with below, as well as the reasons for that sharing (where not self-explanatory).
For the purposes of this notice (and further to our professional obligations of confidentiality and privilege to clients), we may provide your personal data to the following:
- Other members of our firm, within and outside of the department that dealt with your case. We may do so where, for instance, another department may be able to assist with an aspect of your case that the original department may not. Further, there may be follow up work required on your file.
- Barristers, other legal representatives or experts with whom we are working. Note that we will not instruct such a professional without your consent, save where we cannot receive your consent (in which case, we may share your data on the othe lawful bases cited above).
- Management and administrative staff. Such staff will require your data to, for instance, open your case or to manage the firm.
- Typing and secretarial services
- Document Storage companies who we use to archive documents and files off-site pursuant to our professional obligations
- IT providers, where access to our database is required to solve a technical issue.
- Opposing legal representatives, as part of your case.
- Accountants and banks.
- Judges and court staff.
- Public authorities, where our legal / regulatory obligations require us.
- Our regulators, including the Legal Aid Agency and the Solicitors Regulatory Authority, in the event of a dispute or other legal matter. Our regulators may also conduct audits of our files or may require us to employ independent companies to audit us for regulatory and certification purposes. You can object to your file being passed to our regulators for auditing purposes or to any independent auditors we may be required to employ for those purposes. Please let us know if you object to this when we open your file.
- Any other party where we have your consent to do so.
When the Practice engages third parties to process personal data on its behalf, they do so on the basis of written instructions and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Please note that we do not make any automated decisions with respect to your cases or management of your file.
How long do we hold your personal data
We will not retain your data in any form that identifies you for longer than necessary. Unless the specific circumstances of your case require otherwise or you indicate otherwise, we will delete, destroy and / or anonymise your information around 7 years after the end of your case (or 7 years after the date of last payment / settling of fees).
We may also retain information for longer for audit purposes, or for legal / compliance reasons. However, should you exercise your rights to erasure over this data, we will oblige where necessary.
Do we transfer data outside of the UK?
We are based in the United Kingdom. As such, your data is processed within the jurisdiction of the UK.
We do not often transfer data outside of the jurisdiction. We may however transfer your data to a location outside of the UK if we consider it necessary to do so (for example, for reasons related to the circumstance of your case or to a secure server).
In such cases, we will only transfer your data to an area to which an “adequacy regulation” applies or where the data transfer will be carried out under government approved Standard Contractual Clauses.
How do we keep data secure?
We have security measures in place to ensure appropriate security for your personal data. We seek to protect against unauthorised or unlawful processing, as well as protecting against accidental loss, destruction or damage.
We take the following measures to protect your data:
- Only authorised staff of the firm will have access to your data as held by us. Staff will have access only to the data necessary for the purposes to which they have been given access.
- All persons who have access within the firm will do so in adherence to the law and this notice. All such persons also understand their professional duties of confidentiality and legal professional privilege.
- We use secure browsers to protect malware or other unintended intrusions into our database.
- When the Practice engages third parties to process personal data on its behalf, they do so on the basis of written instructions and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Although we take such measures we are not liable for losses caused by the acts of third parties, such as a malware attack on external serves which we could not prevent or by loss of information by a third party.
We passionately believe in the exercise of rights, whether over your data or any other fundamental right. Accordingly it is important for us to know that you understand the rights you have over your data. In particular:
- Right to access – You have a right to ask for the personal data we hold about you. We will ask for proof of identity before acceding to such a request, to preserve your privacy. However, once we are satisfied as to your identity, we will provide you with your data within 30 days (as required by law). If we may take longer, we will let you know and explain the reasons for the same. We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We will also charge administration fees should, for example, we require to take your information out of storage or archive. We also reserve the right to refuse a request if we reasonably consider it to be unfounded, repetitive or excessive.
- Right to be informed – The notice provides the information you need about how we collect and use your data. If you require any further information, please contact your solicitor or our data protection director at enquiries@ITNSolicitors.com
- Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it.
- Right to erasure – In certain circumstances, you have the right to have personal data that we process blocked, erased and destroyed.
- Right to object and restrict – You can ask for your processing of your personal data to be restricted, for example for marketing purposes. You can also object to the processing of your data entirely but this will affect the service we are able to offer.
- Right to portability – You can request your data to be “ported” to another platform, in certain circumstances.
You should note that these rights are not absolute and can be restricted in certain circumstances. There are instances where the rights will not be available, such as:
- If the request would interfere with our professional obligations to respect legal professional privilege.
- We will also need to consider the effect of any right against the effect on:
- Legal proceedings (including prospective proceedings);
- Obtaining legal advice;
- Defending other legal rights.
Please contact your solicitor or our data protection director if you have any further questions. Our data protection director can be contacted at enquiries@ITNsolicitors.com
Further information about your rights are available on the ICO website: https://ico.org.uk/
We encourage you to review your cookie policies on our website and any other website you visit.
Changes to this notice
This notice is liable to change, as the data protection regime evolves. When we make significant changes, we will notify clients by email. We will also revise the published notice on our website, as well as keeping a record of the changes.
We are hopeful that you will not have a need to complain, as we take your data protection and privacy seriously. Indeed, we trust that you will be pleased by the approach taken in this notice. However, should you find it necessary to complain, we suggest that you contact the solicitor on your case in the first instance.
In the event that you are not satisfied with the resolution from your solicitor, please contact our data protection director on enquiries@ITNsolicitors.com. Our current data protection director is Mr Nadeem Thanvi.
Should Mr Thanvi be unable to resolve your matter, you have a right to complain to the regulator of information, the ICO. The ICO have online guidance on how to complain to them, here: https://ico.org.uk/make-a-complaint/.