Data Protection Policy
PART A – Introduction
This policy applies to us all, including managers, consultants and any third party that this policy
has been communicated to.
The policy covers all personal and sensitive personal data, processed on computers or stored in
manual (paper based) files.
This policy aims to protect and promote the data protection rights of individuals and of our firm,
by informing us all of our data protection obligations, of the procedures that must be followed and
of the systems we have adopted to ensure compliance with the Data Protection Act 2018 (DPA)
and the UK General Data Protection Regulation (UK GDPR) 2021.
CQS accredited firms are also required to have a data protection policy.
The Data Protection Officer at BTTJ is John Chadaway, who is a Partner of the firm. John
Chadaway is responsible for this policy and for monitoring our compliance with it.
All staff and Partners of the firm (and any third party to whom this policy applies) are responsible
for ensuring that we comply with this policy. Failure to do so may result in disciplinary action.
Key data protection terms
The UK GDPR and DPA are designed to protect individuals and their personal data. These statutes
use some key terms to refer to individuals, those processing personal data about individuals and
the types of data they cover. These key terms are:
Data Subject
Means any living, identified or identifiable individual who is the subject of
personal data, i.e. the person that the personal data is about.
For our purposes, our clients are data subjects (other individual third parties
that we hold personal data about are also likely to be data subjects).
Data Controller
Means a person who (either alone or jointly or in common with other persons)
determines the purpose for which and the manner in which any personal data
are, or are to be, processed. Data controllers can be individuals, organisations
or other corporate and unincorporated bodies of persons.
For our purposes, the firm is a Data Controller.
Processing
Means obtaining, recording or holding the information or data or carrying out
any operation or set of operations on the information or data, including:
(a) organisation, adaptation or alteration of the information or data;
(b) retrieval, consultation or use of the information or data;
(c) disclosure of the information or data by transmission, dissemination or
otherwise making available; or
(d) alignment, combination, blocking, erasure or destruction of the
information or data.
For our purposes, everything that we do with client information (and personal
information of third parties), is “processing” as defined by the DPA.
Personal Data
Means data which relate to a data subject who can be identified or is
identifiable, directly or indirectly:
(a) from those data; or
(b) from those data and other information which is in the possession of, or
is likely to come into the possession of, the Data Controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the Data Controller or any other person in
respect of the individual. Personal data includes sensitive personal data and
pseudonymised personal data but excludes anonymous data or data that has
had the identity of an individual permanently removed.
Examples: name; date of birth; address; employment and education history;
video footage; photographs; IP addresses; mobile device IDs, etc.
Sensitive Personal Data / Special categories of personal data
Means personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject;
(b) his or her political opinions;
(c) his or her religious beliefs or other beliefs of a similar nature;
(d) whether s/he is a member of a trade union (within the meaning of the
Trade Union and Labour Relations (Consolidation) Act 1992);
(e) his or her physical or mental health or condition;
(f) any genetic or biometric information (where used to identify an
(g) his or her sexual life or sexual orientation;
(h) the commission or alleged commission by him or her of any offence;
(i) any proceedings for any offence committed or alleged to have been
committed by him or her, the disposal of such proceedings or the
sentence of any court in such proceedings.
PART B – Data Protection and Information Management – Staff Responsibilities
The firm holds a huge amount of confidential information about clients, staff and third parties.
We must all comply with data protection law and keep confidential information secure.
Accordingly, all staff must study and observe the precautions set out below.
The firm’s Data Protection Officer John Chadaway, who is a Partner of the firm, has overall
responsibility for data protection and this policy. Questions on or concerns about these issues
should be referred either to him or to Susan Faulkner, Head of Risk and Compliance.
When we hold information about data subjects, this gives rise to obligations under the UK GDPR.
The UK GDPR applies whether such information is held in electronic form or in a paper filing
We may be liable in various ways if we fail to hold data appropriately. This may include liability
in damages for negligence and breach of confidentiality or even criminal liability. We may also
be subject to professional sanctions for breach of the SRA Codes of Conduct. The following is a
summary of our obligations under data protection law but is not a substitute for full research where
The Data Protection Principles: In processing personal data we must be able to demonstrate that
we comply with the “data protection principles”. These require that personal data must be:
• fairly and lawfully processed in a transparent manner;
• processed for limited purposes;
• adequate, relevant and limited to what is necessary;
• accurate and, where necessary, kept up to date;
• kept for no longer than is necessary;
• made available to the data subjects and processed in accordance with the data
• kept with appropriate security; and
• not transferred to countries without adequate protection.
Grounds for Processing Personal Data: We should only process personal data if we have a
lawful basis for doing so.
At least one of the following six bases must apply whenever you process personal data:
• Consent from the individual. But note that in the case of someone under the age of 16
they cannot give that consent themselves and instead consent is required from a parent,
or other person holding ‘parental responsibility’.
• It is necessary for a contract you have with the individual, or because they have asked
you to take specific steps before entering into a contract.
• It is necessary for you to comply with the law (not including contractual obligations).
• It is necessary to protect someone’s vital interests. Vital interests are those relating to
life and death issues.
• The processing is necessary for you to perform a task in the public interest or for your
official functions, and the task or function has a clear basis in law.
• It is necessary for our legitimate interests or those of a third party, except where
such interests are overridden by the interests or rights of the person concerned.
Sensitive Personal Data: Sensitive personal data (referred to in the UK GDPR as “special
categories of personal data”) can only be processed under strict conditions. Sensitive personal data
includes information about someone’s racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic
data and biometric data.
The usual grounds which entitle us to process such sensitive data are the following:
• Explicit consent of the data subject.
• It is necessary to protect the vital interests of a data subject who is physically or legally
incapable of giving consent.
• Data manifestly made public by the data subject.
• It is necessary for the establishment, exercise or defence of legal claims or where courts
are acting in their judicial capacity.
Do not collect or use personal data without a good reason
If clients give us information about themselves, this is rarely a problem, as they will usually expect
us to record that information and use it for usual professional purposes. However, take particular
care with information about third parties, who may be unaware that we hold information about
them. Bear in mind three simple principles.
• Do not record information about people unless you need to do so and have a justification
pursuant to the above-listed grounds.
• Keep it secure.
• Delete it promptly when you no longer need it.
These principles apply especially to information of an embarrassing, secret or sensitive nature,
and where the people concerned have not consented to us holding the information.
Limit the use of the personal data to the purpose it was collected for
You must be clear about what your purposes are for processing personal information from the
start. Do not process the information for a different purpose unless it is compatible with the
original purpose, you have the individual’s consent or you have a clear obligation or function set
out in law. For example, if a client gives you details of his/her family members for the purpose of
their matter you cannot use this data to send them marketing materials without first getting their
Take care when sending personal data to others
You will often need to share personal data and confidential information with others, such as
barristers, expert witnesses and other law firms. However, before doing so, consider these issues:
• Do they really need the information?
• Should we redact documents so that they do not include irrelevant and unnecessary
confidential information and or personal data?
• Can we rely on the recipient to keep the information secure?
• Are you sending the information outside the European Economic Area? If so, you should
check either that the country in question has been designated by the EU Commission as
providing adequate data protection, or that we have appropriate standard contractual
clauses agreed with the recipient in place to protect the data.
• In publications and publicity materials all client identification information must be
removed unless clients have consented.
• Work on the principle of “check twice, send once” to emphasise the importance of
double-checking what information we are sending to others and also that we are sending
any emails and/or other correspondence to the correct address/recipient.
Keep papers and data secure
• Keep confidential papers in filing cabinets when they are not in use. Bear in mind that
cleaning personnel, temporary staff and others may be present in the building, and that
leaving papers where they can be seen risks a breach of security. When working
remotely, you must treat hard copy documents as you would at work – keep a clear
desk policy and put documents away when you’re not working on them, to ensure
that other household members/visitors cannot access them.
• Challenge and report at once any unaccompanied stranger you see in any area of the
building except reception.
• Minimise the amount of data taken out of the office – only take client files (or other
confidential information) out of the office when it is necessary to do so and only carry
information that is essential to the task at hand. Take precautions to ensure that such
items are not stolen or lost. For example, do not leave files in an unattended car.
• Be aware that taking paper files out of the office is especially risky. Where possible, take
information in encrypted digital form, e.g. on a laptop.
• Bear in mind that laptops and other electronic devices may be stolen if taken out of the
office. Hence confidential files taken out of the office in electronic form must be
encrypted. It is not enough that the machine on which they are stored is password
protected. Where possible, if you are working outside of the office, access documents
through remote access.
• Ensure confidential papers that are no longer required are disposed of in a confidential
waste bin in the office. If you have papers at home that have confidential information
on them, you should return them to the office for confidential disposal. Never put such
papers in the normal household waste bins.
• If working remotely, bear in mind the additional confidentiality and security risks when
discussing confidential matters during virtual meetings or on the telephone and use
headphones for privacy whenever possible.
Keep IT secure
• Take care with any email you receive from an unknown source. Bear in mind that
clicking on attachments or links may result in viruses being downloaded.
• Follow the firm’s policy on the use of passwords, including the level of complexity, the
frequency with which they should be changed, and other precautions such as not writing
them down in any form which might be intelligible to a third party. Secure passwords
are particularly important with mobile devices, or with logins that would enable people
to access the firm’s systems remotely.
• Log off from or lock your computer when it is left unattended. This is especially important
to those working in a remote/hybrid working arrangement.
• Be aware of your desk’s positioning and ensure that your computer screen does not show
confidential information to those who are not authorised to see it e.g. to passers-by
through a window. This is particularly important when using a laptop or other device in
public places, when a privacy screen should be used to protect your screen from prying
eyes. Update the software on your computer whenever required to do so. Updates
frequently fix security weaknesses.
• You must not transfer data between the firm’s system and an external system.
• Even if data has been deleted from electronic media, it may be possible for others to
recover it. Hence computer hard drives, data sticks, floppy disks, CD-ROMs, etc. should
either be cleaned by an expert or physically destroyed when no longer required. This
should be carried out by the IT department only.
Take Care with Payments
• The firm has policies in place to protect itself from the risk of funds being diverted.
Those responsible for making payments from our bank account receive separate
guidance, which includes a strict prohibition on divulging account credentials or security
information (including usernames, passwords, PINs and other security codes).
• All staff should be aware of the risk of criminals seeking to divert funds, e.g. by phone
calls or emails to the firm purporting to be from clients, our bank or senior staff, or to
clients purporting to be from the firm, asking for payments to be made to inappropriate
accounts. Staff must report to Samantha Wright (COLP) or Susan Faulkner (Head of
Risk and Compliance) immediately any request they receive for information which
might be used to facilitate fraudulent payments.
Take Care When Dealing with Enquiries
Beware of “blaggers” (people who attempt to obtain confidential information by deception). This
is most commonly done by phone but may also be by email or by calling in person. The following
are examples of the precautions you should take when dealing with enquiries.
• Check the identity of the person making the enquiry.
• Check we are authorised by the client (or other relevant person) to pass on this
• Ask callers to put their request in writing if you are not sure about the caller’s identity
and their identity cannot be checked.
• Refer to your Head of Department, a Partner or the Head of Risk and Compliance for
assistance in difficult situations.
• Take particular care with callers who claim to be from our bank. A number of firms have
had money stolen from their bank accounts after staff gave confidential banking
information out over the phone.
Report any Breaches and Complaints
A personal data breach is a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
You have a duty to report any actual or suspected personal data breach without delay to the Data
Protection Officer, John Chadaway. He will record it in the firm’s breach register.
Please refer to the firm’s Data Breach Reporting Procedure for further details regarding the firm’s
data breach obligations and procedures.
Complaints relating to breaches of the DPA and/or complaints that a data subject’s data is not
being processed in line with the data protection principles should also be referred to the Data
Protection Officer, John Chadaway, without delay.
Data Subject Access Requests and Other Data Subject Rights
Under the UK GDPR and DPA, anyone can request that we provide them with their personal data.
This is known as a data subject access request (DSAR) and can be made orally or in writing. If
you receive a DSAR, you must forward it to the Data Protection Officer (or COLP or HoRC if he
is not available) immediately. It is the responsibility of the Data Protection Officer to consider and
record the request and to respond in a timely manner.
Please refer to the Data Subject Access Request Policy for full details about our data subject access
Data subjects have numerous other rights under the UK GDPR and DPA, including:
• a right to request correction of the personal information we hold. This enables them to
have any incomplete or inaccurate information we hold about them corrected;
• a right to receive a copy of the personal information you have provided to us or have this
information be sent to a third party;
• a right to request erasure of their personal information if we have no justification for
• a right to object to the processing of their personal information where we are relying on
a legitimate interest (or those of a third party) and there is something about their
particular situation which allows them to object to processing on this ground;
• a right to prevent processing for direct marketing;
• a right to object to decisions being taken by automated means;
• a right to complain to a supervisory authority;
• a right to withdraw consent; and
• a right to claim compensation for damages caused by a breach of the DPA.
Requests to exercise any of these rights must also be referred to the Data Protection Officer (or
COLP or HoRC in his absence) immediately.
PART C – Our Approach to Data Protection and Information Management
This section sets out the firm’s approach to data protection and information management,
including how the firm manages confidential information and the precautions the firm takes to
keep information secure.
We encourage a culture of trust where employees feel able to report breaches and potential
breaches without fear of being reprimanded.
The firm has obtained accreditation against Cyber Essentials.
The policy is reviewed and updated annually. Reviews will include considering the data
processing activities of the firm in light of the obligation of data protection by design and
default. A review will also be carried out at the time of any substantial change in the data
processing activities of the firm. A data protection impact assessment will be carried out before
the firm undertakes processing that is likely to result in a high risk to individuals.
Information asset register
The register records our processing activities and the lawful basis for doing so.
Data Protection Impact Assessment (DPIA)
The Data Protection Officer will prepare a DPIA for any major project that is being undertaken
within the firm which requires the processing of personal data. The DPIA must:
• describe the nature, scope, context and purposes of the processing;
• assess necessity, proportionality and compliance measures;
• identify and assess risks to individuals; and
• identify any additional measures to mitigate those risks.
The firm provides information to data subjects by means of privacy notices including on its
website and in its terms of business and employment documentation, including information about
data transfers to third countries.
Protection and security of the information assets
The great majority of the information assets are confidential. We take care to protect confidential
information applying the principles set out in Part B of this Policy.
Retention and disposal of information
We retain information for the periods set out in the Information Asset Register and our Retention
and Disposal Policy. These periods reflect our data protection obligation not to keep personal data
for longer than is necessary, and also our statutory, regulatory and business needs to keep records.
The firm will review these retention periods at least every year, or more frequently if there are
changes in limitation periods or statutory obligations as to the retention of records.
Thereafter information is disposed of securely, by shredding, electronic deletion, or otherwise as
The firm maintains a firewall to prevent unauthorised access to the firm’s network and data.
Procedures to manage user accounts
User accounts are managed by Mark Acton, IT Manager. User accounts can be disabled at any
time, for example on discovering a breach of security. Accounts are disabled when a member of
staff leaves the firm.
Staff responsible for the management of payments (including fee earners and finance staff) are
only recruited or assigned to that function after passing suitable background checks, including
taking references and DBS checks.
Procedures to detect and remove malicious software
If, despite the precautions described elsewhere, malicious software (malware) is present on the
system, this should be detected by the firm’s anti-virus software. It is then the responsibility of
the firm’s IT department to remove the malware according to the nature of the threat and industry
standard procedures at the relevant time.
Register of software used by the practice
Please see the Information Management and Security Policy for details of software which the firm
Training for personnel on data protection and information security
The firm has provided all staff with its rules on data protection and information management (the
current version of which is set out above) and recirculates them to all staff at least annually.
In addition, the firm trains staff on these issues on induction, and thereafter on a refresher basis at
least annually using online materials provided by MBL.
Failure to complete mandatory data protection training may result in disciplinary action.
Updating and monitoring of software
All software used by the firm is supported by external software suppliers who issue routine updates
from time to time. It is the responsibility of the IT Manager to decide whether and when updated
versions are to be installed or new or better software should be obtained.
Review of this policy
This policy is reviewed, at least annually, by the Data Protection Officer.
Record of review
Version: 2
Date of review: 11.05.23
Reviewer: SF/JC
Comments: n/a
Date of next review: May 2024