J A Taft Conveyancing Limited (the Company) are a firm of Licensed Conveyancers offering conveyancing and related services as detailed on our website (www.jataft.co.uk).
We are a data controller and Jamie Poole is the nominated Data Protection Officer. This means we decide how your personal data is processed and for what purposes.
The Company has created this Privacy Information Policy because we take your privacy very seriously. We always treat any personal details you give us as confidential.
The policy sets out who we are, what information we collect from you, how we use it and your data rights.
We are committed to being transparent about how we handle your personal information, to protecting the privacy and security of your personal information and to meeting our data protection obligations under the General Data Protection Regulation (GDPR) and the forthcoming Data Protection Act 2018. The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal information during and after your working relationship with us. We are required under the GDPR to notify you of the information contained in this privacy notice. This privacy notice applies to all current and former clients, those who make enquiries of us, current and former employees, workers and contractors.
Data Protection Principles
Under the GDPR, there are six data protection principles that the Company must comply with. These provide that the personal information we hold about you must be:-
- Processed lawfully, fairly and in a transparent manner.
- Collected only for legitimate purposes which are clearly being explained to you and not further processed in a way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to those purposes.
- Accurate and, where necessary, kept up-to-date.
- Kept in a form which permits your identification for no longer than is necessary for those purposes.
- Processed in a way that ensures appropriate security of the data.
We are responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.
"What is personal data"?
Personal data relates to any living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. Personal data can be anything from a name, date of birth, address (including IP address), National Insurance number, sex, medical records, to information retained by us on a file.
Our basis for processing your personal data
Our legal basis for collecting and storing your personal data is to provide legal advice and our right to retain that data is on the grounds of a legitimate interest which is to establish, exercise or defend our legal rights in the event of any claim arising in relation to the legal advice provided.
How do we store your data?
Electronic client data will be stored in our accounting software and our case management software (our Software). These contains all file details including personal data, letters, documents, emails, and account ledgers. This is situated with the European Economic Area (EEA). We meet our obligations by keeping all personal data up-to-date.
Paper based data is kept on files at the office where the work is carried out and kept secure in lockable filing cabinets.
How do we protect your data?
All paper and electronic data is stored securely and also destroyed securely. We protect personal data from loss, misuse, unauthorised use and disclosure with appropriate policies and internal training and technical measures in place to protect personal data which is underpinned by a Data Protection Policy.
As regards electronic data, our servers are stored on site. We operate a secure networked environment with built in firewall protection.
Destruction of data
Paper waste is shredded on site and this is collected and destroyed by a third party waste company.
Paper files archived on site are destroyed securely by the hosting third party company
If you provide personal data about yourself or your company when using our website, it will only be used to give an answer to your enquiry. The personal data collected will be limited to that to enable us to be able to satisfy ourselves this is a genuine enquiry and to answer that enquiry.
The personal data in relation to that enquiry will be retained on our Software for 6 years prior to destruction. It will be retained for that period on the grounds that we have a legitimate interest to do so; namely, to establish, exercise or defend our legal rights arising out of any advice given.
We do not share your personal data with any third party except where necessary to answer to a query raised by you. If we need to communicate with a third party to deal with your enquiry we will request your written consent to do so. However, if we are formally instructed by you to act this will be governed by our Standard Terms of Business (please see hereafter).
Clients (lawful processing)
The Company will process your personal data for the purposes of and so long as we are instructed by you in relation to a matter in which you have signed our Standard Terms of Engagement. The legal work undertaken by us will be as detailed in our initial letter of instruction and the said Standard Terms of Engagement which detail our obligations of confidentiality, your data protection rights and our need to share information with third parties as appropriate in representing your interests.
Communicating with third parties for clients
As part of the conveyancing process we are required to share some of your personal data with a third party, for example, the other parties’ conveyancing firm or your mortgage lender but we will only share the data that is necessary to enable the transaction to proceed. From time to time we may need to share your personal data with a third party to ensure that your legal interests are appropriately represented. All third parties with whom we will have dealings will be required to provide satisfactory evidence that they will ensure that your personal data is kept secure.
Personal data retention policy for clients
We are required by the Council for Licensed Conveyancers and our professional indemnity insurers to retain file records and data where we have acted for you for the necessary establishment, exercise or defence of any possible legal claim against the firm. The relevant periods for which the file will be retained prior to destruction (both paper and electronic) are:-
Conveyancing purchases and re-mortgages – 15 years
Conveyancing sales, transfers of equity and other matters – 6 years
Clients are only sent information about services that we provide where they specifically request us to do so Thereafter we do not provide further information unless we have express informed consent to do so.
Employees and former employees
The Company has a separate privacy notice for employees which by way of illustration details the types of personal information we collect, how we collect it, and why and how we use personal information. This separate notice is available to all existing employees internally and is available on request to former employees.
Any paper data is retained in lockable filing cabinets. Electronic data is stored on IDrive which is an online Portal and hosted within the EEA or secure internal hard drives.
Retention of employee data
This data is retained for 6 years from the date of leaving our employment and is then securely destroyed. Payroll data is retained for 3 years prior to destruction. Specific medical related data maybe held longer.
Retention of applicant’s data
This data for applicants who apply for employment with the Company is retained for 3 months and then is securely destroyed.
Data Subject Access Request and your personal data rights
This written request can be made to anyone at the Company. To ensure the request is effectively and promptly dealt with please state that this is a request to see your personal data.
Before we proceed with your request we will require identification documentation to verify that you are the person making the request. This will be one form of photo ID, such as a current driving licence or passport and a second document verifying your current address, which can be another form of photographic ID with address or a utility bill which is no more than 3 months old. We will need to see originals.
How we will deal with the request
- The data requested will be provided as soon as reasonably practicable and, in any event, within one calendar month subject to provision of your ID verification as referred to above.
- The reply to your request will inform you whether we hold any personal data, a description of the data, copies of the data and the business reason why it has been retained by us.
- If the data is complex or numerous we can extend the initial period by a further 2 months. We will notify you about this within the initial one month period and explain the reason why.
- There will be no fee for the information requested, ie personal data. However, if we decide the request is manifestly unfounded or excessive, particularly if it is repetitive, we have the right to charge a reasonable fee which you will be advised of at the time. We will also charge a reasonable fee where we are asked for further copies of the said information or if you require copies of documents from your file which are not personal data but are copies of documents you have previously been supplied with and have lost. Again you will be advised as to that fee at the time.
- We hope this will not be necessary, but if we decide the DSAR is unfounded or excessive we can refuse to deal with the request.
- We will try to ensure the information provided can be readily understood, and where the request is made electronically, in an electronic format.
- Where we hold a lot of data we may ask you to specify the information the request relates to. If in the circumstances we decide the request is evidentially unfounded or excessive you will be informed accordingly.
- Redaction: if another individual and/or other entity’s data might be disclosed by a DSAR that information will be redacted from the relevant document/s before disclosure.
You have the following additional rights.
1. Right to rectification
You have the right to have your personal data rectified if it is inaccurate or incomplete. We will respond within one calendar month but this can be extended by 2 months if the request is complex.
2. Right to erasure (“right to be forgotten”)
You have the right to request deletion or removal of personal data where there is no compelling reason for its continued processing. This may arise in the following circumstances:
- Where your personal data was no longer required for the purpose for which requested.
- You are withdrawing consent and there is no other legal basis for processing.
- Your personal data was unlawfully processed.
- Your personal data has to be erased to comply with a legal obligation.
- We can refuse the right to erasure in the following circumstances:
- To exercise the right of freedom of expression and information to comply with the legal obligation for the performance of a public interest task or exercise of official authority.
- For public health purposes and in the public interest.
- For archiving purposes and public interest, scientific research, historical research or for statistical purposes.
- The exercise or defence of legal claims.
- In order to comply with our professional obligations.
4. Right to restrict processing
You may block or supress the processing of personal data. When processing is restricted, we are permitted to store the personal data but not to process it further. We can retain enough information about you to show that the restriction is respected in the future.
More particularly we are required to restrict the processing of personal data in the following circumstances:
- Where you contest the accuracy of the personal data, the processing should be restricted until we have verified the accuracy of the personal data.
- Where you object to the processing and we are considering whether our firm has legitimate grounds to override your individual rights.
- The processing is unlawful and you oppose erasure and request a restriction instead.
- We no longer need your personal data but you want the data to establish, exercise or defend a claim.
5. Right to Portability
You have the right to obtain and reuse your personal data for your own purposes across different services. The right of portability is limited to the following:
- To personal data you have provided.
- Where the processing is based on your consent or the performance of a contract and
- When processing is carried out by automated means.
The personal data requested will be provided in a structure commonly used and in a machine readable form. This information will be provided free of charge and without delay and in any event within one calendar month. We can extend this period by 2 months where the request is complex or we receive a number of requests. You will be informed within the initial one month period and why the extension is necessary.
If you ask for the data to be transmitted directly to another organisation, this will be carried out if it is technically feasible. However, we are not required to adopt or maintain processing systems that are compatible with other organisations.
6. Right to object to processing
There are 2 situations where you have the right to object. In both circumstances we must respond to the request within one calendar month. We can extend this period for 2 months on grounds of complexity or numerous requests and you will be informed within one month of the receipt of the request and an explanation will be given.
(a) Processing data for the performance of a legal task or our firm’s legitimate interests
You can object on grounds relating to your particular situation. We must stop processing your personal data unless we can show compelling legitimate reasons for the processing which overrides your interests, rights and freedoms; or the processing is for the establishment, exercise or defence of legal claims.
(b) Processing personal data for direct marketing purposes
We will stop processing personal data as soon as we receive your objection. There are no exemptions or grounds to refuse. This must be done at any time and free of charge.
Breach of your data rights
If you have reason to believe that you have been subject to a breach of your personal data rights please contact Jamie Poole. We have a policy and procedures to deal with any potential breach of data.
A cookie is a small file which asks for permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as a individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
Cookies help to provide you with a better website and service, by enabling us to monitor which pages you find useful and which you do not. A cookie does not give access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you taking full advantage of the Company’s website.
Lodging a complaint with the ICO
You have the right to contact the Information Commissioner’s Office (ICO) on 03031231113 or via email at https://ico.org.uk/global/contact-us/email or at the ICO’s office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Changes to Privacy Information Policy
By using this website you consent to the collection and use of any personal information in the matter set out above.
24 August 2018