Scott Duff & Co collects and processes personal information, or personal data, relating to its clients to enable us to carry out your requests which will ordinarily be to represent you and carry out your legal work or mediation. This personal information may be held by the Company on paper or in electronic format.
Scott Duff & Co is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal information both during and after our service. We are required under the GDPR to notify you of the information contained in this privacy notice.
For clients of this firm, you should read this notice alongside our general terms and conditions. This notice does not apply to any websites that may have a link to ours.
Who We Are
Data is collected, processed and stored by Scott Duff & Co and we are what is known as the ‘data controller’ of the personal information you provide to us.
Scott Duff & Co is a limited company, authorised and regulated by the Solicitors Regulation Authority under number 559663.
Scott Duff & Co Solicitors is registered with the Information Commissioner’s Office under registration reference Z4560500. Our Privacy Officers are Cheryl Corson and Debbie Stalker both of whom can be contacted by email at email@example.com.
Data protection principles
Under the GDPR, there are six data protection principles that the Company must comply with. These provide that the personal information we hold about you must be:
1. Processed lawfully, fairly and in a transparent manner.
2. Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to those purposes.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form which permits your identification for no longer than is necessary for those purposes.
6. Processed in a way that ensures appropriate security of the data.
Scott Duff & Co are responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.
Our website and services are not aimed specifically at children because in legal work children are generally represented by their parent or guardians. If you are a child and need further advice or explanation about how we would use your data, please email firstname.lastname@example.org.
What we need
The exact information we will request from you will depend on what you have asked us to do or what we are contracted to do for you. This notice is intended for clients and prospective clients only.
Under the EU General Data Protection Regulation (GDPR) there are two types of personal data (personal information) that you may provide to us:
•Personal data: is the general information that you supply about yourself.
•Sensitive personal data: is, by its nature, more sensitive information and may include your racial or ethnic origin, religion, health, political opinions, trade union membership, sexual orientation, genetic or biometric data.
In the majority of cases personal data will be restricted to basic information and information needed to complete ID checks. However some of the work we do may require us to ask for more sensitive information.
Personal information that we’ll process in connection with all of our services, if relevant, includes:
•Personal and contact details, such as title, full name, contact details and contact details history
•Your date of birth, gender and/or age
•Your nationality, if needed for the service
•Details of beneficiaries
•Family members (if relevant to the service)
•Records of your contact with us such as if you get in touch with us online using our online services
•Details of services we have provided you with, as well as services you have been interested in and the associated payment methods used
•Marketing to you and analysing data, including history of those communications, whether you open them or click on links, and information about products or services we think you may be interested in, and analysing data to help target services to you that we think are of interest or relevance to you.
•Vehicle information, such as make and model, faults, repairs and repair costs if relevant to your case
•Personal information which we obtain from Credit Reference Agencies and Fraud Prevention Agencies (see the section on ‘Fraud Prevention Agencies’ below), including public (for example, defaults, CCJs) and shared credit history, financial situation and financial history
•Criminal records information, including alleged offences if relevant to your case
•Information about your health or if you are a vulnerable client
•Information about your property, such as location, value, number of rooms, property type and building work you’ve had done
•Financial details about you, such as your assets/investments and their value, salary and details of other income, details of your savings, details of your expenditure, and payment method(s)
•Details about all of your existing borrowings and loans, if relevant
•Information about your employment status, if relevant
•Information about your property occupier status, such as whether you are a tenant, live with parents or are an owner occupier of the property where you live
•Your residency and/or citizenship status, if relevant, such as your nationality, your length of residency in the UK and/or whether you have the permanent right to reside in the UK
•Your marital status, family, lifestyle or social circumstances, if relevant to the service
•Insights about you and our clients gained from analysis or profiling of clients
•Where relevant, information about any guarantor
•Third party transactions; such as where a person other than the client uses the service, information about that person and the transaction
•Tax information, if relevant (for example, for savings accounts)
Why we need it
The primary reason for asking you to provide us with your personal data, is to allow us to carry out your requests – which will ordinarily be to represent you and carry out your legal work or carry out mediation if applicable.
The following are some examples, although not exhaustive, of what we may use your information for:
•Verifying your identity
•Verifying source of funds
•Communicating with you
•To establish funding of your matter or transaction
•Obtaining insurance policies on your behalf
•Processing your legal transaction including:
•Providing you with the correct and appropriate advice; carrying out litigation on your behalf; attending hearings on your behalf; preparing documents or to complete transactions
•Keeping financial records of your transactions and the transactions we make on your behalf
•Seeking advice from third parties; such as legal and non-legal experts
•To share information, as needed, with other organisations (for example, financial services institutions, insurers), account beneficiaries, service providers or as part of providing and administering our services or operating our business
•Responding to any complaint or allegation of negligence against us
•For management and auditing of our business operations including accounting
•To improve the operation of our business
•To follow guidance and best practice under the change to rules of governmental and regulatory bodies
•For market research and analysis and developing statistics
•For direct marketing communications and related profiling to help us to offer you relevant services, including deciding whether or not to offer you certain services. We’ll send marketing to you by email, phone, post, social media and digital channels (for example, using Facebook Custom Audiences and Google Custom Match). Offers may relate to any of our services as well as to any other offers and advice we think may be of interest
•To comply with legal and regulatory obligations, requirements and guidance
•To provide insight and analysis of our clients for the benefit of our business either as part of providing services, helping us improve services, or to assess or improve the operating of our business
What are the legal grounds for our processing of your personal information (including when we share it with others)?
We rely on the following legal bases to use your personal data:
Where it is needed to provide you with our products or services, such as:
•Assessing your case and the required service, including considering whether or not to offer you the service, the price, the payment methods available and the conditions to attach
•Managing the services we provide you with or an enquiry for one
•Updating your records, tracing your whereabouts to contact you about your case and doing this for recovering debt (where appropriate)
•Sharing your personal information with third parties as listed below in the section headed “who has access to it”
•All stages and activities relevant to managing the service you require
•For some of our profiling and to decide whether to offer you a service, particular payment method and the price or terms of this
Where it is in our legitimate interests to do so, such as:
•Managing your services relating to that, updating your records, tracing your whereabouts to contact you about your case and doing this for recovering debt (where appropriate)
•To perform and/or test the performance of our services and internal processes
•To follow guidance and recommended best practice of government and regulatory bodies
•For management and audit of our business operations including accounting
•To carry out searches at Credit Reference Agencies
•To administer our good governance requirements such as internal reporting and compliance obligations
•For market research and analysis and developing statistics
•For direct marketing communications and related profiling to help us to offer you relevant services, including deciding whether or not to offer you certain services. We will send marketing to you by email, phone, post and social media and digital channels (for example, using Facebook Custom Audiences and Google Custom Match)
•For some of our profiling and marketing data analysis
•Where we need to share your personal information with people or organisations in order to run our business or comply with any legal and/or regulatory obligations
To comply with our legal obligations.
With your consent or explicit consent:
•For some direct marketing communications
•For some of our profiling
•For some of our processing of special categories of personal data such as about your health, if you are a vulnerable customer or some criminal records information
For a public interest, such as:
•Processing of your special categories of personal data such as about your health, criminal records information (including alleged offences), or if you are a vulnerable customer
Sources of information
Information about you may be obtained from a number of sources; including:
•You may volunteer the information about yourself for example when you sign-up to receive one of our newsletters, submit an online enquiry, when following/liking/subscribing to our social media channels, take part in one of the competitions or promotions we run on the website or on our social media channels, agree to fill in a questionnaire or survey on our website, when you ask us a question or submit any queries or concerns you have via email or on social media channels, post information to our website or social media channels, for example when we offer the option for you to comment on, or join, discussions or when you leave a review about us on VouchedFor, Google/Facebook Reviews and Yell
•You may provide information relating to someone else – if you have the authority to do so
•Information may be passed to us by third parties in order that we can undertake your legal work on your behalf. Typically these organisations can be:
ο Banks or building societies
ο Panel providers who allocate legal work to law firms
ο Organisations that have referred work to us
ο Medical or financial institutions – who provide your personal records/ information
ο Credit Reference Agencies
What if you fail to provide personal information?
If you fail to provide certain personal information when requested or required, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations. You may also be unable to exercise your statutory or contractual rights.
Change of purpose
We will only use your personal information for the purposes for which we collected it. If we need to use your personal information for a purpose other than that for which it was collected, we will provide you, prior to that further processing, with information about the new purpose, we will explain the legal basis which allows us to process your personal information for the new purpose and we will provide you with any relevant further information. We may also issue a new privacy notice to you.
Who has access to it?
We have a data protection regime in place to oversee the effective and secure processing of your personal data. We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.
Generally, we will only use your information within Scott Duff & Co Solicitors. However there may be circumstances, in carrying out your legal work, where we may need to disclose some information to third parties; for example:
•Land Registry to register a property
•HM Revenue & Customs; e.g. for Stamp Duty Liability
•Court or Tribunal
•Solicitors acting on the other side
•Asking an independent Barrister or Counsel for advice; or to represent you
•Non legal experts to obtain advice or assistance
•External auditors or our Regulator; e.g. Lexcel, SRA, ICO etc.
•Bank or Building Society; or other financial institutions
•Providers of identity verification
•Any disclosure required by law or regulation; such as the prevention of financial crime and terrorism
•If there is an emergency and we think you or others are at risk
There may be some uses of personal data that may require your specific consent. If this is the case we will contact you separately to ask for your consent which you are free to withdraw at any time.
How do we protect your personal data?
We recognise that your information is valuable and we take all reasonable measures to protect it whilst it is in our care.
We have exceptional standards of technology and operational security in order to protect personally identifiable data from loss, misuse, alteration or destruction. Similarly, we adopt a high threshold when it comes to confidentiality obligations and both internal and external parties have agreed to protect confidentiality of all information; to ensure all personal data is handled and processed in line with our stringent confidentiality and data protection policies.
We use computer safeguards such as firewalls and data encryption and annual penetration testing; and we enforce, where possible, physical access controls to our buildings and files to keep data safe.
Where your personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
Scott Duff & Co also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
We securely store paper files in each of our offices and at a secure off site storage facility.
Any paper documents containing personal data will be destroyed securely at our off site facility.
How long will we keep it for?
Your personal information will be retained, usually in computer or manual files, only for as long as necessary to fulfil the purposes for which the information was collected; or as required by law; or as long as is set out in any relevant contract you may hold with us. For example:
Paper and Digital Files
•As long as necessary to carry out your legal work or mediation
•For a minimum of 6 years from the conclusion or closure of your legal work or mediation; in the event that you, or we, need to re-open your case for the purpose of defending complaints or claims against us
•For the duration of a trust
•Some information or matters may be kept for 15 years – such as commercial transactions, property sales and leases, matrimonial matters (financial orders or maintenance agreements etc.)
•Personal injury for a minimum of 6 – 15 years depending on the seriousness of the injury and complexity of the case. In some cases if the claim involves children, complex issues e.g. lifetime or provisional damages award and PI Trusts the files may be retained longer or indefinitely
•Probate matters where there is a surviving spouse or civil partner may be retained until the survivor has died in order to deal with the transferable Inheritance Tax allowance
•Property purchase and mortgage files may be kept indefinitely
•Wills and related documents/files may be kept indefinitely and stored onsite in secure cabinets
•Deeds related to unregistered property may be kept indefinitely as they evidence ownership. All deeds are stored onsite in secure cabinets
•Medical records obtained for the purpose of a matter are securely destroyed upon closure of the matter
•ID and personal data will be removed from the paper file and destroyed securely. A digital copy will be kept on our secure server in line with the file retention period for that particular matter
Digitally Stored Personal Data
We will keep some of your personal data on our secure Case Management System for an indefinite period, such as name, address, D.O.B., National Insurance Number and any other given contact details, to enable us to identify clients who have used our services in the past and to ensure we do not act in a matter where there might be a conflict of interest.
What are your rights?
It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes, e.g. you change your home address, so that our records can be updated. Scott Duff & Co cannot be held responsible for any errors in your personal information in this regard unless you have notified us of the relevant change.
As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:
•request access to your personal information - this is usually known as making a data subject access request and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. This means that a Subject Access Request will not normally result in you getting a copy of your file because you are only entitled to your personal data – not the documents that contain that data.
•request rectification of your personal information - this enables you to have any inaccurate or incomplete personal information we hold about you corrected
•request the erasure of your personal information - this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing, e.g. it’s no longer necessary in relation to the purpose for which it was originally collected
•restrict the processing of your personal information - this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy and so want us to verify its accuracy
•object to the processing of your personal information - this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on this ground
•data portability - this gives you the right to request the transfer of your personal information to another party so that you can reuse it across different services for your own purposes.
If you wish to exercise any of these rights, please contact our Privacy Officers Cheryl Corson or Debbie Stalker who will provide you with the appropriate form for completion. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.
In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our Privacy Officers Cheryl Corson or Debbie Stalker. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.
Complaints about the use of personal data
If you wish to raise a complaint on how we have handled your personal data, you can contact our Privacy Officers who will investigate further. Our Privacy Officers are Cheryl Corson and Debbie Stalker both of whom can be contacted at email@example.com.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).
Changes to this privacy notice
We reserve the right to update or amend this privacy notice at any time, including where we intend to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.
Any questions regarding this notice and our privacy practices should be sent by email to firstname.lastname@example.org