Privacy Policy

Privacy policy and General Data Protection Rules (GDPR) Compliance

What is GDPR?

John Welch & Stammers (JWS) is a “data controller”, which means we are responsible for deciding how we hold and use personal information about you. We are required under the GDPR to notify you of the information contained within this section of our terms and conditions letter and that we adhere to the “data protection principles”, which say that the personal information we hold about you must be:-

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely.

How we collect information about you and why?

JWS collects and uses personal data on the basis that we are required to do so for money laundering purposes, that we require the information in order for us to act for you and that we have certain obligations as far as our regulatory bodies are concerned to enable us to act for you. All the information we collect comes from you personally when we are instructed by you.

Brief information in the form of contact details and the nature of your case is taken on enquiry and more detailed information is taken and stored on our database once we have been instructed to act on your behalf.

Rights of access

You can request access to a copy of the personal information we hold for you at any time.  This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.  You can also ask us to delete the personal information we hold for you where there is no good reason for us continuing to process it.  It is your responsibility to ensure that the personal information we hold for you is correct and up to date.

How long do we keep this information and file storage?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for.  If you do not become a client of ours your information is not stored on our database and we will keep your information for a year after we last heard from you.  If you are or were a client of ours your personal information and a note of the matters we have dealt with for you are kept on our database indefinitely.  This is due to the nature of the work we undertake for you, client conflict and reference for future instructions from you.

As far as the files relating to your individual matters are concerned, we are obliged by our insurers and regulatory bodies to keep all files for a period of at least six years, although in the case of certain areas of law the retention period is longer, so we may be required to keep these files for a longer period of time. We keep all files for at least six years (except for any of your personal papers which you may ask us to return to you). Will files are retained until we are reasonably sure that the client has died and the Will has been acted upon. In the case of any work that we undertake on behalf of minors (including Trusts), the files will be stored for six years after the minor comes of age. We are entitled to keep all your papers and documents while there is money owing to us for our charges and expenses. All files are stored at our offices.

We also store documents in the form of original Wills, original Lasting Powers of Attorney, registered and unregistered deeds on behalf of our clients.  We will discuss and agree to the retention of these documents during the course of us acting for you.  Due to the nature of these documents they will be retained indefinitely and we will not contact you about the documents until such time as they will be required to be used.  We have different policies for the release of such documents and these will be explained to you in more detail whilst we are acting for you. 

Paper copies of identification documents and bank details will be securely shredded on the completion of your matter.  Credit or debit card details taken over the telephone in order to make a payment will not be retained.  Any payment receipts that are not required by you as a client will be securely shredded once confirmation of the payment has been received.  All cheques, personal or otherwise are banked on the same day if reasonably possible, if not on the same day then the next working day.

Who we share your information with:-

  • Our IT providers and service providers in order to maintain the provision of our services to you.
  • Our auditors, accountants, barristers and other professional advisors, to the extent that they require access to the information to provide advice.
  • Our insurers, the Solicitors Regulation Authority, the Information Commissioner's Office, or relevant regulatory authority where they are entitled to require disclosure.
  • We will never lend or sell your data to a third party or use your personal information for marketing purposes.

Data Storage

We use legal software to store your data on a client database.  This data and information together with all other software and files are stored in the cloud.  There is no physical access to hardware containing your data held in our office.

All data stored in the Cloud is connected by a VPN to a secure firewall located in a remote datacentre in Newbury and our data is separated from other clients’ data using VLANs.

All our data is stored in the UK.  When choosing our Cloud host and the datacentre all necessary risk assessments were performed to ensure compliance with the physical security of the datacentre, the network security and vulnerability management and the security of the data transmission to include backups.

Access to JWS data is restricted to our office in Witney, and the JWS office is protected by a gateway firewall in order to prevent unauthorized access via the WAN addresses available. The firewall also manages Wi-Fi connection requests and has a guest network separate to that used by staff and with a password that changes each day.

Connection to the Cloud environment and data is done by using a Microsoft Terminal Server. Connection is password restricted and protected by anti-virus and EgoSecure encryption. If any attempt is made to copy protected data away from a device connected to the JWS network, it will be automatically encrypted and unable to be read by a different device. Any remote/home users are required to connect via a secure SSL VPN tunnel which is managed by a bunker virtual firewall which utilizes individual Active Directory credentials as an extra layer of security.

Any automated alerts generated by the system are received and resolved via the CIS helpdesk and Sophos control portal.

Privacy and Data Compliance Officer

Our Privacy and Data Compliance Officer is Bernadette Summers, and any questions should be marked for her attention.