Data Protection Policy
1. Introduction
1.1. We are a data controller under the terms of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 and as such are committed to complying with our legal and professional obligations to manage personal and confidential data in an appropriate manner.
1.2. The law places duties on businesses to abide by the data protection principles and ensure that all personal data is used fairly, lawfully and for the purposes notified to clients. The UK GDPR obligations are supplemented by the Data Protection Act 2018 and, although it is EU-inspired, the regime remains in force notwithstanding Brexit.
1.3. In addition, the practice is legally and professionally obliged to ensure that it sets out clear procedures on the use of information and data, including the content and format of emails and responsible use of the internet. We are also subject to certain contractual commitments in this regard in relation to our access to the HM Land Registry portal for conveyancing work.
1.4. We are also required by the UK GDPR to map out where and how we hold personal data on our clients, partly because we must be able to demonstrate that we comply with our obligations, and partly so that we can provide full and accurate responses to any data subject access requests from our clients. This applies regardless of how that request is made, and the enquirer does not need to use the term ‘data subject access request’ for it to be such.
2. Data protection policy statement
We comply with all relevant legislative and regulatory provisions governing the management and storage of data in both electronic and paper formats. We are registered with the Information Commissioner under the UK GDPR and the Data Protection Act 2018. We comply with the data protection principles, i.e. that all data covered by the Act (which includes not only computer data, but also personal data held in a filing system in a systematic manner) is:
a) fairly and lawfully processed;
b) processed for limited purposes;
c) adequate, relevant, and not excessive;
d) accurate;
e) not kept longer than necessary;
f) processed in accordance with the data subject’s rights;
g) secure; and
h) not transferred to non-approved countries without adequate protection.
3. Information management responsibilities and processes
3.1. The person with overall responsibility for data management is our Managing Partner, Mr Richard Land. Richard is referred to as the Data Protection Officer and he can be reached at Richard.Land@owc.co.uk.
3.2. Please refer any concerns on data protection issues to him. He is also responsible for ensuring that an annual review of this policy is conducted, and that data protection and information security issues are given due attention in any risk review carried out as part of the business planning processes.
3.3. Data consists of any information in electronic format, or any hardware or software that makes the storage and use of such information possible. It also includes paper files where they contain information about individuals, for example:
a) databases;
b) externally accessed databases;
c) CDs;
d) video;
e) recorded magnetic media;
f) photographs;
g) digitised information;
h) electronic communication systems; and
i) personnel files.
3.4. Paper files and other records or documents containing personal/sensitive data are kept securely and retained for as long as — but not longer than — necessary. Our privacy policy informs clients of their rights by way of privacy notices. This is included in the client pack sent out at the outset of every matter.
3.5. The data contained in our network, including emails, is backed up and stored off site daily.
3.6. We maintain a register of all the software that we use and have a plan for monitoring and updating software.
3.7. We have procedures for the safe configuration of network devices (these are the components that join our network together and allow us to access files, printers, etc.). Appropriate firewalls are in place to protect our systems, but if any malicious software should get through these controls, there is additional software to detect and remove it.
3.8. Password controls are in place and regular training is conducted for all staff on this topic.