Rogers and Norton are committed to ensuring that the use of personal data we hold is in accordance with the legal requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
All individuals have rights in relation to the handling of their personal data. Rogers and Norton will collect, process and store personal data and recognises the importance of appropriate and professional actions regarding confidentiality and data handling.
This policy details how we use the information we collect about you and how you can instruct us if you prefer to limit the use of that information. It also details the internal policies and procedures that we have in place to safeguard your privacy.
1. The information we collect and how we use it
1.1. You may give us information by email, post, telephone or via our website. The information you give us may include your name, address, e-mail address, phone number, bank details and other personal information and correspondence when we are instructed to act for you.
1.2. When instructing Rogers and Norton we will require identification in order for us to act for you. This identification will take the form of photographic identification as well as financial statements. This is in line with Solicitors Regulation Authority (SRA) requirements.
1.3. By contacting Rogers and Norton you give consent for us to contact you. This may be to obtain a quote or for legal advice. Before we advise, we send our Terms & Conditions to the client prior to being instructed. A letter of engagement is a lawful basis for obtaining your data.
1.4. Any information which you give us via this website or otherwise may be added to our database and processed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This database is used by us for the administration of our client contacts, to process matters on your behalf, for payment purposes and for internal marketing.
1.5. When you use our website, we may use IP data for analytics, which allows us to monitor website traffic, statistics and security. This data helps us with the ongoing management and improvement of our website and is not shared.
1.6. We may also wish to provide you with information about special features of our website or any other of our services or products (such as newsletters, legal updates, and invitations to our events) by email or other electronic communications or post we think may be of interest to you.
1.7. If at any time you no longer wish to receive information on any other service or products by email or other electronic communications or post, or to be removed from our database please email firstname.lastname@example.org and type the word “unsubscribe” in the subject box of your message.
2. How do we hold data and how do we protect your information?
2.1. We hold data in the following forms: physical files, documents, emails and accounts information. All information is treated as confidential and held on our case management and accounts software.
2.2. All physical files are securely stored in cabinets with a storage policy in place. We operate file management from start to finish and follow the processes in accordance with SRA guidelines. Once files are closed on the system they are archived and stored in a secure, fire-proof location which has a linked intruder alarm system. See clause 3 for file retention.
2.3. Emails are stored for the relevant period of time and saved to the case management system. We have a policy requiring users to carry out regular mailbox housekeeping so that we do not store old emails unnecessarily.
2.4. All information you provide to us is stored on our secure servers and our servers sit behind a firewall security system with encryption.
The internet is not a secure medium. However, we protect information sent to us by use of various in-house physical and digital security measures.
3. Data Retention
3.1. Rogers and Norton have a Destruction Policy in place which is kept up to date. Files are kept for a minimum period of six and a half years. After this period they are destroyed by confidential shredding and the database is updated with the date of destruction. This internal policy is in accordance with Solicitors Regulation Authority (SRA) requirements. Certain files, such as Wills, Trusts & Probate matters, cannot be destroyed under the same policy.
3.2. Our confidential shredding is carried out by a licensed and authorised contractor. They are ISO 9001 & 14001 accredited and have multiple industrial certificates. They have a secure and environmentally-friendly operation where all shredding waste is recycled. See clause 5.3 for Confidentiality Agreements with suppliers.
3.3. Our in-house IT Team monitor mailboxes for regular email deletion to ensure this is being managed by users.
4. Sharing your data
4.1. Rogers and Norton will only share personal data with third parties where certain safeguards and contractual arrangements have been put in place.
4.2. The firm will only share personal data with a third party if:
- They have a need to know the information for the purposes of providing the contracted services
- Sharing the personal data complies with lawful requirements
5. Security & Confidentiality
Rogers and Norton has put the following IT security measures in place to protect personal data that is collected and used by the firm.
5.1. Secure servers. We have multiple virtual servers which are monitored and held onsite in a secure location. These servers are maintained and monitored by an IT solutions company.
5.2. Client Confidentiality. All staff are aware of client confidentiality and are contracted to only use client data when working for and on behalf of Rogers and Norton.
5.3. Confidentiality Agreements. Various professional suppliers and contractors that visit our offices or have access to physical or digital data are required to sign our Confidentiality Agreements annually. These companies include: cleaning, maintenance, shredding and IT services.
5.4. Secure remote access for staff. Staff use two-factor authentication to access our network remotely.
5.5. Daily back-ups and replication for business continuity or disaster recovery. Data is backed up securely via a dedicated leased line to another office. This leased line has security and service level agreements in place with the provider.
5.6. Password Policy. Rogers and Norton operates a password policy which requires staff to regularly set new, complex passwords.
5.7. Firewall systems. All of our IT systems run through a firewall system which is maintained and monitored. Firewalls have a failover should the primary firewall fail.
5.8. Anti-virus System. All computers located on our network are updated with the latest anti-virus software.
5.9. Training. Rogers and Norton staff are trained and competent on our IT systems. Training is provided in staff inductions as well as various updates as required.
All fee earning staff train throughout the year for Continuing Professional Development (CPD). They each have a training plan and training record. This is to ensure our fee earners are kept informed of any changes to legislation or laws and also for personal development.
6. Financial information
6.1. All financial payments are made through a secure portal with two-factor authentication to the bank. Only authorised members of staff have access to this system and payments are approved and authorised prior to sending.
6.2. Records of transactions and financial information are held securely and in accordance with the Solicitors Accounts Rules (SAR).
7. Sale of business
If our business is sold or integrated with another business, your details may be disclosed to any prospective purchasers and their advisers and will be passed on to the new owners of the business, subject to terms of confidentiality no less onerous than those contained in this policy.
8. Accessing and updating your details
8.1. If any of the information that you have provided to us changes (for example, if you change your email address, name or payment details), please let us know the correct details so that we can ensure the information we hold is accurate and up to date, by sending an email to email@example.com or by sending a letter addressed to The Data Protection Officer (DPO): DPO, Rogers & Norton, The Old Chapel, 5-7 Willow Lane, Norwich, Norfolk NR2 1EU.
8.2. You are entitled to see the information we hold about you. If you wish to do this, please contact us using the methods stated in clause 8.1, or by emailing firstname.lastname@example.org.
9. Your consent
9.2. When you provide personal information about other individuals, you do so on the basis that the other individual has consented and agreed to the processing of the relevant personal information in accordance with this policy.
9.3. Where we act on an Estate, consent is granted by the Executors. Where a Director of Rogers and Norton is an Executor then they would grant consent if appropriate.
9.5. We contact some third-party agencies and contacts about occasional marketing events. We email them with the option of opting out of our events. You may also opt out of all marketing communication by emailing email@example.com.
10. Data Protection Officer
10.1. Rogers and Norton has appointed a Data Protection Officer (DPO) who is responsible for ensuring the firm’s compliance with this policy and the data protection laws. The Company’s DPO is Mark Hambling, Director, based at The Old Chapel, 5-7 Willow Lane, Norwich, NR2 1EU. Email: firstname.lastname@example.org.
10.2. You can contact the DPO if you have any questions or concerns about the Company’s compliance with Data Protection Laws.
11. Individual Rights
Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
11.1. Withdraw Consent to Processing at any time (if the Company is using Consent as a legal basis for Processing the Personal Data)
11.2. Be informed about the Company’s Processing activities. The Company complies with this right by issuing Privacy Notices to Data Subjects from time to time
11.3. Request access to their Personal Data held by the Company
11.4. Prevent the Company’s use of their Personal Data for direct marketing purposes
11.5. Ask the Company to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate Data or to complete incomplete Data
11.6. Restrict Processing in specific circumstances
11.7. Challenge Processing which has been justified on the basis of our legitimate interests or in the public interest
11.8. Request a copy of any agreement under which Personal Data is transferred outside the EEA
11.9. Prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else
11.10. Be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms
11.11. Make a complaint to the Information Commissioner
11.12. In limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.
11.13. Any request covered by paragraph 11 above should in the first instance be sent to the Company’s DPO with a copy being sent to the Company’s COLP.
12. Access to your Personal Data
12.1. Data subjects have the right to request access to the Personal Data relating to them which is held by the company (“Data Subject Access Request” or “DSAR”).
12.2. The DSAR is the right of the Data Subject to obtain from the company confirmation as to whether or not Personal Data concerning him or her are being processed by the company, and where that is the case, access to the personal data.
12.3. Any DSAR should be made in the first instance to the company’s DPO. That request should be in writing and, where possible, set out the details of the Personal Data being sought. In order for a DSAR to be effective, it is useful if any such request is focused on or limited to the personal data sought.
12.4. The company is entitled to check the identity of the individual making the DSAR and this may involve the company seeking further information from the Data Subject in order to verify his or her identity.
12.5. The company may request that the Data Subject provide more detail about the information he or she wants to obtain. This may help the company deal with the request more efficiently.
12.6. The company will seek to respond to the DSAR without undue delay, and in most instances within one month of receipt of the request. However, the company may extend this period where necessary depending on the DSAR and the complexity of the request. If an extension is needed, the company will write to the Data Subject within one month of the original request.
12.7. The company may in exceptional circumstances refuse to respond to the DSAR if it considers the DSAR to be unfounded or excessive. If this is the case, the DPO will write to the Data Subject explaining the reasons for this. The company will also inform the Data Subject that if there is a dispute then he or she can complain to the Information Commissioner’s Office (ICO).
13. Reporting a Personal Data Breach
13.1. Rogers and Norton are required to notify the Information Commissioner’s Office (ICO) of any personal data breach within 72 hours of becoming aware of the breach.
13.2. All employees, directors, consultants & suppliers are expected to adhere to paragraph 11. Any breach will be taken seriously and may result in disciplinary action in relation to employees and other action in relation to non-employees.
13.3. Any breaches must be reported immediately to the Data Protection Officer at Rogers and Norton. Contact the DPO here: email@example.com.
14. How to contact Rogers & Norton