Fair and transparent processing

In order to process personal data fairly, the processing must be in line with the data subject’s expectations. In other words, only use the data for the purpose you collected it for. Would the data subject be surprised or disturbed if you did something else with it? Can you explain why any unexpected processing is justified, particularly if there an adverse impact on the data subject? And would you be happy to tell the data subject what you are doing with their data?

The transparency principle requires law firms to tell people what they are doing with their personal data. The required information is set out below.

In general, law firms have an obligation to supply all data subjects whose data they are processing with the following information when they are collecting personal data obtained directly from the individual. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is generally provided in a privacy notice or statement. If you are processing the data of a child or vulnerable person, then you must adapt your privacy information to ensure that it is clear and written in a way that will be understood.

Information which must be made available when personal data is collected:

• Identity and contact details of the controller (name of the law firm along with contact details which we recommend are at the start of the notice)
• Contact details of the data protection officer, if you have one
• Purposes of processing and the lawful basis of any processing
• The legitimate interests pursued by the controller or third party (where the processing is based on the legitimate interests processing condition i.e. the data of individuals who are not clients)
• The recipient or categories of recipients of the data – the organisations of type of organisations you are sharing data with i.e. courts, other solicitors, surveyors, banks etc
• Information about transfers to third countries, including information about any relevant adequacy decision or other safeguard in place and how to obtain a copy of them or where they have been made available
• The period for which the data will be stored/criteria used to determine that period
• The right to request access to, rectification of, erasure of, restriction of processing, or to object to processing the data; and the right of data portability
• The right to withdraw consent to processing (where processing is based on consent)
• The right to lodge a complaint with the Information Commissioner
• Where the processing is based on a statutory or contractual requirement, and the consequences of failing to provide such data for the data subject
• The existence of any automated decision making/profiling etc; how it works and the consequences of this processing for the data subject

You have a duty to ensure that the information is delivered in an appropriate manner and you will be the best judge of how to that. A website privacy notice for clients as well as visitors to your website can be used.

There are exemptions for law firms having to comply with this principle where the personal data is subject to a duty of confidentiality. There is more on this exemption below.

If you receive personal information about an individual from a third party and not directly from the data subject, then you have an obligation to provide that third party with fair processing information unless:

• They already have that information, or
• It would be impossible, or it would involve disproportionate effort, or
• The personal data must remain confidential where legal professional privilege applies.

Information must be provided to a data subject in this case within a reasonable time after having received the data, but within one month; or if the data is being used to communicate with the data subject at the time of the first communication; or if the data is to be disclosed to another third party, at that time. Again, that is not required if they already have the information or if the exemption applies.