Data Protection Policy


All staff are required to be mindful of the data that they see and how it is used in order to protect the client. Below is a list of basic rules which all staff must adhere to:


  • Ensure that personal data is accurate, proportionate, up to date and fit for the purpose it was collected for, and only keep it for as long as is necessary.

  • Ensure that anyone providing personal data understands what the information will be used for. If the data is sensitive (race, sexuality, criminal offences, mental or physical health data) you will normally need to get explicit written consent for its disclosure to a third party - the individual must be informed of the reason why this type of data is being held (if requested). Some disclosures are exempt from this requirement, such as Police and crime agency information requests.

  • Review data on a regular basis and update it where necessary.

  • Dispose of manual files that are no longer required, or printouts, as confidential waste, and check that computers do not have personal data on the hard drive before they are decommissioned.

  • Any change of address details must be recorded in writing by way of email, fax or letter.

  • A clean desk policy exists, meaning manual files must be securely locked up, not left on desks overnight

  • A record should be kept of the location of paper files when not in the filing system or taken away from the office.

  • Ensure that any electronic files holding personal data are password protected and that the password is periodically changed

  • Be aware that the individual to whom the information relates has a right to see all the information that is held about them. Therefore, inserting personal remarks or notes on files should always be avoided; this includes emails.

  • Be aware that any breach of the provisions of the Data Protection Act could attract personal criminal liability. This may arise if you knowingly or recklessly obtain or disclose personal data to another source.

  • If you receive a data subject access request, you must deal with the request promptly, within 40 days.

  • Have systems in place for vetting new staff and/or third-party suppliers (e.g. IT support, cleaners, etc.) who will have access to personal data.

  • Have appropriate controls in place to confirm the identity of any party contacting the firm asking for personal data, e.g. product providers or clients requesting details.

  • Have regular training/updates for staff in data protection requirements.

  • Ensure that the firm has written procedures for dealing with subject access requests and data handling.

Do not:

  • Use data for a different purpose than that for which it was obtained.

  • Disclose information to other staff members unless the use of that data is within their authorised duties

  • Share your passwords with anyone other than your immediate Manager/Julie Curtis or Amy Wilkins.

  • Leave computers logged on and unattended unless you have a password-protected screensaver

  • Forget to record the reason for disclosing any personal or sensitive personal data to a third party

  • Give out personal information over the phone without adequate verification controls or in person without verification of the purposes of any data disclosure.

  • Include any sensitive personal information in any email message or document unless it is protected (encrypted) and sent via a safe network.

  • Forward email messages containing personal data without the sender’s consent.

  • Disclose personal data to a third party without the explicit consent of the data subject (unless specific exemptions apply).

  • Keep any inaccurate data on record.

  • Forget to annually review and update the purposes and activities for which data is held and registered with the Information Commissioner’s Office.

  • Transfer personal data outside of the EEA, unless equivalent data protection controls exist in the end destination.