At Lester Aldridge, we know how important data protection is to our clients. Solicitors have always been bound by a strict duty of confidentiality to their clients but with the enhanced data protection laws that came into force in May 2018 we have reviewed the systems and procedures that we use to protect your data.
This policy explains our approach to handling, storing and transferring the personal data you provide to us so you can be confident that we apply appropriate measures to the protection of your personal data.
What Information Do We Collect?
LA collects personal data about you, for the following purposes:
- the provision of legal services and advice;
- administrative reasons, to enable us to provide our services;
- our marketing, publications, webinars and events, and to understand how visitors to our website interact with it;
- security reasons, including the security of our systems and our premises; and
- meeting our legal and regulatory duties, including our duties to know our client and to protect against money laundering.
LA will only collect and hold information or disclose it to someone else if we have a lawful basis to do so. LA will explain the basis in the privacy notice that we will send you with our letter of engagement.
The Data Protection Principles
LA is obliged to process all personal data in accordance with the data protection principles set out in the General Data Protection Regulation. This means that when we collect your personal data we will:
- use it to provide you with legal advice and services.
- make sure the data we collect is adequate, relevant and is limited to what is necessary.
- do what is reasonable to keep it up to date. If it is inaccurate, out of date or wrong, we will correct it or delete it. If you think the data is wrong, please tell us.
- only store it for as long as we need it. We will tell you how long we will keep it after your matter has been completed in the privacy notice.
- keep it confidential, secure and available.
- only transfer it to countries outside the European Economic Area (“EEA”) in line with data protection laws.
Our website does not collect location data or other data that can identify you by name unless you input data in order to allow us to contact you. If you register for an event, we can track your location to assist us in assessing the effectiveness of our communications using tools such as Google Analytics.
We also track our email traffic (but not its content) to allow us to evaluate our relationships with organisations. Our website privacy statement, which can be viewed at https://www.lesteraldridge.com/privacy-policy, provides further information about how we obtain and use data through our website. We will update our website privacy statement if we change the way in which we collect and use personal data through our website.
We are required to implement appropriate technical and organisational measures to ensure a level of security for personal data that is proportionate to the risk.
LA maintains a vigilant focus on security through the use of dedicated information security personnel, the deployment of advanced technical controls, and adherence to relevant industry standards and frameworks. LA is in a continual security evaluation and review process and is always improving controls, processes and technical systems in a layered security environment. This guide provides a non-technical overview of LA’s information security management practices, processes and controls. LA’s information security and risk management activities are designed to ensure the confidentiality, integrity and availability of LA’s and its clients’ information.
LA’s information security management practices, as defined by our policies, standards and procedures, have been implemented in accordance with recognised information security best practices. We intend to progress our programme towards meeting the ISO 27001:2013 quality standard. An information security risk management framework is used to identify, assess and evaluate information-related risks, alongside the selection and implementation of related technical, physical and administrative controls.
Information security process and control documents are approved by management and updated annually to provide guidance on how to prevent, detect, and respond to information security events and weaknesses, as well as documenting the consequences of non-compliance.
All personnel undergo regular mandatory training on LA information security policy as well as relevant technical processes to classify, store, and reproduce sensitive documents, spreadsheets, and legal filings. This training includes the legal, ethical, and contractual importance of protecting private and sensitive client data and personal data. Our staff attend regular training to ensure they are current on the latest and most sophisticated security practices and techniques.
LA deems all data received or produced on our client matters as confidential and electronic records are subject to appropriate security and access control profiles. Physical records are indexed within LA’s records management system and labelled appropriately.
Users are required to maintain the confidentiality of their personal passwords which must meet complexity requirements. Access to applications is security controlled and restricted by need.
Physical and Environmental Security
Visitors are escorted at all times within LA offices, and security passes are required for access by authorised personnel. Sensitive areas of the premises (e.g. server rooms) are off-limits to all but authorised personnel. Access to secured areas is controlled via a security badge system and is camera-monitored by LA’s 24-hour Network Operations Centre.
Sensitive areas where client data is stored, electronically transmitted, or processed are protected by fire detection and suppression, electronic water leak detection, and temperature and humidity controls. We maintain UPS and generator back-up power supplies as well as secondary communications channels.
Documented policies and procedures for information technology operations are maintained, including a formal change management process. All our devices (workstations, laptops) employ endpoint antivirus protection. Regular data snapshots as well as daily full backups are replicated to our Disaster Recovery Centre.
To ensure network protection, LA has implemented a multi-layered defence-in-depth strategy using the latest preventive and detective controls. The network perimeter is secured through firewalls which monitor and control connections into and out of the network as well as the availability of services therein.
IT Supplier Relationships
We evaluate prospective suppliers based on our requirements. Risks associated with the use of any IT supplier for our critical operations are fully analysed and assessed, and prior to instructing any vendor we enter into an NDA with them as appropriate. All due diligence records created when establishing the vendor relationship, including the risk rating, are maintained.
Information Security Incident Management
A centralised and secured architecture provides the foundation for our Business Continuity Plan and Disaster Recovery strategy, which aims to allow us to continue to serve our clients in the event of a disaster or other business interruption. A business impact analysis is conducted on an annual basis to ensure proper prioritisation of continuity, recovery and resumption activities based on defined objectives such as the recovery time objective and the recovery point objective.
We have a Business Continuity Plan for each of our offices and a separate IT Disaster Recovery Plan that forms part of our overall Business Continuity Plan. LA’s business recovery strategy includes systems and procedures that allow us to prevent and mitigate potential interruption to our ability to deliver services to clients, such as emergency communication systems and global and local emergency teams.
LA has an internal team which advises us on current and upcoming legal and regulatory requirements and which monitors our compliance with our legal and regulatory obligations.
Additionally, we undergo gap analysis and internal audits to check and maintain compliance with business and industry requirements. Audit results relating to data protection will be summarised in internal reports to our Data Protection Committee to continually improve our practices and strategies.