Our Approach to Data Protection and Information Management
This policy sets out the firm’s approach to data protection and information management, including how the firm manages confidential information and the precautions we take to keep information secure.
The person responsible for this policy is Claire Roberts.
Protection and Security of Confidential Information
Confidential information will not be passed to anyone outside the firm save with the consent of the client (where appropriate) or where client confidentiality does not apply, when that is reasonably necessary for normal business purposes.
In publications and publicity material all client identification information will be removed unless clients have consented.
Retention and Disposal of Information
We retain information for periods that reflect our data protection obligation not to keep personal data for longer than is necessary, and also our statutory, regulatory and business needs to keep records.
Thereafter information is disposed of securely, by shredding, electronic deletion, or otherwise as appropriate.
The firm maintains a firewall to prevent unauthorised access to the firm’s network and data. All messages entering or leaving the firm’s intranet pass through the firewall, which blocks those that do not meet specified security criteria. It does so by applying a rule set that establishes a barrier between the trusted, secure internal network and the internet or other networks that are not assumed to be secure or trusted.
Procedures to Manage User Accounts
User accounts are managed by Claire Roberts, Director. User accounts can be disabled at any time, for example on discovering a breach of security. Accounts are disabled when a member of staff leaves the firm.
Staff responsible for the management of payments (including fee earners and finance staff) are only recruited or assigned to that function after passing suitable background checks, including taking references and the verification of claimed qualifications.
Procedures to Detect and Remove Malicious Software
If, despite the precautions described elsewhere, malicious software (malware) is present on the system, this should be detected by the firm’s anti-virus software. It is then the responsibility of the firm’s IT department to remove the malware, according to the nature of the threat and industry standard procedures at the relevant time.
Register of Software Used by the Firm
The firm currently uses the following software:
Training for Personnel on Information Security
The firm has provided all staff with its information security rules (the current version of which is set out below) and recirculates them to all staff at least annually.
In addition, the firm trains staff about information security risks and precautions on induction, and thereafter at least annually, using the online course provided by Socrates Training. The person responsible for data protection in the firm also periodically circulates e-mails reminding staff of current criminal methodologies and risks as well as necessary precautions.
Updating and Monitoring of Software
All software used by the firm is supported by external software suppliers who issue routine updates from time to time. It is the responsibility of the Director to decide whether and when updated versions are to be installed, or whether new or better software should be obtained.