Introduction

In the course of providing legal services Dawson O’ Toole Solicitors will ensure the protection of data stored at the firm and the right of access to this data. This policy is informed by these aspirations and also by the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation 2016/679 (GDPR). The policy applies to all partners, staff, clients, applicants for positions within the firm and service providers with access to practice data.

The Partners are committed to the principles of responsible data protection as outlined in the documents referred to above and to this end they will:

obtain and fairly process personal data
keep data for one or more specified lawful purposes
process data only in ways compatible with the purposes for which it was given initially
securely store personal data
ensure that personal data is accurate and up-to-date
ensure that only relevant data is sought and stored
retain data no longer than is necessary for the specified purpose or purposes for which it was given
furnish a copy of personal data, or sensitive personal data, to any individual on request.

Safeguarding Against Data Protection and Security Risks
This policy helps to protect Dawson O’ Toole from data security risks, including:
Breaches of security and confidentiality. For instance, information being given out inappropriately.
Reputational damage. For instance, the firm could suffer if hackers successfully gained access to sensitive data.
The risk of large fines or sanctions being imposed by the authorities.
The risks of being sued for damages by individuals whose data has been mishandled.

Definitions as they pertain to this Policy
For the purpose of this policy the following definitions apply:

Data means information in a form that can be processed. It includes both automated data (e.g. electronic data) and manual data. Automated data means any information on computer, or information recorded with the intention that it be processed by computer. Manual data means information that is kept/recorded as part of a relevant filing system or with the intention that it form part of a relevant filing system.

Processing data refers to any operation or set of operations performed on personal data. Processing includes storing, collecting, retrieving, using, combining, altering, disclosing, erasing and destroying personal data, and can involve automated or manual operations.

Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily, quickly and easily accessible.

Personal Data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller.

Sensitive Personal Data refers to Personal Data regarding a person’s

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data
physical or mental health condition
sexual orientation

Data Subject means an individual who is the subject of personal data.

Data Controller refers to a person, company or body which determines the purposes and means of processing of personal data. The Data Controller for Dawson O’ Toole is the Partners.

Data Processor in relation to personal data refers to any person who works for or with Dawson O’ Toole who processes personal data on behalf of the Data Controller.

Legal Bases
The legal bases on which we collect, process and transfer your information in the manner described above are:

that this is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract;
our legitimate interests in complying with the requirements of the Law Society. We will not process your personal data for these purposes if to do so would constitute an unwarranted interference with your own interests, rights and freedoms;
that this is necessary for compliance with a legal or regulatory obligation that applies to us;
for the proper management and functioning of this firm;
for tasks and duties carried out in the ordinary operation of a law firm;
to perform a task carried out in the public interest.

Responsibilities and Compliance
Everyone who works for or with Dawson O’ Toole has responsibility for ensuring data is collected, stored, and handled appropriately. Each person who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. Specific responsibilities are outlined in more detail below.

The Managing Partner as Data Protection Officer (DPO) will:
ensure that the basic principles of data protection are explained to staff and clients. This will be done during staff induction, staff meetings and via the staff employment contract, the privacy notices and the website.
ensure that there are regular updates to data protection awareness so that data protection is a “living” process aligned to the firm’s ethos.
periodically check data held regarding accuracy.

The Partners as Data Controller will:
inform the person or persons involved if a breach of confidentiality has occurred and that their personal data may have been compromised.
investigate where a breach of security has occurred and invoke appropriate action.
review and update the Data Protection Policy if required.
ensure that only relevant data is processed.
check to see if clerical and computer procedures are adequate to ensure accuracy.
in tandem with the DPO, advise and inform employees of the need to work within the demands of the firm’s Data Protection policy.

Dawson O’ Toole Staff as Data Processors will:
be required to sign off to confirm they have read and understand the Data Protection Policy and Procedures.
check that any information that they provide in connection with their employment is accurate and up to date.
notify the firm of any changes to information they have provided, for example change of address.
ensure that personal information relating to clients is not disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party.

Sanctions and Disciplinary Action
Given the serious consequences that may arise, Dawson O’ Toole may invoke appropriate disciplinary procedures for failure to adhere to the firm’s policy on Data Protection.

In the case of contractors or external service providers, serious breaches of the policies and procedures can and will be deemed grounds for termination of contractual agreements.

Compliance Monitoring and Review
Dawson O’ Toole will undertake regular reviews of internal procedures and changes in the legislation to ensure ongoing compliance with the General Data Protection Regulation. This will include an annual review.

Data Security

Overview
Access to data will be restricted to authorised staff on a “need-to-know” basis and where it is needed to fulfill their duties and responsibilities.
Data will not be shared informally.
Dawson O’ Toole will provide training to all staff to help them understand their responsibilities when processing data.
Staff will keep all data secure by taking sensible precautions and following the guidelines below.
Strong passwords will be used, and never shared.
Personal data will not be disclosed to unauthorised people, either within Dawson O’ Toole or externally.
Data will be regularly reviewed and if found to be out of date, will be deleted or disposed of according to the guidelines below.
Staff will request help from the DPO or Data Controller if they are unsure about any aspect of data protection.

Data Storage
The security of personal information relating to clients is a very important consideration under the Data Protection Acts and is taken very seriously at Dawson O’ Toole. Appropriate security measures will be taken by the firm to protect against unauthorised access to this data and to the data it is collecting and storing on behalf of the Law Society.

A minimum standard of security will include the following measures:
Access to the information will be restricted to authorised staff on a “need-to-know” basis.
Manual files will be stored in a relevant filing system, located away from public areas.
Computerised data will be held in password-protected files.
Any information which needs to be disposed of will be disposed of carefully and thoroughly.
The premises at Dawson O’ Toole are protected by Eircom PhoneWatch and are monitored on a 24-hour, 7-day-a-week basis.

When data is stored on paper, it will be kept in a secure place where unauthorised people cannot see it. This also applies to data that is usually stored electronically but has been printed out for a valid reason:
When not required, the paper or files will be kept in a relevant filing system.
All personnel will ensure that personal data, paper and printouts are not left where unauthorised people could see them.
Data will be shredded and disposed of securely when no longer required.

When data is stored electronically, it will be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Data will be protected by strong passwords that are changed regularly and never shared between employees.
If data is stored on removable media (e.g. a USB key), these will be kept locked away (and ideally encrypted) when not being used.
Data will be stored on designated drives and servers and will only be uploaded to approved cloud computing services.
Servers containing personal data will be sited in a secure location.
Data will be backed up frequently.
All servers and computers containing data will be protected by approved security software and a firewall.

Data Use
Personal data is often at the greatest risk of loss, corruption, or theft when it is being used or accessed.
To mitigate this risk:
when working with personal data, all personnel will ensure that the screens of their computers/tablets/apps are always locked when not in use.
personal data shared by email will be downloaded, stored securely, and then deleted.
staff will not save copies of personal data to their own computers.

Data Accuracy
Dawson O’ Toole is cognisant of its duty to take reasonable steps to ensure that data is kept accurate and up-to-date.
Data will be held in as few places as necessary.
Every opportunity will be taken to ensure that data is updated (for example, by updating a client’s contact information).
Dawson O’ Toole will make it as easy as possible for data subjects to update the information held about them, over the phone, or by email.
Data will be updated as and when inaccuracies are discovered (for example, if a data subject can no longer be reached on their stored telephone number, that number will be removed from the database).

Data Disclosure to Third Parties
As the Data Controller, the Partners are responsible for any personal data passed to third parties and care will be given to procedures and security.

The only data disclosed to third parties in the normal course of business is as described in Dawson O’ Toole Privacy Notices and this Policy.

The following list includes examples of such organisations but is not exhaustive:
The Law Society
Other Solicitors
The Courts Service
Insurance Companies
Property Registration Authority
Workplace Relations Commission
Revenue Commissioners

Data Retention Period

Client Data will be retained in accordance with Law Society Guidelines.

Data Erasure and Disposal

When documentation or computer files containing personal data are no longer required the information will be disposed of carefully to continue to ensure the confidentiality of the data.

Paper-based files and information no longer required will be safely disposed of in shredding receptacles. A third-party data destruction specialist will be employed, and vetted staff will collect the documents, which will be shredded on site by the specialists.

In the case of personal information held electronically, temporary files containing personal information will be reviewed regularly and deleted when no longer required.

When personal data reaches the point where the retention period has expired, the information will also be securely deleted and removed. In the event that IT equipment containing personal data is no longer required, all data stored on the devices will be removed prior to disposal.

Subject Access Request (SAR) Handling Procedure

The Data Protection Acts 1988 to 2018 and the 2016 GDPR provide for a right of access by an individual data subject to personal information held by Dawson O’ Toole. A person seeking information, the Data Subject, is required to familiarise himself/herself with this policy. This may apply to a client seeking information on his or her own behalf. No information will be supplied that relates to another individual, save to the next friend of a minor. Although from time to time an individual may request by telephone details of some elements of their personal data, formal SARs must be submitted in writing, either electronically or by post.

Your Rights

You have the following rights, in certain circumstances and subject to certain restrictions, in relation to your personal data:
Right to access the data – You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
Right to rectification – You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
Right to erasure – You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
Right to restriction of processing or to object to processing – You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
Right to data portability – You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
Right to withdraw your consent – Where our processing of your personal data is based on you having provided your consent, you have the right to withdraw such consent.

If you wish to exercise any of the rights set out above, please contact us at
info@dawsonotoole.ie

Steps in Making a Subject Access Request (SAR)
1. The Data Subject applies in writing requesting access to his/her data. The firm reserves the right to request official proof of identity (e.g. photographic identification such as a passport or driver’s licence) where there is any doubt on the issue of identification.
2. On receipt of the Data Access Request, the Designated Partner will check the validity of the access request and check that sufficient information to locate the data requested has been supplied.
3. The Designated Partner will log the date of receipt of the valid request and keep a note of all steps taken to locate and collate the requested data.
4. The Designated Partner will ensure that the information is supplied promptly and within one month of first receiving the request.
5. If data relating to a Third Party is involved, it will not be disclosed without the consent of that Third Party, or alternatively the data will be anonymised in order to conceal the identity of the Third Party. Where it is not possible to anonymise the data or otherwise conceal the identity of the Third Party, then that item of data may not be released.
6. The Designated Partner will sign off on the data supplied.
7. The firm reserves the right to supply personal information to an individual in an electronic format (e.g. on a USB key).
8. Where a subsequent or similar access request is made after the first request has been complied with, the firm has discretion as to what constitutes a reasonable interval between access requests and this will be assessed on a case-by-case basis.

Appealing a Decision in Relation to a Data Access Request
The Partners of Dawson O’ Toole are respectful of the right of the Data Subject to appeal a decision made in relation to a request for data from this firm. To appeal a decision, the Data Subject is advised to write to or email the Data Protection Commissioner explaining the case:

Canal House, Station Road, Portarlington, Co. Laois
(info@dataprotection.ie)
The correspondence should include:
the name of this firm
the steps taken to have concerns dealt with
details of all emails, phone calls and letters between the Data Subject and this firm.

Data Breaches
Definition: A data breach is an incident in which personal data has been lost, accessed, and/or disclosed in an unauthorised fashion.

This would include, for instance, loss or theft of a laptop containing client details, an email with personal information being sent to the wrong recipient, as well as more organised incidents of external hacking.

All Partners and staff have a responsibility to take immediate action if there is a data breach.
If a staff member suspects at any time and for any reason that a breach may have occurred, then there is a need to report it to the DPO/Data Controller as an urgent priority.
Once notification of an actual or suspected breach has been received, the DPO/Data Controller will put the Data Breach Procedure into operation with immediate effect.

Data Breach Handling Procedure

The purpose of the Data Breach Procedure set out below is to ensure that all necessary steps are taken to:
(i) contain the breach and prevent further loss of data
(ii) ensure data subjects affected are advised (where necessary)
(iii) comply with the law on reporting the incident to the Data Protection Commissioner if necessary
(iv) learn from the incident: identify what measures can and should be put into place to prevent similar occurrences in the future

Data Breach Response Plan

The DPO will identify stakeholders.
The five-step process below will be initiated, with an evaluation after each stage.

The information communicated to data subjects will include information on the nature of the personal data breach and a contact point where more information can be obtained. It will recommend measures to mitigate the possible adverse effects of the personal data breach.

The maximum timeframe for notification to the Office of the Data Protection Commissioner has been set at 72 hours from the time the incident is first discovered.

This policy was ratified by the Partners of Dawson O’ Toole on the 30th January 2019.

It will be reviewed every three years or more often should the Partners of Dawson O’ Toole think it necessary in light of changed or amended legislation. Any review will continue to be guided by the firm’s characteristic spirit and commitment to its responsibilities under data protection legislation.

Signed:

Partners of Dawson O’ Toole