Data Management Policy

1 Hare Court needs to gather and use certain information about individuals (processing). This can include clients, contacts, employees and other people Chambers has a relationship with or may need to contact.

This policy describes how this personal data is collected, handled and stored to meet the chamber’s data protection standards and to comply with the law.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4 of the GDPR).

This data management policy ensures 1 Hare Court:

  • complies with data protection law and follows good practice.
  • protects the rights of clients, staff and any third parties.
  • is transparent about how it stores and processes individuals’ data.
  • protects itself from the risks of a data breach.

When a barrister has been instructed to advise or represent you or provide any other legal services to you, they may process your personal data for the purpose of providing you with advice, representation or other legal services in accordance with your instructions and the barrister’s professional duties.  This processing will be necessary for compliance with the barrister’s duties to you as the barrister’s client and with the barrister’s obligations under the Bar Standards Board Handbook. In cases where the barrister accepts instructions under a contract with you, the processing will be necessary for the performance of that contract.

Data protection law

The UK General Data Protection Regulation (GDPR) applies in the UK. It outlines that personal data must be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • Adequate, relevant and limited to what’s necessary in relation to the purposes for which they’re processed.
  • Accurate and, where necessary, kept up to date.
  • Protected – every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
  • Kept in a form that permits identification of data subjects for no longer than is necessary, and for the purposes for which the personal data is processed.
  • Stored for longer periods. For example, the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This will also be subject to implementation of the appropriate technical and organisational measures required by UK GDPR in order to safeguard the rights and freedoms of individuals.
  • Processed in a manner that ensures appropriate security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

People and responsibilities

Everyone at 1 Hare Court contributes to compliance with UK GDPR. Key decision-makers must understand the requirements and accountability of the organisation to prioritise and support the implementation of compliance.

Rob Andrews, the Head of Finance and Operations, will act as the Data Protection Manager and will normally be the first point of contact to deal with any data protection issues. He will report directly to the Compliance, Health & Safety and Environmental Committee. His responsibilities include but are not limited to:

  1. Keeping the Compliance, Health & Safety and Environmental Committee updated about data protection issues, risks and responsibilities.
  2. Documenting, maintaining and developing the chambers’ data protection policy and related procedures, in line with an agreed schedule.
  3. Embedding ongoing privacy measures into policies and day-to-day activities, throughout chambers. The policies themselves will stand as proof of compliance.
  4. Sharing the policy across chambers and arranging any appropriate training and advice for staff.
  5. Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters.
  6. Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  7. Ensuring chambers’ IT consultants carry out regular checks and scans to ensure security hardware and software are functioning properly.
  8. Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations.
  9. Developing privacy notices to reflect a lawful basis for fair processing, ensuring that intended uses are clearly articulated. This will also ensure that data subjects understand how they can give or withdraw consent or exercise their rights in relation to the company’s use of their data.
  10. Ensuring that marketing and all other initiatives involving processing personal information and/or contacting individuals abide by the UK GDPR principles.
  11. Being the first point of contact for supervisory authorities and for individuals whose data is processed (employees, clients).

Scope of personal information to be processed

  1. The data processed by 1 Hare Court includes:
    • names of individuals
    • postal addresses of individuals
    • email addresses
    • telephone numbers
    • online identifiers
    • any other information relating to individuals.
  2. The data related to chambers professional work is collected through telephone calls from lay and professional clients and from Instructions received in chambers. Data collected about employees and other individuals providing a service to chambers is collected direct from those individuals or from agencies acting on their behalf.
  3. Most data is collected by the Clerks who are trained to understand the importance of ensuring that all data collected is accurate and relevant to the purpose. Data is kept up to date and not collected for any longer than necessary (refer to the Data Retention and Disposal Policy).
  4. Explicit written consent of the Data Subject must be obtained unless an alternative legitimate basis for processing exists. Where we store data of children under the age of 16, their solicitor, parent or guardian must provide authorisation.
  5. Sensitive special categories of personal information that it is necessary for chambers to process are kept on the chambers computer system, which is secure and securely backed up. Any such data on paper can be stored in a safe situated in the clerks’ room if appropriate.
  6. It is prohibited to remove personal data from our premises for any reason other than carrying out legitimate processing activities.

Purpose of processing

  • Provide services (including legal advice and representation), quotations, and information.
  • Communicate with you.
  • Facilitate the billing of services.
  • Direct enquiries to the appropriate member of chambers.
  • Investigate and address complaints.
  • Investigate, address or defend legal proceedings relating to your use of our services.
  • Meet our legal obligations and regulatory requirements, including obligations to maintain Equality and Diversity monitoring statistics.
  • Carry out activities necessary for the process of employing members of staff, and our pupillage and mini-pupillage application processes.
  • Carry out activities necessary for the performance of employment or other contracts to which 1 Hare Court is a party.

Consent

We have a lawful basis and a legitimate interest for collecting data and we understand ‘consent’ to mean that it has been explicitly and freely given, and it is a specific, informed and unambiguous indication of the Data Subject’s wish that, by statement or by a clear affirmative action, it signifies agreement to the processing of personal data relating to that individual. A Data Subject can withdraw their consent at any time.

We have a legitimate interest because the data is required to enable the barrister to provide advice and representation requested by the client. Employee data is required to enable the employment to take place.

Consent cannot be inferred from non-response to a communication. As Data Controller, we must be able to demonstrate that consent, where necessary, was obtained for the processing operation.

Disclosure and Data Sharing

Where it is lawful and necessary, disclosure of certain personal data to other persons or entities may take place including:

  • courts and tribunals;
  • the solicitors acting on your behalf;
  • other barristers acting on your behalf;
  • other parties or their representatives;
  • witnesses or experts in proceedings, and potential witnesses or experts;
  • clerks employed by 1 Hare Court;
  • support staff employed by 1 Hare Court;
  • pupils and mini-pupils, and persons shadowing barristers or attending Chambers on educational visits;
  • external service providers;
  • in the event of complaints, the Heads of Chambers and Members of Chambers who deal with complaints, and professional regulatory bodies such as the Bar Standards Board and the Legal Ombudsman;
  • providers of professional indemnity insurance;
  • the general public in relation to the publication of legal judgments and decisions of courts and tribunals;
  • in certain circumstances and to the extent required by law, the Bar Standards Board, the Financial Conduct Authority and the Information Commissioner’s Office.  It is possible that those authorities may process or disclose information obtained by them, for the performance of their lawful duties.

Security measures

Chambers employs a multi-layered approach to information security, incorporating both network-level and endpoint-level protections.

A boundary firewall is in place at the network perimeter, with advanced security features enabled, including Gateway Antivirus, Anti-Spyware, and Intrusion Prevention. In addition, software firewalls are enforced on all devices that connect to Chambers resources.

Multi-Factor Authentication (MFA) is required for all user sign-ins to Chambers systems. Conditional Access Policies, managed through Microsoft, enforce key security requirements, including the use of up-to-date antivirus software, enabled software firewalls, and encryption at rest for all macOS and Windows devices. Devices that have been jailbroken or rooted are automatically blocked from accessing Chambers systems. Further, password protection and compliance policies are enforced across iOS and Android devices.

Email communication is safeguarded by Mimecast, which provides comprehensive filtering of all inbound and outbound messages. This includes protection against malicious content and spoofing, as well as enforcement of SPF, DKIM, and DMARC protocols, and real-time checks against public block lists.

Microsoft Defender provides real-time threat detection on end-user devices and within the Microsoft 365 environment. Any security alerts are automatically escalated to the IT provider’s dedicated security team for investigation and response.

Automated processing

We do not normally carry out automated processing of data.

Subject access requests

All individuals who are the subject of data held by 1 Hare Court are entitled to:

  • ask what information 1 Hare Court holds about them and why.
  • ask how to gain access to it.
  • be informed how to keep it up to date.
  • be informed how the company is meeting its data protection obligations.

Subject Access Requests should be made to Rob Andrews, the Head of Finance and Operations.

The right to be forgotten

Data subjects have the right to be deleted from our database if the data is no longer required for the purpose for which it was originally collected, was collected when the data subject was a minor, or was collected unlawfully.

Certain basic data may be kept indefinitely to allow for conflict checks to take place.

Privacy notices

1 Hare Court aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • who is processing their data
  • what data is involved
  • the purpose for processing that data
  • the outcomes of data processing
  • how to exercise their rights

Chambers have a privacy statement, setting out how data relating to individuals is used. This policy covers all members of Chambers; however, some members may have their own individual statement. The policies may be viewed on the chambers website.