McCAY LAW LIMITED T/AS “McCAY SOLICITORS”
McCay Solicitors is a data controller for the purposes of data protection law. This Notice provides information on how we process the personal data you provide us with and we receive from others. This Notice complies with our obligations under the General Data Protection Regulation 2016/679 (GDPR) and domestic data protection law. It describes the individual rights you have under GDPR as a client or user of our services.
What is personal data?
Personal data includes any information which directly identifies you, for example your name or photographic ID. It also covers information from which you can be identified, for example an identification number, IP address or swipe card. As long as you can be identified from the data then it is personal data and covered by GDPR.
What is special category data?
Greater care must be taken when processing “special category data” and this covers information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (e.g. a biological sample), biometric data (e.g. facial image), and data concerning your health, sex life or sexual orientation.
What is processing?
GDPR protects data processing and “processing” is very broadly defined in that it covers almost anything done with your personal data, for example collection, storage, providing to others, alteration or destruction.
It covers the processing of personal data wholly or partly by automated means. Therefore sending emails, entering information into a computer file or database, or using a GPS tracking device is covered by GDPR. If you attend one of our training courses we will keep a record of your name and contact details on an electronic file and this is an example of processing.
If the processing of personal information is not automated, it will be covered if the information forms part, or is intended to form part, of a “filing system”, for example a file held about you by your employer in a filing cabinet with your name on it. If you are a client of McCay Solicitors we will process your data when we open a file for you. If information about you is held in an unstructured way, for example documents in a drawer in a desk with other random documents about other matters, then that will likely not be processing.
What are the Data Protection Principles?
The Data Protection Principles require that personal data is:-
• used lawfully, fairly and in a transparent way
• collected only for valid purposes that are clearly explained and not used in any way that is incompatible with those purposes
• relevant and limited to the purposes we have collected it for
• accurate and kept up to date
• kept only as long as necessary for the purpose
• kept securely.
These Principles underpin the GDPR regime and they are embedded into all our dealings with you.
McCay Solicitors is both a processor and a “data controller” and this means that we are responsible for deciding how we hold and use personal information. We are committed to ensuring that the Data Protection Principles are applied to your personal data and any personal data you supply to us about any third party. We have taken demonstrable steps to ensure that our systems, processors and staff comply with the law in terms of the information we handle. GDPR, confidentiality and respect for your privacy are fundamental to our core values.
We will protect and respect the privacy of clients and others using our services and website.
What is our Legal Basis for processing your data?
We are required to tell you the legal basis upon which we are processing your data. There are a number of lawful grounds contained in the GDPR. In McCay Solicitors we will be processing your data on one or more of the following grounds:-
• You have consented in writing to the processing for that purpose (e.g. you have asked us to send your data to a particular body or person, such as a different solicitor’s firm or a member of your family).
• It is necessary for the performance of a contract you are entering into (e.g. we need your contact details for invoice purposes).
• It is necessary for compliance with a legal obligation to which we are subject (e.g. we must comply with money laundering legislation by obtaining and storing proof of your identity).
• It is necessary for the purposes of our legitimate interests (e.g. we need to enter your details into a new computer software package).
What personal information might we collect from you?
If you are a new or existing client or contact we will collect and process personal information about you. This is information about you that you give us by filling in forms on our website or by communicating with us by phone, e-mail or otherwise. It includes information you provide when you seek legal advice from us, utilise our training services, participate in discussion boards or other social media functions on our site and when you report a problem with our site. The information you give us may include the following:-
• Personal contact details such as name, title, addresses, telephone numbers and personal email addresses.
• Date of birth
• Marital status and dependants.
• National Insurance number.
• Bank account details, payroll records and tax status information.
• Salary, annual leave, pension and benefits information.
• Start date.
• Location of employment or workplace.
• Recruitment information (including copies of right of work documentation, references and other information included in a CV or cover letter or as part of the application process)
• Employment records (including job titles, work history, working hours, training records and professional memberships).
• Compensation history
• Performance information/appraisals.
• Disciplinary and grievance information.
• Information about your use of our information and communications systems.
We may also collect, store and use the following “special categories” of more sensitive personal information concerning you when you are seeking advice:
• Information about your race or ethnicity, religious beliefs, community background, sexual orientation and political opinions.
• Trade union membership
• Information about your health, including any medical condition, health and sickness records.
• Genetic or biometric data.
• Information about criminal convictions and offences.
• Information in relation to security vetting and AccessNI
These lists are for illustrative purposes only and are not exhaustive.
Information obtained about you from others
During the course of providing our services we may obtain further personal information about you from third parties. For example in litigation we may obtain discovery of documents which contain personal information about you. We will normally provide you with either hard or electronic copies of that information. On occasions if the information has been provided in hard copy it may be agreed with you that you will inspect the originals rather than receive a copy.
Personal information about third parties
The information you provide to us or we receive from others may include personal data about third parties, for example employees, colleagues, employers, job applicants, workers and service providers. The information provided to us will be treated confidentially. The principal GDPR obligations, including in relation to privacy notices, do not apply to information in respect of which a claim to legal privilege could be maintained in legal proceedings. Documentation received about you or others is subject to the general duty to use it only for the purposes of the proceedings or potential proceedings. You may for example receive personal information about third parties in response to a statutory questionnaire in discrimination cases and this must be dealt with confidentially and only used for the purposes of the proceedings or potential proceedings.
Purposes for which we use your information
We use the information held about you for the following purposes:
• to provide legal advice and assistance in accordance with our Terms of Business issued to all clients;
• to provide you with the information and services that you request from us (e.g. training);
• to provide you with information about other services we offer that are similar to those that you have already enquired about or availed of;
• to carry out administration and regulatory or management purposes (e.g. billing, Law Society requirements);
• to comply with our legal obligations (e.g. money laundering);
• to notify you about changes to our service;
• to ensure that content from our site is presented in the most effective manner for you and for your computer.
Disclosure of your information
We may need to disclose your personal information to service providers but this is limited to that which is required for providing the services. There are two sets of service providers we use.
Service providers who are data controllers
We may need to engage service providers who are data controllers because they exercise professional judgment on your data. These are barristers, accountants, medical professionals, IT and other professional experts. We enter into separate contracts with them to ensure that they comply with data protection law when we are providing them with data.
Service providers who are data processors
We will need to engage service providers who perform a data processing function on our behalf but do not determine the means by which we process your personal data. These processors are:-
• our insurers
• IT support
• the Law Society for Northern Ireland in the event of claims
• complaints regulatory activities
• Lexcel quality standard inspectors
Disclosure as required by law
We may need to provide your personal information to third parties where required by law, for example to comply with Court/Tribunal orders, to enforce the terms of our contract, or to the National Crime Agency in relation to Money Laundering.
How do we secure your personal data?
We ensure that all information you provide to us is stored securely. We take appropriate measures to secure personal data and protect it from loss or unauthorised disclosure or damage. We apply quality assured software and hardware to secure your data. Our offices are private and appropriately secured.
We limit access to your personal information to those within our Practice who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and the ICO where there is a notifiable breach.
How long will your personal data be kept?
Our Retention Policy is available on request. We will normally hold personal data obtained from clients for 7 years after the relationship has ended or the matter on which advice has been obtained has concluded. This is the appropriate period to ensure the file is available in case there is litigation. We undertake a risk assessment at the closure of every case file and we may need to retain documents for a longer period if indicated by the risk assessment.
You have important rights which you can exercise under data protection law.
The following is a summary of your principal rights:-
Subject Access Requests
You have the right to make a request to us to confirm whether your personal data is being processed and if so you are entitled to a copy of the data. You are entitled to a response to your request as well as detailed information about why the data is being processed. We expect to respond to your request within one month. We may need to extend the period if your request is complex or you have made a number of requests. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We may withhold or redact information where to do otherwise would involve disclosing personal data of a third party. There are various exemptions from the right to subject access which are contained in Schedule 2 of the 2018 Act. The main exception is that subject access does not apply to information in respect of which a claim to legal professional privilege could be maintained in legal proceedings.
Right to request rectification/correction
Your personal data must be accurate, kept up to date and corrected without delay when inaccurate. We must also add to any personal data that is incomplete. You can therefore request us to rectify or correct your data, for example if you have changed contact or bank account details. You are not entitled to rectification of data on the grounds that you do not like what has been recorded; it must be inaccurate for this right to apply.
Right to request erasure
You have the right to request the erasure of your personal data without undue delay if one of a number of conditions applies. This is also known as the “right to be forgotten”. Your information may be erased for example if:
• It is no longer necessary for the purpose we collected it for.
• You have withdrawn your consent to our processing activities (e.g. training information).
• We have no other legal justification for processing.
The right to erasure is extremely important but it is not an absolute right as it must be balanced against the necessity to retain the information for reasons such as the public interest, freedom of expression or compliance with a legal obligation. This is a complex area and further details of your rights are available from the ICO.
In the event that we have made the personal data public, we must take reasonable steps, including technical measures, to inform other data controllers who are processing your data about your erasure request. We must remove any links to the personal data as well as any copies of the personal data.
Right to request restriction of processing
You can request the restriction of processing of your personal data under certain circumstances. Again this is not an absolute right. It might arise if we no longer need to process your data but you need it for the establishment, exercise, or defence of legal claims. For example if we are using our involvement in your case as a marketing exercise for our firm but you no longer wish us to do so.
If we are processing the data on the basis of our legitimate interests we must restrict the processing activity while we consider whether our legitimate interests override yours. For example you may have challenged the accuracy of your data and while we are checking this we will not pass the data to the barrister we have instructed in the case.
There are rules regarding how we can continue to store your data while dealing with your request and further details can be obtained from our Data Protection Partner. If we rectify, remove or restrict use of your data we have obligations to notify any person to whom the data has been disclosed.
Right to object to processing
You have the right to object to data processing unless our legitimate grounds for processing override your interests. You have the right to object at any time to direct marketing which includes profiling for that purpose. We do not carry out this type of processing in McCay Solicitors but this may be important in your dealings with others. For example you may object to your employer transferring your personal data to a third party and your employer would have to stop unless it can demonstrate either compelling legitimate grounds for the transfer or a legal basis (e.g. the transfer of the business (TUPE) or defence of a legal claim).
Data portability right
This is a new limited right under GDPR and it means that you have the right to get the personal data you supplied to us in a structured, commonly used and machine-readable format (e.g. a spreadsheet). It only applies to the personal information you gave to us and therefore does not include the file we have created ourselves about you. You also have the right to send this data to another controller without hindrance.
Right to Withdraw Consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Office Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Right to object to Automated Decision-Making
You have the right not to be subject to automated decision-making, including profiling, except when this is necessary for the contract, where you have explicitly consented or it is authorised by law. You have the right to have a human intervention to review or contest the decision. For example if you have applied for a job you have the right to object to a decision to appoint the successful candidate by a computer algorithm.
In McCay Solicitors we do not engage in automated decision taking about you.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Managing Director in writing. He is available at
Old City Factory
8 North Edward Street
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What happens if there is a Data Breach?
If there is a data breach which is likely to result in a high risk to your rights and freedoms we must notify you as soon as possible. We must tell you clearly what has happened and what we are doing about it. We are also required to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. If there is very little risk to you we would not have to tell you (e.g. if a laptop was stolen but fully encrypted so that your data could not be seen).
Changes to the Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you would like to exercise any of your rights or discuss any aspect of this Notice please email, call or write to us at:
Old City Factory
8 North Edward Street
Telephone 02871 371705