Privacy and GDPR

Introduction

Personal data is information relating to an identifiable living individual.  The use of personal data is governed by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Transparency is a key element of the GDPR and this Privacy Notice is designed to inform you:

  • How and why SHU Law uses your personal data,
  • What your rights are under GDPR, and,
  • How to contact us so that you can exercise those rights.

 

Who We Are

SHU Law Limited (herein referred to as SHU Law) is a wholly owned subsidiary of Sheffield Hallam University. It operates as a regulated law firm designed to provide undergraduate and postgraduate students with the opportunity to gain hands-on experience of working on live client files. SHU Law’s services are offered on a not-for-profit basis and as such SHU Law provides a number of legal services to members of the public. In doing so it complies with the regulations as set down by the Solicitors Regulation Authority.

 

Format of this Privacy Notice

This Notice is divided into sections relating to our different stakeholders and data subjects.  Please see the section relevant to you:

  1. Enquirers, Prospective Clients, Clients
  2. Witnesses
  3. Students

 

There are some general sections at the end of this Notice which apply to all our stakeholders.  These sections relate to:

  • Security
  • Retention
  • Your rights
  • How to contact us

 

1. Enquirers, Prospective Clients, and Clients

Why are we processing your personal data?

We will process your personal data in order to take steps at your request prior to entering into a contract to represent you or act on your behalf. This may include:

  • Reviewing your enquiry and determining if SHU Law can act for you
  • Performing identity, financial and credit searches, screening and checks against third party sources for anti-money laundering, identity verification, client conflicts and anti-trust purposes

 

Where we take on a case and act for you it is necessary for SHU Law to process your personal data in order to fulfil all aspects of our contract with you (i.e. to provide legal services to you). This may include:

  • Setting up a case file on our case management system
  • Liaising with you for instructions
  • Advising on the merits and progress of a case
  • Providing you/your organisation with legal advice, training and other services and/or products you may have requested from us
  • Producing reports and narratives to cover how we have spent our time in relation to your matter(s)
  • Hosting you at our offices and providing hospitality services* (may include access and dietary requirements)
  • Instructing barristers and/or experts relevant to the case
  • Reviewing evidence/data relating to a case, including medical data
  • Obtaining evidence relevant to the case
  • Obtaining witness and expert witness statements
  • Conducting litigation
  • Facilitating dispute resolution

 

It is necessary for SHU Law to process your personal data in order to comply with legal obligations:

  • Complying with the terms of our registration with the Solicitors Registration Authority
  • Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law
  • Complying with our general regulatory and statutory obligations (including our responsibilities under codes of conduct and anti-bribery laws)
  • Monitoring our systems and processes to identify, record, and prevent fraudulent, criminal and/or otherwise illegal activity.
  • For access and dietary requirements, if you visit our offices or attend our events, and to make reasonable adjustments if you declare a disability
  • To ensure the health, safety and security of our clients, students, staff and others
  • To monitor and promote equality and diversity

 

It is necessary for SHU Law to process your personal data in order to meet our public tasks as a wholly owned subsidiary company of Sheffield Hallam University formed to support the teaching and learning of the University’s students:

  • Facilitate the teaching, supervision and assessment of students

 

It is necessary for SHU Law to process your personal data in order to protect your vital interests or those of another individual:

  • To protect the vital interests of an individual, i.e. in emergencies/life or death situations/where we believe that an individual is at significant risk of harm.

 

There are also a number of legitimate business purposes for which SHU Law processes your data:

  • Managing, planning and delivering our global business and marketing strategies (including recording and reporting on our business development activities)
  • To claim fees from the Court or other parties where applicable
  • To produce anonymised statistical reports
  • To monitor Key Performance Indicators
  • Analysing how our electronic marketing communications are used by you
  • Obtaining client feedback in order to resolve any problems and to review and improve our services
  • Continuously reviewing and improving our products and services
  • Maintaining the security and integrity of our systems

 

With your consent we will also:

  • Send you electronic direct marketing communications
  • Take photographs of participants at our events for use on our website and hardcopy publicity materials

 

Which Personal Data do we Collect and Use?

In order to provide our services we need to collect and use your personal data. Below is a list of what this may include:

 

Contact Information

  • Name
  • Address
  • Email address
  • Telephone numbers

Personal Details

  • Date of birth
  • Gender
  • Ethnicity*^
  • Marital or civil partnership details
  • Criminal convictions*
  • Sexual Orientation*^
  • Disabilities*^
  • Qualifications
  • Religious beliefs*^
  • Details of dependants, beneficiaries and/or next of kin

Identity Check/Regulatory Information

  • Driving licence number
  • Passport number
  • Bank statement or utility bill

Financial Information

  • Billing and payment information
  • Banking details
  • Company information

Information relating to your case or matter

  • Employment details
  • Details of your company/organisation
  • Health data/Medical records*
  • Your instructions and statements
  • Witness statements
  • Expert opinions and statements
  • Any other personal data provided to us by or on behalf of our clients or generated by us in the course of providing legal services to you. This may include special categories of personal data/sensitive personal data.

Marketing Preferences and Technical Information

  • IP address
  • Details of visits to our website and online services
  • Online registration details
  • Direct marketing consent
  • Marketing opt-out details
  • Communication preferences
  • Analysis of how our electronic marketing communications are used (e.g. whether you open them and click through to access their contents)

Information relating to our events

  • Dietary requirements^
  • Photographs^
  • CCTV images
  • Attendance/registration

 

* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR and as such is subject to a greater level of control and protection.

^ Denotes information which you provide on a voluntary basis or where you are given the option of “prefer not to say” or “information refused”.

Please note:

  • The personal data processed will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • If you do not provide us with your Contact Information we may not be able to provide you with any information you request, and if you do not provide us with your Contact Information, information relevant to identity checks/regulatory compliance or certain case/matter and billing Information, we will not be able to act for you.

 

Sources

Directly from you:

  • From your initial enquiry
  • From notes of meetings and telephone calls with you
  • From correspondence with you
  • Any other information that you share with us

 

From third parties:
Information may be received from witnesses, expert witnesses and other third parties. These sources will depend on the particulars of your case.

Via web based services and other public sources:
We may collect data from publicly available sources (e.g. electoral register, Motor Insurer’s Database, Companies House).

Who do we share your data with?
You should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the company or outside SHU Law. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. SHU Law and Sheffield Hallam University NEVER sell personal data to third parties.

Please note that in sharing your data the following provisions are in place to ensure that the principles of confidentiality and the rules set out by the Solicitors Regulatory Authority (SRA) are adhered to:

  1. An agreement exists between Sheffield Hallam University and SHU Law to ensure that any data shared will only be done so in accordance with the data sharing principles and so as to ensure that the SRA principles of confidentiality are adhered to
  2. All SHU staff have confidentiality clauses within their employment contracts which mean that they are bound by confidentiality
  3. All staff working in SHU Law are required to enter into an additional statement of terms which requires them to adhere to the Code of Conduct as set down by the SRA
  4. All students who undertake live client casework in SHU Law are required to sign a statement of terms which requires them to be bound by the principles of confidentiality

 

Your data may be shared with:

  • SHU Law staff who need the information for administrative, teaching, assessment, and student support purposes.
  • Sheffield Hallam University staff who need the information
    • for teaching, assessment and course administration purposes.
    • to provide support services for SHU Law e.g. marketing and IT support services
  • Sheffield Hallam University students who are on work placement in SHU Law.
  • Contractors and suppliers, where SHU Law uses external services or has outsourced work which involves the use of personal data on our behalf, e.g. marketing and auditing and accreditation services. Data shared with contractors and suppliers will be limited to what is necessary for the provision of that service/contract. SHU Law will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the GDPR and other applicable legislation. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as ‘adequate’ by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
  • The University’s insurers, legal and other professional advisors

 

SHU Law may also share your data with other organisations which are Data Controllers and will have their own privacy notices. These organisations are also under a duty to comply with data protection legislation:

  • Barristers in the context of the legal services that we provide to you
  • Supervising solicitors at the Court Helpdesk
  • Courts and Tribunals in the context of the legal services that we provide to you
  • Other organisations involved in processing claims and proceedings
  • The Solicitors Regulation Authority (SRA) – in the case of complaints, disputes, and general regulatory matters

 

2. Witnesses, Expert Witnesses, Medical Experts, Barristers, Service Providers and other third parties

Why are we processing your personal data? (These purposes will vary depending on your interactions with SHU Law and the nature of the case/matter in question.)

 

It is necessary for SHU Law to process your personal data in order to fulfil all aspects of our contract with you:

  • To manage and administer our relationship with you
  • Instruct you in your role as witness, expert witness, medical expert, Barrister etc. and to obtain evidence relevant to a case
  • Review evidence/data relating to a case, including medical data
  • Conduct litigation
  • Facilitate dispute resolution
  • Hosting you at our offices and providing hospitality services* (may include access and dietary requirements)

 

It is necessary for SHU Law to process your personal data in order to meet our public tasks (learning and teaching, research, knowledge transfer):

  • Facilitate the teaching, supervision and assessment of students

 

It is necessary for SHU Law to process your personal data in order to comply with legal obligations:

  • Perform identity, financial and credit searches, screening and checks against third party sources for anti-money laundering, identity verification, client conflicts and anti-trust purposes
  • Complying with the terms of our registration with the Solicitors Registration Authority
  • Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law
  • Complying with our general regulatory and statutory obligations (including our responsibilities under codes of conduct and anti-bribery laws)
  • Monitoring our systems and processes to identify, record, and prevent fraudulent, criminal and/or otherwise illegal activity.
  • For access and dietary requirements if you visit our offices or attend our events and to make reasonable adjustments if you declare a disability
  • To ensure the health, safety and security of our clients, students, staff and others
  • To monitor and promote equality and diversity

 

It is necessary for SHU Law to process your personal data in order to protect your vital interests or those of another individual:

  • To protect the vital interests of an individual, i.e. in emergencies/life or death situations/where we believe that an individual is at significant risk of harm.

 

There are also a number of legitimate business purposes for which SHU Law processes your data:

  • Managing, planning and delivering our global business and marketing strategies (including recording and reporting on our business development activities)
  • To claim fees from the Court or other parties where applicable
  • To produce anonymised statistical reports
  • Continuously reviewing and improving our products and services
  • Maintaining the security and integrity of our systems
  • Procure marketing assistance and produce marketing material and communications (including the development and maintenance of the websites of SHU Law and SHU)

 

With your consent we may also:

  • Send you electronic direct marketing communications
  • Take photos of participants at our events for use on our website and hard copy publicity materials

 

Which Personal Data do we Collect and Use?
In order to provide our services we need to collect and use your personal data. Below is a list of what this may include:

 

Contact Information

  • Name
  • Address
  • Email address
  • Telephone numbers

Personal Details

  • Date of birth
  • Gender
  • Ethnicity*^
  • Marital or civil partnership details
  • Criminal convictions*
  • Sexual Orientation*^
  • Disabilities*^
  • Qualifications
  • Religious beliefs*^
  • Details of dependants, beneficiaries and/or next of kin

Identity Check/Regulatory Information

  • Driving licence number
  • Passport number
  • Bank statement or utility bill

Financial Information

  • Billing and payment information
  • Banking details
  • Company information

Information relating to your case or matter

  • Employment details
  • Details of your company/organisation
  • Health data/Medical records*
  • Your instructions and statements
  • Witness statements
  • Expert opinions and statements
  • Any other personal data provided to us in the course of providing legal services to our clients. This may include special categories of personal data/sensitive personal data.

Marketing Preferences and Technical Information

  • IP address
  • Details of visits to our website and online services
  • Online registration details
  • Direct marketing consent
  • Marketing opt-out details
  • Communication preferences
  • Analysis of how our electronic marketing communications are used (e.g. whether you open them and click through to access their contents)

Information relating to our events

  • Dietary requirements^
  • Photographs^
  • CCTV images
  • Attendance/registration

 

* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR and as such is subject to a greater level of control and protection.

^ Denotes information which you provide on a voluntary basis or where you are given the option of “prefer not to say” or “information refused”.

Please note:

  • The personal data processed will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

 

Sources

 

Directly from you

  • From initial engagement
  • From notes of meetings and telephone calls with you
  • From correspondence with you
  • Any other information that you share with us

 

From third parties

  • Money laundering/compliance checks?
  • Regulatory bodies (where appropriate)

 

Who do we share your data with?
You should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the company or outside SHU Law. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. SHU Law and Sheffield Hallam University NEVER sell personal data to third parties.

 

Please note that in sharing your data the following provisions are in place to ensure that the principles of confidentiality and the rules set out by the Solicitors Regulatory Authority (SRA) are adhered to:

  1. An agreement exists between Sheffield Hallam University and SHU Law to ensure that any data shared will only be done so in accordance with the data sharing principles and so as to ensure that the SRA principles of confidentiality are adhered to
  2. All SHU staff have confidentiality clauses within their employment contracts which mean that they are bound by confidentiality
  3. All staff working in SHU Law are required to enter into an additional statement of terms which requires them to adhere to the Code of Conduct as set down by the SRA
  4. All students who undertake live client casework in SHU Law are required to sign a statement of terms which requires them to be bound by the principles of confidentiality

 

Your data may be shared with:

  • SHU Law staff who need the information for administrative, teaching, assessment, and student support purposes.
  • Sheffield Hallam University staff who need the information
    • for teaching and assessment purposes
    • to provide support services for SHU Law e.g. marketing and IT support services

 

  • Sheffield Hallam University students who are on work placement in SHU Law.
  • Contractors and suppliers, where SHU Law uses external services or has outsourced work which involves the use of personal data on our behalf, e.g. marketing and auditing and accreditation services. Data shared with contractors and suppliers will be limited to what is necessary for the provision of that service/contract. SHU Law will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the GDPR and other applicable legislation. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as ‘adequate’ by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
  • The University’s insurers, legal and other professional advisors

 

SHU Law may also share your data with other organisations which are Data Controllers and will have their own privacy notices. These organisations are also under a duty to comply with data protection legislation:

  • Barristers in the context of the legal services that we provide to you
  • Supervising solicitors at the Court Helpdesk
  • Courts and Tribunals in the context of the legal services that we provide to you
  • Other organisations involved in processing claims and proceedings
  • The Solicitors Regulation Authority (SRA) – in the case of complaints, disputes, and general regulatory matters

3. Students Undertaking Casework/on Work Experience in SHU Law

Why are we processing your personal data?

It is necessary for SHU Law to process your personal data in order to fulfil all aspects of our contract with you:

  • Transfer relevant personal data held by Sheffield Hallam University to enable you to fulfil the remit of SHU Law
  • Identify you and manage access to buildings and IT systems (e.g. case management systems, client files) where access is restricted to staff and students on placement at SHU Law
  • Enable us to monitor your progress, engagement and attendance

 

It is necessary for SHU Law to process your personal data in order to meet our public tasks:

  • To monitor, review and evaluate the quality, standards and effectiveness of our teaching, research, and other services and facilities
  • Produce reports on students

 

It is necessary for SHU Law to process your personal data in order to comply with legal obligations:

  • Complying with the terms of our registration with the Solicitors Registration Authority
  • Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law
  • Complying with our general regulatory and statutory obligations (including our responsibilities under codes of conduct and anti-bribery laws)
  • Check for conflicts of interest
  • Monitoring our systems and processes to identify, record, and prevent fraudulent, criminal and/or otherwise illegal activity.
  • For access requirements and to make reasonable adjustments if you declare a disability
  • To ensure the health, safety and security of our clients, students, staff and others
  • To monitor and promote equality and diversity

 

It is necessary for SHU Law to process your personal data in order to protect your vital interests or those of another individual:

  • To protect the vital interests of students and others, i.e. in emergencies/life or death situations/where we believe that a student or another individual is at significant risk of harm

 

There are also a number of legitimate business purposes for which SHU Law processes your data:

  • To plan, deliver and review our services and facilities
  • To protect our premises, facilities and other assets and resources
  • To monitor and manage Internet use

 

With your consent we may also:

  • Take photographs of participants at our events for use on our website and hardcopy publicity materials
  • Publish your personal details, photograph, blog posts, articles

 

Further to the above please see the Student Privacy Notice that applies to all Sheffield Hallam University students: https://www.shu.ac.uk/about-this-website/privacy-policy/privacy-notices/privacy-notice-for-students

  

Which Personal Data do we Collect and Use?

In order to provide our services we need to collect and use your personal data. Below is a list of what this may include:

 

Contact Information

  • Name
  • Address
  • Email address
  • Telephone numbers

Personal Details

  • Date of birth
  • Gender
  • Ethnicity*^
  • Marital or civil partnership details
  • Criminal convictions*^
  • Sexual Orientation*^
  • Disabilities*^
  • Qualifications
  • Religious beliefs*^

Academic

  • Module choices and allocation
  • Assessment records
  • Feedback and comments

Information relating to our events

  • Dietary requirements^
  • Photographs^
  • CCTV images
  • Attendance/registration

 

* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR and as such is subject to a greater level of control and protection.

^ Denotes information which you provide on a voluntary basis or where you are given the option of “prefer not to say” or “information refused”.

 

Sources

Data will be transferred from your Sheffield Hallam University student record to SHU Law or will be collected directly from you.

Feedback and comments may also be provided by SHU Law staff, clients, witnesses, and third party service providers.

 

Who do we share your data with?

You should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the company or outside SHU Law. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. SHU Law and Sheffield Hallam University NEVER sell personal data to third parties.

 

Please note that in sharing your data the following provisions are in place to ensure that the principles of confidentiality and the rules set out by the Solicitors Regulatory Authority (SRA) are adhered to:

 

  1. An agreement exists between Sheffield Hallam University and SHU Law to ensure that any data shared will only be done so in accordance with the data sharing principles and so as to ensure that the SRA principles of confidentiality are adhered to
  2. All SHU staff have confidentiality clauses within their employment contracts which mean that they are bound by confidentiality
  3. All staff working in SHU Law are required to enter into an additional statement of terms which requires them to adhere to the Code of Conduct as set down by the SRA
  4. All students who undertake live client casework in SHU Law are required to sign a statement of terms which requires them to be bound by the principles of confidentiality

 

Your data may be shared with:

  • SHU Law staff who need the information for administrative, teaching, assessment, and student support purposes.
  • Sheffield Hallam University staff who need the information for teaching and assessment purposes.
  • Contractors and suppliers, where SHU Law uses external services or has outsourced work which involves the use of personal data on our behalf, e.g. marketing and auditing and accreditation services. Data shared with contractors and suppliers will be limited to what is necessary for the provision of that service/contract. SHU Law will ensure that appropriate contracts and/or data sharing agreements are in place and that the contractors and suppliers process personal data in accordance with the GDPR and other applicable legislation. If we need to transfer your personal information to another organisation for processing in countries that aren’t listed as ‘adequate’ by the European Commission, we’ll only do so if we have model contracts or other appropriate safeguards (protection) in place.
  • The University’s insurers, legal and other professional advisors

 

SHU Law may also share your data with other organisations which are Data Controllers and will have their own privacy notices. These organisations are also under a duty to comply with data protection legislation:

  • Barristers
  • Supervising solicitors at the Court Helpdesk
  • Courts and Tribunals
  • Other organisations involved in processing claims and proceedings
  • The Solicitors Regulation Authority (SRA) – in the case of complaints, disputes, and general regulatory matters
  • Other organisations used to assist in collating, auditing and storing data to ensure that SHU Law meets its financial and regulatory obligations

 

Please also see the Sheffield Hallam University Privacy Notice for Students:

https://www.shu.ac.uk/about-this-website/privacy-policy/privacy-notices/privacy-notice-for-students

Security

IT Services are provided to SHU Law by Sheffield Hallam University. The University and SHU Law take a robust approach to protecting the information that they hold. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention tools on the University network and segregation of different types of device; the use of tools on University computers to detect and remove malicious software and regular assessment of the technical security of University systems. University staff monitor systems and respond to suspicious activity. The University has Cyber Essentials certification.

 

Alongside these technical measures SHU Law and Sheffield Hallam University have comprehensive and effective policies and processes in place to ensure that users and administrators of University information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining SHU Law and the University and existing staff have training and expert advice available if needed.

Retention

We will only retain your personal data for a limited period of time, and for no longer than is necessary for the purposes for which we are processing it. This will depend on a number of factors, including:

  • any laws or regulations that we are required to follow;
  • whether we are in a legal or other type of dispute with each other or any third party;
  • the type of information that we hold about you; and
  • whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

Data Subject Rights

One of the aims of the General Data Protection Regulation (GDPR) is to empower individuals and give them control over their personal data.

The GDPR gives you the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

 

For more information about these rights please see https://www.shu.ac.uk/about-this-website/privacy-policy/data-subject-rights

 

Contact Us

Please contact our Data Protection Officer (DPO) if you:

  • Would like to request copies of your personal data held by SHU Law (a subject access request)
  • Would like to exercise your other rights (e.g. to have inaccurate data rectified, to restrict or object to processing)
  • Have a query about how your data is used by SHU Law
  • Would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately)
  • Would like to complain about how SHU Law has used your personal data

 

The Data Protection Officer for SHU Law is the same as the DPO for Sheffield Hallam University:

Data Protection Officer
Sheffield Hallam University
Governance Services
City Campus
Howard Street
Sheffield
S1 1WB

Email: DPO@shu.ac.uk
Telephone: 0114 225 5555

Further Information and Support

More information about data protection at Sheffield Hallam University can be found on the University Website: https://www.shu.ac.uk/about-this-website/privacy-policy

The Information Commissioner is the regulator for GDPR. The Information Commissioner’s Office (ICO) has a website with information and guidance for members of the public:

https://ico.org.uk/for-the-public/

The Information Commissioner’s Office operates a telephone helpline, live chat facility and email enquiry service. You can also report concerns online. For more information please see the Contact Us page of their website:

https://ico.org.uk/global/contact-us/