First, History BA, University of Bristol

Distinction, PGCE English Language and Literature

Secondary Education, University of Bristol

Distinction, Graduate Diploma in Law, BPP, London

Distinction, Bar Training Course, LLM, BPP, London

Lincoln’s Inn Denning Scholarship

BPP’s academic excellence award

BPP’s career commitment award

Bristol University best dissertation prize

Bristol University Graham Robertson scholarship

Justice

Lincoln’s Inn

Beyond children’s rights Grace is passionate about animal welfare, placing second in A-Law’s 2021 legal essay competition. Outside the realms of rights and advocacy, Grace is an enthusiastic runner, having completed the Edinburgh Marathon to raise money for Alzheimer’s Scotland. During lockdown, she is also sure she has annoyed those she lives with by pursuing her passion for singing and playing amateur piano.

DATA PROTECTION POLICY OF:

PATRICIA GRACE ROBERTSON

 

NEW COURT CHAMBERS, TEMPLE, LONDON, EC4Y 9BE

 

ZB321516

 

29 November 2022

 

Policy became operational on: 4 April 2022

 

Next review date: 1 January 2023

 

 

 

Data Protection Policy

 

Introduction

I need to gather and use personal data about individuals in the course of my practice as a barrister, both for the provision of my professional services and to manage my practice.

I will process personal data relating to a range of individuals. In my capacity as data controller this may include, but is not limited to:

• Clients (whether instructed by a law firm or by direct access);
• Suppliers and support services, including New Court Chambers and its employees;
• Business contacts;
• Employees; and
• Other people I have a professional relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet my data protection standards and to comply with the law.

Why this policy exists

 

This Data Protection Policy exists to ensure that I and any staff I may employ:

• Comply with data protection law and implement robust data protection policies and procedures within their practice;
• Protect the rights of all data subjects;
• Am open about how I store and process individuals’ data;
• Protect my practice from the risks of a data breach.

Data protection law

The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 describe how organisations must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The UK GDPR is underpinned by six important principles. They say that personal data must be:

1. Processed lawfully, fairly and transparently;
2. Collected for specific, explicit and legitimate purposes;
3. Adequate, relevant and limited to what is necessary for processing;
4. Accurate and, where necessary, kept up to date;
5. Kept in a form such that the data subject can be identified only as long as is necessary for processing; and
6. Processed in a manner that ensures appropriate security of the personal data.

Processing personal data and sensitive personal data

Where I am processing personal data, I must do so in a way which is compliant with the UK GDPR and the principles set out above and which demonstrates my accountability under the legislation.

I must be able to demonstrate:

• a lawful basis for processing personal data;
• transparency with data subjects about how I intend to use their personal data
• that I have processed personal data only in ways the data subject would reasonably expect; and
• make sure I do not do anything unlawful with the data.

Where I am processing special category data, I must ensure that I can evidence an exemption which allows me to process such data. The conditions most relevant to my practice are:

• The processing is necessary to protect the vital interests of the data subject or another person.
• The processing is necessary for the establishment, exercise or defence of legal claims or whenever processing is taking place to enable courts to act in their judicial capacity (including members who act in judicial capacities such as a deputy judge or appointed person).
• Explicit consent from the data subject.

Where I am processing criminal offence data, I must ensure that I can evidence an exemption which allows me to process such data. The conditions most relevant to my practice are:

• Explicit consent from the data subject.
• The processing is necessary to protect the vital interests of the data subject or another person.
• The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), to obtain legal advice or to establish, exercise or defend legal rights.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the UK GDPR and Data Protection Act 2018.

 

 

People, risks and responsibilities

Policy scope

 

People

This policy applies to:

• Any employee of my practice such as support staff (e.g. typists, secretary) as well as trainees, volunteers and work experience students. It does not include chambers staff who are governed by the chambers’ own policy.

• All contractors, individuals, suppliers and other relevant parties working on behalf of my practice.

• All data my practice holds relating to identifiable individuals. This can include but is not limited to:

• Name
• Email address
• Phone number
• Address
• Payment or bank details
• Date of birth
• Next of kin details
• Details pertaining to education and employment
• Information on your background & current circumstances
• Financial information;

• Special category personal data that reveals:

• Racial or ethnic origin
• Political opinions
• Religious and philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for the purpose of uniquely identifying a natural person
• Data concerning health
• Sex life and sexual orientation.

Personal information relating to individuals employed by an organisation, company or public body with whom I work is also included.

Responsibilities

Both I and any employees of my practice have responsibility for ensuring data is collected, stored and handled appropriately and in compliance with the law.

Data Protection Policy information

I will, through appropriate management and strict application of criteria and controls:

• Observe fully conditions regarding the fair collection and use of information;
• Meet my legal obligations to specify the purposes for which information is used;
• Collect and process appropriate information, but only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements;
• Ensure the quality and accuracy of information used;
• Ensure appropriate retention and disposal of information;
• Ensure that the rights of people about whom information is held can be fully exercised under the UK GDPR. These include:

• The right to be informed
• The right of access
• The right to rectification
• The right to erase
• The right to restrict processing
• The right to data portability
• The right to object, and
• Rights in relation to automated decision-making and profiling;

• Take appropriate technical and organisational security measures to safeguard personal information;
• Ensure that personal information is not transferred outside the UK without suitable safeguards;
• Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information;
• Set out clear procedures for responding to requests for information;
• Take appropriate steps to complete due diligence and enter into contractual arrangements with data processors and controllers where personal data is shared;
• Ensure all regulatory requirements are satisfied when processing special category data and criminal information.

Data storage

All personal information or data processed within my practice will be stored securely and will only be accessible to authorised staff and data processors that I appoint.

Information will be stored for only as long as it is needed or as required by statute, for compliance with professional regulatory obligations, professional indemnity requirements and in compliance with my Data Retention Policy. All personal data will be disposed of appropriately and securely in accordance with the Data Retention and Disposal Policy and Data Security Policy.

Where personal data has been shared with third parties for the purposes of providing my services and managing my practice, such data will be retrieved from the third party (data processor) or directions will be given to the third party about safe disposal of such data in accordance my data retention policy.

I will ensure all personal data is non-recoverable from any computer system I use or dispose of.

This policy should also be read in conjunction with the Data Security Policy and Data Retention and Disposal Policy of my practice.

Data access and accuracy

All data subjects have the right to access the information I hold about them, except where specific exemptions apply to me as a legal professional. I will also take reasonable steps to ensure that this information is kept up to date.

In addition, I will ensure that:

• All employees of mine, or third parties with whom I work:
  • understand that they are contractually responsible for following good data protection practice;
  • are appropriately trained to do so and are aware of the process for managing requests for access to data by data subjects; and
  • are appropriately supervised.
• Any data subject who wishes to make enquiries about how their personal information has been processed knows how to make this request.
• Where required, I will work with other parties to facilitate and respond to such requests for data.
• I will ensure that where I share data with a third party, they are contractually bound to assist with requests from data subjects seeking access to their data.

Disclosure

I may share data with third parties, including, but not limited to, instructing solicitors, other agencies such as government departments and other relevant parties. Where this occurs, I will ensure that where appropriate a Data Sharing Agreement is in place.

I will ensure that data will not be shared outside the UK or with unauthorised parties without my specific permission. Data subjects will be made aware in most circumstances about how and with whom their information will be shared.

There are circumstances where the law allows the barrister to disclose data (including sensitive data) withoutthe data subject’s consent.

These are:

1. Carrying out a legal duty or as authorised by the Secretary of State;
2. Protecting vital interests of an individual/data subject or other person;
3. The individual/data subject has already made the information public;
4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights;
5. Monitoring for equal opportunities purposes – i.e. race, disability or religion;
6. Providing a confidential service where the individual/data subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill individuals/data subjects to provide consent signatures.

Data protection training

I will ensure that I and any individuals employed by me are appropriately trained in data protection annually.

If new members of staff commence work with me, they will be provided with data protection training within [the first month] of employment.

I will keep a register of all training completed by me or any employees for ICO audit purposes.

Breaches of personal data

In the event of a data protection breach, which is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, I will undertake the following steps:

• I will instigate necessary investigation as per the guidance in the Data Breach and Crisis Management plan.

• Where it is determined that the breach has met with the required threshold and is likely to result in a risk to the rights and freedoms of the data subjects involved, I will report the breach to the Information Commissioner’s Office (ICO without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.

• Where it is assessed that the data subjects should be informed of the data breach, I will take the relevant steps to advise the affected parties.

• I will make an assessment whether the data breach merits a report to the Bar Standards Board in accordance with their guidance and code of conduct.

Complaints

Complaints relating to breaches of the UK GDPR and/ or complaints that an individual’s personal data is not being processed in line with the data protection principles should be referred to myself.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the UK GDPR and Data Protection Act 2018.

Non-conformance

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

In case of any queries or questions in relation to this policy, please contact me as Data Protection Lead:

Name and contact details of the Data Protection Officer: PATRICIA GRACE ROBERTSON

 

pgrobertson@newcourtchambers.com

 

07523611643

PRIVACY POLICY OF: 

PATRICIA GRACE ROBERTSON

NEW COURT CHAMBERS, TEMPLE, LONDON, EC4Y 9BE

ZB321516 

 

29 NOVEMBER 2022

Policy became operational on: 4 APRIL 2022

Next review date: 1 JANUARY 2022

Privacy Policy

In order to provide legal advice and representation, I need to collect and hold personal information. This may be your personal data or information relating to other parties involved in the matter. I will take all possible steps to protect personal information. I will ensure that I do not do anything that may infringe your rights or undermine your trust. This privacy notice describes the information I collect about you, how it is used and shared, and your rights regarding it. 

Data controller

I, P Grace Robertson, am a member of New Court Chambers. I am registered with the Information Commissioner’s Office (ICO) as a Data Controller for the personal data that I hold and process as a barrister. My registered address is New Court Chambers, EC4Y 9BE and my ICO registration number is ZB321516 . If you need to contact me about your data or this privacy notice, you can reach me at pgrobertson@newcourtchambers.com

Data collection

All of the information that I hold about you is provided to, or gathered by, me in the course of your case and/or proceedings. Your solicitor and/or I will tell you why we need the information and how we will use it. In addition to the information you may provide to me or your solicitor, I also obtain information from other sources as follows:

• Information that is available publicly in registers, searches or in the media
• Other legal professionals including solicitors and barristers and their associates, trainees and staff
• Chambers staff
• Expert witnesses
• Prosecution bodies
• Regulatory, public or administrative bodies
• Court staff & officials
• Clients
• References

What data do I process about you?

Depending on the type of work, I collect and process both personal data and special categories of personal data as defined in the UK GDPR. This may include:

• Name
• Email address
• Phone number
• Address
• Payment or bank details
• Date of birth
• Next of kin details
• Details pertaining to education and employment
• Information on your background & current circumstances
• Financial information.

Where relevant, I may also need to process special category personal data that reveals your:

• Racial or ethnic origin
• Political opinions
• Religious and philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for the purpose of uniquely identifying a natural person
• Data concerning health
• Sex life and sexual orientation.

On occasion, I may also process personal data relating to criminal convictions and offences.

My lawful basis for processing your information

In order that I can provide legal services and representation for you, I must process your personal data. The UK General Data Protection Regulation (the UK GDPR) requires that where I process personal data, I must have a lawful basis for doing so. The lawful bases identified in the UK GDPR that I seek to rely upon are as follows:

• Consent of the data subject –where this required, I will ensure that I have your specific consent for processing your data for the specified purposes. You will also have the right to withdraw your consent at any time. Where you do so this will not affect the legality of data processing which had taken place prior to your withdrawal of consent.
• Performance of a contract with the data subject, or to take steps to enter into a contract.
• Compliance with a legal obligation –to comply with various regulatory and professional obligations, e.g. filing tax returns with HMRC.
• The legitimate interests of my business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Examples of legitimate interests include but are not limited to:

• Provision of legal services and advice.
  • For purposes of practice management, accounting and debt recovery;.
• For completion of professional regulatory requirements.
• Processing for direct marketing purposes, or to prevent fraud.
• Reporting threats to public security.
• Such other purposes as set out below.

Special category processing

The UK GDPR specifies that where I process special category data, I must rely upon certain exemptions in order to do so lawfully. The following exemptions are applicable in my practice

1. I have your explicit consent to do so; or
2. It is necessary for the exercise or defence of legal claims or judicial acts.

Criminal data processing

On occasion, I process data relating to criminal offences where it is necessary for:

• The purpose of, or in connection with, any legal proceedings;
• The purpose of obtaining legal advice; or
• The purposes of establishing, exercising or defending legal rights
• Where I have your explicit consent to do so.

Purposes:

 I use your personal information for the following purposes:

• Provide legal advice and representation;
• Assist in training pupils and mini pupils;
• Investigate and address your concerns;
• Communicate with you about news, updates and events;
• Investigate or address legal proceedings relating to your use of my services, or as otherwise allowed by applicable law;
• Make statutory returns as required by [x];
• Assist in any tendering or panel membership applications;
• Assist in any other applications for the purpose of professional development or career progression;
• Communicate legal updates and judgments to other legal professionals;
• For marketing purposes.
• For the management and administration of my practice
• To recover debt
• To manage complaints with regulators
• Communications with regulators
• Where relevant to conduct anti money laundering, terrorist financing or conflict of interest checks

In the course of processing your information to provide legal services to you, I may share your personal data with:

• Instructing solicitors or other lawyers involved in your case;
• A pupil or mini pupil, under my training;
• Opposing counsel, for the purposes of resolving the case;
• Court Officials, including the Judiciary;
• Opposing lay clients
• My chambers’ management and staff who provide administrative services for my practice;
• Expert witnesses and other witnesses;
• My regulator or legal advisors in the event of a dispute, complaint or other legal matter;
• Head of Chambers or complaints committee within my chambers, in the event of a complaint;
• Law enforcement officials, government authorities, or other third parties, to meet any legal obligations;
• Legal directories, for the purpose of professional development;
• Any relevant panel or tendering committee, for the purpose of professional development;
• Accountants and banking officials;
• Regulators or arbitrators, where complaints or disputes arise;
• Any other party where I ask you for consent, and you consent, to the sharing.
• I may also be required to disclose your information to the Police or Intelligence services where required by law or pursuant to a court order

Transfers to third countries and international organisations

[I do not transfer any personal data to third countries or international organisations.]

I retain your personal data while you remain a client unless you ask me to delete it. My Retention and Disposal Policy (copy available on request) details how long I hold data for and how I dispose of it when it no longer needs to be held. I will delete or anonymise your information at your request unless:

• There is an unresolved issue, such as a claim or dispute;
• I am legally required to; or
• There are overriding legitimate business interests to do so.

I will typically retain case files for a period of 7 years following the conclusion of a case/matter or receipt of final payment, whichever is the latest. This reflects the period required by the Bar Mutual Indemnity Fund relating to potential limitation periods.

 

Where various pleadings and documents have been drafted, they may be retained for learning purposes and legal research. Where this is the case, I will anonymise the personal information/redact information which may identify an individual/risk assess the continued retention of the documents.

 

Your rights

The UK GDPR gives you specific rights in terms of your personal data. For example, you have the right of access to the information I hold and what I use it for;

you can ask for a copy of the personal information I hold about you.

You can ask me to correct any inaccuracies with the personal data I hold, and you can ask me to stop sending you direct mail or emails or, in some circumstances, ask me to stop processing your details.

Finally, if I do something irregular or improper with your personal data, you can complain to the ICO if you are unhappy with how I have processed your information or dealt with your query. You may also seek compensation for any distress you are caused or loss you have incurred.

You can find out more information from the ICO’s website:

http://ico.org.uk/for_the_public/personal_information

Accessing and correcting your information

You may request access to, correction of, or a copy of your information by contacting me at pgrobertson@newcourtchambers.com

Marketing opt-outs

You may opt out of receiving emails and other messages from my practice by following the instructions in those messages.

I will occasionally update my privacy notice. When I make significant changes, I will notify you of these pgrobertson@newcourtchambers.com I will also publish the updated notice on my website profile.