Privacy Policy
This policy (together with our Privacy & Data Sharing Policy available on our website at www.plattandfishwick.co.uk) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By submitting personal data to us, you agree to us using your data as follows:
For the purposes of the Data Protection Act 1998 ("the Act"), the Data Controller is Platt & Fishwick Ltd of 47 King Street, Wigan, WN1 1DB. Our email address is info@plattandfishwick.co.uk
It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us as above or to any email address you are using as part of an ongoing instruction or matter.
Information we may collect from you
We may collect and process the following data about you:
- Information that you provide by filling in forms on our website www.plattandfishwick.co.uk. This includes information provided at the time of making an initial enquiry or requesting further services.
- A record of any communications received from you, including emails, written communications in hard copy, written records of telephone calls or meetings or photographs supplied.
- Bank account, payment card or other financial details.
- Information contained in documents required for identification purposes including date of birth, national insurance, social security references or employment details.
- Other information which may come into our possession during the necessary course of us providing our services to you.
- We may also ask you for information if you report a problem with our website.
Sensitive Data
We currently do not collect any sensitive data about those who use our services. Should we require this in the future, we will seek your explicit consent for processing sensitive data and will send you further communication asking you to confirm your consent to this processing.
How we collect your personal data
We collect data about you through a variety of different methods involving our interactions with you including when you:
- Request information about our services either via our website or otherwise
- Instruct us to act in a specific matter
- Provide us with feedback
How we store your personal data and keep it safe
- We hold your personal information in electronic and physical files. All information held electronically is held on a cloud-based data centre facility with ISO-27001 certification.
- Physical files are kept securely at our offices where there is no general access for the public beyond reception areas and which are protected by electronic intruder alarms out of hours. All staff are subject to contractual confidentiality obligations. Electronic files are password protected with enhanced level security for partner/director access to sensitive records.
- We will regularly review our IT security systems and ensure that appropriate levels of security are maintained in any IT system, service, product or business practice we introduce or adopt. We will ensure that any third parties having access to your personal data provide sufficient guarantees of their technical and organisational measures for data protection and that such third parties are subject to a duty of confidentiality.
- We are aware of and maintain vigilance in respect of threats to the security of data we hold including malware, viruses or "phishing" attacks. We have an email security protocol for staff and annual refresher training in respect of suspicious electronic communications/emails/attachments. Our IT security systems include various perimeter filtering mechanisms, including "next generation" firewalls.
- All our servers/applications/data are backed up to a secure storage appliance with an additional copy backed up to a remote third party data centre facility. A number of anti-virus/malware solutions are in place, including DMARC, DDoS mitigation and custom threat intelligence.
- Instructions to staff with regard to prohibitions against downloading unauthorised software, use of USB sticks etc. are regularly reinforced. DNS filtering is in place and social media websites are blocked.
- We will review this privacy policy at least annually and update it where necessary to ensure we maintain a "data protection by design and default" approach in connection with dealing with your personal data.
- We have put in place procedures to deal with a suspected personal data breach and will notify you and any applicable regulator of a breach immediately we are legally required to do so.
- The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Uses made of the information
We use information held about you in the following ways:
- To represent your interests to the best of our abilities in any specific matter where we are instructed by you to act.
- To notify you about any changes to our service.
- To provide you with information, products or services that you request from us or which we feel may be of interest to you.
Communication, marketing and advertising preferences
You may receive marketing communications from us if you have requested information from us or purchased services from us but not if you have opted out of receiving such communications.
Change of purpose
We will only use your personal data for the purposes for which we collected it. If we need to use your personal data for another purpose besides that for which we collected it, we will notify you and explain the need for this and seek your permission.
Data Protection impact assessments
We will be vigilant for the need of any data processing that might result in a high risk to individuals so that a data protection impact assessment is required. Examples might include a requirement to process sensitive data or a change of purpose in the use of your personal data. If any high risk identified in this way cannot be sufficiently mitigated, we will seek the advice of the ICO.
Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means bearing in mind the applicable legal requirements.
If we feel it appropriate for research or statistical purposes, we may anonymise your personal data so that it can no longer be associated in any way with you, in which case, we may use this information indefinitely without further notice to you.
Disclosure of your information
We may disclose your personal information to third parties:
- Our service providers who provide IT and systems administration services.
- To other professionals for the necessary advancement of your case or matter, all of whom will owe similar duties to you pursuant to the Data Protection Act.
- Legal and regulatory bodies including the Solicitors Regulation Authority, the Legal Ombudsman, the Court Service and the Legal Aid Agency if your case is legally aided or if you apply for Legal Aid.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of us or any of our customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Your rights
In addition to your right to be informed of the grounds for our processing of your data, you also have the rights set out below relating to the processing of your personal data. You can exercise your rights as an individual by emailing us at the address given at the end of this policy.
Accessing your personal data
- You have the right to access and to ask for a copy of the data that we hold about you and to ensure that our grounds for processing your data are legitimate. This right always applies.
- Any information requested will be provided free of charge unless we believe the request to be unfounded, excessive or repetitive in nature. In these circumstances, we can charge a fee which we believe to be reasonable based on the nature of the request. Please also see under "Subject access requests" below.
Correcting and updating your personal data
- You have the right to ask us to correct information we hold that you think is inaccurate or incomplete. This right always applies.
Withdrawing your consent
- Where we rely on your consent as the legal basis for processing your personal data, as set out under "how we use your personal data", you may withdraw your consent at any time by emailing us at info@plattandfishwick.co.uk (please use "data consent withdrawal" as the subject heading of your email).
- If you withdraw your consent, our use of your personal data before you withdraw your consent is still lawful.
- If we are relying on your explicit consent to process Special Category personal data, this may impact our ability to provide legal services to you.
Objecting to our use of your personal data and automated decisions made about you
- Where we rely on our legitimate interests as the legal basis for processing your personal data, except for the purposes for which we are satisfied we can continue to process your personal data, we will temporarily stop processing your personal data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under Data Protection legislation, we will permanently stop processing your data for those purposes. Otherwise, we will provide you with our justification to continue processing your personal data.
- You may also contest a decision we made about you based on an automated decision.
Erasing your personal data or restricting its processing
- In certain circumstances, you may ask for your personal data to be removed from our systems. Provided we do not have continuing lawful basis to continue processing or holding your personal data, we will make reasonable efforts to comply with your request.
- You may also ask us to restrict processing your personal data where you believe our processing is unlawful, you contest its accuracy, you have objected to its use and our investigation is pending, or you require us to keep it in connection with legal proceedings. We may only process your personal data while its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
Data portability
- Where you have provided information to us direct, you have the right to ask us to transfer the information you gave us from one organisation to another or give it to you. This only applies where we are relying on your consent or performance of a contract as a legal basis for our processing.
- We may not provide you with a copy of your personal data in certain circumstances, but we will explain why we are unable to provide the data.
Your right to complain
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner's Office, being the UK supervisory authority for Data Protection issues. We would be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you. The ICO can be contacted at www.ico.org.uk.
Subject access requests
A formal request from you with regard to any data we hold about you must be made in writing. Any such request received by any member of staff either by email or in hard copy will immediately be forwarded to the Data Protection Officer. The Data Protection Officer will respond in accordance with ICO guidelines within 28 days unless it is a complex request or numerous requests are made. In these circumstances, we have up to two months to respond to you.
Personal data breach
In the event of any serious data breach which may include data theft, misappropriation, misuse or fraud, we shall report the matter within 72 hours to the ICO. A serious data breach is one which may result in a risk to people's rights and freedoms or where there may be potential serious misuse of such data. Our policy is to record any personal data breaches irrespective of seriousness. You will be advised of any data breach identified which results in a risk to your rights or freedoms.
Training
We will provide training to all individuals about their data protection responsibilities as part of the induction process and at least at 12 monthly intervals thereafter. Individuals (employees or consultants) whose roles require regular access to personal data or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.
Changes to our privacy policy
Any changes we make to our privacy policy whilst we are acting in any ongoing matter for you will be communicated to you and will in any event be posted on our website. This version of our privacy policy was finalised on 31/7/24.
Contact
We are required to have a Data Protection Officer as mandated by Data Protection legislation and any enquiries about our use of your personal data should be addressed to the individual named below:
DPO: Mark Richardson, 01942 243281, mrichardson@plattandfishwick.co.uk. Address: Data Protection Officer, Platt & Fishwick, 47 King Street, Wigan, WN1 1DB