25 February 2016

Privacy policy

This privacy policy sets out how Edinburgh Napier Law Clinic uses and protects any information that you give Edinburgh Napier Law Clinic when you use this website.

Edinburgh Napier Law Clinic is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

Edinburgh Napier Law Clinic may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy was last updated: May 2018.

 

Data Protection & Privacy Policy

Edinburgh Napier Law Clinic (“the Clinic”) is compliant with data protection law, being the General Data Protection Regulation (GDPR) 2016/679, Data Protection Act 2018 and all relevant EU and UK data protection legislation, which confer rights to those subject to the collection, processing, storage and disposal of their personal data.

The Clinic is committed to ensuring that the collection, processing, storage and disposal of its clients’ personal data are compliant with data protection law.

 

1. Data Protection Principles

The Clinic ensures that client data in its possession are:

 

1.1 Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).

1.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).

1.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).

1.4 Accurate and, where necessary, kept up to date and that reasonable steps will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).

1.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).

1.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

2. “Client data”

2.1 “Client data”, for the Clinic’s purposes, may include:

 

– Client’s full name

– Date of birth

– Address

– Telephone number(s)

– Email address(es)

– National Insurance number

– Photocopies of photo ID (such as passport or driving licence)

– Photocopies of all documents provided by the client which they have deemed relevant to the legal matter they wish to have addressed by the Clinic.

– A file held in a secure online database holding scanned versions of all of the above.

 

2.2 The Clinic will never request bank details from its clients. Should any member of the Clinic, or any person purporting to represent the Clinic, attempt to do so, the matter should be raised with the Clinic’s Management Committee immediately.

 

3. Retention

3.1 Client data are primarily held on an online database which is password-secure and can only be accessed by Clinic Advisers. The Clinic may also retain a hardcopy file containing the same data, which would be held within the Clinic’s secure office.

 

4. Use

 4.1 The Clinic’s lawful basis for processing client data is primarily to assist the client in the resolution of the legal issue for which they have requested the Clinic’s assistance.

4.2 Client data, to the extent of the “Statement of Facts” and “Letter of Advice” documents only, may in addition be used by Clinic Advisers to assist them in their legal research for future cases and for the purpose of improving our services. In that instance, all identifying details relating to clients will be removed from those documents.

4.3 The Clinic may carry out checks to ensure that no conflicts of interest arise between its clients or supporting organisations.

4.4 The Clinic will not share client data unless it is in the client’s interests, is necessary to carry out the Clinic’s activities – first seeking the client’s express permission to do so – or where it is required to do so by law.

4.5 The Clinic will never sell client data.

4.6 All Clinic members will be trained in accordance with the terms of this Privacy Policy in order to ensure compliance with data protection law.

 

5. Disposal

5.1 Client data will be retained for the duration of the client’s matter and will be retained on its database for a minimum period of 1 year following its conclusion.

5.2 Client data may be retained up to a maximum of 3 years following the matter’s conclusion, unless there is a specific need that they be retained for longer.

5.3 Client data are disposed of securely by deletion or destruction in confidential waste provided by Edinburgh Napier University.

5.4 The “Statement of Facts” and “Letter of Advice” documents issued during the process of advising clients may be retained indefinitely for the purpose of improving the Clinic’s service by assisting Advisers with their legal research in future cases. In that instance, all identifying details relating to clients will be removed from those documents.

5.5 All Clinic clients are entitled to specifically request the secure destruction of any data we hold for them.

 

6. Advertising

6.1 The Clinic will not advertise its services to clients by telephone, email or letter.

6.2 The Clinic will not use client data as a means of advertisement unless through testimonials, in which case the client’s express permission to do so will be sought.

 

7. Facebook Privacy Policy

7.1 The Clinic’s primary method of advertising its services is through the use of Facebook. The Clinic will never post client data unless by way of testimonials, in which case the client’s express permission to do so will be sought.

7.2 The Clinic will not provide its services through the use of Facebook messaging. Where a client or prospective client contacts the Clinic by Facebook messaging to that end, the client will be directed to contact the Clinic by its dedicated email address or by telephone.

7.3 Where it is felt that a member of the public or client has shared sensitive personal data on the Clinic’s Facebook page, Clinic Advisers will endeavour to inform the individual then remove the data from its Facebook page.

 

8. Client Rights in Relation to Data

 All Clinic clients retain the right:

8.1 To information, free of charge, regarding the manner by which their data are retained and processed. Any such request will be complied with within a maximum of 1 month of its being made.

8.2 To access, free of charge, to the data the Clinic holds for them. Any such request will be complied with within a maximum of 1 month of its being made.

8.3 To the rectification, free of charge, of any inaccuracies contained in the data held for them. Any such request will be complied with within a maximum of 1 month of its being made.

8.4 To request erasure, free of charge, of the data held for them. Any such request will be complied with within a maximum of 1 month of its being made.

8.5 To request restriction, free of charge, of the manner by which their data are retained or processed. Any such request will be complied with within a maximum of 1 month of its being made.

8.6 To object to the manner by which their data are obtained, retained or processed.

8.7 Not to be subject to data profiling.

 

9. Policy in Event of Breach

9.1 The Clinic will take appropriate steps to rectify any breach as a matter of urgency.

9.2 The Clinic will inform its clients of any data breach where it is likely to result in a high risk to the rights and freedoms of its clients.

9.3 The Clinic will report a data breach to the Information Commissioner’s Office (ICO) within 72 hours where the breach is likely to result in risk to the rights and freedoms of its clients.

 

 10. Complaints Regarding Privacy or in the Event of Breach

10.1 Any complaints, requests or concerns regarding the manner by which client data is obtained, retained, processed or disposed of, or those in relation to a data breach, should in the first instance be made to the Clinic’s “data controllers” for the purposes of the General Data Protection Regulation.

10.2 Those controllers are the Clinic’s incumbent Managing Directors at the time the matter occurred or is raised.

10.3 A complaint may then be made to the Clinic’s Management Committee in writing, by email (lawclinic@napier.ac.uk) or by post (Edinburgh Napier Law Clinic, Bright Red Triangle, Room D74, Edinburgh Napier University, Merchiston Campus, 10 Colinton Road, Edinburgh EH10 5DT).

10.4 Should a client continue to be dissatisfied with the outcome of their complaint after the Management Committee’s decision, the client can request a review of this decision by the Board of Directors of the Clinic. The client’s request must be in writing and sent for the attention of the Board of Directors within two weeks of the Management Committee’s decision. The Board of Directors retains ultimate control over the activities of the Clinic and its decisions on all matters concerning the Clinic are final.

10.5 The Clinic may report a data breach to the Information Commissioner’s Office (ICO) where the breach is likely to result in risk to the rights and freedoms of its clients.

 

11. Website Cookie Policy

11.1 Data collected from website

We may collect the following information:

– Name

– Contact information including email address

– Demographic information such as postcode, preferences and interests

– Client enquiry

11.2 What the Clinic does with the data gathered

These data are required to understand the client’s needs to provide a better service, and in particular for the following reasons:

– Internal record keeping

– Improve our products and services

11.3 What is a cookie?

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.

You can find more information about cookies at:

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience. The cookies used on this website have been categorised based on the categories found in the ICC UK Cookie guide.

Category 1: strictly necessary cookies

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, services you have asked for, like shopping baskets or e-billing, cannot be provided.

Category 2: performance cookies

These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.

By using our website, you agree that we can place these types of cookies on your device.

Category 3: functionality cookies

These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

By using our website, you agree that we can place these types of cookies on your device.

A list of all the cookies used on this website by category is set out below:

| Cookie Name | Cookie Category | Description | Duration |
| --- | --- | --- | --- |
| wordpress_ | 2 | WordPress cookie for a logged in user. | session |
| wordpress_logged_in_ | 2 | WordPress cookie for a logged in user | session |
| wordpress_test_ | 2 | WordPress cookie for a logged in user | session |
| wordpress_test_cookie | 2 | WordPress test cookie | session |
| wp-settings- | 1 | WordPress also sets a few wp-settings-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. | 1 year |
| wp-settings-time- | 2 | WordPress also sets a few wp-settings-{time}-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. | 1 year |
| PHPSESSID | 1 | To identify your unique session on the website | session |
| SESS | 1 | To ensure that you are recognised when you move from page to page within the site and that any information you have entered is remembered. | session |

11.4 Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

You may request details of personal information which we hold about you under the Data Protection Act 1998.

A small fee will be payable.

If you would like a copy of the information held on you please write to:

Edinburgh Napier Law Clinic
219 Colinton Road
Edinburgh
EH14 1DJ

If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible at the above address. We will promptly correct any information found to be incorrect.