Edinburgh Napier Law Clinic (“the Clinic”) is compliant with data protection law, being the General Data Protection Regulation (GDPR) 2016/679, Data Protection Act 2018 and all relevant EU and UK data protection legislation, which confer rights to those subject to the collection, processing, storage and disposal of their personal data.
The Clinic is committed to ensuring that the collection, processing, storage and disposal of its clients’ personal data are compliant with data protection law.
1. Data Protection Principles
The Clinic ensures that client data in its possession are:
1.1 Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
1.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
1.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
1.4 Accurate and, where necessary, kept up to date and that reasonable steps will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
1.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
1.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. “Client data”
2.1 “Client data”, for the Clinic’s purposes, may include:
– Client’s full name
– Date of birth
– Telephone number(s)
– Email address(es)
– National Insurance number
– Photocopies of photo ID (such as passport or driving licence)
– Photocopies of all documents provided by the client which they have deemed relevant to the legal matter they wish to have addressed by the Clinic.
– A hardcopy file held securely in the Clinic’s office or in a secure online database holding scanned versions of all of the above.
2.2 The Clinic will never request bank details from its clients. Should any member of the Clinic, or any person purporting to represent the Clinic, attempt to do so, the matter should be raised with the Clinic’s Management Committee immediately.
3.1 Client data are primarily held in files retained securely in the Clinic’s office. The Clinic may also utilise a secure online database, Clio, which is password-secure and can only be accessed by Clinic Advisers.
4.1 The Clinic’s lawful basis for processing client data is to assist the client in the resolution of the legal issue for which they have requested the Clinic’s assistance and to provide the Clinic’s volunteer Advisers with practical legal work experience.
4.2 Client data, to the extent of the “Statement of Facts” and “Letter of Advice” documents only, may be used by Clinic Advisers to assist them in their legal research for future cases and for the purpose of improving the Clinic’s services. In that instance, all identifying details relating to clients will be removed from those documents.
4.3 The Clinic may carry out checks to ensure that no conflicts of interest arise between its clients or supporting organisations.
4.4 The Clinic will not share client data unless it is in the client’s interests, is necessary to carry out the Clinic’s activities – first seeking the client’s express permission to do so – or where it is required to do so by law.
4.5 The Clinic will never sell client data.
5.1 Client data will be retained for the duration of the client’s matter and will be retained on its database for a minimum period of 1 year following its conclusion.
5.2 Client data may be retained up to a maximum of 3 years following the matter’s conclusion, unless there is a specific need that they be retained for longer.
5.3 Client data are disposed of securely by deletion or destruction in confidential waste provided by Edinburgh Napier University.
5.4 The “Statement of Facts” and “Letter of Advice” documents issued during the process of advising clients may be retained indefinitely for the purpose of record-keeping and improving the Clinic’s services by assisting Advisers with their legal research in future cases. In that instance, all identifying details relating to clients will be removed from those documents.
5.5 All Clinic clients are entitled to specifically request the secure destruction of any data held for them.
6.1 The Clinic will not advertise its services to clients by telephone, email or letter.
6.2 The Clinic will not use client data as a means of advertisement unless through testimonials, in which case the client’s express permission to do so will be sought.
7.1 The Clinic’s primary method of advertising its services is through the use of Facebook. The Clinic will never post client data unless by way of testimonials, in which case the client’s express permission to do so will be sought.
7.2 The Clinic will not provide its services through the use of Facebook messaging. Where a client or prospective client contacts the Clinic by Facebook messaging to that end, the client will be directed to contact the Clinic by its dedicated email address or by telephone.
7.3 Where it is felt that a member of the public or client has shared sensitive personal data on the Clinic’s Facebook page, Clinic Advisers will endeavour to inform the individual and then remove the data from its Facebook page.
8. Website Data Policy
8.1 Edinburgh Napier Law Clinic’s website is situated at: www.enlc.co.uk
8.2 Prospective clients may contact the Clinic using the online contact form.
8.3 Data collected using the contact form may include:
– Contact information including email address
– Demographic information such as postcode, preferences and interests
– Client enquiry
8.4 Data are gathered for the purposes of:
– Understanding the prospective client’s needs
– Improving the Clinic’s services
– Internal record-keeping
(i) Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.
You can find more information about cookies at:
(ii) Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience. The cookies used on the Clinic’s website have been categorised based on the categories found in the International Chambers of Commerce UK Cookie Guide:
Category 1: strictly necessary cookies
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, online services you have asked for, like shopping baskets, e-billing or contact forms, cannot be provided.
Category 2: performance cookies
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
By using the Clinic’s website, you agree that the Clinic can place these types of cookies on your device.
Category 3: functionality cookies
These cookies allow the website to remember choices you make (such as your username, language or the region you are in) and provide enhanced, more personal features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
By using the Clinic’s website, you agree that we can place these types of cookies on your device.
8.6 Links to other websites
The Clinic’s website may contain links to other websites of interest. However, once you have used these links to leave the Clinic’s website, you should note that the Clinic does not have any control over that other website. The Clinic cannot therefore be responsible for the protection and privacy of any information which you provide whilst visiting such sites, and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
8.7 The Clinic will not sell, distribute or lease personal information gathered from the Clinic’s website to third parties unless the Clinic has your express permission or is required by law to do so.
9. Client Rights in Relation to Data
All Clinic clients retain the right:
9.1 To information, free of charge, regarding the manner by which their data are retained and processed. Any such request will be complied with within a maximum of 1 month of its being made.
9.2 To access, free of charge, the data the Clinic holds for them. Any such request will be complied with within a maximum of 1 month of its being made.
9.3 To the rectification, free of charge, of any inaccuracies contained in the data held for them. Any such request will be complied with within a maximum of 1 month of its being made.
9.4 To request erasure, free of charge, of the data held for them. Any such request will be complied with within a maximum of 1 month of its being made.
9.5 To request restriction, free of charge, of the manner by which their data are retained or processed. Any such request will be complied with within a maximum of 1 month of its being made.
9.6 To object to the manner by which their data are obtained, retained or processed.
9.7 Not to be subject to data profiling.
10. Policy in Event of Breach
10.1 The Clinic will take appropriate steps to rectify any breach as a matter of urgency.
10.2 The Clinic will inform its clients of any data breach where it is likely to result in a high risk to the rights and freedoms of its clients.
10.3 The Clinic will report a data breach to the Information Commissioner’s Office (ICO) within 72 hours where the breach is likely to result in risk to the rights and freedoms of its clients.
11. Complaints Regarding Privacy or in the Event of Breach
11.1 Any complaints, requests or concerns regarding the manner by which client data are obtained, retained, processed or disposed of, or those in relation to a data breach, should in the first instance be made to the Clinic’s Management Committee in writing, by email (firstname.lastname@example.org) or by post (Edinburgh Napier Law Clinic, Bright Red Triangle, Room D74, Edinburgh Napier University, Merchiston Campus, 10 Colinton Road, Edinburgh EH10 5DT).
11.2 The Clinic’s “data controllers” for the purposes of the General Data Protection Regulation will then endeavour to address the complaint, request or concern as quickly as possible, and in any event within one month of its being raised.
11.3 Those controllers are the Clinic’s incumbent Managing Directors at the time the matter occurred or is raised.
11.4 The Clinic’s data controllers will report a data breach to the Information Commissioner’s Office (ICO) within 72 hours where the breach is likely to result in risk to the rights and freedoms of its clients.