The following paragraphs are very important. Please read them carefully.

We would like to explain to you why and when we collect personal data from you, how we use it, the conditions under which we may disclose it to others, how we keep it secure and your rights in relation to your data.

We manage your data in compliance with the GDPR 2016 (General Data Protection Regulations 2016)

Who we are

Data is collected, processed, and stored by Shelley and Co. We are what is known as the ‘data controller’ of the personal information that you provide to us.

We are registered with the Information Commissioner’s Office under registration reference Z9600943. Queries in relation to personal data should be directed to Mark Shelley by email, shelley@shelleyandco.org.uk 

What data do we need?

The exact information that we will request from you will depend on what you have asked us to do for you. As such this information is intended for clients or prospective clients only.

Under the GDPR 2016 there are two types of personal data (personal information) that you may provide to us:

· Personal data: is the general information that you supply about yourself, such as your name, address, gender, DOB and contact details.

· Special categories of personal data: is by its nature, more sensitive and may include your racial or ethnic origin, religion, sexual orientation or physical or mental health condition.

Other sources of your personal data.

In addition to receiving information about yourself from you, we may receive information about you from other organisations. This information is usually provided to us to enable us to conduct your case for you. Typically, we may receive information from:

· Your employer, bank, DWP and other such organisations.

· GP’s, consultants and other healthcare organisations.

· Police, Crown Prosecution Service, Courts and other agencies involved in the criminal justice system.

· Solicitors and other organisations who may have referred your case to us.

Why we need it.

The main reason why we ask you and other organisations for your personal data is to allow us to represent you in your criminal case and for us to carry out your instructions. The following are examples of what we may use your information for:

· To apply for legal aid.

· To verify your identity.

· To obtain expert/medical reports.

· To communicate with you.

· To obtain information from third parties.

· To conduct your case.

Who may we provide your personal data to?

Generally, we will only use your information within Shelley and Co. However, there may be circumstances, in representing you, we may need to disclose some information to third parties. There are other circumstances where we are obliged by law to disclose your information to third parties, for example:

· Courts, Crown Prosecution Service, probation, police and other criminal justice agencies.

· Solicitor agents.

· Independent Barristers.

· External auditors and/or our regulators, e.g. SRA, ICO, LAA, SQM etc.

· Contracted suppliers.

· Providers of identity verification.

· Experts who are asked to assist with your case.

· GP’s, consultants and other healthcare professionals.

· Any disclosure required by law or regulation such as for the prevention of financial crime and terrorism.

· If there is an emergency and we think you or others are at risk.

In the event of any of your information is shared with the aforementioned third parties, we will ensure that they comply strictly and confidentially with our instructions and they do not use your personal information for their own purposes unless you have consented to them doing so.

How we protect your data.

We take all reasonable steps to protect your personal information.

We ensure high standards of technology and operational security in order to protect personally identifiable data from loss, misuse, alteration, unauthorised use or access or destruction. We use computer safeguards such as firewalls and data encryption and we prevent, where possible unauthorised physical access to our premises.

Similarly, we adopt a high threshold when it comes to confidentiality obligations and both internal and external parties have to agree to protect the confidentiality of your information.

How long will we keep it for?

Your personal information will be retained, usually in computer or manual files, only for as long as is necessary for the purpose you gave your information to us for: or as long as it is required by law, regulations or to comply with LAA contracting obligations. Your information will be kept for a period of six years before being deleted. 

Your rights

The GDPR 2016 gives you a number of rights. They are as follows:

· Access to your information.

· A right to correct any errors in your personal information.

· Erasure. In certain circumstances you have the right to ask us to delete your personal information.

· In certain circumstances, you have the right to limit the purpose for which we process your data.

· You have the right to transfer your personal information to another data controller.

· You have the right to object to us processing your information if you believe we are doing it unlawfully.

Automated decision-making

We do not undertake any automated decision making processes.

Marketing

We will never disclose your personal information to any third party for marketing purposes. We will not contact you for the purpose of direct marketing.

Complaints about data protection and confidentiality

Please direct any complaints to Mark Shelley at shelley@shelleyandco.org.uk