Data Protection is the means by which the Privacy Rights of individuals are safeguarded in relation to the processing of their Personal Data. The General Data Protection Regulations (EU) 2016/679 (GDPR) confer rights on individuals as well as placing responsibilities on those persons controlling and processing Personal Data.
We treat Personal Data with the greatest possible care and have a clear policy on Data Protection which is set out herein.
Data Protection definitions are set out in Appendix 1.
- Who are we?
Corrigan & Corrigan is a third generation firm of Solicitors founded in 1906. It is based at 3 St Andrew Street, Dublin 2.
- What Personal Data do we collect?
The Personal Data which we collect in relation to our clients includes name, address, telephone number, email address, PPS number, bank information, copy ID and proof of address, medical records, medical reports accident report forms, details an contact details of next of kin. We are required to collect this Personal Data in order to deal efficiently with cases and pursuant to our legal, statutory and regulatory obligations.
- The Legal Basis for processing the data as well as the purposes of the processing for which the personal data is intended.
We collect Personal Data in order to facilitate us in entering into a contract for the provision of legal services and for the performance of our contractual obligations on foot of same. Different information may be required depending on the type of legal service which is being provided.
We also rely upon consent to retain and process personal data.
Under the GDPR, consent is the least attractive basis for processing data as it can be difficult to maintain, therefore we generally rely on other legal bases. Solicitors need to process the personal data of individuals in order to provide them with legal services under the contract, and may also need to process also certain data to comply with legal obligations as a member of regulated profession and because it is in the legitimate interests of the firm and/or client.
When special categories of data (previously referred to as sensitive personal data, are being processed, more than one condition must be met. Because our law firm handles special category data, it is generally relying on the basis that processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
We shall keep any personal data and information we have confidential, except where disclosure is required by law or by regulation or in other exceptional circumstances.
It may be necessary to disclose information which is confidential, for example disclosures to third parties involved in the work we are undertaking such as Counsel, Engineers, Medical Advisors, Architects, Tax Consultants, Accountants etc.
It may also be necessary for information to be disclosed to, or inspected by, our specialist IT Service Providers, Law Society, Revenue Commissioners, auditors, or other advisors for the purposes of our professional indemnity insurance and/or for the purposes of applying our risk management procedures.
We endeavour to make sure that the providers of services to us are reputable and can provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that your personal rights are protected.
When we store files off site, we will take all reasonable steps to make sure that information is kept confidential.
The following are examples of how we use the Personal data which we hold depending on the type of legal service we are engaged to provide. This list is not exhaustive.
LITIGATION
- Contact details together with statements/details of the accident /incident and any investigation or medical reports/records and wages/salary and employment details will be required to enable us give advice on quantum and/or sending papers to Counsel and the making of a claim and any court proceedings
- PPS numbers may be required to facilitate the submission of a PIAB application
- Medical records may also be required as part of the discovery process.
- Bank details will be required for the payment of any settlement etc.
The period for which personal data will be stored
How long we hold data is subject to legislation and the regulatory rules we must follow, set by the Law Society, the Revenue Commissioners etc. The conclusion of each case, files are archived and routinely destroyed in accordance with Corrigan & Corrigan’s file destruction policy. Litigation files are normally destroyed after a period of 13 years in accordance with the Law Society Guidelines. Litigation files involving a minor Plaintiff are destroyed 7 years beyond the age of majority of the Plaintiff. Files may, in exceptional circumstances, be kept beyond those retention periods in certain instances to include the prevention or detection of fraud and dishonesty.
Rights pursuant to the Data Protection Legislation
Arising out of the GDPR, data subjects have the following rights which we treat with the utmost importance.
(i) A Right to Access
The right to access a copy of their Personal Data
We have discretion with regard to the scope of access sought. That discretion arises in certain instances such as the Prevention Investigation or Prosecution of Criminal Offences, the Prevention, Investigation, Prosecution of Breach of Ethics, the protection of the Data Subject, the enforcement of Civil Law claims in the interest of National Security or public interest.
Data Access Requests
Any such request should be submitted in writing by post and directed to the Solicitor handling your file.
We require evidence of identity to make sure that personal information is not given to the wrong person so we ask clients to assist us by sending in the following:
- A signed Data Access Request with a return address;
- An original or certified copy of a recent utility bill (dated within the last 3 months) with a matching address;
- A certified copy of a current passport or driving licence;
We request as much information as possible to assist us in locating the data that you are interested in accessing to include references etc.
We reserve the right to charge a reasonable fee for the copying of personal data.
(ii) Right to Rectification
Corrigan & Corrigan’s clients have a right to have Personal Data rectified if it is in any way inaccurate of incomplete. Any such request for rectification of Personal Data must be made to the Managing Partner in writing and Corrigan & Corrigan will endeavour to respond to your written requests within a period of one month of the receipt of the request. This might be extended by two further months if requests are numerous or complex.
We will also (subject to any legal constraints) advise to whom the personal Data has been disclosed, if disclosed.
(iii) Right to Erasure
Clients have the right to seek erasure of your Personal Data on foot of a written request in the following scenarios:-
- Where the personal data is no longer necessary in relation to the purposes for which it is collected;
- Where consent has been withdrawn and there is no other legal or regulatory ground for processing the personal data;
- When there is objection to the processing of the personal data and there are no overriding legitimate grounds for the processing;
- The personal data may have been unlawfully processed;
- The personal data has to be erased to comply with and EU or Member State legal obligation
- The personal data has been collected in relation to the offer of information society services to a child under 16 years of age if no parental consent has been given
- Right to restriction of processing. We will endeavour to inform recipients, to whom personal data has been disclosed, of the request for erasure, unless we are legally precluded from doing so, this proves impossible or involves disproportionate effort.
We will endeavour to inform recipients, to whom personal data has been disclosed, of the request for erasure, unless we are legally precluded from doing so, this proves impossible or involves disproportionate effort.
We will further endeavour to erase the data within one month of receipt of the request. We reserve the right to extend this period by a further two months where appropriate
The right to erasure is not an absolute right and for example is not available where we are required by law or regulation to retain certain personal data or where it undermines freedom of expression.
(iv) Right to Restriction of Processing
Clients have the right authorises us to store their personal data but not to process it. This right arises in four scenarios:-
- Where the accuracy of the data is contested, processing can be restricted for a period to enable us to verify its accuracy
- Where the processing is unlawful and the client opposes erasure and requests restriction instead;
- Where we no longer need the personal data, but the client requires the data to exercise or defend a legal claim.
- Where the client has objected to the processing, it should be restricted pending verification of whether our legitimate interest overrides all clients.
Whilst Corrigan & Corrigan’s clients have the right to restrict the processing of their personal data, this may hinder the performance of our contractual obligations to such an extent that we are no longer in a position to act for them.
(v) Right to Data Portability
The right to data portability which enables a client to obtain their data and have it transmitted to another data controller without hindrance, where technically feasible.
(vi) Right to Object to Processing
The right to object to the processing of personal data where it causes unwarranted substantial damage or distress. GDPR does provide a general right for a data subject to object to processing. Data subjects have the right to object to:-
- Processing based on public interest or legitimate interest grounds including profiling
- Direct marketing
- Processing for scientific historical or research purposes.
When a data subject objects to such processing the Controller must stop processing the personal data unless we are obligated by law or regulation to do the same. It should be noted however that objecting to the processing of a client’s personal data may hinder the performance of our contractual obligations to such an extent that we are no longer in a position to act for that client.
(vii) Right to Withdraw Consent
Data subjects have the right to withdraw consent at any time in relation to the retention and processing of personal data with Corrigan & Corrigan. Such withdrawal in relation to consent should be furnished to the managing partner at our offices in writing and will result in the termination of our contractual arrangements with the client. The exercise of this right is not an absolute right and is subject to our legal and regulatory obligations.
If a client wishes to invoke your their data protection rights, they must contact Cora Fitzsimons Managing Partner in writing by post or alternatively by e-mail to [email protected].
Right to Lodge a Complaint with the Supervisory Authority
If a client is unhappy with how we have acted in handling the personal data in any way, please contact Cora Fitzsimons, Managing Partner in writing by post or alternatively by e-mail at [email protected].
Clients also have the right to submit a complaint to the Data Protection Commissioner who can be contacted at Canal House, Station Road, Portarlington, Co. Laois or 32AP23 by e-mail at [email protected] or by telephone at 057 8684800 or 076 104800.
- Data Protection Principles and Accountability
Data subjects are entitled to know that their information and personal data is being processed and controlled for legitimate purposes and disclosed only where permissible by law. We are committed to complying with the following principles of data protection law
- Data must be processed lawfully, fairly and in a transparent manner
- Personal data must be processed for specified explicit and legitimate purposes and cannot be further processed in a manner incompatible with those purposes however processing for archiving purposes in the public interest scientific or historical research purposes or statistical purposes are not considered to be incompatible with the initial purposes
- Personal data must be accurate, relevant and limited to what is necessary only in relation to the purpose for which the data is processed
- Personal data must be accurate and where necessary kept up to date and every reasonable step must be taken to ensure that the personal data which may be incorrect or inaccurate having regard to the purposes for which it was processed, is erased or rectified without delay
- Personal data must be kept for no longer than is necessary for the purposes for which the data is processed however, personal data may be stored for longer periods insofar as it is necessary for archiving purposes in the public interest, scientific or historical research purposes of statistical purposes
- Personal data must be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage and in that regard we have particular technical and organisational measures in place which will be set out below
- A client is entitled to receive a copy of their personal data upon request. We have set out in our Client Care Policy (which is made available to our clients upon engagement), our Confidentiality and Data Protection Policy. The purposes for which the personal data is being obtained and the fact that it is being obtained is made clear in our policy as are our obligations in certain instances for the use and disclosure of personal data.
- Security Integrity and confidentiality of data
Any personal data that a client provides to us will be treated with the highest standards of security and confidentiality and handled in accordance with the General Data Protection Regulation
We have systems in place to protect clients’ personal data. We have mandatory TLS enabled for emails. When emailing sensitive data it is password protected. Staff with office mobile phones are restricted to using encrypted devices. Our offices are accessed via a secure door with a pass code protected keypad. Only office personnel are permitted beyond reception and the access to our offices is CCTV monitored.
All paper files are retained in cabinets and any files in use outside the office are transported and stored in a locked briefcase which must be attended by Corrigan & Corrigan personnel at all times.
Our computers and laptops are password protected and documentation of a sensitive nature when being transferred to other parties such as Counsel, are delivered by registered post or by courier in tamper proof envelopes.
All of our personnel are fully aware of their obligations in terms of data protection and the GDPR. All office information is treated with the utmost confidence by our personnel.
Any files which are archived off site are archived in a secure facility with a reputable company with whom we have a Data Processing Agreement in place.
Under Data Protection Legislation we are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented in processing data for our clients. Such measures can include an ongoing review of our processing systems and services by the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and a process for regularly testing, accessing and evaluating the effectiveness of technical and organisational measures in order to secure the processing of personal data for our clients.
We are also obliged to take steps to ensure that any individuals acting under our authority who have access to personal data do not process it except on very specific instructions and unless required to do so and that obligation has been made clear in our internal policies to our personnel.
- Protecting Personal Data when working remotely
When dealing with personal data the same measures are applied to remote working as working in the office. Personal information must not be accessed by or disclosed to anyone who is not authorised to see it. When working in a mobile manner or remotely, employees must ensure the security of equipment, files and any other information in their possession including transportation of such items when outside of the office building. Wherever possible equipment, paperwork, etc is locked away.
Any employee working remotely must comply with the Data Protection Commissions Guidance on working remotely and conducting video conferencing/video calling, published on the 12th March 2020, contained at Appendix 2.
- Data Protection Tips for Video-conferencing
Where either video-conferencing or video-calling is being used by any employee, the set of tips on video-conferencing for organisations and individuals as published by the Data Protection Commission on the 3rd April 2020, more particularly set out in Appendix 3, are to be read and followed, to ensure that Corrigan & Corrigan is using these technologies in a way that is safe and secure and ensures an adequate standard of data protection.
- Data Breach Reporting
In the event of a data breach, it is our policy to notify the Data Protection Commissioner without undue delay and where feasible not later than 72 hours after becoming aware of it. The breach will be logged in our Data Breach Log.
We consider a data breach to be a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or processed by us.
We have data processing agreements in place with our sub-processers to include our I.T. personnel, shredding personnel, file storage etc and it is also required that our sub-processers notify the breach to us and to the Data Protection Commissioner in the event one occurs.
We will also notify the data subject in the event of a data breach, where the breach is likely to result in high risk to them however notification is not required in some instances such as where we have implemented appropriate technical and organisational measures so that the personal data is unintelligible or where we have taken measures to ensure that the high risk to our customers does not materialise.
- Data transfers outside of Ireland
All personal data collected for the purposes specified in this Statement is processed inside the European Union (EU) or the European Economic Area (EEA) and will never be transferred to countries located outside the EU or EEA unless that Country has an adequate level of data protection or you have explicitly consented to that transfer and it is necessary for the performance of a contract or for public interest reasons and the defence of legal claims or in the vital interests of our customers.
APPENDIX 1
CORRIGAN & CORRIGAN
DEFINITION OF DATA PROTECTION TERMS
(as defined by the General Data Protection Regulation)
- Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Profiling means any form of automate automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person in particular to analyse or predict aspects concerning the natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified of identifiable natural person.
- Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.
APPENDIX 2
CORRIGAN & CORRIGAN
[Protecting Personal Data When Working Remotely as published by the DPC]
Devices
- Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced,
- Make sure that any device has the necessary updates, such as operating system updates (like iOS or android) and software/antivirus updates.
- Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimise who else can view the screen, particularly if working with sensitive personal data.
- Lock your device if you do have to leave it unattended for any reason.
- Make sure your devices are turned off, locked, or stored carefully when not in use.
- Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
- When a device is lost or stolen, you should take steps immediately to ensure a remote memory wipe, where possible.
Emails
- Follow any applicable policies in your organisation around the use of email.
- Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email make sure contents and attachments are encrypted and avoid using personal or confidential data in subject lines.
- Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.
Cloud and Network Access
- Where possible only use your organisation’s trusted networks or cloud services, and complying with any organisational rules and procedures about cloud or network access, login and, data sharing.
- If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.
Paper Records
- It’s important to remember that data protection applies to not only electronically stored or processed data, but also personal data in manual form (such as paper records) where it is, or is intended to be, part of filing system.
- Where you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
- If you’re dealing with records that contain special categories of personal data (e.g. health data) you should take extra care to ensure their security and confidentiality, and only remove such records from a secure location where it is strictly necessary carry out your work.
- Where possible, you should keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices.
APPENDIX 3
CORRIGAN & CORRIGAN
[Data Protection Tips for Video conferencing]
Tips for Individuals
- Make sure that the device you use for video-calling has the necessary updates, such as operating system updates (like iOS or android) and software/antivirus updates (and make sure it has antivirus/online security software in the first place).
- Try to use services which you know and trust, have done some research on, and/or have been vetted and suggested by your employer, etc., for video-conferencing or video-calling.
- Take some time to read over the service’s privacy or data protection policy to be sure who your personal data is being shared with, where it will be stored or processed, and what purposes it will be used for, amongst other information.
- Think twice about what permissions for data or sensors you are being asked for: Do you really need to share your location or your list of contacts for instance? What will that data be used for?
- If the data protection or privacy information is inadequate or too much information, or access to your device is being sought, you should be wary of sharing personal data with this service, and may want to take further steps, or consider another service.
- Ensure your device is used in a safe location, for example keep an eye on what (or who) can be seen from your camera, and be sure to log out, mute, or turn off video, as appropriate, when you leave or take a break.
- Consider the data protection and privacy rights of others before you post or share a picture or video of a video-call that contains their image, voice, and/or contact details.
- Have a read of our general tips on staying safe online during a pandemic
Tips for Organisations
- Employees should be using your contracted service providers for work related communications. Ensure you are happy with the privacy and security features of the services you ask them to use. Ad-hoc use of apps or services by individuals should not be encouraged.
- Try to ensure that employees use work accounts, email addresses, phone numbers, etc., where possible, for work-related video-conferencing, to avoid the unnecessary collection of their personal contact or social media details.
- Make sure that clear, understandable, and up-to-date organisational policies and guidelines are provided to those using video-conferencing, so they know what rules to follow and steps to take to minimise data protection risks. This should include information on the controls the services provide and that are available to them to protect their security, data, and communications.
- Implement, and/or advise employees to implement, appropriate security controls such as access controls (such as multi-factor authentication and strong unique passwords) and limit use and data sharing to what is necessary.
- Where video-conferencing services need to be used for organisational reasons, have a consistent policy regarding which services are used and how, and offer through VPN or remote network access where possible.
- Avoid sharing of company data, document locations or hyperlinks in any shared ‘chat’ facility