Privacy Policy

The Privacy Notice


1. Who We Are

1.1 We are Lawson Wright LLP (“we”, “us”, “the firm”), a law firm authorised and regulated by the Solicitors Regulation Authority (“SRA”, registration no. 8009409), and a Limited Liability Partnership (LLP) registered in England and Wales (OC453316).

1.2 We offer legal services on the law of England and Wales to international clients, both individuals over the age of 18 and corporate clients. We are based in England.

1.3 We reserve the right to update this notice at any time. The Privacy Notice (“the Notice”) will be available on our website, and we will notify those affected by any substantial updates. Should any additional processing become necessary, we will notify those affected.

2. We Are A Data Controller

2.1 This means that we are responsible for deciding how we use and hold personal information about you and explaining it clearly to you.

3. Who This Privacy Notice Applies To

3.1 This Notice applies to all our current, former, and prospective clients. 

3.2 For business clients, it applies to their employees, directors, partners, and representatives as applicable.

4. Our Promise

4.1 To do our best to keep your data safe.

4.2 Never to sell, swap, or rent your data to third parties.

4.3 To give you ways to control the use of your data whenever we can.

5. Data Protection Contact

5.1 Lawson Wright LLP has determined that it is not required to formally appoint a Data Protection Officer (DPO) as the firm does not meet the mandatory criteria outlined by the Information Commissioner's Office (ICO). However, Nascia Lee, the Office Manager, has been appointed internally as the Data Protection Manager (DPM) and is responsible for overseeing data protection matters. She will act as the main point of contact on data protection issues and liaise with external support and the firm's COLP as needed.

5.2 If you have any queries about how we use or hold your data or wish to exercise any of your rights below, please contact our DPM at nascia.lee@lawsonwright.com.

6. How We Collect Information

6.1 We collect personal information directly from our clients, our referrers (such as estate agents), our business contacts, other parties in the matter, our electronic identity verification service, and contractors, both at the start of the relationship and throughout.

6.2 Where the personal data is not collected directly from the data subject, it will have been obtained from one of the following sources:

6.2.1 The business client – both in relation to individuals in their organisation and to any parties related to the matter, whether on the client’s side or a third party.

6.2.2 The referrer – credit reference agencies and electronic identity verification systems – used to carry out due diligence on a client in accordance with our Anti-Money Laundering obligations.

6.2.3 Professional or regulatory website – such as the Law Society or the Financial Conduct Authority Registers.

6.2.4 Companies House – for due diligence information on business clients, including individual personal data for Directors, Shareholders, and Persons with Significant Control.

6.2.5 Other parties – during the course of a matter, other parties involved may supply personal data.

6.2.6 Mortgage companies – if your matter involves a mortgage company, they may supply personal data to us.

6.2.7 Other professions – if other professionals are involved in the matter, they may provide personal data, including special category data. This includes collection agents, surveyors, accountants, other legal professionals, medical professionals, etc.

6.3 We may use public sources, such as online searches, news reports, or social media.

7. Purpose For Processing Personal Data

7.1 We process personal data to discharge our contractual duties towards our clients for the legal matters they have instructed us upon and to give legal advice. We also process personal data in order to run our law firm effectively (such as issuing invoices) and to fulfil our legal and regulatory obligations.

7.2 Nothing in the Data Protection Act 2018 or the UK GDPR overrides our duty of confidentiality to our clients, to which we are bound by our professional bodies.

7.3 The personal data collected for all clients:

7.3.1 Name

7.3.2 Contact details such as: address, email address, mobile number, telephone number

7.3.3 Date of birth

7.3.4 Information required for due diligence checks (such as passport number, driving licence number, nationality, full name, etc)

8. Special Category Personal Data

8.1 There are times when, to progress a matter, we need to collect and process special category personal data.

8.2 We only do this where it is absolutely necessary. The types of information and the reason we need to collect, hold and process them are as follows:

8.2.1 Health information: this may be necessary for employment law matters, family cases, disputes, personal injury or medical negligence matters, the writing of Wills or probate, and any matter for which this personal information is necessary. It may also be necessary to help us make reasonable adjustments for you under the Equalities Act.

8.2.2 Sex life or sexual orientation: this could become relevant in employment matters, dispute matters, family matters, immigration matters, personal injury or medical negligence matters, and drafting Wills and probate matters as necessary.

8.2.3 Religious or philosophical beliefs 

8.2.4 Genetic data 

8.2.5 Biometric data 

8.2.6 Race or ethnic origin 

8.2.7 Political opinions

8.2.8 Trade Union membership: this will be processed where relevant in relation to employment matters, immigration matters, dispute matters, or where you have assistance with funding from being a Trade Union Member.

8.2.9 Criminal convictions: this may be processed during employment matters, family matters, dispute matters, immigration matters, personal injury or medical negligence matters, and as necessary. It may also be relevant to dispute matters and Anti-Money Laundering checks.

8.2.10 Children’s Information: we do not offer our services directly to those under the age of 18. However, where a matter involves information relating to a child or children, we only hold and process personal data in relation to children on instruction from a parent, guardian, public authority or a close relative. This may be in family matters, disputes involving the child, immigration matters, or employment matters. Personal data relating to a child in relation to them being the beneficiary of a Will or trust will be given by the client making or executing the terms of a Will or trust. All processing of children’s personal data is on the basis of the contract with the client or legal obligation.

9. Lawful Basis For Processing

9.1 The majority of the processing of personal data we carry out is on a contractual basis, under instruction from our clients for legal advice or legal representation.

9.2 We also process personal data in accordance with our legal obligations. This includes special category personal data as detailed above. Where we do so, it may be without your knowledge or consent as required or permitted by law. This is due to the nature of a legal firm and our obligations under the Anti-Money Laundering Regulations, in addition to our duties to the Courts. 

9.3 Occasionally we may carry out processing based on specific consent, such as with marketing.

10. The Legitimate Interests For The Processing

10.1 Occasionally we may process small amounts of personal data (name, contact details) in relation to individuals within potential business clients on the basis of Legitimate Interests. Information would be gained from publicly accessible sources, such as LinkedIn, X, professional register, Companies House, Google, or the company website (in compliance with the terms and conditions of the source). 

11. The Recipients Or Categories Of Recipients Of The Personal Data

11.1 We do not sell, swap, or rent personal data to third parties.

11.2 We do not share personal data for marketing purposes.

11.3 We do not pass on or share personal data where there is no legal basis to do so.

11.4 We pass on personal data to third-party suppliers and others in relation to the legal matters or advice we are instructed in relation to.

11.5 To meet our legal obligations, we may pass personal data on to the Courts and Tribunals, Counsel, legal representatives of other parties involved in the matter, Government Agencies, such as the National Crime Agency (NCA) or the Treasury, and other legal professionals.

11.6 Sometimes we use third-party companies and consultants to assist us in fulfilling our instructions or other obligations, including risk and compliance, data processing and security, regulatory support, and operational tasks. We carefully select these third parties, and they act on our instructions as Data Processors or independently as Data Controllers, depending on the services they provide. 

11.7 We ensure that all third parties comply with applicable data protection laws, such as the UK GDPR and the Data Protection Act 2018 and maintain appropriate security measures to protect your personal data. This includes implementing safeguards for any international data transfers. 

11.8 You retain your rights regarding your personal data processed by these third parties, including the rights to access, rectify, and erase your data. To exercise these rights or for more information about safeguards, please contact us using the details provided below.

12. The Details Of Transfers Of The Personal Data To Any Third Countries Or International Organisations

12.1 Our physical files are stored in the UK.

12.2 Our servers storing electronic data, including personal data, are located in the UK using Microsoft OneDrive and Clio Management, which are cloud-based systems with encrypted access. Data is backed up by PureCyber Limited, a provider of cyber incident response services and an NCSC-approved cyber advisor company. The location of these backups is in the UK.

12.3 The firm has provisions for transferring personal data outside the UK only if one of the legally permitted safeguards is met, such as:

12.3.1 adequate country status, 

12.3.2 Standard Contractual Clauses (SCCs), 

12.3.3 explicit consent, or 

12.3.4 legal necessity.

13. The Retention Periods For The Personal Data

13.1 Due to the types of legal work we carry out on behalf of clients, our retention periods vary. The following is a general guide:

13.1.1 We will retain your contact details (name, address, telephone numbers, email addresses) for six years after the end of our relationship in both electronic and physical format, unless the matter or advice involves children, then the matter will be retained until six years after the youngest child reaches 18; 

13.1.2 Emails are retained in our archive for six years; and

13.1.3 Where there is a complaint or claim against the firm, the archived retention period will begin from the resolution of the complaint or claim.

14. Rights of Individuals Regarding Processing

You have the following rights regarding the processing and holding of your personal data:

14.1 Rights to be informed: This Notice informs you about the processing of your personal data, your rights, and our responsibilities. We will keep you informed of any changes to this Notice and any issues that arise that affect you.

14.2 Right of access: You can contact our Data Protection Manager (“DPM”) to request what personal data is held about you. We will confirm that you are the correct Data Subject, and a full response will be provided within 30 days from the original request.

14.3 Right to rectification: If any of your data is incorrect or requires updating, please notify the DPM, and the data will be rectified within 72 hours.

14.4 Right to restrict processing: You have the right to request that the processing of your personal data be restricted. We may not have to grant this, such as where processing is for the purpose of contractual or legal obligations. Any request for restriction will receive a response within 14 days.

14.5 Right to erasure (be forgotten): You have the right to request that data held on you be erased. Again, we may not have to grant this where it is necessary for contractual, legal obligation, or archiving purposes. We will notify you within 14 days.

14.6 Right to data portability: You have the right to request to take the personal data you have given to us with you. As a client, you have the right, separate to your rights under the UK GDPR, to request your file, as detailed in the Terms of Business. If we hold personal data under our legal obligations or that is confidential to another client, we may restrict the information we send to you.

14.7 Right to object: You have the right to object to the processing of your personal data. Again, we may not have to grant this where it is necessary for contractual, legal obligation, or archiving purposes. We will notify you within 14 days.

14.8 Rights in relation to automated decision making and profiling: You have rights in relation to automated decision-making and profiling. We do not use any automated decision-making or profiling.

14.9 Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time. Your rights in relation to terminating the contract are contained within the Terms of Business.

14.10 Right to lodge a complaint with a supervisory authority: Please inform us if you are dissatisfied with how we have used your personal information, using the details below.

14.11 You also have the right to complain to the ICO. Details of how to complain are available on their website: https://ico.org.uk/concerns/ or you can write to the ICO at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or you can telephone the ICO on 0303 123 1113.

15. The Details Of Whether Individuals Are Under A Statutory Or Contractual Obligation To Provide The Personal Data

15.1 We are under a legal obligation (known as a statutory duty) to request personal data from our clients in relation to due diligence processes for anti-money laundering purposes. If this is not provided, we will not be able to act for the client.

15.2 The personal data we request from a client is required to fulfil our contract to progress your legal matter or give advice, or as a legal obligation.

16. Thank you for taking the time to understand how we will use your data and thank you for trusting us with your personal data. Should you have any reason to contact Lawson Wright LLP regarding this privacy notice, please email us at info@lawsonwright.com or call us on +44 20 8078 9782.



OUR INFORMATION MANAGEMENT AND SECURITY POLICY


1. This document sets out Lawson Wright LLP’s (“we”, “us”, the “firm”) Information Management and Security Policy (hereafter referred to as “this policy”).

2. Lawson Wright LLP considers that maintaining confidentiality and data security are extremely high priorities, and failure to do so may result in a compliance breach or a criminal offence. All staff in the practice are responsible for information management and security, and this policy and its procedures must be followed carefully. This policy supplements the practice’s Data Protection Policy, Internet & Email Policy, Document Retention Policy, and other relevant policies.

3. The firm has determined that it is not required to appoint a formal Data Protection Officer, as it does not meet the requirements set out by the Information Commissioner’s Office (ICO). However, the firm's Office Manager will assume primary responsibility for overseeing data protection matters in the role of the Data Protection Manager (DPM).

4. Although information management and security concern all practice staff, our Compliance Officer for Legal Practice (COLP) has overall responsibility for this policy and its procedures, compliance with them and relevant legislation, and ensuring all staff are aware of their responsibilities.

5. The COLP will monitor and review this policy and our procedures at least annually to ensure they remain effective, fit for purpose, and compliant with applicable regulation and legislation.

6. All practice staff must ensure that appropriate confidentiality is maintained regarding all personal data, information, and business-related data and information, and that it is accurate and up to date.

7. In addition to our data protection responsibilities, the Solicitors Regulation Authority (SRA) requires us to keep client affairs confidential unless disclosure is required or permitted by law, or the client provides informed consent. The information we hold is sensitive and valuable. If this information is mishandled, there could be serious consequences.

8. The practice’s information is owned by the practice and not by any individual or department, and must be used solely in connection with work being carried out for the practice, and not for other commercial or personal purposes.

9. Any actual or suspected breaches in the policy must be reported immediately to the DPM, who is responsible for monitoring and addressing them. Please refer to our Data Protection ‘Managing Personal Data’ Policy for the reporting procedure.

CONSEQUENCES OF FAILING TO COMPLY

10. We take compliance with this policy very seriously. Failure to comply puts both you and the practice at risk.

11. Given the importance of this policy, failure to comply with any requirement may lead to disciplinary action under the firm’s procedures, up to and including dismissal.

12. If you have any questions or concerns about this policy, do not hesitate to contact the DPM or COLP.

13. Information management relates to spoken and written (paper or electronic) information or data that is held, used, transmitted by, or on behalf of the practice. The information or data may be retained on our Intranet, IT system, case management system, network devices (e.g., printers), laptops, tablets, mobile phones, telephone system, hard copy files, notebooks, meeting notes, central records, and during the transmission of information. This list is not exhaustive.

REGISTER OF RELEVANT INFORMATION ASSETS

14. Our register, which lists our information assets, is a standalone document. The procedures for the protection and security of the assets listed in the register are set out in this policy.

15. The information assets we hold fall into two categories:

15.1 Information relating to our business, for example: employee records, accounts and management data, business plans, meeting minutes, bank statements and correspondence, PAYE.

15.2 Information relating to our clients, for example: identity data, confidential client information held on their files, addresses and contact numbers, email addresses, bank details, documents held in safekeeping and on files, client lists and matter lists.

PROCEDURES FOR PROTECTING AND SECURING INFORMATION ASSETS

16. We must ensure that all our information assets, including personal and special category (sensitive) data, are protected from all threats, whether internal, external, deliberate, or accidental.

17. Common types of threats from which we need to protect our information assets include:

17.1 Cyberattacks

17.2 Fraud

17.3 Human error or carelessness (resulting in inappropriate disclosure)

17.4 Malicious or deliberate acts (internal or external)

17.5 Theft or loss

17.6 Unauthorised access by non-practice staff to our offices or IT systems 

17.7 Misuse or damage

OUR PROCEDURES FOR MAINTAINING THE SECURITY AND CONFIDENTIALITY OF THE INFORMATION WE HOLD INCLUDE

17.8 ensuring that all staff are aware of the requirements of the GDPR and related legislation;

17.9 ensuring that all staff are aware of this Information Management and Security Policy and fully understand their responsibilities;

17.10 creating and maintaining an awareness of the need for information security as part of our culture;

17.11 having an up-to-date and effective Business Continuity Plan;

17.12 having comprehensive measures in place to secure areas of our office and IT systems where information assets are retained, and ensuring that all information assets are secured against loss and unauthorised access, regardless of their location;

17.13 third parties, including barristers, clients, or agents, must not receive data or IT equipment, or be given access to our data or information assets, without specific written consent in every case from the COLP, who will ensure that this policy is fully applied to the use, storage, and transfer of the data.

HUMAN RESOURCES INFORMATION

18. Given the confidentiality and sensitivity of staff files, access to our HR records is limited to the COLP, the HR manager, and the Office Manager, and no other staff are authorised to access that information.

19. Any staff member in a management or supervisory role must keep their knowledge of staff information confidential.

20. Subject to the provisions of the GDPR and associated legislation, staff may make a data subject access request. Please refer to our separate Data Protection ‘Managing Personal Data’ Policy and Privacy Notice.

ACCESS TO OFFICES AND FILES

21. Access to our offices and files is restricted, meaning that clients and visitors must not walk around them or remain in any area (other than the restroom) unless accompanied by a member of staff or within view of a member of staff. They must be accompanied at all times unless there is no risk of them being able to see or otherwise access confidential information.

22. We have meeting rooms for client visits, and these rooms must be kept clean and tidy, with no materials relating to another client on display or otherwise accessible. If a client needs to be seen at a desk, the same applies, but even greater caution must be exercised, as it is more difficult to ensure that confidentiality for other clients is maintained. For example, a client seeing another client’s name on a folder spine on a shelf or in a diary constitutes both a data breach and a breach of confidentiality.

23. Files, screens, paper documents, diaries, etc., can all display confidential information. Steps must be taken to ensure that clients and visitors cannot see anything that does not relate to them or their matter, or to the purpose for which they are attending the office (exceptions apply regarding our professional, technical, and other suppliers with whom confidentiality agreements have been signed).

24. When not working at a desk, all client, staff, and accounts files and papers, screens, and mobile devices containing confidential information must be stored securely, and all screens must be locked.

25. Keyholders for the office building and individual areas within it must be authorised, and keys must not be given to anyone other than authorised staff. Clients and visitors must not be given keys or unauthorised access. The office building and individual areas within it must be locked, and the alarm set when not in use or occupied.

COMMUNICATION AND TRANSFER

26. Client files or other client information must not be removed from our offices without prior permission from the COLP or Office Manager, except when necessary for purposes such as court appointments, hearings, conferences with counsel, or client meetings. If a staff member wishes to remove confidential client files or information from the office to work from home, they must obtain permission to do so.

27. Client files or papers must be returned to the office immediately after the purpose for which they were removed has been fulfilled. In such circumstances, all reasonable steps must be taken to ensure the integrity and confidentiality of the information.

28. Staff must not:

28.1 transport paper files in a way that allows names to be seen on them, or in an insecure bag or case;

28.2 read or work on client files or documents (paper or electronic) in any location where individuals other than practice staff could also read them, such as at home in the presence of family or friends, at a bus stop, on a train, or in a restaurant or café;

28.3 leave paper files or documents, or any device that provides access to them, anywhere that is unattended or where there is a risk to their security such as in a robing room at court, a waiting area or conference room, a car overnight, an unlocked car, or any location other than the office that is unlocked or where the paper files or documents, or the device is visible; or

28.4 take or make telephone calls, or speak with a colleague or another relevant person, in a manner or location where they could be overheard, potentially causing a breach of data privacy and confidentiality.

29. If it is necessary to transfer a large amount of data, contact the Office Manager for assistance.

30. Staff should double-check addresses (personal and business), DX numbers and towns, email addresses, and fax numbers before sending any information.

31. Email addresses can be problematic, so extra care should be taken with them. Autofill can result in the use of a wrongly entered email address, or an incorrect email address (e.g., for a different person with the same forename) could be entered in error.

32. All sensitive or particularly confidential information must be encrypted before being sent by email or be sent by tracked DX or recorded delivery.

BANK DETAILS

33. The firm’s bank details will appear on its invoices.

34. To ensure the security of transactions and prevent fraud, the following procedure will be followed for verifying the banking details of other parties’ legal representatives and other third parties to whom money is sent:

34.1 Initial Verification: 

When receiving bank details, the information will be carefully compared with any information held on file for that party. This includes checking with previous invoices, email correspondence, or any other reliable source.

34.2 Independent Confirmation: 

If there is any doubt about the accuracy of the bank details, or if it is a new payee, we will take steps to confirm the information independently. This may include:

34.2.1 Telephoning The Recipient: We will call the recipient using a known and verified phone number, which is not the one provided with the bank details, to confirm the account name, number, and sort code.

34.2.2 Checking Online Directories: For legal representatives, we may use publicly available resources such as the Law Society.

34.2.3 Requesting Official Documentation: In some cases, we may request a copy of a recent bank statement or a letter from the bank confirming the account details.

34.3 Dual Control: 

For high-value transactions or where there is any remaining uncertainty, a second member of staff will be involved in approving the payment of funds.

34.4 Record Keeping: 

A record will be kept of all bank detail verification checks, including the date, time, method of verification, and the names of the staff involved.

34.5 By implementing these procedures, we aim to minimise the risk of fraudulent activity and ensure that all payments are made safely and securely.

SOCIAL ENGINEERING CHALLENGES

35. Staff must be aware of social engineering attempts by external parties to obtain the disclosure of information. Social engineering is the practice of misleading or misdirecting individuals to obtain information through social interaction. 

36. The hallmark of a successful social engineer is that they obtain the information without raising suspicion.

37. Staff should not provide information over the phone or by email without verifying the requestor’s identity.

38. Personal email accounts, such as Yahoo, Google, iCloud or Hotmail, and cloud storage accounts and services, such as Dropbox, iCloud, and OneDrive, are vulnerable to hacking. These accounts and services do not provide the same level of security as the services provided by our IT systems.

39. Under no circumstances should personal email accounts or cloud storage accounts be used for work purposes.

Home Working

40. No confidential or other information should be taken home without permission from the COLP or Office Manager, and only then if they are satisfied that the staff member has appropriate technical and practical measures in place to maintain the continued security and confidentiality of that information.

41. Confidential information must not be downloaded or stored on personal devices, such as home computers, PCs, laptops, tablets, or mobile phones.

42. Client files and confidential information must be kept in a secure environment, inaccessible to family members or visitors at home.

CYBERCRIME PREVENTION AND MANAGEMENT

43. Staff must comply with our procedures to protect against cybercrime threats. For example:

43.1 Be vigilant with emails that contain links or request passwords. Do not click on links or enter passwords (e.g., an email with a link to Dropbox asking for an email address and password to access the documents) unless it is certain that the link is genuine.

43.2 Staff can always contact the sender to request more information or verify the link. If staff have any doubts or are unsure if an email is genuine, they will contact the Office Manager for assistance or guidance.

43.3 Keep the system passwords confidential and ensure they are difficult to guess, i.e., use strong passwords (refer to section 74). The same password must not be used for multiple accounts.

43.4 USB memory sticks will not be used by staff or clients on our IT systems.

RETENTION AND DISPOSAL OF INFORMATION

44. To run our strictly regulated business, serve our clients, and be an employer, we must keep accurate and up-to-date records, data, and information, stored securely in appropriate locations. 

45. We must be able to identify, trace, and access all our records, data, and information, and restrict access as appropriate. To achieve this:

45.1 Electronic or paper files about clients must be kept in accordance with our file management requirements, and their contents must be retained in an orderly manner.

45.2 Client information must be kept up-to-date within clearly identifiable and traceable client files or client management systems.

45.3 Closed files are securely archived in our off-site storage facilities, equipped with appropriate security measures to prevent unauthorised access.

45.4 Physical files are stored in locked cabinets, clearly labelled with the client’s name, matter name, and closing date.

45.5 Electronic records are stored on secure servers with robust access controls and encrypted according to our data encryption and protection procedures. We regularly review our storage solutions to ensure compliance with industry standards and legal requirements. 

45.6 After six years, all files can be destroyed according to our document retention guidelines, detailed in our information assets register.

45.7 All paper information to be destroyed is cross-shredded (using a shredder with DIN level 3 security or higher) to ensure confidentiality upon disposal. Particularly sensitive papers must be placed in a locked, limited-access receptacle or storeroom until they can be shredded. The delay between documents being earmarked for shredding and when they are shredded is a risk factor. There must not be inappropriate access to papers awaiting destruction (e.g., in open confidential waste bags in easily accessible areas of the office), and piles of papers awaiting destruction must not be left lying around.

45.8 Storage of non-client documentation is kept to a minimum.

45.9 All work-related information must be stored on the practice’s IT resources, not on personal systems or personal electronic devices, and be accessible only to the individual concerned.

45.10 Strict version control must be adhered to. Superseded versions must be clearly marked. This ensures that the most current version is immediately accessible.

45.11 All client-related emails must be saved on the matter file and must not be stored solely within an individual’s email account.

45.12 Client matter files (paper or electronic) must not be removed from the office unless there is an exception as outlined in this policy, i.e., if a staff member has permission to do so.

45.13 We have clear data retention guidelines, as outlined in our policy, and information and data are to be retained only for as long as necessary.

46. Computer equipment, printers, and facsimile machines may contain confidential information. All confidential information must be removed before disposal of the machine, and the hard drive must be removed and destroyed in a manner that ensures complete destruction of the data.

47. Mobile devices (e.g., phones, laptops, and tablets) may contain confidential information. All such devices must be registered with the practice so that they can be located or remotely wiped in the event of loss or theft, and must be protected by a PIN code or fingerprint lock. Any loss must be reported to the Office Manager immediately.

48. Data copied to a portable device in an authorised manner must be transferred back to our computer network, where it is backed up, and deleted from the device as soon as possible.

49. Backup Of Data:

49.1 We recognise the critical importance of securely backing up electronic data to ensure business continuity, protect client information, and comply with data protection regulations. 

49.2 Our backup processes are designed to maintain data integrity and availability while preventing unauthorised access.

50. Automated And Encrypted Backup Process:

50.1 All electronic data is automatically backed up daily on a scheduled basis to secure, encrypted storage solutions.  

50.2 Our backup system uses AES-256 encryption, so that backed-up data at rest is protected from unauthorised access.  

50.3 Backups on that schedule are incremental, capturing only data changed since the previous backup; this narrows the window of potential data loss while optimising storage efficiency.  

50.4 We employ redundant storage mechanisms, ensuring that multiple copies of critical data exist across geographically separated locations.  

50.5 Regular integrity checks and restoration tests are conducted by the Office Manager to verify that backups remain reliable and recoverable.  
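As an added illustration, not the firm's own procedure or tooling, the following Python script shows the kind of integrity check and restoration test described in 50.5: a SHA-256 manifest is recorded when the backup is taken, and a later test restore is compared against that manifest so that a missing file or a silently corrupted one is reported during the test rather than discovered when the data is actually needed. All directory names and file contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large archives are not loaded into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX separators) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns the files that are missing from the restore, those whose contents
    no longer match, and any files present that were never in the backup set.
    """
    found = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "corrupted": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, corrupt one and lose one."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "matters").mkdir(parents=True)
        (live / "matters" / "smith.txt").write_text("Client file contents (constructed sample)\n")
        (live / "matters" / "jones.txt").write_text("Another client file (constructed sample)\n")
        (live / "register.csv").write_text("asset,owner\nfile-server,COLP\n")

        manifest = build_manifest(live)   # recorded when the backup is taken
        restored = Path(tmp, "restored")
        shutil.copytree(live, restored)   # stands in for a test restore from backup media

        # Simulate silent media corruption of one file and one file dropped from the restore.
        (restored / "matters" / "smith.txt").write_text("Client file contents (CORRUPTED)\n")
        (restored / "register.csv").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored separately from the backup media it describes (a backup that carries its own checksums cannot detect a copy that was corrupted or replaced wholesale), and a restoration test that only confirms the restore job "succeeded" without comparing contents does not exercise the recoverability the policy relies on.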

51. On-Site Backup Storage:

51.1 Backup media that is temporarily retained on-site before being transferred to an off-site storage facility is securely stored in a locked, fireproof, and access-controlled safe within our office premises. 

51.2 Access to the backup media is restricted to authorised senior staff members and the DPM, ensuring it remains protected until transfer. 

52. Off-Site And Remote Backup Storage:

52.1 Once backups are completed, data is securely transferred to a remote, UK-based data centre that is ISO 27001 certified and meets GDPR requirements.  

52.2 The off-site storage location is maintained at a sufficient distance from our primary data centre to mitigate risks from fire, flooding, or cyberattacks affecting both locations simultaneously.  

52.3 Cloud backups are stored with end-to-end encryption and multi-factor authentication (MFA) access controls.

53. Disaster Recovery And Data Restoration:

53.1 In the event of system failure, data loss, or a cybersecurity incident, backups can be restored efficiently using predefined recovery protocols.  

53.2 Our disaster recovery procedures ensure that critical business operations can be resumed within an acceptable timeframe. By implementing these robust backup and encryption measures, we ensure that client and business data remains secure, recoverable, and compliant with applicable data protection regulations.

54. For more information regarding our backup and disaster recovery policies, please contact our DPM.

55. FIREWALL

56. A firewall is a program or hardware device that filters the network traffic passing between the Internet and the practice's private network or computer systems. Packets that match a blocking rule, or that the firewall otherwise identifies as a risk to our systems, are not allowed through.

57. The practice runs enterprise-grade firewall protection, kept on a current version, to safeguard against unauthorised access, malware, and other cyber threats. The firewall is regularly updated with the latest security patches and threat intelligence.

58. Software updates and security configurations are managed automatically to maintain continuous protection.

59. Additionally, network monitoring tools and intrusion detection systems (IDS) are in place to identify and mitigate potential threats in real-time.

60. For more details on our firewall security measures, please refer to our IT security policies or contact our IT department.

61. PROCEDURES FOR SECURE CONFIGURATION OF NETWORK DEVICES AND USER ACCOUNTS

62. Our IT systems and procedures for the secure configuration of network devices are managed by PureCyber Limited, our dedicated cybersecurity partner. We have implemented industry-standard security measures and are working towards Cyber Essentials accreditation to ensure compliance with best practices. The COLP has overall responsibility for overseeing our IT security framework and ensuring adherence to these standards and is the person to contact if staff experience any issues.

63. Network devices (hardware) are physical items that may be integral to another piece of IT equipment (e.g., a printer) or stand-alone, and include routers, network hubs, switches, modems, networking cables, repeaters, ISDN terminal adaptors, wireless access points (Wi-Fi routers), servers, mobile phones, and other portable devices.

64. We have measures in place to protect against IT-based information management threats and ensure secure configuration of network devices:

64.1 Up-to-date firewalls

64.2 Encryption of data on hard drives

64.3 Password protection

64.4 Appropriate minimal permissions for different types of user account, each with its own username and password, granting access only to the parts of the IT system's resources and software programs that the role requires

64.5 User accounts are assigned to individual staff members and are dependent upon individual roles and responsibilities

64.6 When anyone leaves the practice, is suspended, or is on garden leave, appropriate steps are taken immediately to disable or delete their user account(s)

64.7 Specifications for new software or software upgrades must allow for secure configuration on our network devices

65. In addition to the above:

66. Staff must not insert or load CDs, DVDs, USBs or other removable media into the practice’s IT system (PC, server, portable devices, etc.) without first obtaining authority from the COLP, who will conduct a virus check on a designated secure device before authorising use.

67. Electronic files must not be stored on CDs, DVDs, memory sticks, or other removable media, or on portable devices such as laptops, mobile phones, or tablets, for working from home unless the data is encrypted and the arrangement is specifically authorised by the COLP.

68. Staff who need to work from home must obtain the COLP's permission for secure remote access to the firm's systems. Until a firm-owned VPN is implemented, alternative secure access methods, such as Microsoft 365 with multi-factor authentication, must be used to ensure data protection and compliance.

69. Staff must not edit, copy, move, update, uninstall, or tamper with system files or applications already installed on the IT system.

70. Staff must not download or copy non-work-related content for personal use, such as pictures, videos, or music, from the internet or other media. Our IT systems must not be used for the production or processing of personal documentation.

71. Access to the IT system is granted by role, so not all staff may access all parts of it; staff must not access parts of the system for which they are not authorised.

72. The IT system may be monitored without any notice, and unauthorised content may be removed without notifying the user. 

73. The practice will also maintain monitoring and reporting systems to report unusual copying of files or any other unusual or unauthorised activity.

74. Computers are password-protected, and passwords will be changed according to guidance provided by our IT department or specialists:

74.1 Staff must not reuse their practice password for other websites or cloud services, and must maintain strong passwords. A strong password should have at least 12 characters, with a mix of upper- and lowercase letters, at least one number and at least one non-alphanumeric character, and should not be a dictionary word in any language. 

74.2 The password does not have to be a single word.

74.3 To make a password easy to remember, think of a phrase and then change some of the characters to create a strong password.

74.4 Passwords must not be written down or given to others. The only exception is the central record retained by the COLP for emergency access. This record must be stored securely with access limited to authorised staff only.

74.5 All employees must change their passwords immediately after any upgrades, maintenance, or repairs to their systems, or upon direct instruction from the COLP.

74.6 Computers and other devices must be locked when unattended and protected by a password, to minimise the risk of accidental data loss or disclosure.
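The password rules in 74.1 to 74.3 can be checked mechanically. The following Python function is an added example, not the firm's own tooling, that tests a candidate password against those rules: minimum length of 12, a mix of upper- and lowercase letters, at least one digit and one non-alphanumeric character, and not a dictionary word. It also undoes the common character substitutions that 74.3 encourages, because a single dictionary word with a few characters swapped ("P@ssw0rd") is still easily guessed. The wordlist is a constructed sample; a real deployment would load a full dictionary or a breached-password list.

```python
import string

# Constructed sample wordlist (assumption, not the firm's data); a real deployment
# would load a full dictionary or breached-password list here.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "solicitor", "altrincham", "chambers"}

# Common substitutions used to disguise a word. Undoing them lets the dictionary
# check catch "P@ssw0rd"-style passwords that pass the character-class rules.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12


def dictionary_word_in(password: str, dictionary=SAMPLE_DICTIONARY):
    """Return a dictionary word that makes up most of the password's letters, or None.

    Both the raw password and its de-substituted form are examined, so
    "Summer2025" and "S0l1c1tor!" are recognised as the words they are built on.
    """
    lowered = password.lower()
    for variant in (lowered, lowered.translate(SUBSTITUTIONS)):
        letters = "".join(c for c in variant if c.isalpha())
        for word in sorted(dictionary, key=len, reverse=True):
            # A word of four or more letters accounting for at least 60% of the letters
            if len(word) >= 4 and word in letters and 10 * len(word) >= 6 * len(letters):
                return word
    return None


def check_password(password: str, dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the policy rules the password fails; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(not c.isalnum() for c in password):  # includes spaces and punctuation
        failures.append("no non-alphanumeric character")
    word = dictionary_word_in(password, dictionary)
    if word:
        failures.append("based on the dictionary word '%s'" % word)
    return failures


if __name__ == "__main__":
    for candidate in ("Summer2025", "P@ssw0rd!2024", "Blue-Kettle-Hums-47!"):
        print(candidate, "->", check_password(candidate) or "compliant")
```

Returning the list of failed rules, rather than a bare pass/fail, lets the caller tell the user exactly what to change. The dictionary check is deliberately a ratio rather than an exact match: a multi-word passphrase with a digit and a symbol, the approach 74.3 recommends, passes even if one of its words is in the list, while a lone word padded with a year or an exclamation mark does not.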

75. Procedures To Detect And Remove Malicious Software

75.1 We have a variety of technical measures to protect us. These include:

(a) firewalls: Microsoft 365 Defender

(b) anti-virus software: Malwarebytes

(c) anti-spam software: Microsoft 365 Defender

(d) automatic or real-time updates on systems and applications

(e) URL filtering

(f) secure data backup

(g) encryption

(h) deleting or disabling unused or unnecessary user accounts

(i) deleting or disabling unused or unnecessary software

(j) using strong passwords

(k) disabling auto-run features

76. Our Register Of Software And Plan For Updating And Monitoring Software

76.1 Installation of new and updated hardware or software must be authorised by the COLP and comply with data protection by design and default.

76.2 Before any new systems are installed, suitable risk assessments, including a Data Protection Impact Assessment (DPIA) where required, will be undertaken by our IT advisers, overseen by our DPM.

76.3 Any new equipment must have appropriate security and be maintained to ensure it works properly and efficiently.

76.4 Software updates must be planned and managed to ensure that risks are mitigated, security patches are current, and software programs are compatible with each other.

76.5 Incompatibility can cause our IT system to malfunction and may lead to a business interruption, requiring implementation of our BCP.

76.6 The COLP is responsible for arranging the download and installation of any necessary software, security patches, or system updates.

76.7 We have a software register that lists all software used by the practice and who has access to different types of software. This is reviewed regularly by the COLP and our IT specialists.

76.7.1 Case Management: Clio [January 2025]

76.7.2 Anti-Money Laundering (AML) Software: Verify 365 [February 2025]

76.7.3 Cybersecurity: PureCyber [January 2025]

76.7.4 Microsoft Office Suite: Word, Excel, Outlook, PowerPoint [January 2025]

76.7.5 Operating System: Windows

76.7.6 Endpoint Detection and Response (EDR): Malwarebytes [January 2025]

77. Our Office Software Was Updated With The Following Implementations:

77.1.1 All PCs were upgraded to Windows 11 Pro.

77.1.2 The Clio case management system was installed and can be accessed by authorised staff.

77.1.3 Access to the Xero accounting software is determined by the role holder’s position in the practice.

77.1.4 The PureCyber security foundation pack was implemented to enhance cybersecurity. 

77.1.5 These software solutions are secured through individual logins to an established cloud service provider, ensuring robust data protection.

78. The COLP conducts an annual review of all software. 

79. Currently, besides routine upgrades, there are no immediate plans for further IT software development.

80. TRAINING

81. All staff will receive training on our Information Management and Security Policy. This will be part of the induction process for new staff. Further training will be provided at least every two years, or whenever there is deemed a need, a substantial change in the law, or our policy and procedure.


Lawson Wright LLP

3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT

T. +44 (0)20 8078 9782

Copyrights© 2025 Lawson Wright LLP - reserve all rights


Lawson Wright LLP is a limited liability partnership with number OC453316. Authorised and regulated (under SRA number 8009409) by the Solicitors Regulation Authority. A full list of members is available at the registered office.  
