Bar Association for Commerce, Finance and Industry (“BACFI”)
Data Protection Policy
Purpose of this policy
BACFI is a specialist Bar Association affiliated to the Bar Council of England and Wales.
Please read this policy carefully to understand how we collect, use and store your information.
The purpose of this policy is to communicate to staff, members and non-members who attend our events, meetings and/or webinars of the approach that BACFI intends to take when handling the personal data of any natural person.
BACFI must comply with data protection law. The law after 25.05.18 is derived from the General Data Protection Regulation (Regulation 2016/679/EU) (“GDPR”) as imported into the Law of England and Wales by s.22 Data Protection Act 2018 which received Royal Assent on 23.05.18.
Compliance with this policy is the responsibility of the BACFI Committee and of all persons associated with BACFI who deal with personal information of others on BACFI business. BACFI is not required to appoint a DPO and has not done so. The contact person for any matter related to data protection is the Secretary whose contact details are as follows: firstname.lastname@example.org, PO Box 4352, Edlesborough, Dunstable, Beds LU6 9EF.
Every person who is employed by or works within BACFI is required to adhere to this policy to the best of their ability. If there are any concerns regarding the application of this policy it is the responsibility of the person with the concern to contact the Committee at the first opportunity either directly or in writing.
This document uses definitions applicable to the GDPR.
The “data subject” is any natural person about whom information is obtained, stored and/or processed by BACFI or any person or organisation acting on BACFI’s behalf for any reason associated with BACFI.
Data subjects include officers, employees, servants and agents of BACFI, the Committee, employed staff, members and non-members attending any event organised by or on behalf of BACFI and any other person whose personal data (see below) is collected and processed by or on behalf of BACFI for any reason.
A living person. A human being. The term “natural person” does not include any “legal person” such as a company, partnership or corporation.
Any information relating to an identified or identifiable natural person is “personal data”. This includes, but is not limited to, name, identification number, location, online identifier or any physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
“Special Category Data”
Certain data is considered to be sensitive in nature and is referred to as “special category” data. Special category data is any data which reveals the racial or ethnic origin, the political opinions, the religious or philosophical beliefs, any trade-union memberships or any natural person. Any data such as genetic or biometric data which can uniquely identify a natural person or data concerning the sex life or sexual orientation of a natural person is also special category data.
The “controller” for the purposes of this policy is the Secretary of BACFI as appointed from time to time. The controller is the natural or legal person who either alone or jointly with others determines the purposes and means of processing of personal data.
A “processor” is a natural or legal person who processes personal data under the direct and express instructions of a controller.
Any operation which is performed on personal data such as but not limited to collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction amounts to processing of that personal data.
Data Protection Principles
Every person working for, with or on behalf of BACFI must adhere to the following principles when dealing with personal data. Personal data must only be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the subject (‘lawfulness, fairness and transparency’)
(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (‘storage limitation’)
(f) Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (‘integrity and confidentiality’)
Data Subject Rights
Every data subject has the following rights which must be upheld in a timely manner in order to comply with the law:
Right of access – the right to obtain a copy of personal data of the data subject and the details of processing carried out by or on behalf of BACFI;
Right of rectification – the right to ensure that errors in data held by BACFI are corrected;
Right to erasure – the right, under certain circumstances, to ensure that personal data held by BACFI on that natural person is erased;
Right to restriction – the right to restrict the processing of personal data under certain circumstances;
Right to portability – the right to obtain a copy of personal data obtained by the controller from the data subject in a portable machine readable form and also to have it transferred to another controller if so desired; and
Right to objection – the right to object to the processing of their personal data under certain circumstances.
Each of these data subject rights is, in effect, a controller obligation. It is incumbent on the controller to facilitate the exercise of these rights. The controller can only charge a fee following a request to exercise the right of access under very limited circumstances.
The controller must respond to a request to access a copy of personal data within one calendar month.
Any employee, servant or agent of BACFI who receives or becomes aware of any request from a data subject must forward that request to the Secretary or a Committee member immediately.
Data subjects seeking to exercise any of the above data subject rights are requested to make their request to the BACFI Secretary to ensure a prompt and effective response.
In addition to the data subject rights, which themselves amount to controller obligations, the controller must comply with other obligations when processing the personal data of natural persons. These include:
BACFI will only collect such personal data as is required to do the required processing. This will differ depending upon whether the data subject is a Committee member, a Member, an employee, or a non-member (but in the case of non-members only in association with BACFI organised or sponsored events at which the said non-member will be in attendance in any capacity) in which case the nature of the data collected will depend on the matter at hand.
BACFI will only retain personal data for as long as is reasonably required by law or good practice following the last contact with the data subject. This retention period differs depending upon whether the data subject is a member or non-member.
BACFI has a policy of carrying out a data cleansing exercise at least annually and as a result data will be retained for no longer than two (2) years following the termination of membership. Otherwise it would be excessively cumbersome for BACFI to manage the data cleansing process effectively.
In the case of non-members any data collected by BACFI is deleted no later than one month following the conclusion of the event/meeting/webinar attended by the said non-member.
Privacy by Design:
BACFI has a responsibility to design and engineer its systems so that personal data is not misused and so that it is stored and processed in a manner which is consistent with minimising the opportunity for data loss and data being processed in a manner which has no lawful basis.
Article 13 and Article 14 notifications:
Where personal data has been obtained from the data subject directly, it is BACFI’s responsibility to provide the data subject with the following information if the data subject does not already have it:
a) The identity and the contact details of the controller;
b) The contact details of the data protection officer if such a person has been appointed;
c) The purposes of the processing and the legal basis for that processing;
d) What, if any, legitimate interest of BACFI or of a third party has relied on as the legal basis of the processing;
e) The recipients of categories of recipients of the personal data, if any;
f) If transfer of the data to a third country or to an international organisation is intended, whether or not there is an adequacy decision of the Information Commissioner in force in respect of that country or any appropriate or suitable safeguards which are relied upon and how the data subject can obtain a copy of those safeguards;
g) For how long the personal data will be stored or the criteria used to determine that period;
h) The existence of the right of the data subject to request from BACFI access to and rectification of or erasure of the personal data or restriction of processing concerning the data subject or to object to the processing as well as the right to data portability;
i) Where the processing is based on the data subject’s consent the fact that the data subject may withdraw that consent at any time unless prevented from doing so by law;
j) The right of the data subject to lodge a complaint with a supervisory authority (regulator);
k) Where the provision of the personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, the data subject must be informed of this and whether he or she is required to provide the personal data and of the consequences of non-compliance with this requirement;
l) If any automated decision making or profiling is carried out using the personal data then the data subject must be informed about this and provided with a meaningful explanation as to the logic involved and the envisaged consequences of this processing for the data subject;
m) Where BACFI intends to process the data for a purpose other than that for which the data were collected, BACFI must provide the data subject with a further notification including reminding him or her of his or her statutory rights in respect of that processing.
Where BACFI obtained personal data of a data subject other than directly from the data subject BACFI must provide the data subject with the information outlined above together with:
n) The name and contact details of the source of the personal data and, if applicable, whether it came from publicly accessible sources.
In this second case, BACFI must provide this information to the data subject no later than one month after obtaining it or when it is first used to communicate with the data subject (if that is its purpose) whichever is the sooner.
BACFI is also required to communicate the above information to a data subject no later than when it is disclosed to another recipient.
As a matter of policy, BACFI does not disclose personal data to third parties otherwise than for the purposes of processing any monetary payment unless it is required by law to do so.
Where the data subject is attending a BACFI function such as an event or a meeting or a webinar, BACFI may need, in order to facilitate the operation of that function and the attendance of the data subject, to obtain and process personal contact data sufficient to assist the data subject in preparing for and attending the function including post-function follow-up communications (such as but not limited to sending copies of relevant material that was presented) and to comply with any particular health and safety requirements which may be applicable from time to time.
BACFI does not sell or transfer personal data to any organisation for the purpose of direct marketing or for any other purpose other than those outlined above.
BACFI as controller has a responsibility to keep written records (which may be stored in electronic form) in accordance with Article 30 GDPR. These records are (as applicable to BACFI):
a) name, contact details of BACFI as controller;
b) the purposes of the processing;
c) description of the categories of data subjects and of the categories of personal data;
d) categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
e) where applicable, transfers of personal data to a third country (outside of the UK) or an international organisation, including the identification of that third country or international organisation and, in the case of transfers carried out in relation to performance of a contract or agreement between BACFI and the data subject, a description of suitable safeguards in place to protect the rights and freedoms of the data subject;
f) where possible the envisaged time limits for retention of the different categories of data;
g) a general description of the technical and organisational security measures in place to safeguard the rights and freedoms of the data subject.
These records may be made available to the supervisor (regulator) on request.
Information Security Measures
BACFI has put in place and will continue to monitor and maintain a number of systems, processes and procedures to ensure and assure that the personal data of data subjects, be they members or non-members, is kept securely and safely at all times.
Data Protection Breaches
A data protection breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Any employee, servant, agent of BACFI or any person working with BACFI who becomes aware of a data protection breach or a possible data protection breach is required to inform the Secretary or a Committee Member as soon as possible.
On becoming aware of a breach, the Secretary of BACFI as controller is obliged to inform the regulator within 72 hours.
Data subjects must be informed of any breach affecting their personal data without undue delay unless BACFI is able to demonstrate that the data breach is unlikely to result in a high risk to the rights and freedoms of the affected data subjects.
Everyone working for and with BACFI is reminded that data protection is taken very seriously both by BACFI and by the community as a whole. From 25.05.18 very serious financial penalties may be applied by a competent data protection supervisor (regulator) for breaches of the law and failure to keep personal data safely and securely. These penalties could be sufficiently large to close down BACFI.