Data Protection And Privacy Policy

About

This document describes the ways in which Tees Valley Law Society (TVLS) may gather personal and non-personal data, as well as describing the types of data that may be gathered, where that data may be stored, and what uses TVLS will and will not make of that data. The document goes on to explain how a person can request an audit of any data TVLS holds about them, and how to exercise their 'right to be forgotten' by TVLS.

A printable version of this document can be found here.

Contents

Definitions

"TVLS", "The Society", "we"
Tees Valley Law Society, its Council Members and/or Administrators
GDPR
The General Data Protection Regulation (GDPR) is a regulation intended to strengthen and unify data protection for all individuals within the European Union. GDPR will be in force from 25 May 2018. Any company or organisation that receives, gathers, or in any other way makes use of the personal data of EU citizens must comply with the GDPR.
UK Data Protection Bill
At time of writing (24 May 2018), it is expected that the UK Data Protection Bill 2017-19 will bring the GDPR into UK law, and will remain in-place following the UK's departure from the EU.
Natural Person
The GDPR uses the phrase 'natural person' to describe any person, living or dead.
PII
Personally Identifiable Information; any data or information that can be used to identify a natural person.
Data Subject
Any natural person whose PII has been received by a company or organisation.
Data Controller
Any person, firm or organisastion that is in receipt of PII.
TVLS Council
The governing committee of Tees Valley Law Society
Council Member
Any current member of TVLS Council, who has been elected to the role by the members of TVLS or has been co-opted to the role by TVLS Council. TVLS Council Members are legal professionals whose computer systems and security conform to SRA standards and requirements. A full list of current Council Members is shown on the TVLS website (www.tvls.org.uk), and will be provided on request.
TVLS Administrator
Administrative staff contracted by TVLS Council to assist with the running of The Society. Details of the current TVLS Administrator(s) will be provided on request.
Locally installed computer system
A self-contained computer system located within the same office(s) as the person who is using the system (I.E. not a remote server or cloud-based system).
Pseudonymous Data
Pseudonymous data is data that does not contain any personal information, but that nonetheless does relate to a specific person or entity. Such data is not considered fully anonymous because, under some circumstances, it can be analysed in such a way as to reveal PII.
  1. Email communications with an @tvls.org.uk address

    The following points relate to any email communications that are sent to or exchanged with a TVLS email address (I.E. an email address that ends @tvls.org.uk).

    1. Data that may be collected and/or stored
      1. Sender's name, email address, and the firm/organisation at which the sender works
      2. The content of the email
      3. Any PII of the sender or other natural persons that is contained within the email content
      4. Any names and/or email addresses contained in the email's Carbon Copy (CC) field
    2. Locations at which the data may be stored
      1. The mail servers used by TVLS, which are provided by Hostmedia (www.hostmedia.co.uk). Hostmedia's data centers are located in the UK.
      2. The locally installed computer system(s) or device(s) used by the recipient to collect, open, view and/or archive the email.
      3. The mail servers and locally installed computer system(s) or device(s) of any Council Member or TVLS Administrator with whom the email may be shared.
    3. How TVLS may use the collected / stored data
      1. Any data provided by the sender will be used for handling and/or responding to the email.
      2. The sender's name and email address may be cached by the mail client software used by the recipient(s); any names or email addresses contained in an email's Carbon Copy (CC) field may also be cached. This is part of the standard functioning of mail client software, and no data collected in this way will be actively used or shared by TVLS (for example, the data will not be added deliberately to any address books, mailing lists or similar).
      3. The email may be retained and may be referred to at a future date.
      4. In the case of emails from TVLS Members, information contained in a communication may be added to the TVLS Membership Database, and will then be subject to the policies governing that database (see point 3 below).
      5. In the case of emails received from a person who is also a subscriber to one-or-more TVLS mailing lists (see point 7 below), we may update the mailing list data based on information contained in an email (for example if being informed of a change of email address).
      6. Emails and/or the information they contain may be shared in full or in part amongst Council Members and/or TVLS Administrators.
      7. Emails and/or the information they contain will never be shared with any other parties without the data subject's explicit permission except where TVLS is required to do so in order to comply with a lawful order issued by the proper legal authorities.
    4. Retention period

      TVLS Council has determined that received emails may be retained for a period of up to 18 months. The period is based on the need to be able to refer back to the communication for business and administrative purposes.

  2. Postal communications with TVLS

    The following points relate to any postal communications that are sent to or exchanged with TVLS.

    1. Data that may be collected and/or stored
      1. Sender's name, postal address, and the firm/organisation at which the sender works.
      2. The content of a communication.
      3. Any PII of the sender or other natural person that is contained within the communication.
    2. Locations at which the data may be stored
      1. The postal address to which a communication was sent, and/or the office(s) of the addressed recipient.
      2. The office(s) of any Council Member and/or TVLS Administrator who may be involved in dealing with or responding to a communication.
      3. In the event of a digital scan being taken of a paper communication, that digital scan may be stored...: a) within the locally installed computer system(s) used by the addressed recipient; b) within the mail servers and locally installed computer systems of any Council Member or TVLS Administrator with whom the digital scan may be shared.
      4. In the case of communications received from TVLS Members, information from a communication and/or a digital scan of the communication may be stored alongside the Member's records within the TVLS Membership Database (see point 3 below).
    3. How TVLS may use the collected / stored data
      1. A communication and any data it contains will be used for the purposes handling and/or responding to the communication.
      2. Communications may be retained, and may be referred to at a future date.
      3. In the case of communications from TVLS Members, information contained in a communication may be added to TVLS' Membership Database, and will then be subject to the policies governing that database (see point 3 below).
      4. In the case of communications received from a person who is also a subscriber to one-or-more TVLS mailing lists (see point 7 below), we may update the mailing list data based on information contained in a communication (for example if being informed of a change of email address).
      5. Communications and/or the information they contain may be shared in full or in part amongst Council Members and/or TVLS Administrators.
      6. Communications and/or the data they contain will never be shared with any other parties without the explicit permission of the data subject except where TVLS is required to do so in order to comply with a lawful order issued by the proper legal authorities.
    4. Retention period

      TVLS Council has determined that postal communications may be retained for a period of up 18 months. The period is based on the need to be able to refer back to the communication for business and administrative purposes.

  3. Membership applications and renewals

    In order to operate The Society we need to gather various items of personal data from TVLS Members, and will seek periodically to refresh and update this data. The data protection and privacy policy governing membership data is as follows.

    1. Data that may be collected and/or stored
      1. Member's title, forename(s), surname, preferred salutation, and any name suffix(es) that a member uses.
      2. Member's email address and preferred postal communications address (typically an office or work address).
      3. The firm(s) or organisation(s) at which a member works, and their job title or role at that firm/organisation.
      4. Member's professional or trainee status (as applicable).
      5. Member's professional regulator(s), regulator enrollment ID(s), regulatory status, place of training, or place of study (as applicable).
      6. Member's TVLS Membership history.
      7. Member's communication and data preferences.
      8. Notes and other information relating to the member and/or membership, made during the course of administering the membership.
    2. Locations at which the data may be stored
      1. Membership information is stored in the TVLS Membership Database, which is an electronic relational database stored on the locally installed computer system(s) of the TVLS Administrator. The database is password protected and stored in an encrypted format.
      2. In the event of data extracted from the TVLS Membership Database being shared with Council Members and/or TVLS Administrators, that information may reside on the mail server(s) and locally installed computer system(s) of those Council Members and/or TVLS Administrators.
    3. How TVLS may use the collected / stored data
      1. Information provided during membership application and/or renewal will be stored in the TVLS Membership Database (see 3.2.1 above).
      2. Additional information generated during a term of membership via communications, seminar attendance, and similar engagements between the member and TVLS, may be stored within the TVLS Membership Database alongside other records relating to that member.
      3. TVLS uses the data stored in the TVLS Membership Database for the purposes of operating and administering The Society.
      4. In order to confirm the accuracy of the information stored within the TVLS Membership Database and/or to fill-in gaps in the data we require in order to operate and administer The Society, TVLS may refer to external public sources of information such as The Law Society of England & Wales, Companies House, company websites, regulator registers, etc., and we may update information within the TVLS Membership Database accordingly.
      5. In the case of members who also subscribe to one-or-more TVLS mailing lists, TVLS may update mailing list information based upon information provided during the course of the membership (for example to update an email address or record a change of name).
      6. Information and data extracted from the TVLS Membership Database may be shared amongst Council Members and TVLS Administrators.
      7. TVLS will never share any information or data from within the TVLS Membership Database with any other parties without the explicit permission of the data subject except where required to do so in order to comply with a lawful order issued by the proper legal authorities.
    4. Retention period

      TVLS Council has determined that Membership data will be retained for a period of 7 years. The period is required for accounting and tax purposes.

  4. Booking for and/or attending a TVLS event

    TVLS runs training seminars and other events. In order to organise and administer such events we require various items of PII from people who book places or who have places booked on their behalf, and/or who attend an event. The following points describe the data protection and privacy policy governing this booking and attendance data.

    1. Data that may be collected and/or stored
      1. Name, email address, firm/organisation and job title/role of the person who places the booking.
      2. Name and - where provided - the email address, firm/organisation, professional status, TVLS Membership status, and dietary requirements of persons for whom places are booked or who attend an event.
      3. A record may be kept indicating whether-or-not a person for whom a place was booked actually attended the event.
      4. In the case of bookings placed via email, point 1.1 (above) also applies.
      5. In the case of bookings placed via post, point 2.1 (above) also applies.
      6. In the case of bookings placed via web form, point 6.1 (below) also applies.
    2. Locations at which the data may be stored
      1. Booking and attendance information will be stored in an electronic format (I.E. a document, spreadsheet or relational database) located on the locally installed computer system(s) of the TVLS Council Members and/or Administrators responsible for managing event bookings.
      2. Information required by any Council Member(s) or TVLS Administrator(s) who represent The Society at an event may be stored on the mail server(s) and locally installed computer system(s) of those representatives. In addition, such information may also be printed and kept in the personal possession of the representative(s).
      3. Information required by and supplied to an event's venue will be stored according to that venue's data and privacy policies (see also 4.3.5 below).
      4. In the case of bookings placed via email, point 1.2 (above) also applies.
      5. In the case of bookings placed via post, point 2.2 (above) also applies.
      6. In the case of bookings placed via web form, point 6.2 (below) also applies.
    3. How TVLS may use the collected / stored data
      1. Data provided during the booking process will be used for the purposes of organising and administering the event.
      2. Booking and attendance data may be used for analysis of attendance trends and event popularity.
      3. In the event that a booking is placed either by or for a TVLS Member, information from the booking - including event attendance - may be added to that member's records within the TVLS Membership Database (see point 3 above).
      4. Booking and attendance data may be shared amongst Council Members and TVLS Administrators.
      5. Names, dietary requirements and special access requirements of event attendees may be shared with the event's venue when necessary to allow the venue to make its preparations for the event.
      6. Booking and attendance data will not be shared with any other parties except...:
        a) where explicitly stated and agreed to during the booking process (see point 4.5 below);
        b) where TVLS is required to do so in order to comply with a lawful order issued by the proper legal authorities.
    4. Retention period

      TVLS Council has determined that The Society needs to retain information on event attendance and payments for a period of 7 years. The period is required for accounting and tax purposes. Communications relating to an event will only be retained for the period specified for that form of communication.

    5. Event-specific variations from standard TVLS policy

      TVLS may wish to vary the standard policy shown in points 4.1 to 4.4 above on a per-event basis. When it does so the event-specific variations will be clearly stated on all event booking forms, and people will be free to agree or disagree to those variations.

  5. Viewing pages on the TVLS website (www.tvls.org.uk)
    1. Data that may be collected and/or stored
      1. The IP address from which page requests are made to the TVLS web server, and the date and time at which those requests occur.
      2. The TVLS website may set cookies on a visitor's computer. If and when used, the data stored by these cookies will be...:
        a) website viewing preferences;
        b) a unique but anonymous identifier used for maintaining the visitor's web browsing session with the server;
        c) related to Google services that are deployed on the website (see 5.1.3).
      3. TVLS may deploy on its website the Google Analytics service to gather analytics data about site visits. TVLS may also use Google's ReCaptcha service for securing website forms. Google may track and record your browsing progress between different websites and web pages. Google's privacy policy and terms of use can be viewed at: www.google.co.uk/intl/en_uk/policies/privacy/.
    2. Locations at which the data may be stored
      1. IP address information is stored in the log files of TVLS' web server. This server is provided by Hostmedia (www.hostmedia.co.uk). Hostmedia's data centers are located in the UK.
      2. Data stored in cookies is located on the computer or device that was used to visit the website, and is sent to the web server along with each page request. The web server may also store a copy of the cookie data within its log files.
      3. Any data gathered by the Google Analytics service or the Google ReCaptcha service is stored and handled by Google.
    3. How TVLS may use the collected / stored data
      1. Data about site page requests (I.E. IP address and time of request) will not be studied, shared or analysed in any way other than...:
        a) where TVLS is required to do so in order to comply with a lawful order issued by the proper legal authorities;
        b) to identify potential malicious activity or security breaches;
        c) in the event of an attempt to hack, disrupt, or in some other way to gain access or do harm to TVLS' web servers or the services that run on them, we may analyse page request data in order to identify the source of the attack. In such a situation TVLS may also seek the assistance of - and share the logged data with - specialist cyber security service providers, law enforcement, and/or any other parties assisting with the investigation.
      2. TVLS uses cookies solely for the purposes of improving the user's browsing experience, and will not in any way study, seek to de-anonymise, nor analyse any information that may be stored in cookies generated by the TVLS website.
      3. With regards to any data that may be gathered by the Google Analytics service...:
        a) TVLS can only access anonymised analytics data relating to visits to the TVLS website and its constituent pages.
        b) TVLS will not make any attempt to de-anonymise any of the Google Analytics data.
        c) TVLS may share the Google Analytics data amongst Council Members and/or TVLS Administrators.
        d) TVLS will not share the Google Analytics data with any other parties except where required to do so in order to comply with a lawful order issued by the proper legal authorities.
        e) TVLS may share with selected partners summarised information derived from Google Analytics data. It will not be possible to extract any PII from such summarised data, nor to de-anonymise the data it in any way.
        Google's privacy policy and terms can be viewed at: www.google.co.uk/intl/en_uk/policies/privacy/.
    4. Retention period

      TVLS Council has determined that web log data must be retained for a period of 9 months. The period is to allow for the required analyses to be made in the event of site security breaches.

  6. Submitting forms from the TVLS website

    The TVLS website includes a number of web forms that can be used for contacting us, applying for membership, booking places at events, and so on. All form data is encrypted in transit to help protect any personal data that may be submitted. The following points describe TVLS' policy with regards to such data.

    1. Data that may be collected and/or stored
      1. The name and email address of the person submitting a form, along with any-and-all other data that is submitted via a form.
      2. Web forms are contained within TVLS web pages, therefore point 5.1 (above) applies.
    2. Locations at which the data may be stored
      1. Data entered into a form will be stored in the web server's site database. This site database is hosted by Hostmedia (www.hostmedia.co.uk), alongside the web server. Hostmedia's data centers are located in the UK.
      2. Web forms are contained within TVLS web pages, therefore point 5.2 (above) applies.
      3. Submitted form data is transferred from the web server's site database to the TVLS Administrator(s) via email, therefore point 1.2 (above) applies.
    3. How TVLS may use the collected / stored data
      1. Any data submitted to TVLS via a web form will be used for handling and/or responding to the form submission in an appropriate way dependent upon the purpose of the form. For example, data submitted through an event booking form will be used for administering that booking.
      2. Submitted form data may be retained, and may be referred to at a future date.
      3. In the case of form data submitted by a TVLS Member, submitted form data may be added to the member's record within the TVLS Membership Database and will be subject to the policies governing that database (shown in point 3, above).
      4. Submitted form data may be shared amongst Council Members and/or TVLS Administrators.
      5. Submitted form data may relate to other data sources that are governed by and listed separately in the TVLS Data Protection & Privacy Policy (such as event booking data or membership application data). In these instances, the section(s) of this policy governing that data source will also apply.
      6. Submitted form data will not be shared with any other parties except...:
        a) where explicitly stated and agreed to during the form submission process;
        b) where TVLS is required to do so in order to comply with a lawful order issued by the proper legal authorities.
    4. Retention period

      TVLS Council has determined that website form data will be retained for a period of no longer than 2 months.

  7. Subscribing to a TVLS mailing list

    TVLS operates a number of mailing lists that it uses to circulate information to mailing list subscribers. In order to operate these lists, we collect and use some PII of the list subscribers. The following points describe TVLS' policy with regards to such data.

    1. Data that may be collected and/or stored
      1. Subscriber's name, email address, and the firm or organisation at which they work.
      2. Analytics data about the way in which the subscriber interacts with emails sent via a mailing list (E.G. whether-or-not the email was opened).
    2. Locations at which data may be stored
      1. Within the servers and data centers of mailchimp.com. Mailchimp's privacy policy can be viewed at https://mailchimp.com/legal/.
      2. On the locally installed computer system(s) of Council Member(s) or TVLS Administrator(s).
      3. From time-to-time a 'hard copy' print-out of mailing list data may be made; any such print-outs will be stored in the offices of the Council Member(s) or TVLS Administrator(s) who have produced the print-out.
    3. How TVLS may use the collected / stored data
      1. TVLS uses mailing list data solely for the purposes of circulating information campaigns via email to mailing list subscribers.
      2. In the event of TVLS becoming aware via a different data source of a change to a mailing list subscriber's email address, name or the firm/organisation at which they work, we may update the mailing list subscriber information accordingly.
      3. TVLS may share mailing list data amongst Council Members and TVLS Administrators.
      4. TVLS will not share mailing list data with any other parties except where required to do so in order to comply with a lawful order issued by the proper legal authorities.
    4. Retention period

      PII relating to mailing list subscriptions will be retained only for as long as a data subject is subscribed to any of TVLS' mailing lists, plus 5 days to allow for administration of the unsubscribe event.

  8. Exercising your GDPR data rights

    The GDPR gives data subjects the right to request a copy of all PII held about them by a data controller, as well as the right to be forgotten by a data controller. If you wish to exercise either of these rights in relation to the data that TVLS may hold about you then please complete and return the Personal Data Audit and Deletion Form. The form can be found on our website at www.tvls.org.uk/sites/tvls/assets/Files/TVLS_PIIAuditAndDeletionRequestForm.pdf. Alternatively, you may request a copy of the form via email, telephone or web contact form (see www.tvls.org.uk/index.cfm/contact/).