Privacy Policy

Last updated: 5 May 2023

The Costs Lawyer Standards Board (CLSB) collects personal data from a variety of sources. This policy is designed to help you understand how we obtain, use, share and store data about you. We are required by law to provide you with the information in this policy.

Personal data is any information about an individual from which that individual can be identified. It does not include anonymised data. There are special categories of more sensitive personal data, which require a higher level of protection.

We comply with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and other data privacy laws that apply to us from time to time. We are a data controller for the purposes of the GDPR, which means that we are responsible for deciding how personal data we hold is used and kept safe.

A. About us

Costs Lawyer Standards Board Ltd is the approved regulator of the Costs Lawyer profession under the Legal Services Act 2007, on delegated authority of the Association of Costs Lawyers (ACL). We are independent from ACL, so ACL is treated as a third party for the purposes of sharing personal data.

Everything we do at the CLSB is related to, or is for the ultimate purpose of, regulating Costs Lawyers in England and Wales. We do not have any representative functions and do not carry on other business. We therefore collect and process personal data only in the exercise of our regulatory functions under the Legal Services Act 2007 and for related purposes, such as meeting our legal and reporting obligations.

More information about the CLSB can be found on the Who We Are page of our website.

B. Using your personal data

We will not collect or use personal data unless it is lawful for us to do so. This means that your personal data must be:

• processed fairly
• collected only for valid purposes that have been explained to you
• relevant to those purposes and not used in a way that is incompatible with those purposes
• kept no longer than is necessary to fulfil those purposes
• adequate, not excessive, accurate and kept up to date
• processed in line with your rights
• kept secure

You can expand the headings below to learn more about how we collect and use your personal data, depending on whether you are a Costs Lawyer, a member of the public or part of our staff.

This part of the privacy policy applies to Costs Lawyers who are currently regulated by us, as well as those who were previously regulated or who are seeking authorisation, those who have qualified as a Costs Lawyer, and those who have contacted us in the course of considering whether to qualify as a Costs Lawyer or whilst on the Costs Lawyer Qualification.

Sources of personal data

We collect your personal data from a range of sources, including:

• yourself, as the data subject, when you:
– apply for a practising certificate
– complete the annual regulatory return
– update your details with us or make an enquiry
– submit, or contact us about, evidence of completion of Qualifying Experience
– apply for Accredited Costs Lawyer status
– make a disclosure as required under the Practising Rules
– provide information in response to a complaint or in the context of disciplinary proceedings
– respond to our consultations or non-anonymised surveys
• your clients or members of the public who wish to provide feedback about your service or make a complaint in relation to your conduct
• your organisation if they tell us you have left their employment, or are on leave, including information provided on automatic email replies
• the Association of Costs Lawyers, including ACL Training, in relation to your qualification as a Costs Lawyer
• training providers, when carrying out a CPD audit
• the Legal Ombudsman and other approved regulators under the Legal Services Act 2007 in relation to your professional conduct
regulators outside of England and Wales under sections 9 and 10 of the Professional Qualifications Act 2022

We occasionally collect data about Costs Lawyers from other third parties, such as current or former employers, social media platforms, credit rating agencies, background check agencies and official bodies, where there is a particular need to verify information we hold about you or to carry out other investigations.

Types of personal data

The types of personal data that we handle in relation to Costs Lawyers include:

• your contact details, including details of the organisation where you work
• your professional details, such as your CL number, qualifications and accreditation status
• your practising status and history, including Qualifying Experience, career breaks and previous employers
• your age and experience level
• details about your practice and clients, as submitted in the regulatory return
• feedback and complaints about your conduct
• evidence of your compliance with our regulatory rules, such as your insurance details and complaints procedure
• details of CPD activities you have carried out
• disciplinary records, including data collected or created during disciplinary proceedings, disciplinary outcomes and sanctions
• details of events you have disclosed to us under the Practising Rules
• your personal opinions, responses and enquiries

How and why we use your personal data

We use your data in order to provide effective regulation of the Costs Lawyer profession in England and Wales, in fulfilment of our role under the Legal Services Act 2007 and always in the public interest. You can read more about the regulatory objectives that we must promote, and the day-to-day regulatory activities that we carry out, on the Who We Are page of our website.

We need to process personal data to fulfil our regulatory role because we need to understand the profession that we regulate, including:

• each individual practitioner’s ongoing competency, fitness to practice and compliance with our regulatory rules
• the nature of the profession as a whole, including its effectiveness and diversity
• the experience of consumers and the public in interacting with the profession

The situations in which we will process your personal data include:

• communicating with you about regulatory matters, such as inviting your views through consultations, informing you of changes to our rules, or offering support and guidance
• contacting you in relation to specific issues, such as complaints or audits
• dealing with your enquiries or requests
• processing your applications, including for a practising certificate, for Accredited Costs Lawyer status or for a Certificate of Good Standing
• otherwise assessing your ongoing competency or fitness to practise
• publishing the Register of Costs Lawyers, in which your name and professional details will appear while you hold a current practising certificate
•monitoring compliance with our regulatory rules
• dealing with complaints and disciplinary matters, including investigations and hearings
• publishing disciplinary decisions, including outcomes and sanctions, on our website and in the Register of Costs Lawyers
• determining the completion of Qualifying Experience of a trainee Costs Lawyer if you have acted as their Qualified Person
• developing our policy positions and regulatory approach, including by carrying out research or analysing evidence
• maintaining our records and accounts
• reporting to other regulators and authorities
• administering the personal data that we hold, including to comply with data protection laws

Making an application to CLSB

When you apply for a practising certificate or accredited Costs Lawyer status, you will receive an electronic form that is pre-populated with your personal data, including your contact details and information about your organisation. You will be asked to check the accuracy of the data and input additional personal data in relation to your professional circumstances and practising arrangements.

The data you enter is stored on our server, and accessed by your PC, for the duration of the time you are completing the form. When you submit the data, it is sent to us for processing and you will receive a copy of the data by email. Until you submit your form the data will remain accessible on your PC online for around 4 hours. You should therefore log out of any shared device that you use to open (but not submit) your form; we will remind you of this when we send your form to you.

Obligation to provide personal data

Sometimes you will be required to provide personal data in order to comply with our regulatory rules or to become (or continue to be) an authorised Costs Lawyer. Types of personal data that you must provide include your qualifications, contact details, evidence of ongoing competency, evidence of regulatory compliance and details of disclosable events.

Where it is compulsory to provide certain personal data we will make this clear, for example in our Practising Rules or in the relevant application form. Failure to provide this personal data could have serious consequences, such as disciplinary action or the inability to practise as a Costs Lawyer.

How long we retain your data for

We only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including the purposes of satisfying any legal, regulatory or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use, our legal obligations, the purpose of the processing and whether that purpose can be achieved through other means.

Given our regulatory functions, it is necessary for us to keep some personal data about the people we regulate for as long as we remain the profession’s regulator. If you are not currently practising and therefore do not have a valid practising certificate, we will retain your personal data in our internal database but will not publish it in the Register of Costs Lawyers. We record the retention period for different types of data in our processing record. We delete data safely when the retention period ends.

Keeping your personal data up to date

We take steps to keep your personal data accurate and up to date. For example, we ask you to provide current information in your annual application for a practising certificate. If your personal data needs updating during the practising year, please Contact Us to let us know.

We will hold some personal data about you that is no longer current, but which is an accurate record relating to a particular point in time. Examples include previous years’ insurance documentation and complaints procedures, as it may be necessary to use this data in the context of future audits or complaints.

Special categories of data

The Practising Rules require Costs Lawyers to disclose certain events to us upon an application for a practising certificate and during the year. Where relevant, this includes data about criminal convictions. We use this data to consider your fitness to practise as a Costs Lawyer and we only process this type of data where it is necessary to do so in the public interest in the pursuit of our regulatory functions. To do this lawfully, we must meet one of the conditions for processing in Schedule 1 of the Data Protection Act 2018. We rely on paragraph 6 of Part 2 to Schedule 1 (statutory purposes). In rare cases, we might also use criminal conviction data in relation to legal claims, to protect your interests or someone else’s, or if you have already made the data public.

The GDPR considers certain types of personal data to be particularly sensitive and deserving of additional protections. This is known as “special category” data and it includes data about things like race, political opinions, religion, health, sexual orientation and trade union membership. We do not collect special category data about Costs Lawyers as a matter of course. We do collect special category data through our diversity survey, which helps us monitor diversity and inclusion within the profession, however this is anonymised.

Sometimes we receive special category data that a Costs Lawyer has chosen to provide, such as data relating to health to evidence a period of absence from the profession. This data is provided with the Costs Lawyer’s consent, is handled using additional safeguards and is safely deleted once the evidence has been assessed.

This part of the privacy policy applies to anyone who is not a Costs Lawyer or a member of CLSB staff (current, past or prospective).

Sources of personal data

Most of the personal data that we hold about you is provided directly by you to us. Situations in which you might provide personal data to us include when you:

• make an enquiry via our website
• contact us by phone or email
• complain about a Costs Lawyer
• respond to a consultation or survey
• participate in research or evidence gathering

Rarely, we might receive personal data about you from a third party. For example, you might be mentioned in the context of a complaint about a Costs Lawyer that is made by someone else.

Please note that, while you can contact us via our website, we do not collect your personal data through mere use of our website. Our website does not use cookies and we analyse usage on an anonymised basis.

Types of personal data

The types of personal data we hold about you will depend on what information you have provided to us. It might include:

• your contact details, including details of the organisation where you work and have worked
• details of complaints, feedback or enquiries you have made
• your personal opinions and responses
your professional details, such as your regulatory status

 

The GDPR considers certain types of personal data to be particularly sensitive and deserving of additional protections. This is known as “special category” data and it includes data about things like race, political opinions, religion, health, sexual orientation and trade union membership.

We do not collect special category data from you as a matter of course. However, sometimes we receive special category data that you have chosen to provide, if it is relevant to your reason for contacting us. In addition, our Client Survey asks whether respondents consider themselves to be vulnerable consumers and, if so, the nature of the vulnerability. Information about vulnerability could, in some instances, include special category data. Any special category data is provided with your consent and is handled using additional safeguards. We will not share it with a third party without your consent, unless we are required to do so by law.

We do not knowingly collect or solicit personal data from anyone aged 16 or under, or knowingly allow such persons to provide us with their personal data without consent from a parent or guardian. In the event that we learn we have collected personal data from someone aged 16 or under and we do not have consent of a parent or guardian, we will safely delete that personal data unless we are required by law not to do so.

How and why we use your personal data

We use your data in order to provide effective regulation of the Costs Lawyer profession in England and Wales, in fulfilment of our role under the Legal Services Act 2007 and always in the public interest. You can read more about the regulatory objectives that we must promote, and the day-to-day regulatory activities that we carry out, on the Who We Are page of our website.

The situations in which we will process your personal data include:

• responding to your enquiries or requests
• handling feedback or complaints you make about a Costs Lawyer
• dealing with disciplinary matters, including investigations and hearings, in relation to which you are a complainant or otherwise provide evidence
• developing our policy positions and regulatory approach, including by carrying out research or analysing evidence, or improving the information we provide to the public
• communicating with you about regulatory matters, such as inviting your views through consultations or informing you of changes to our rules, if you have asked us to do so
• determining the completion of Qualifying Experience of a trainee Costs Lawyer if you have acted as their Qualified Person
• maintaining our records and accounts
• reporting to other regulators and authorities
• administering the personal data that we hold, including to comply with data protection laws

How long we retain your data for

We only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including the purposes of satisfying any legal, regulatory or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use, our legal obligations, the purpose of the processing and whether that purpose can be achieved through other means.

We record the retention period for different types of data in our processing record. We delete data safely when the retention period ends. Given our regulatory functions, it is necessary for us to keep some personal data about the people we regulate for as long as we remain the profession’s regulatory body. This might include your personal data, for example if you have made a complaint about a Costs Lawyer or given evidence in disciplinary proceedings.

If you have asked to be added to our circulation list for regulatory communications, we process your contact data on the basis of your consent. You can withdraw your consent at any time by using the subscription preferences link in our email communications. If you decide to opt out of receiving our regulatory communications, we will retain your contact data for a period of six months to ensure that we manage your preferences appropriately.

This part of the privacy policy applies to people who work with us, have worked with us or are seeking to work with us in the future. This section will apply to you, for example, if you:

• are an employee of the CLSB
• are a member of our board or disciplinary panel
• act for us as an adviser or consultant
• apply for a job with us

Sources of personal data

Most of the personal data that we hold about you is provided directly by you to us. Situations in which you might provide personal data to us include when you:

• enquire about or apply for a position with us
• provide your CV, personal statement and other evidence of suitability
• enter into a consultancy agreement or employment contract
• complete your new starter forms
• sign up for employee benefits
• participate in an annual appraisal process (your own or someone else’s)

We might receive personal data about you from a third party, for example if we seek references or we run checks to verify the information you have provided to us. We will make you aware before we seek personal data of this kind from a third party.

If you are an employee, we will also receive personal data about you from service providers, such as your nominated pension fund and our payroll agents.

Types of personal data

If you are a job applicant or a contractor, the type of personal data we hold about you will depend on what information you have provided to us. It might include:

• your contact details
• details of previous experience, qualifications and work history
• bank details if you are entitled to a payment (such as a consultancy fee or travel expenses)

If you are an employee (including members of our board and disciplinary panel), in addition to the above we are likely to hold the following personal data about you:

• pension details
• tax details
• date of birth
• remuneration details
• leave records
• assessments of your performance
• your personal views, including on the performance of others
• professional and personal references
• details of any involvement you have with the Association of Costs Lawyers

If you are a member of our board, in addition to the above we are likely to hold the following personal data about you, as required by Companies House:

• appointment details
• nationality
• occupation
• your professional or business interests

In some case, we might need to ask you for additional personal data to ensure you meet the requirements of our Board Appointment Rules or Panel Member Appointment Criteria, as applicable.

The GDPR considers certain types of personal data to be particularly sensitive and deserving of additional protections. This is known as “special category” data and it includes data about things like race, political opinions, religion, health, sexual orientation and trade union membership.

We do not collect special category data about staff as a matter of course. However, sometimes we receive special category data that you have chosen to provide, for example to help us ensure we are an inclusive employer. Any special category data is provided with your consent and is handled using additional safeguards. We will not share it with a third party without your consent, unless we are required to do so by law. We also collect special category data through diversity surveys that we ask job applicants and staff to complete from time to time, however this data is anonymised.

How and why we use your personal data

The situations in which we will process your personal data include:

• assessing your eligibility for a position
• paying your remuneration and determining other entitlements
• paying tax, pension and other contributions in relation to your employment
• conducting performance appraisals and setting objectives
• meeting our reporting, governance and legal obligations (including compliance with the Legal Services Board’s Internal Governance Rules)
• administering the personal data that we hold, including to comply with data protection laws

How long we retain your data for

We only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including the purposes of satisfying any legal, regulatory or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use, our legal obligations, the purpose of the processing and whether that purpose can be achieved through other means.

We record the retention period for different types of data in our processing record. Generally, we retain employee details for six years following the end of employment, other than bank details which we retain for one year and pension details which we retain much longer. We retain personal data relating to unsuccessful job applicants for six months following a recruitment campaign. We retain director records for twelve years following resignation from the board. We delete data safely when the retention period ends.

C. Sharing personal data with third parties

We share information with the Association of Costs Lawyers (ACL) – including ACL’s education arm, ACL Training – which will sometimes include personal data. In particular, we:

• provide ACL with Costs Lawyers’ contact details and practising status to facilitate the annual renewal of ACL memberships and practising certificates
• share details of CPD records, where an audited Costs Lawyer has claimed CPD points for ACL membership or activities
• pass on communications that are clearly intended for ACL but are sent to us in error
• inform ACL of complaints received about Costs Lawyers where this is necessary to obtain evidence or facilitate an investigation, or is otherwise in the public interest

We share information with other regulatory bodies for the purpose of enabling us or them to fulfil a regulatory or other statutory function in the public interest. These bodies include other approved regulators under the Legal Services Act 2007 and the Legal Ombudsman. We may also share personal data with the police or other law enforcement agencies, or persons seeking to establish a legal claim, where we are satisfied that disclosure of the personal data is necessary and lawful. We will share personal data with regulators outside of England and Wales where they make a valid request under section 9 or 10 of the Professional Qualifications Act 2022.

In the context of complaints and disciplinary proceedings, we will usually share personal data about the complainant with the Costs Lawyer involved, and share details of the Costs Lawyer’s response with the complainant. We might also need to share this data with third parties, such as potential witnesses. This is necessary to ensure that a complaint can be investigated fully, fairly and transparently. If you wish to keep certain personal data confidential in this context, you should discuss this with us, but please be aware that this may not be possible if disclosure is required in the public interest.

We engage third party service providers to help us fulfil our regulatory functions. We share personal data with those service providers only where necessary to carry out the service contract. All service providers are required to take appropriate security measures to keep your personal data safe, use the personal data only as instructed by us and not for their own purposes, and safely dispose of the personal data once the service has been provided.

Your personal data will be stored in our email and/or cloud storage accounts as part of our information management systems. We use Microsoft and Amazon Web Services in the UK for providing these systems, to keep your data safe and secure. These providers do not use the personal data that they process on our behalf for their own purposes.

We do not generally share your information with other third parties (such as marketing agencies) or transfer it outside of the EU/EEA. If we ever need to do so, we will obtain your consent first, unless we are required to share the data by law.

D. The lawful bases for processing your personal data

We only process your personal data where we have a valid lawful basis for doing so.

The lawful basis upon which we rely for the majority of our data processing activities is known as the “public task” basis (Article 6(1)(e) of the GDPR). This applies where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, which covers our role as a regulator. Your personal data will be processed on this basis, except as described below.

We rely on the contract basis (Article 6(1)(b) of the GDPR) for processing personal data about our staff, where the processing is necessary to perform a staff contract. We also rely on the legal obligation basis (Article 6(1)(c) of the GDPR) for processing personal data about staff (including our directors) where this is necessary to meet our obligations to authorities such as HMRC and Companies House.

Generally, we do not rely on your consent to use your personal data, because we need to process personal data to fulfil our public functions. Where we occasionally do rely on your consent as the lawful basis for processing your data, you can withdraw that consent at any time by Contacting Us and we will cease to process the data unless we have another lawful basis upon which to do so. This will not affect the lawfulness of our processing up to that point.

Situations in which we process personal data on the basis of consent are:

• sending communications to members of the public who have asked to join our mailing list
• publishing a Costs Lawyer’s professional contact details (address and telephone) in the Register of Costs Lawyers
• receiving special category data from Costs Lawyers seeking a dispensation from compliance with our regulatory rules (typically health data)
• receiving special category data from consumers about the nature of a vulnerability

In relation to the special category data described above, Article 9 of the GDPR provides that processing can only take place if certain conditions apply. We rely on consent as the condition for processing this special category data (in addition to relying on the public task basis as our lawful basis for handling the data).

E. Automated decision making

We do not currently take any decisions using automated means and do not intend to do so in the foreseeable future. In particular, applications for a Costs Lawyer practising certificate are considered on an individual basis by the CLSB. We will contact you if we intend to use your personal data to make automated decisions in the future.

F. Data security

As a data controller, we take the security of your personal data very seriously. We have put appropriate security measures in place to protect your personal data and minimise the risk of it being accidentally lost, tampered with, disclosed or otherwise used in an unauthorised way.

In relation to electronic data, these measures include encryption, password protection, antivirus measures, back-up systems and physical protection for hardware. These measures apply to all our electronic data, whether it is stored in our email system, electronic files or database. We aim to minimise the storage of hard copy data. Our remaining hard copy archives are stored in a secure facility which are protected by passcode access, alarms, cctv and a physical key.

Our third party providers of IT systems are reputable suppliers, such as Microsoft and Amazon Web Services, which have state of the art data security measures in place. We use contractual measures to ensure that other third party suppliers handle your personal data securely, confidentially and in accordance with our instructions. We limit access to your personal data to those staff members, agents, contractors and other third parties who have a business need to use it.

We have procedures in place to deal with an actual or suspected data breach. We will notify you and any applicable supervisory body of a data breach where we are required to do so by law or if we otherwise believe that notification is appropriate.

G. Your rights in relation to your personal data

Data subject rights

You have the right to see, verify and correct the personal data we hold about you. You can also ask us to erase your personal data, stop processing it or transfer it to someone else. These are your data subject rights.

Detailed information about your data subject rights can be found in the Your Data Matters section of the Information Commissioner’s Office website. In summary, in certain circumstances you have the:

• Right to request access to the personal data that we hold about you, by making a so-called “data subject access request”. This enables you to get a copy of the personal data we process about you and check that it is being used lawfully.
• Right to request correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you brought up to date (although this does not extend to amending personal data that was accurate at one time even though the current position is different).
• Right to request that your personal data be erased. This allows you to ask us to delete personal data where there is no longer a valid reason for us to process it.
• Right to request that processing of your personal data is restricted, for example to suspend processing while we establish whether the personal data is accurate and there is a valid lawful basis for processing it.
• Right of have your personal data transferred to a third party.

Exercising your rights

If you want to exercise any of your data subject rights, you can Contact Us. You do not need to use any special forms or refer specifically to the right(s) mentioned above. However, the more information you can give us about the nature of your request and what you would like to achieve, the more chance we have of resolving your enquiry quickly and to your satisfaction.

Please note that, because we are a regulatory body and we use your data to fulfil our statutory obligations, there may be some limitations on how we can respond to your request. For example, where we rely on the “public task” basis for processing your personal data, the right to erasure and the right to have your data transferred do not apply. As explained above, much of the personal data we hold is processed on the public task basis. You should not let this stop you from making a request or enquiry about your personal data; we can discuss with you how your rights apply and how we can best meet your needs.

We do not usually charge a fee for providing access to your personal data, however we will charge a reasonable fee if you require further copies of your data following compliance with your original request. If your request is manifestly unfounded or excessive, we are not obliged to comply with it.

We might need to request specific information from you to enable us to verify your identity prior to complying with your request to exercise your data subject rights. This is designed to keep your data safe from unauthorised disclosure and use.

H. Complaints

If you think we have mishandled your personal data in any way, please Contact Us in the first instance and we will do our best to put things right.

You can also complain to the Information Commissioner’s Office, using the information on their Make a Complaint webpage or by letter to their mailing address:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

The Information Commissioner’s Office is the supervisory authority for data protection issues in England and Wales.

I. Contacting us

If you have any questions about this policy or how we use your personal data, please contact us using the form on our website.

Alternatively, we can be reached at:

PO Box 4336, Manchester, M61 0BW
Telephone: 0161 956 8969

J. Review

This privacy policy is regularly reviewed and kept up to date to reflect changes in our processes and changes in the law. If this privacy policy is amended, we will publish the latest version on our website. If the changes are significant, we will make reasonable efforts to inform those affected.

The most recent review date can be found at the top of this policy.