Information the CLSB collects and how it is shared
The Costs Lawyer Standards Board is an Approved Regulator of the Costs Lawyer profession pursuant to the Legal Services Act 2007. For the purposes of the General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018 which supplements the GDPR and extends its application in the UK, we act as a data controller as we collect, use and share personal data in the exercise of our regulatory functions under the Legal Services Act 2007.
What we consider to be Personal Data
Personal Data is defined by the GDPR as any information relating to an identified or identifiable natural person. It may also be categorised as being sensitive.
Examples of Personal Data include:
- name and surname;
- home address;
- email address;
- identification number;
- location data; and
- internet protocol (IP) address.
Examples of sensitive Personal Data include:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- sexual orientation;
- trade union membership;
- genetic data; and
- biometric data (where processed to uniquely identify someone).
How long we will keep Personal Data
We will keep Personal Data for as long as necessary to ensure it fulfils its regulatory function in the public interest.
How we keep Personal Data secure
We have defined processes and procedures in place to ensure we comply with the eight principles of the Data Protection Act 2018 so that Personal Data is:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and
- not transferred to other countries without adequate protection.
The right to rectification
In most cases you are entitled to have your records amended if the Personal Data we hold is inaccurate or incomplete. Examples where this right does not apply is:
- amending Personal Data which was accurate about you at one time even though the current position is different;
- changing records sent to us by others which you say is inaccurate because the information is an accurate record of what was sent to us.
The right to erasure
You have a right to request your Personal Data be deleted in certain circumstances:
- where it is no longer needed for the purposes it was collected;
- where consent is relied upon as the lawful basis for processing, consent is withdrawn and there is no other lawful basis for our continuing to process it;
- you object to the processing and there are no overriding legitimate grounds to continue;
- where the data has been unlawfully processed; or
- where it has to be erased for compliance with a legal obligation.
This right does not apply where
- we need the information for the performance of our regulatory functions;
- there is a need to comply with a legal obligation; or
- it is necessary to process the Personal Data in connection with legal proceedings or legal advice.
The right to object or to restrict processing
You have the right to object to us processing your Personal Data. If such an objection is raised, we will stop processing your Personal Data unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.
The right of access
You have the right to obtain the following information:
- a copy of Personal Data we hold about you;
- the reasons why we hold it;
- who the Personal Data will be shared with; and
- details of the period for which your Personal Data will be retained.
You can request this information by contacting us.
In some cases, we are not required to provide you with this information, for example:
- where your Personal Data includes information about another individual, except where the other individual has agreed to the disclosure or it is reasonable to provide you with this information without the other individual’s consent. In deciding this, we would have to balance your right to access your Personal Data against the other individual’s rights regarding their own information; or
- if it is manifestly unfounded or excessive.
Information sharing with third parties
We may, in performance of our regulatory function, be required to share information which includes Personal Data, with:
- the Legal Services Board as oversight regulator;
- the Legal Ombudsman, who has jurisdiction under the Legal Services Act 2007 to consider complaints about the service provided by a Costs Lawyer authorised and regulated by us;
- other Approved Regulators under the Legal Services Act 2007;
- the Police or other Government agency where it is reasonable to do so to support their or our statutory or public function;
- a third party with a legitimate interest in that information, where we are satisfied disclosure is necessary and lawful such as where a person is making or seeking to establish legal claim;
- the Association of Costs Lawyers, the professions representative body and named Approved Regulator under the Legal Services Act 2007, who delegated its Approved Regulator status to us on 31 October 2011; and
- research bodies appointed to assist the CLSB in achieving the regulatory objectives set out in the Legal Services Act 2007.
In most cases, we will inform you if we are sending your Personal Data somewhere else. We will not inform you that your Personal Data is being shared in law enforcement connected regulatory matters, where to inform you may defeat the purpose of making the disclosure or in certain cases which involve disproportionate effort.
If you have any concerns about this policy or the way your Personal Data was processed by us then this concern can be raised by contacting us.
If you consider it appropriate to make a complaint about any aspect of our application of this policy or the way your Personal Data was processed, this complaint can be made by contacting us.
We believe it is necessary and in the public interest that we ensure we handle complaints fairly and effectively. A complaint will be considered in accordance with the internal complaints policy published on our website.
The Information Commissioner’s Office (ICO)
The ICO is the independent regulatory office in charge of upholding information rights in the interest of the public. We are registered with the ICO. In the event you believe we have breached this policy or the GDPR, you have the right to bring that to the attention of the ICO under their published procedures. They can be contacted on 0303 123 1113.
We will keep this policy under regular review to ensure that it remains current and fit for purpose.
Last updated: 23 September 2019