CORRIGAN & CORRIGAN
DATA PROTECTION POLICY
Data Protection is the means by which the Privacy Rights of individuals are safeguarded in relation to the processing of their Personal Data. The General Data Protection Regulations (EU) 2016/679 (GDPR) confer rights on individuals as well as placing responsibilities on those persons controlling and processing Personal Data.
We treat Personal Data with the greatest possible care and have a clear policy on Data Protection which is set out herein.
1. Who are we?
Corrigan & Corrigan is a third generation firm of Solicitors founded in 1906. It is based at 3 St Andrew Street, Dublin 2. While widely regarded as one of the leading Irish Insurance litigation firms in the Country, we offer a wide and broad range of legal services to our clients including Employment Law, Conveyancing, Probate and Landlord & Tenant.
2. What Personal Data do we collect?
The Personal Data which we collect in relation to our clients includes name, address, telephone number, email address, PPS number, bank information, copy ID and proof of address, medical records, medical reports, accident report forms, details and contact details of next of kin. We are required to collect this Personal Data in order to deal efficiently with cases and pursuant to our legal, statutory and regulatory obligations.
3. The Legal Basis for processing the data as well as the purposes of the processing for which the personal data is intended.
We collect Personal Data in order to facilitate us in entering into a contract for the provision of legal services and for the performance of our contractual obligations on foot of same. Different information may be required depending on the type of legal service which is being provided.
We also rely upon consent to retain and process personal data.
We shall keep any personal data and information we have confidential, except where disclosure is required by law or by regulation or in other exceptional circumstances.
It may be necessary to disclose information which is confidential, for example disclosures to third parties involved in the work we are undertaking such as Counsel, Engineers, Medical Advisors, Architects, Tax Consultants, Accountants etc.
It may also be necessary for information to be disclosed to, or inspected by, our specialist IT Service Providers, Law Society, Revenue Commissioners, auditors, or other advisors for the purposes of our professional indemnity insurance and/or for the purposes of applying our risk management procedures.
We endeavour to make sure that the providers of services to us are reputable and can provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that your personal rights are protected.
When we store files off site, we will take all reasonable steps to make sure that information is kept confidential.
The following are examples of how we use the Personal data which we hold depending on the type of legal service we are engaged to provide. This list is not exhaustive.
- For beneficiaries in an Estate, we will require their PPS number together with details of all previous gifts received by them since 5th December 1991 in order to complete the deceased’s Schedule of Assets leading to the Grant of Representation.
- If assets were jointly held with a deceased, details of the same will also be required for inclusion in the Schedule of Assets.
- The Schedule of Assets must be lodged in the Probate Office for the Grant of Representation to issue.
- The Probate Office will send a copy of the Schedule of Assets to the Revenue Commissioners for review.
- PPS numbers and contact details may also be sent to our tax agent to facilitate the completion of tax returns.
- Bank details will be required to be submitted to us by post to facilitate the payment of any bequests.
- Contact details may need to be provided to an Architect to facilitate the preparation of Maps/Certificate of Compliance with Planning and Building Regulations;
- Contact details may be required for the completion of mortgage documents and/or a Sale/Purchase Questionnaire;
- PPS numbers will be required to facilitate the stamping of any Deed.
- Transfer documentation in relation to a purchase will be lodged with the Property Registration Authority
- PPS numbers, Contact details and the details of the purchase and sale of a property may be provided to a tax agent to facilitate the filing of any necessary tax returns i.e. CGT etc
- Bank details are required to be submitted by post to facilitate the transfer of the balance of the sale proceeds.
- Contact details together with statements/details of the accident/incident and any investigation or medical reports/records and wages/salary and employment details will be required to enable us to give advice on quantum and/or sending papers to Counsel and the making of a claim and any court proceedings
- PPS numbers may be required to facilitate the submission of a PIAB application
- Medical records may also be required as part of the discovery process.
- Bank details will be required for the payment of any settlement etc
The period for which personal data will be stored
How long we hold data is subject to legislation and the regulatory rules we must follow, set by the Law Society, the Revenue Commissioners etc. At the conclusion of each case, files are archived and routinely destroyed in accordance with Corrigan & Corrigan’s file destruction policy. Litigation files are normally destroyed after a period of 13 years in accordance with the Law Society Guidelines. Conveyancing files are retained for a period of 12 years. Litigation files involving a minor Plaintiff are destroyed 7 years beyond the age of majority of the Plaintiff. Files may, in exceptional circumstances, be kept beyond those retention periods in certain instances to include the prevention or detection of fraud and dishonesty.
Rights pursuant to the Data Protection Legislation
Arising out of the GDPR, data subjects have the following rights which we treat with the utmost importance.
(i) A Right to Access
The right to access a copy of their Personal Data
We have discretion with regard to the scope of access sought. That discretion arises in certain instances such as the Prevention, Investigation or Prosecution of Criminal Offences, the Prevention, Investigation, Prosecution of Breach of Ethics, the protection of the Data Subject, the enforcement of Civil Law claims in the interest of National Security or public interest.
Data Access Requests
Any such request should be submitted in writing by post and directed to the Solicitor handling your file.
We require evidence of identity to make sure that personal information is not given to the wrong person, so we ask clients to assist us by sending in the following:
- A signed Data Access Request with a return address;
- An original or certified copy of a recent utility bill (dated within the last 3 months) with a matching address;
- A certified copy of a current passport or driving licence;
We request as much information as possible to assist us in locating the data that you are interested in accessing to include references etc.
We reserve the right to charge a reasonable fee for the copying of personal data.
(ii) Right to Rectification
Corrigan and Corrigan’s clients have a right to have Personal Data rectified if it is in any way inaccurate or incomplete. Any such request for rectification of Personal Data must be made to the Managing Partner in writing and Corrigan and Corrigan will endeavour to respond to your written requests within a period of one month of the receipt of the request. This might be extended by two further months if requests are numerous or complex.
We will also (subject to any legal constraints) advise to whom the personal Data has been disclosed, if disclosed.
(iii) Right to Erasure
Clients have the right to seek erasure of their Personal Data on foot of a written request in the following scenarios:
- Where the personal data is no longer necessary in relation to the purposes for which it is collected;
- Where consent has been withdrawn and there is no other legal or regulatory ground for processing the personal data;
- When there is objection to the processing of the personal data and there are no overriding legitimate grounds for the processing;
- The personal data may have been unlawfully processed;
- The personal data has to be erased to comply with an EU or Member State legal obligation
- The personal data has been collected in relation to the offer of information society services to a child under 16 years of age if no parental consent has been given
- Right to restriction of processing
We will endeavour to inform recipients, to whom personal data has been disclosed, of the request for erasure, unless we are legally precluded from doing so, this proves impossible or involves disproportionate effort.
We will further endeavour to erase the data within one month of receipt of the request. We reserve the right to extend this period by a further two months where appropriate.
The right to erasure is not an absolute right and for example is not available where we are required by law or regulation to retain certain personal data or where it undermines freedom of expression.
(iv) Right to Restriction of Processing
Clients have the right to authorise us to store their personal data but not to process it. This right arises in four scenarios:
- Where the accuracy of the data is contested, processing can be restricted for a period to enable us to verify its accuracy
- Where the processing is unlawful and the client opposes erasure and requests restriction instead;
- Where we no longer need the personal data, but the client requires the data to exercise or defend a legal claim.
- Where the client has objected to the processing, it should be restricted pending verification of whether our legitimate interest overrides all clients.
Whilst Corrigan & Corrigan’s clients have the right to restrict the processing of their personal data, this may hinder the performance of our contractual obligations to such an extent that we are no longer in a position to act for them.
(v) Right to Data Portability
The right to data portability which enables a client to obtain their data and have it transmitted to another data controller without hindrance, where technically feasible.
(vi) Right to Object to Processing
The right to object to the processing of personal data where it causes unwarranted substantial damage or distress. GDPR does provide a general right for a data subject to object to processing. Data subjects have the right to object to:
- Processing based on public interest or legitimate interest grounds including profiling
- Direct marketing
- Processing for scientific historical or research purposes.
When a data subject objects to such processing the Controller must stop processing the personal data unless we are obligated by law or regulation to do the same. It should be noted however that objecting to the processing of a client’s personal data may hinder the performance of our contractual obligations to such an extent that we are no longer in a position to act for that client.
(vii) Right to Withdraw Consent
Data subjects have the right to withdraw consent at any time in relation to the retention and processing of personal data with Corrigan & Corrigan. Such withdrawal in relation to consent should be furnished to the managing partner at our offices in writing and will result in the termination of our contractual arrangements with the client. The exercise of this right is not an absolute right and is subject to our legal and regulatory obligations.
If a client wishes to invoke their data protection rights, they must contact Cora Fitzsimons, Managing Partner, in writing by post or alternatively by e-mail to Cora.Fitzsimons@corrigan.ie.
4. Right to Lodge a Complaint with the Supervisory Authority
If a client is unhappy with how we have acted in handling the personal data in any way, please contact Cora Fitzsimons, Managing Partner in writing by post or alternatively by e-mail at Cora.Fitzsimons@corrigan.ie.
Clients also have the right to submit a complaint to the Data Protection Commissioner who can be contacted at Canal House, Station Road, Portarlington, Co. Laois or 32AP23 by e-mail at email@example.com or by telephone at 057 8684800 or 076 104800.
5. Data Protection Principles and Accountability
Data subjects are entitled to know that their information and personal data is being processed and controlled for legitimate purposes and disclosed only where permissible by law. We are committed to complying with the following principles of data protection law
- Data must be processed lawfully, fairly and in a transparent manner
- Personal data must be processed for specified, explicit and legitimate purposes and cannot be further processed in a manner incompatible with those purposes; however, processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes
- Personal data must be accurate, relevant and limited to what is necessary only in relation to the purpose for which the data is processed
- Personal data must be accurate and where necessary kept up to date and every reasonable step must be taken to ensure that the personal data which may be incorrect or inaccurate having regard to the purposes for which it was processed, is erased or rectified without delay
- Personal data must be kept for no longer than is necessary for the purposes for which the data is processed; however, personal data may be stored for longer periods insofar as it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- Personal data must be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage and in that regard we have particular technical and organisational measures in place which will be set out below
- A client is entitled to receive a copy of their personal data upon request. We have set out in our Client Care Policy (which is made available to our clients upon engagement), our Confidentiality and Data Protection Policy. The purposes for which the personal data is being obtained and the fact that it is being obtained is made clear in our policy as are our obligations in certain instances for the use and disclosure of personal data.
6. Security Integrity and confidentiality of data
Any personal data that a client provides to us will be treated with the highest standards of security and confidentiality and handled in accordance with the General Data Protection Regulation.
We have systems in place in order to protect clients' personal data. E-mails sent from our offices to domains utilising TLS are automatically encrypted. When sending sensitive data to a domain not TLS enabled, those e-mails are password protected. Staff with office mobile phones are restricted to using encrypted iPhones. Devices such as Blackberrys are not used for e-mail and are not linked to the office systems for data security purposes. Our offices are accessed via a secure door with a pass code protected keypad. Only office personnel are permitted beyond reception and the access to our offices is CCTV monitored.
All files are retained in cabinets and any files in use outside the office are transported and stored in a locked briefcase which must be attended by Corrigan & Corrigan personnel at all times.
Our computers and laptops are password protected and documentation of a sensitive nature when being transferred to other parties such as Counsel, are delivered by registered post or by courier in tamper proof envelopes.
All of our personnel are fully aware of their obligations in terms of data protection and the GDPR. All office information is treated with the utmost confidence by our personnel.
Any files which are archived off site are archived in a secure facility with a reputable company with whom we have a Data Processing Agreement in place.
Under Data Protection Legislation we are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented in processing data for our clients. Such measures can include an ongoing review of our processing systems and services by the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and a process for regularly testing, accessing and evaluating the effectiveness of technical and organisational measures in order to secure the processing of personal data for our clients.
We are also obliged to take steps to ensure that any individuals acting under our authority who have access to personal data do not process it except on very specific instructions and unless required to do so and that obligation has been made clear in our internal policies to our personnel.
7. Data Breach Reporting
In the event of a data breach, it is our policy to notify the Data Protection Commissioner without undue delay and where feasible not later than 72 hours after becoming aware of it. The breach will be logged in our Data Breach Log.
We consider a data breach to be a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or processed by us.
We have data processing agreements in place with our sub-processors to include our I.T. personnel, shredding personnel, file storage etc and it is also required that our sub-processors notify the breach to us and to the Data Protection Commissioner in the event one occurs.
We will also notify the data subject in the event of a data breach, where the breach is likely to result in high risk to them; however, notification is not required in some instances such as where we have implemented appropriate technical and organisational measures so that the personal data is unintelligible or where we have taken measures to ensure that the high risk to our customers does not materialise.
8. Data transfers outside of Ireland
All personal data collected for the purposes specified in this Statement is processed inside the European Union (EU) or the European Economic Area (EEA) and will never be transferred to countries located outside the EU or EEA unless that Country has an adequate level of data protection or you have explicitly consented to that transfer and it is necessary for the performance of a contract or for public interest reasons and the defence of legal claims or in the vital interests of our customers.