Privacy Notice for Karen Maxwell
Summary
- All the barristers and arbitrators at Twenty Essex are independent practitioners who share the costs of offices and administration, but not profits or liabilities. Each barrister and arbitrator is a separate data controller and is separately responsible for their own compliance with data protection law.
- I collect, store, use and otherwise process personal data to enable me to provide my professional services including advising and acting on behalf of my clients and providing dispute resolution services. I also process it so that I can train pupils, work experience students and others, and to carry out business administration including marketing, and supporting and managing chambers’ employees.
- The personal data I process is about people who engage or appoint me or make enquiries about my professional services; people involved in legal matters; visitors to chambers; present, past and prospective pupils, assistants, employees and members of chambers; suppliers; lawyers, judges, arbitrators and court and arbitral institution employees, and tribunal secretaries.
- Where necessary for professional reasons or because I am legally required to do so, I share personal data with others including regulators, courts, tribunals, arbitrators, arbitral institutions, and for the administration of my professional practice.
- I will not keep personal data longer than I think is necessary, which is normally seven years after the resolution of a dispute, or after my services are no longer required, or (if you work at chambers) for two years after your employment ends.
- Using secure means, I take data away with me when I work outside of the UK, and I transfer personal data outside the UK to chambers’ employees who work in chambers’ office in Singapore, to other members of chambers in various countries, and to encrypted storage in Ireland.
- Because I decide why and how to process personal data, I am a “data controller” for the purposes of the Data Protection Act 2018 and the General Data Protection Regulation (usually known as the UKGDPR). Because of the way barristers’ chambers like mine operate, other people in my chambers may also be data controllers for the same data.
- You have several rights relating to my processing of your personal data. Depending on the circumstances, these include the right to know how I am processing it, the right to have it erased and the right to complain to the Information Commissioner’s Office (ICO).
My contact details
If you have any questions about this privacy notice or the data I hold about you, please get in touch.
The best way to contact me is to write to my Compliance and Governance Manager:
Hayley Poole
Twenty Essex
20 Essex Street
London
WC2R 3AL
The telephone number is +44 (0)20 7842 1200, and the email address is hpoole@twentyessex.com. Please include “Data protection” in the subject line of your email.
How my Chambers works
As is usual for barristers’ chambers, the members of my chambers at Twenty Essex have no collective legal identity. All the barristers and arbitrators here are independent practitioners who share the costs of offices and administration, but not profits or liabilities. Each barrister and arbitrator is a separate data controller and is separately responsible for their own compliance with data protection law.
Facilities such as practice management software, document reproduction, internet and communications, are provided by our service company Twenty Essex Limited for the benefit of all of us. This means that Twenty Essex Limited is the “data processor” for us in relation to those facilities. Twenty Essex Limited is also the employer of our clerks and employees, and is the data controller in respect of personal data relating to chambers’ general administration, such as employment, tenancy and pupillage applications, relationships with suppliers, general marketing activities and monitoring for equality and diversity and work allocation.
Twenty Essex Limited is registered with the ICO with registration number ZB291594.
Because we all participate in the management of chambers as a whole, each member may also (depending on the particular data in question) be a joint data controller with other members in chambers. But even where this is the case, each remains responsible for their own compliance with data protection law and any relevant obligations of confidentiality.
Your rights
You have a number of rights that you can exercise free of charge and on request in certain circumstances. But if your requests are obviously unfounded or excessive, I reserve the right to charge a reasonable fee or to refuse to act on them.
In summary, depending on the circumstances, you have the right:
- to be informed about the collection and use of your personal data
- to access your personal data and supplementary information
- to have inaccurate personal data corrected, or completed (if it is incomplete)
- to have your personal data erased
- to restrict my processing of your personal data
- to receive a copy of any personal data you have provided to me, in a machine-readable format, or have this information sent to a third party
- to object at any time to processing of your personal data for direct marketing purposes
- to object in certain other situations to the continued processing of your personal data.
For more information on these rights and when you can exercise them, see the Information Commissioner’s Guide.
If you want to exercise any of these rights, please let me know by using the contact details above. If you want me to reply, or to send you anything, you must give me your contact details as well. I may need to ask you to verify your identity.
I will respond to you within one calendar month from when I receive your request, unless the complexity and number of requests I receive means that I need more time. If I need more time (up to two further months) I will tell you why within the first month.
How to make a complaint
You also have the right to lodge a complaint with the ICO if you are in the UK, or with another supervisory authority outside of the UK where you work, normally live or where the alleged infringement of data protection laws occurred.
The ICO can be contacted here.
How I use personal data
My particular reasons and justifications for processing your personal data depend on our relationship.
If you are an individual appointing or engaging me, or if you make an enquiry about my professional services
What I process, and why
I need information from you to make sure there are no conflicts of interest with any of my other work, to provide you with the professional services you ask for, to charge you for them and to keep track of what you have paid. I will process:
- your name and contact details (address, phone number and email address)
- ID document information (document numbers, photograph)
- your employment information (the organisation you work for, your position or job title, your qualifications)
- correspondence involving or concerning you
- any personal details about you which are given to me
- billing and financial information (bank account number, sort-code, VAT details), which is only likely to be personal data if a non-corporate account is used.
The legal basis I rely on for processing your personal data is article 6(1)(b) of the UKGDPR, which relates to processing necessary to perform a contract or to take steps at your request before entering a contract. If the information contains special category data, such as health, religious, ethnic or sexual orientation information, the legal basis I rely on to process it is article 9(2)(e) of the UKGDPR, which relates to personal data you have manifestly made public, and article 9(2)(f) which relates to processing necessary for the establishment, exercise, or defence of legal claims.
I also need your information to comply with my legal obligations to keep accounting and tax records, and to perform due diligence checks on you for anti-money laundering and terrorism funding purposes if the work I am undertaking for you falls within the scope of the Money Laundering Regulations.
My legal basis for processing this information is article 6(1)(c) of the UKGDPR because it is necessary for compliance with my legal obligations. My processing of special category data is based on article 9(2)(g) and Schedule 1 Part 2 paragraphs 10, 14 and 15 of the Data Protection Act 2018 because it is necessary for reasons of the substantial public interest in the prevention or detection of an unlawful act, for the purposes of preventing fraud, and to make a disclosure in good faith under the Terrorism Act 2000 or Proceeds of Crime Act 2002.
In addition, I will use your data for the purposes of:
- carrying out office administration
- checking before accepting future work that there are no conflicts of interest
- taking or defending legal or regulatory proceedings, exercising a lien or responding to potential complaints or making complaints
- training others and providing work-shadowing opportunities
- promotion and marketing
- responding to requests for references
- procuring goods or services
- keeping in touch with you for professional reasons
- publishing judgments or other decisions of the courts or tribunals
- security and access to our buildings.
The legal basis I rely on for these purposes is article 6(1)(f) of the UKGDPR, which allows me to process personal data when it’s necessary for the purposes of my legitimate interests.
You are not obliged to provide me with any of this information, but if you do not I may not be able to answer your query or provide you with the services you ask for.
Where I get this data from
If you do not provide me with this information yourself, I may still receive it from your lawyer, members of the public, your family and friends, arbitral institutions, other professionals or parties involved in your matter, witnesses, courts and tribunals, investigators, government departments, regulators, public records or registers.
How long I store your personal data for
I will only keep your personal data for as long as necessary to fulfil the purposes for which I collected and continue to process it, and to satisfy any legal, accounting or reporting requirements. This means:
- if your personal data relates to a legal matter, I will normally keep it until at least 1 year after the expiry of any relevant limitation period (which will usually be 6 years, but may be longer or shorter depending on the circumstances or if the laws of other countries apply), from the date of the last item of work carried out, the date of the last payment received or the date on which all outstanding payments are written off, whichever is the latest. This is because it may be needed for potential legal proceedings. At this point I will review the need for any further retention and the data will be marked for deletion or marked for retention for any necessary further period. That further retention period is likely to be necessary only where the information is needed for legal proceedings, regulatory matters or active complaints. I will review this retained data on a regular basis. Deletion will be carried out (without further notice to you) as soon as reasonably practicable after the data is marked for deletion.
- I will store some personal data which I need to carry out conflict checks for the rest of my career. However, this is likely to be limited to your name and contact details, a broad outline of your role, and the names of significant individuals involved.
- I may be required to keep certain records of any anti-money laundering and terrorism funding due diligence I have carried out for up to five years. After that, I will delete them, unless I am required to keep them for the purposes of any legal proceedings or to comply with any legal enactment.
- So that we may keep in touch for professional reasons I will retain your contact details for as long as you are content for me to have them.
If you are an individual (such as a witness, a judge, arbitrator or tribunal member, or a director or employee of a company) involved in a legal matter I am or might become engaged on
What I process and why
If you have not engaged or appointed me yourself but you are involved in a legal matter I may still process your personal data so that I can provide my professional services or consider whether to provide them. This might happen if, for example, you are a witness or if you are employed by a company which is involved.
I will process:
- your name and contact details (address, phone number and email address)
- ID document information (document numbers, photograph)
- your employment information (the organisation you work for, your position or job title, your qualifications)
- the nature of your involvement
- your relationship to the parties or potential parties who are involved
- correspondence involving or concerning you
- any personal details about you which are given to me.
My processing is based on article 6(1)(f) and 6(1)(e) of the UKGDPR, and section 8(a) of the Data Protection Act 2018, because it is necessary for the performance of a task carried out in the public interest, namely the administration of justice or because it is necessary for the purpose of the legitimate interests of the person who has engaged or appointed me, or who is considering whether to do so.
If the information contains special category data, such as health, religious, ethnic or sexual orientation information, the legal basis I rely on to process it is article 9(2)(e) of the UKGDPR, which relates to personal data you have manifestly made public, and article 9(2)(f) which relates to processing necessary for the establishment, exercise, or defence of legal claims.
Where I get this data from
If you do not provide me with this information yourself, I may still receive it from the person who has engaged or appointed me (or who is considering whether to do so), your lawyer, arbitral institutions, other professionals or parties involved in the matter, witnesses, arbitrators, courts and tribunals, investigators, government departments, regulators, public records or registers.
How long I store your personal data for
I will keep this information for the same amount of time as I would if you were an individual appointing or engaging me, or if you made an enquiry about my professional services (see above).
If you are a past, present or potential future pupil, mini-pupil or work experience student, member of or employee at my chambers
What I process and why
If I am involved in your recruitment, I will use the information you provide during the recruitment process to progress your application with a view to offering you a pupillage, mini-pupillage, work experience or tenancy contract, or to fulfil legal or regulatory employment requirements if necessary. I will also use your personal data to pay you and provide you with employment benefits, to keep employment records, to monitor and assess your performance and progression, and to provide you with a reference if required.
I will process:
- your name and contact details (address, phone number and email address)
- ID document information (document numbers, photograph) and visa document information
- your professional, academic and educational qualifications and institutions attended
- your training and previous experience and employment details
- if you are a lawyer, details of your practice to date
- your tax reference/NI number/PAYE and payroll details
- previous references
- correspondence involving or concerning you
- your bank details, to process salary or other payments to you
- your emergency contact details so we know who to contact in case you have an emergency at work.
The information I ask for at the recruitment stage is used to keep you informed about the progress of your application and to assess your suitability for the position you have applied for. You don’t have to provide it, but it may affect your application if you don’t.
You will also be asked to provide equal opportunities information so that we can produce and monitor equal opportunities statistics. This is not mandatory. If you don’t provide it, it won’t affect your application, contract or membership. I will not make the information available to anyone apart from those members of chambers and employees involved in the monitoring of equal opportunities.
The legal basis I rely on for processing your personal data is article 6(1)(b) of the UKGDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.
The legal basis I rely on to process any information which is special category data, such as health, religious, ethnic or sexual orientation information (for example if you would like us to make adjustments to accommodate you) is article 9(2)(b) of the UKGDPR, which relates to my obligations in employment and the safeguarding of your fundamental rights, and article 9(2)(h) for assessing your work capacity as an employee. I also rely on Schedule 1 Part 1 paragraphs 1, 2(a) and 2(b) of the Data Protection Act 2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.
If you are a member of chambers or pupil and you leave chambers, I will keep your name and contact details to stay in touch with you, but only if you agree. The legal basis I rely on for processing that personal data is article 6(1)(a) of the UKGDPR, which relates to processing you have consented to.
Where I get this data from
I will get this information from you or from members of my chambers involved in recruitment, from recruitment agencies, from the Bar Standards Board and Bar Council, and in the case of pupillage applications, from the Bar Council’s Pupillage Gateway. If you nominate referees, I will get information about you from them.
How long I store your personal data for
If your application is unsuccessful, I will retain your data for one year from the date a decision is communicated to you. If your application is successful, I will retain your personal information during your employment, contract or membership and for two years afterwards. If you are a former member or pupil, I will keep your name and contact details for as long as you agree.
If you are a visitor to Chambers or to a Chambers event
We keep records of who you are, when you visit, and who you are visiting. We will record and keep that information for one month and then destroy it.
We also operate a CCTV system in our buildings which will record your image, and a security access system which retains your details for 30 days.
We may keep all of that information and share it with the police and our insurers if it is necessary to do so for the purposes of an ongoing criminal or insurance investigation.
We process this information for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the UKGDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.
If your name or image reveals personal data concerning your racial or ethnic origin or your religious or philosophical beliefs, we will process it for those same reasons. The legal bases we will rely on are articles 9(2)(e) and 9(2)(g) of the UKGDPR and Schedule 1 Part 2 paragraph 10 of the Data Protection Act 2018, to the extent they have manifestly been made public by you, and because it is necessary for reasons of the substantial public interest in the prevention or detection of an unlawful act.
We have Wi-Fi at chambers for the use of visitors. If you use it we record the device address, the name of your device and the IP address allocated to you. We retain that information whilst you are using the Wi-Fi, and for a short while longer (about 24 hours).
The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The legal basis we rely on to process your personal data is article 6(1)(f) of the UKGDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.
If you use the Chambers’ website or Chambers’ IT systems
We use cookies on our website which are necessary for the website to work properly.
A cookie consists of information sent by a web server to a web browser and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.
Some cookies will be deleted from your computer when you close your browser, but some will remain stored on your computer until deleted, or until they reach a specified expiry date.
Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third-party cookies (see online guidance). For example, in Edge you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector. Blocking all cookies will, however, have a negative impact upon the usability of many websites, including ours.
For security reasons and to fulfil our legal obligations to ensure that the systems are adequately secured so that clients’ affairs can be kept confidential, we will record your IP address and details of the pages you have visited. We keep this information for up to one month unless it is needed for the purposes of an ongoing security investigation.
The legal basis we rely on to process your personal data is article 6(1)(f) of the UKGDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.
If you telephone or email Chambers
I need to keep details of phone calls or emails so that I can respond to them promptly and properly.
I or chambers’ employees will process:
- your name
- the name of your organisation
- your position or job title
- your telephone number or email address
- any personal information you provide during the call or leave in a message, or provide in an email.
The legal basis I rely on to process your personal data is article 6(1)(f) of the UKGDPR, which allows me to process personal data when it’s necessary for the purposes of my legitimate interests.
If you leave a voicemail for me, this will be deleted after I have listened to the message or automatically after 4 weeks.
Our voicemail system will also automatically send a copy of your voicemail message to me by email. This email will be deleted once I have dealt with it or automatically after 4 weeks.
If you do not fall into the other categories (for example if you supply me with goods or services)
In order to manage my relationship with you, manage my practice, to buy products or services from you and to comply with my legal obligations to keep accounting and tax records, I will process:
- your name and contact details
- financial information (bank account number, sort-code, VAT details), which is only likely to be personal data if a non-corporate account is used
- correspondence involving or concerning you.
The legal bases I rely on for processing your personal data are article 6(1)(b) of the UKGDPR, which relates to processing necessary to perform a contract or to take steps at your request before entering a contract, and article 6(1)(f) of the UKGDPR because it is necessary for the purpose of my legitimate interests. To the extent that I need to keep data in records for tax or accounting purposes, my legal basis for processing this information is article 6(1)(c) of the UKGDPR because it is necessary for compliance with my legal obligations.
I will keep your information for so long as I think we might have a business relationship and for up to 7 years if it is necessary to do so for accounting or tax purposes.
Sharing your information
All barristers are required by the Bar Code of Conduct to keep their client’s affairs confidential. In addition, much of the information barristers deal with is protected by their client’s legal privilege unless and until it becomes public in the course of any proceedings or otherwise. In most circumstances, arbitrators have a legal duty of confidentiality.
In some circumstances I am legally obliged to share information. For example, I may have to do so under a court order or with regulators, such as the Bar Standards Board, the Solicitors Regulation Authority, the Financial Conduct Authority or the ICO. In the case of the ICO, there is a risk that your information (including privileged information) may lawfully be disclosed by them for the purpose of any other civil or criminal proceedings, without my consent or yours.
In chambers, we use some third-party data processors such as IT service and support companies to help us provide our legal services. We have contracts in place with them which mean that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any other organisation. They will hold it securely and retain it for the period we instruct.
I share personal data (not including confidential or legally privileged information) for the purposes of chambers’ administration. Please see “How my Chambers works” above.
For training purposes, I share personal data with trainee barristers, students and others, but always subject to a data processing contract and obligations of confidentiality.
Whilst performing my professional services, and subject to my professional obligations and any relevant duties of confidentiality, I may share personal data with other legal professionals, arbitral institutions, witnesses, courts and tribunals.
In the event of a complaint being made against me, I will share personal data with the Heads of Chambers, other members of chambers who deal with complaints, the Bar Standards Board, relevant arbitral institutions and the Legal Ombudsman.
If you do not pay my invoices, I might disclose information about your identity, assets and amounts owed to a third-party recovery agency.
If you apply for a position as a pupil, mini-pupil or work experience student, member or employee, I will share personal data with:
- the intended recipient, where you have asked me to provide a reference
- other members of chambers who are involved in the recruitment process and in monitoring for the purposes of equality and diversity
- current, past or prospective employers.
Transfer of your information outside of the United Kingdom
My chambers has an office in Singapore. Some of the administrative staff are based there, and they have secure access to chambers’ administrative computer systems. Therefore, for the purposes of chambers administration, your name, contact details and (if you engage or appoint me) billing details, and details concerning your need for my services necessary for administrative purposes, will be transferred out of the UK to employees in Singapore.
If you communicate with me and you are in a country outside the UK, or if for professional reasons I must contact someone in a country outside the UK, then I will have to transfer information which may include personal data to those countries. If this applies to you and you wish additional precautions to be taken in respect of your information please let me know. The same applies if I have to provide a reference for you to someone outside the UK.
The data protection laws and procedures of some countries and organisations outside the UK have been assessed by the UK Government and found to be adequate. The list can be found here. Most have not been found to be adequate. If your data has to be transferred outside the UK to one of these countries, then it may not have the same protections and you may not have the same rights as you would within the UK. So that I can access your data when I need to, and protect it in the case of corruption, I use a cloud storage and backup solution which is based in Ireland. Ireland does not have the same data protection laws as the UK but has been recognised by the UK as providing adequate protection.
Because I am an independent professional, I may carry out my work when I am in a country outside the UK on business or on holiday, and I may be based there for substantial periods of time. When I take personal data with me or process it whilst outside the UK I will always ensure that it is appropriately encrypted and protected.
If you would like any further information please let me know.
Exemptions from the UKGDPR
You should note that parts of the UKGDPR do not apply in respect of some of the data I process.
That includes data that is:
- information in respect of which a claim to legal professional privilege could be maintained in legal proceedings, or
- information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
There are more details in Schedule 2 Part 4 paragraph 19 of the Data Protection Act 2018.
Also, certain provisions of the UKGDPR do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent me from making the disclosure. That data is personal data where disclosure:
- is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
- is necessary for the purpose of obtaining legal advice, or
- is otherwise necessary for the purposes of establishing, exercising or defending legal rights
to the extent that the application of those provisions would prevent the controller from making the disclosure. There are more details in Schedule 2 Part 1 paragraph 5 of the Data Protection Act 2018.
Marketing communications
If you provide me with your name, contact details or professional interests, I may use them for the purposes of sending you marketing communications.
I will not send you any marketing communications by email unless you have consented or unless you have given me your details in the course of the sale or negotiations for the sale of my services to you, the marketing is in respect of similar services, and you have been given the opportunity to opt-out.
You will also be given another opportunity to opt-out in all marketing emails.
If you have consented to receive marketing communications by email, I rely upon that consent as the legal basis for processing your personal data for that purpose, under article 6(1)(a) of the UKGDPR.
Otherwise, the legal basis I rely on for the purposes of sending you marketing communications is article 6(1)(f) of the UKGDPR, which allows me to process personal data when it’s necessary for the purposes of my legitimate interests.
You have the right to withdraw your consent at any time. If you do not wish to receive marketing communications (whether by email or otherwise), please let me know and we will update our records immediately to reflect your wishes. This will not affect the lawfulness of any processing activity we have carried out prior to you withdrawing your consent.
For the purposes of the marketing of members of chambers’ practices, I will share your details with other members of chambers, but we will not share those details with any third parties for marketing purposes.
We will keep your name, contact details and details of your professional interests on our business development system for direct marketing purposes for two years after your last contact with chambers. At that point we will delete your details from that system.
Last updated: June 2024
Contains public sector information from https://ico.org.uk licensed under the Open Government Licence v3.0.