UK Migration Lawyers

GDPR And Data Protection Privacy Notice

Introduction

At UK Migration Lawyers, we use a wide range of personal data in order to provide high quality legal advice and services, and we take our legal obligations to your privacy and confidentiality seriously.  This document outlines your rights with regards to our use and retention of your personal data, details how and why we use your personal data, and our legal obligations that this gives rise to.

On the 25th of May 2018, the EU General Data Protection Regulations (GDPR) took effect.  These regulations replace the current law regarding data privacy (Data Protection Act 1998) and offer individuals more rights and improved protection for the processing of their personal data. The Data Protection Act (2018) further modifies the rights of data subjects and the obligations of those who use, store and processs their data as defined in the EU General Data Protection Regulations.

This document is written in as clear and concise a manner as possible.  Throughout this document, we will make reference to different sections of the GDPR (these are known as articles) and these can be found on the easy to use website at https://gdpr-info.eu/ This is a third party website and we cannot guarantee that it will always be available or that the information it contains will be correct, and if you have any doubt you should double check the European Commission or Information Commissioner’s websites.

To help you understand this notice, definitions of the key terms used are provided at the end of this document.

UK Migration Lawyers (The Data Controller)

UK Migration Lawyers Ltd. (company registration no. 06702262) is a firm of solicitors who specialise solely in the provision of immigration advice and services. Our head office is at Centre Court, 1301 Stratford Road, Birmingham, B28 9HH and you may contact us regarding GDPR matters via email at [email protected] We are regulated by the Solicitors Regulation Authority (497640) and accredited by the Law Society.  UK Migration Lawyers Ltd. is registered as a Data Controller with the Information Commissioner’s Office (registration number Z2121476) and this document constitutes.

Information We Collect And Process When You Visit Our Website

Web Server Log Information

The web server upon which we host our site is privately owned by us and located within the European Union.  Our server automatically records the IP address and page of those who visit our website and this data is stored in log files securely.  As new log entries are made, old log entries are removed, and the data contained within the logs is therefore refreshed on a rolling basis.  We do not attempt to identify individuals unless we are investigating criminal or suspicious activity.

Legal basis for processing

Legitimate interest, Article 6(1)(f) of the GDPR.

Our legitimate interest

We have a legitimate interest in using log data to ensure the security of our server and the continuity and information security of the website that it hosts.

Duration and erasure

This data is continually replaced and whilst the frequency of this varies on the traffic our website received, we do not anticipate that the data will be retained for longer than one month.

Disclosure

We may be required to disclose this information for the purposes of fraud, money laundering, crime detection and prevention.

 

Cookies

Cookies are small data files that are exchanged between a website and a visitor’s device (eg. Phone, computer or tablet) for the purposes of identifying browsing sessions.

We use cookies to enable us to understand the usage of our website including the how users have found or website, the time they have spent on it and the pages that they have visited. 

Cookies are considered ‘online identifiers’ and can be used in combination with other data, such as web server logs, to uniquely identify website users.  We do not attempt such data manipulation and cookie data on our web server is routinely and periodically expunged.

Legal basis for processing

Legitimate interest, Article 6(1)(f) of the GDPR.

Our legitimate interest

We require to use cookies on our website for the purposes of enhancing website functionality and understanding aggregate patterns of usage of our website.

Duration and erasure

Cookie data is routinely and periodically expunged from our servers 24 hours after a user’s last website activity.

Disclosure

We may be required to disclose this information for the purposes of fraud, money laundering, crime detection and prevention.

Information We Collect And Process When You Interact With Our Website

When you complete the contact form on our website, we collect the following pieces of information if you provide them:

  1. Name;
  2. Telephone Number;
  3. Email Address;
  4. Type of Help Required;
  5. An optional message.

This information is transferred from your web browser to our web server in an encrypted format under SSL. Once this data reaches our web server, it is then transferred to our Customer Relationship Management (CRM) tool in an encrypted format under SSL.  This data is held securely in our EU based CRM, access to which is restricted by username and password, and is only available to be accessed from our main office.  We do not use this data for direct marketing purposes.

Legal basis for processing

Necessary to perform a contract [or to take steps at your request prior to entering into a contract], Article 6(1)(b) of the GDPR.

Why this data is necessary to perform a contract

The data that we collect through this method is the minimum that we can gather to allow us to contact prospective clients.

Duration and erasure

We keep this personal data for a period of 2 years, after which time it is removed from our CRM system.

Disclosure

We may be required to disclose this information for the purposes of fraud, money laundering, crime detection and prevention.

Data Gathered And Processed When You Call Our Client Liaison Team

Data Gathered And Processed By Our Client Liaison Team Prior To And Whilst Becoming a Client

Our Client Liaison Team is the first point of contact that prospective clients have and this interaction, and the data that is gathered during this interaction, is critical to the process of becoming a client.  During the initial assessment conducted by the by the Client Liaison Team, it will be necessary to disclose to them your personal data and this will be stored in notes held on our Client Relationship Management tool.  It may also be necessary for you to disclose special categories of data and data relating to criminal convictions and offences. Where this is the case, the Client Liaison Officer will seek your oral consent to hold this data for the purposes of taking steps to form a contract.

Our Client Liaison Team may also request evidence of previous immigration history such as Home Office Refusal Letters, Passport Stamps or Vignettes or Immigration and Asylum Court Decisions.  This evidence will be requested via email or by fax, and will be stored in the email account of the Client Liaison Officer from whom the request originated.  Such data may include ‘special category’ data and the Client Liaison Officer will seek your oral consent to hold this data.  In the event that a prospective client becomes a client, all of the data that has been provided to our Client Liaison Team will be transferred to a file on our digital Case Management System, access to which is strictly limited to our legal team, details of which are discussed later in this notice.

We audio record all inbound calls to our mainline office switchboard and to our client liaison team, and where the data contained within those calls is subject to the protections afforded by the GDPR, our use and retention of that data is done so under the legal bases below. All call recordings are made in accordance with The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

Legal basis for processing

Necessary to perform a contract [or to take steps at your request prior to entering into a contract], Article 6(1)(b) of the GDPR.

Our reason that your data is necessary to perform a contract

the data that we collect allows us to offer products and services to, and form contracts with, prospective clients.

Secondary legal basis for processing

Processing is necessary for compliance with a legal obligation to which the controller is subject, Article 6(1)(c) of the GDPR.

Our legal obligation

We are required by the Solicitors Regulation Authority to keep clients’ instructions for at least six years, Account Rule 29.17 of the SRA Handbook.

Legal basis for processing special category/criminal data

The data subject has given consent to the processing of his or her personal data for one or more specific purposes, Article 6(1)(a) of the GDPR.

Duration and erasure

Where a prospective client does not contract with us we keep this personal data for a period of 2 years, after which time it is removed from our CRM system. Where a prospective client does contract with us and legally instructs us, we keep this personal data for a period of 6 years. Beyond these time limits, digital data is deleted and paper files are securely shredded.

Disclosure

We may be required to disclose this information for the purposes of fraud, money laundering, crime detection and prevention.  We may also be required to disclose this data to our regulator or for the purposes of audit and accreditation.

If a call is made to our office as a result of online marketing, we may well attach details of your call to the form of marketing that you saw for the purposes of marketing analysis.  We also maintain a register of all calls to and from our offices for the purposes of billing and business analysis. We do not routinely attribute specific call or marketing data to specific individuals unless required in extraordinary circumstances.

Data Gathered And Processed When Making a Payment To Us

Our Client Liaison Team also handle client payments of legal fees and disbursements.  When payment is made by way of card, we enter the card details provided into a secure virtual terminal that is processed by our merchant bank. We do not, under any circumstances, hold card details of any kind.  We do, for the purposes of accounting, hold information relating to payments that have been made to us and to which invoice or disbursement those payments were in respect of.

Legal basis for processing

processing is necessary for compliance with a legal obligation to which the controller is subject, Article 6(1)(c) of the GDPR.

Our legal obligation

We are required by the Solicitors Regulation Authority to keep clients’ instructions for at least six years, Account Rule 29.17 of the SRA Handbook.

Duration and erasure

we keep this personal data for a period of 6 years, after which time it is removed from our Case Management System and the paper file is disposed of using secure waste.

Disclosure

We may be required to disclose this information for the purposes of fraud, money laundering, crime detection and prevention. Our accounts are maintained by an accredited accountant who retains payment data for a specific period necessary to comply with their legal obligation as stipulated by their regulator

Data Gathered And Processed By Our Legal Team

Data Gathered And Processed By Our Legal Team In The Performance of Your Matter

Our legal team require a wide variety of personal data in order to provide the wide variety of legal advice and services that we offer. This data falls into two categories: personal data and special category personal data.

Personal data is any data that identifies you or relates to you as an individual. Examples are your name or your email address. Special category data, however, is a special set of data that, as the GDPR defines it, reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”

Personal Data

The personal data that is provided during the process of becoming a client of UK Migration Lawyers is used to create a paper file and a digital file on your Case Management System (this is also GDPR compliant and a compliance statement is available on request). This ensures that clients can make best use of the time they spend with the legal team and are not forced to repeat all of the details that they have previously provided. Furthermore, once a client has instructed us they are deemed to have contracted with us and our legal obligations to our regulator with respect to the client’s matter begin.

Legal basis for processing

i) the data subject has given consent to the processing of his or her personal data for one or more specific purposes, Article 6(1)(a) of the GDPR.

ii) necessary to perform a contract [or to take steps at your request prior to entering into a contract], Article 6(1)(b) of the GDPR.

ii) processing is necessary for compliance with a legal obligation to which the controller is subject, Article 6(1)(c) of the GDPR.

i) Your consent

ii) Our legal obligation


iii) Contract Performance

 

Clients consent to their data being used when signing our Terms of Business.

We are required by the Solicitors Regulation Authority to keep clients’ instructions for at least six years, Account Rule 29.17 of the SRA Handbook.

All the personal data that we collect and process is necessary for the performance of our clients’ instructions.

Duration and erasure

we keep this personal data for a period of 6 years from when the associated matter is completed and the file closed. If, at this time, any original documents exist on file and we have made reasonable endeavours to return them but been unsuccessful, we will destroy these documents by secure waste.

Disclosure

We may be required to disclose this information for the purposes of fraud, money laundering, crime detection and prevention. We will also be liable to disclose your personal details to those with a legitimate interest in them including (but not limited to) barristers, counsel, chambers and their clerks, courts and their clerks, the Home Office, couriers, auditors, regulators, contractors and service providers, and those who we deem essential to the performance of a client’s instructions within the context of us being in receipt of a valid form of authority.

The safeguards that the GDPR puts in place with respect to Personal Data are complemented by those afforded by the Solicitors Regulation Authority’s Regulations and by which all firms of solicitors must abide. The utmost care is taken to ensure that client confidentiality is respected and that legally privileged information is not shared unless absolutely necessary to the performance of a client’s instructions (an example of this would be providing a barrister a copy of a client’s court bundle in order that the barrister can prepare thoroughly and best represent the client in court).

Special Category Data and That Relating to Criminal Offences and Convictions

Special category data, as defined at the end of this document, may be required to be processed in the performance of a client’s instructions to us and it is difficult for us to predict when this will be the case in all matters.  Most immigration applications require that applicants declare any criminal convictions but other matters, such as Administrative Review or challenging a civil penalty, may not, on first sight, need this data and then subsequently rely on its use at a later stage. To this end, we request from all clients unambiguous and explicit consent to our processing their special category data as consent is the only legal basis upon which special category data can be processed in the context of a firm of solicitors.

Storage of Special Category Data and That Relating to Criminal Offences and Convictions

Where you provide this data to us on paper, this may be photocopied and the original and any copies kept securely under lock and key within our offices, with any digital scans being entered onto our secure Case Management System. Where you provide this data by email, this data will be imported into our secure Case Management System and your original email retained in our secure email archive. Where you fax your data to us, this data is stored digitally in our secure Case Management System.

Why And to Whom Do We Disclose or Exchange This Data?

In the performance of your instructions to us regarding your immigration matter, it may be necessary to disclose or exchange your special category data or data relating to any criminal offences and convictions, to people or bodies other than the employees of UK Migration Lawyers.  Those with whom we routinely allow to process this data are contractors of UK Migration Lawyers and consultants to us who have a clear need to access this data in order to perform your instructions to us whilst attending our offices to work on your immigration matter. In the performance of an immigration matter or instructions we may also be required to disclose special category data or data relating to criminal offences and convictions to the following:-

  • The Home Office (including The Secretary of State for the Home Office Department, UK Visas And Immigration, Home Office Presenting Officers and others within the Home Office) as the body with whom all applications, extensions are lodged and who are the respondent in reviews and appeals. In particular, if we request a Subject Access Request from the Home Office on your behalf, this may well hold various types of special category and, if any, data relating to criminal convictions or offences.
  • Barristers’ Chambers (including barristers and clerks) where a complex matter requires specialist advice or when we seek counsel representation for Reviews or Appeals in court.
  • Medical Professionals and Experts, where, with the data subject’s permission, we may seek medical reports or an expert opinion.
  • Social Services, where it may be necessary, with the data subject’s permission, to seek reports or expert opinion.
  • The Probation Service and other Ministry of Justice bodies and Prisons and Detention Centres, where, with the data subject’s permission, we may seek reports and data on criminal offences, convictions and sentencing and rehabilitation.
  • Interpreters and Translators, where it may be necessary to have documents translated or for speech to be interpreted.
  • Regulatory Bodies (such as the Solicitors Regulation Authority) or the Legal Ombudsman where we have a legal obligation to process and disclose special category data or data relating to criminal convictions or offences.
  • Police or other law enforcement bodies where we have a legal obligation to disclose your data or have been legally compelled to do so.
  • Other firms of Solicitors where, from time to time, it may be necessary to request documents relating to any previous instruction handled by another firm.

The above list is not exhaustive and only relates to special category data or to data concerning criminal offences and convictions.

Retention and Destruction of Special Category Data and That Relating to Criminal Offences and Convictions

We have two files for each matter of each client. Our digital file, stored on our secure Case Management Portal, is deleted from our system after 6 years of being closed as is our legal obligation under the Solicitors Regulation Authority Account Rule 29.17 of the SRA Handbook. Our paper file, stored in our offices under lock and key, is disposed of as confidential waste after 6 years of being closed as is our legal obligation under the Solicitors Regulation Authority Account Rule 29.17 of the SRA Handbook.  Where a paper file includes original documents, we will make all necessary endeavours to return them, however, should we be unable to within 6 years of file closure, we will dispose of them as confidential waste.

Your Rights Regarding Special Category Data and That Relating to Criminal Offences and Convictions

The GDPR affords you various new and enhanced rights with regards to the data that we hold about our clients, applicants, sponsors and other data subjects. Most notable is the right to withdraw consent for us to hold special categories of personal data or data relating to criminal offences and convictions.  Consent can be withdrawn at any time by email to [email protected] or by calling our offices on 0121 777 7715 to inform us.  Withdrawing consent will mean that we are no longer able to process this data, however, there is no effect on the lawfulness of processing based on consent before its withdrawal.

Children’s Privacy

Where we require to process data pertaining to a child and which complies with the legal bases for processing data as specified above, we will seek the consent of the child’s parent or guardian to do so. 

Disclosure of Personal Information To Service Providers

We use a number of third parties to provide us with services that are necessary to run our business and to perform our clients’ instructions on their behalf. These include:

Telephone Providers: LegalTX - http://www.legaltx.co.uk/privacy-policy/

Cloud Computing Provider (Hosting, CRM, Backup): Amazon AWS https://aws.amazon.com/compliance/gdpr-center/

Case Management System: LEAP https://leap.co.uk/information-security-policy/

Email Provider: http://www.privacy.microsoft.com/en-gb/privacystatement

Your Rights In Relation to Your Information

Subject to certain limitations on certain rights, you have the following rights in relation to your information, which you can exercise by writing to UK Migration Lawyers, Centre Court, 1301 Stratford Road, Birmingham, B28 9HH or sending an email to [email protected] :

 

  • to request access to your information and information related to our use and processing of your information;
  • to request the correction or deletion of your information;
  • to request that we restrict our use of your information;
  • to receive information which you have provided to us in a structured, commonly used and machine-readable format (e.g. a CSV file)and the right to have that information transferred to another data controller (including a third party data controller);
  • to object to the processing of your information for certain purposes (for further information, see the section below entitled Your right to object to the processing of your information for certain purposes); and
  • to withdraw your consent to our use of your information at any time where we rely on your consent to use or process that information. Please note thatif you withdraw your consent, this will not affect the lawfulness of our use and processing of your information on the basis of your consent before the point in time when you withdraw your consent.

In accordance with Article 77 of the General Data Protection Regulation, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the General Data Protection Regulation.

For the purposes of the UK, the supervisory authority is the Information Commissioner’s Office (ICO), the contact details of which are available here: https://ico.org.uk/global/contact-us/

Further Information On Your Rights In Relation To Your Personal Data As An Individual

The above rights are provided in summary form only and certain limitations apply to many of these rights. For further information about your rights in relation to your information, including any limitations which apply, please visit the following pages on the ICO’s website:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/; and

https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

You can also find out further information about your rights, as well as information on any limitations which apply to those rights, by reading the underlying legislation contained in Articles 12 to 22 and 34 of the General Data Protection Regulation, which is available here: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

Verifying Your Identity Where You Request Access To Your Information

Where you request access to your information, we are required by law to use all reasonable measures to verify your identity before doing so.

These measures are designed to protect your information and to reduce the risk of identity fraud, identity theft or general unauthorised access to your information.

How we verify your identity

Where we possess appropriate information about you on file, we will attempt to verify your identity using that information.

If it is not possible to identity you from such information, or if we have insufficient information about you, we may require original or certified copies of certain documentation in order to be able to verify your identity before we are able to provide you with access to your information.

We will be able to confirm the precise information we require to verify your identity in your specific circumstances if and when you make such a request.

Questions or Complaints

For the purposes of the GDPR, any complaints, questions or feedback should be primarily directed to Gazala Rashid, Director, UK Migration Lawyers, Centre Court, 1301 Stratford Road, Birmingham, B28 9HH or [email protected]

 

 

 

Definitions

  1. ‘Personal data’ means any information relating to an identified or identifiable person; an identifiable person is one who can be identified by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more combinations of factors that can identify an individual person.
  2. ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  3. ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  4. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  5. ‘Special categories’ of personal data is that related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

First Published 25/5/2018

OUR EXPERT LEGAL TEAM

Has your application for a UK visa been refused? We have an excellent track record of successful appeals.

Meet our expert team

UK Migration Lawyers is authorised and regulated by the Solicitors Regulation Authority (SRA Number 497640). Accredited immigration Law Solicitors. UK Migration Lawyers Ltd. / All rights reserved. Company Registration No 06702262 / Registered in England and Wales. Calls to our Solicitors' direct lines are note recorded. Calls to our mainline numbers listed on this website and to our client liaison officers are recorded; by calling these numbers you consent to these recordings being made and to their storage outside of the EU.