Reviewed September 2021
Next review September 2023
In order to try to minimise the risk of data security breaches, we have certain data security protocols (including Schedule 1: Data Protection Addendum). This means that:
1. All documents have to leave our office electronically. This is for data protection. Please let us know as soon as possible if you have any problems accessing any discs or encrypted emails.
2. We will provide our opinion by secure form, i.e. on an encrypted document, in a password protected attachment to an email or via encrypted transfer, such as WeTransfer or Egress. In routine communications between us we will assign a reference to this matter so it can be quoted in emails and therefore avoid having to refer to my client or the Claimant by name.
3. We will not refer to the Claimant or my clients' names in the subject line of emails.
4. We will ensure that adequate security measures are in place to protect all information received and stored by us. All electronically held information should be encrypted and any hard copy material should be stored with adequate physical security.
5. At the conclusion of this claim, we will need to dispose of (shred/destroy) or return hardcopies (by recorded delivery or courier) or delete electronic communications of all confidential information sent to us once it has been agreed and deemed appropriate for us to do so. We will ensure that any electronic information which has been downloaded onto your system is deleted, subject to the termination of the case and an agreement to delete the files being appropriately acknowledged.
Schedule 1 - Data Protection Addendum
1. PARTIES
The parties to this Data Protection Addendum are as follows:
(A) White House Medicolegal of 3 Sandygate Park, Sheffield S10 5TZ
and
(B) YOU as the referring party or ‘solicitor’ (either "You" or "Your" for the purpose of this Data Protection Addendum),
each a "Party" and together the "Parties".
2. DEFINITIONS
For the purpose of this Data Protection Addendum, the following expressions shall have the following meanings:
“Data Controller”
as defined in Data Protection Legislation;
“Data Processor”
as defined in Data Protection Legislation;
"Data Protection Legislation"
means all data protection and privacy legislation, regulations and guidance applicable in respect of a Party from time to time including, without limitation as applicable:
(i) the Retained Regulation (EU) 2016/679 (UK GDPR) and Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003;
(ii) any other relevant UK legislation; and
(iii) Guidance, or codes of practice issued by the Data Protection Regulator from time to time (all as amended, updated or re-enacted from time to time),
“Data Subject(s)”
as defined in Data Protection Legislation;
“Discloser”
means the Party disclosing Shared Data to the Recipient;
“Data Protection Regulator”
means the UK Information Commissioner’s Office or any successor body from time to time and any other regulator or supervisory authority with jurisdiction over either Party;
“Personal Data”
as defined in Data Protection Legislation;
“Process” or “Processes” or “Processing”
as defined in Data Protection Legislation;
“Recipient”
means the Party receiving Shared Data from the Discloser;
"Security Breach"
means an actual, suspected or threatened event that affects the confidentiality, integrity, availability and/or resilience of the Shared Data, the systems on which it is Processed, and/or the services through which it is accessed, including (without limitation) a 'personal data breach' as defined in Data Protection Legislation; and
“Shared Data”
means Personal Data held by one Party as a Data Controller, which is provided to the other Party as a Data Controller under this Agreement.
3. DATA PROTECTION
General Obligations
3.1 The Parties acknowledge that in respect of the Shared Data each is a separate Data Controller; one Party will be the Recipient and the other Party the Discloser.
3.2 In relation to the Shared Data, the Discloser shall ensure that:
3.2.1 the Shared Data has been obtained by it and transferred to the Recipient, in accordance with the Data Protection Legislation; and
3.2.2 in particular:
3.2.2.1 the Shared Data is accurate and up to date;
3.2.2.2 it has provided the Data Subjects of the Shared Data with a fair processing notice in accordance with the Data Protection Legislation, which allows it to transfer the Shared Data to the Recipient and allows the Recipient to Process the Personal Data; and
3.2.2.3 where possible, the Shared Data includes the contact details of the Data Subjects to enable the Recipient to provide them with their fair processing notice.
3.3 In relation to the Shared Data, the Recipient shall:
3.3.1 comply with the Data Protection Legislation;
3.3.2 implement, maintain, and regularly test, appropriate technical and organisational measures to protect the Shared Data from a Security Breach; and
3.3.3 in particular:
3.3.3.1 provide the Data Subjects of the Shared Data a fair processing notice in accordance with the Data Protection Legislation; and
3.3.3.2 where necessary under the Data Protection Legislation, it will obtain the consent of the Data Subjects to Processing of the Shared Data.
Security Breach Notification
3.4 In the event of a Security Breach in respect of the Shared Data Processed by (or on behalf of) the Recipient, the Recipient shall handle such Security Breach in accordance with the Data Protection Legislation and shall notify the Discloser as soon as reasonably practicable, and in any event at least 24 hours before notifying any Regulator or any Data Subject.
3.5 In such notification to the Discloser, the Recipient shall provide the Discloser with sufficient information about the Security Breach and steps it is taking to remedy the Security Breach, mitigate any risk arising out of it and prevent it recurring, in order for the Discloser to assess:
3.5.1 the severity of the Security Breach;
3.5.2 the risk posed to Data Subjects;
3.5.3 the appropriateness of the steps being taken to remedy the Security Breach, mitigate any risk arising out of it and prevent it recurring; and
3.5.4 the likelihood of any further Security Breaches.
If sufficient information is not available at the time the Recipient is required to notify the Discloser, the Recipient shall provide as much information as it has available at the time.
3.6 The Recipient shall continue to provide updates to the Discloser as to their investigation of the Security Breach at regular intervals (as reasonably requested by the Discloser) including:
3.6.1 the steps it is taking to remedy the Security Breach, mitigate any risk arising out of it and prevent its recurrence;
3.6.2 copies of any communication to and from any Regulator and Data Subjects, to the extent it does not contain confidential information; and
3.6.3 any other information reasonably requested by the Discloser.
Co-operation and Assistance
3.7 Each Party shall promptly notify the other Party if it becomes aware of any circumstance which may cause either Party to breach:
3.7.1 this Data Protection Addendum; and/or
3.7.2 the Data Protection Legislation in relation to the Shared Data.
3.8 Each Party shall promptly notify the other Party as soon as it receives any request or enquiry from a Regulator or Data Subject with regard to the Shared Data, and shall keep the other Party regularly updated as to how it handles such request or enquiry.
3.9 Each Party shall reasonably cooperate with the other Party concerning:
3.9.1 the other Party’s compliance with this Data Protection Addendum;
3.9.2 the other Party’s compliance with the Data Protection Legislation in relation to the Shared Data; and/or
3.9.3 any request or investigation by a Regulator regarding the Shared Data.
Audit
3.10 The White House Medicolegal will review and require all information necessary to demonstrate compliance with this Data Protection Policy.
3.11 We may ask any involved third party to comply with requests to assist in our audit where it is deemed necessary to review any transactions between both Parties.
4. Contact
For concerns or complaints relating to GDPR, please contact The White House Medicolegal, where a formal process of investigation will be followed.
30/09/2021