Privacy Policy
In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’.
UK GDPR states that personal data should be processed lawfully, fairly and in a transparent manner in relation to individuals and ‘collected for specified, explicit and legitimate purposes’, and that individuals’ data is not processed without their knowledge and is only processed with their ‘explicit’ consent.
Kenneth Curtis & Co LLP is committed to protecting the rights and freedoms of individuals with respect to the processing of personal data. UK GDPR gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. Kenneth Curtis & Co LLP is registered with the ICO (Information Commissioner’s Office) under registration number Z1590368.
In order to provide legal services to you and for related purposes shown below we may obtain, process, use and disclose personal data about you:-
- updating and enhancing client records and client files in paper and on computer systems
- analysis to help us manage our practice
- statutory returns
- legal and regulatory compliance and crime prevention
Our use of that information is subject to your instructions, the UK GDPR and our duty of confidentiality. Please note that our work for you may require us to give information to third parties such as other solicitor firms, other professional advisers, and statutory bodies such as HM Land Registry, HM Revenue & Customs etc. You have a right of access under data protection legislation to the personal data that we hold about you.
When processing personal data for accounting and auditing in accordance with the Solicitors Regulation Authority, taxation and related services, we act as the data controller. We confirm that we will comply with the obligations UK GDPR places on Kenneth Curtis & Co LLP as a data controller. For services such as tax returns, you are the data controller and we act as the data processor, and we confirm we will comply with the obligations the UK GDPR places on us as a data processor.
We record clients’ names, addresses, telephone numbers, email addresses, dates of birth and National Insurance numbers. In family matters we need to know children’s full names, addresses, and dates of birth. Information is stored on our computer systems, on our servers and on our client files.
We record details of our suppliers and referrers (names, addresses, telephone numbers, email addresses and fax numbers), which are held on our computer systems and in our accounts department where invoices are processed.
As an employer, Kenneth Curtis & Co LLP is required to hold data on its employees: names, addresses, email addresses, telephone numbers, dates of birth, National Insurance numbers, photographic ID (for example passport, driver’s licence), bank details, utility bills.
At any point an individual can make a request relating to their data and Kenneth Curtis & Co LLP will provide a response within 28 days. Kenneth Curtis & Co LLP can refuse a request, i.e. if we have a lawful obligation to retain data, but we will inform the individual of the reasons for the rejection.
Individuals have the right to request the deletion of data where there is no legal reason for its continued use. If an individual requests that their personal data be removed from the firm’s files, accounting system or computer system, the request cannot be fulfilled where files have to be kept for a specific length of time by law. The individual will have the right to complain to the ICO if they are not happy with the decision.
Clients and staff can object to their data being used for certain activities like marketing or research.
Kenneth Curtis & Co LLP does not use personal data for marketing-based organisations, nor does it use data for any direct marketing purposes.
Access to all office computers is password protected. When a member of staff leaves the firm, their password will immediately be changed in accordance with Kenneth Curtis & Co LLP’s leavers process.
Article 5 of the UK GDPR sets out seven key principles which lie at the heart of the general data protection regime and are set out below.
UK GDPR means that Kenneth Curtis & Co LLP must ensure that personal data are:-
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The legislation places a responsibility on every data controller to process any personal data in accordance with the seven key principles. Detailed guidance on how to comply with these principles can be found on the ICO’s website (www.ico.org.uk). In order to comply with its obligations, Kenneth Curtis & Co LLP strives to adhere to the seven principles.
This policy will be updated as necessary to reflect best practice or future amendments made to the UK GDPR and Data Protection Act 1998.