Privacy Policy

This policy sets out the requirements for collecting, using, storing, sharing, retaining, and protecting confidential client data. It is designed to support compliance with the UK GDPR and the Data Protection Act 2018, and to align day-to-day handling of information with Cyber Essentials Plus control expectations.

The policy applies to all employees, contractors, temporary staff, and any other person who processes client data on behalf of the organisation. It defines the core responsibilities, controls, and reporting expectations that must be followed to reduce the risk of unauthorised access, loss, misuse, or disclosure of personal data and other confidential client information.

1. Purpose

This policy sets the minimum requirements for handling confidential client data securely and lawfully. It supports compliance with the UK GDPR, the Data Protection Act 2018, and control practices aligned to Cyber Essentials Plus. The policy applies to personal data and any other confidential information obtained, created, stored, transmitted, or otherwise processed in connection with client work.

The organisation will process client data only for legitimate business purposes, in line with applicable legal bases, contractual obligations, and documented instructions where it acts as a processor. Data handling must always be proportionate, necessary, and limited to what is required for the stated purpose.

2. Scope

This policy applies to:

  • All employees, officers, workers, interns, contractors, and agency staff.
  • All systems, devices, applications, storage media, and paper records used to process client data.
  • All client data, including personal data, special category data where applicable, and confidential business information received from or about clients.
  • All processing activities, whether performed on-site, remotely, or through approved third parties.

This policy does not replace contract terms, project instructions, legal advice, or other mandatory information security requirements. Where another approved policy is more stringent, the stricter requirement must be followed.

3. Definitions

Client data means any information relating to a client or an identifiable individual connected with a client matter, whether in electronic, physical, or verbal form.

Confidential data means information that is not intended for public release and whose unauthorised disclosure could cause harm, loss, or regulatory concern.

Processing includes collecting, recording, organising, storing, adapting, retrieving, using, sharing, disclosing, deleting, and destroying data.

4. Roles and responsibilities

4.1 All staff and contractors

  • Handle client data only where they are authorised to do so.
  • Use approved systems and approved methods for storing and sharing data.
  • Protect credentials, devices, documents, and media from unauthorised access.
  • Report suspected breaches, security incidents, data loss, or policy breaches without delay.
  • Complete required privacy and security training and follow all instructions issued by the organisation.

4.2 Managers and team leads

  • Ensure staff understand their privacy and security obligations.
  • Limit access to client data to those who genuinely need it for their role.
  • Escalate non-compliance, repeated errors, or unresolved security concerns.
  • Support prompt containment and investigation of incidents.

4.3 IT and security functions

  • Maintain access controls, secure configuration, endpoint protection, patching, monitoring, and backup arrangements.
  • Review technical controls that protect client data in line with organisational risk and Cyber Essentials Plus expectations.
  • Support incident response, evidence collection, and secure recovery.

4.4 Data protection lead or responsible owner

  • Oversee compliance with data protection obligations and this policy.
  • Advise on lawful processing, retention, disclosure, and breach response.
  • Support reviews, audits, and corrective actions.

5. Lawful and fair processing

Client data must be processed fairly, lawfully, and transparently. Before new processing begins, the responsible owner must confirm the business purpose, lawful basis, retention requirement, access need, and any sharing or cross-border transfer implications. Data collected must be limited to what is adequate, relevant, and necessary for the purpose.

Where the organisation relies on consent, the consent must be informed, specific, freely given, and capable of being withdrawn. Where the organisation acts as a processor, it must process client data only on documented instructions from the controller, unless required otherwise by law.

6. Data handling and storage

6.1 Collection and use

  • Collect only the minimum data required for the intended purpose.
  • Use client data only for approved business purposes and compatible follow-on uses.
  • Do not create unnecessary copies of client data.
  • Check the accuracy of data where it is relied upon for business decisions or client deliverables.

6.2 Storage

  • Store client data only in approved systems, repositories, or filing locations.
  • Apply encryption or equivalent protective measures for portable devices, removable media, and remote access where approved by the organisation.
  • Keep physical records in locked cabinets or secured areas when not in use.
  • Prevent client data from being stored in personal accounts, unauthorised cloud services, or unapproved messaging applications.

6.3 Transport and transfer

  • Use approved secure transfer methods when sending client data internally or externally.
  • Verify recipient details before sending sensitive information.
  • Use password protection or equivalent safeguards where appropriate, and share passwords through separate channels.
  • Do not leave paper files, laptops, or removable media unattended in public or unsecured locations.

6.4 Disposal

  • Destroy paper records securely when they are no longer needed, using approved confidential waste processes.
  • Delete electronic records securely in accordance with retention and disposal procedures.
  • Ensure media is wiped, overwritten, or physically destroyed where appropriate before reuse or disposal.

7. Access controls

Access to client data must be based on the principle of least privilege and granted only where needed for a defined business purpose. Access rights must be approved by an appropriate manager or system owner and reviewed when job roles change, access is no longer required, or a user leaves the organisation.

  • Unique user accounts must be used wherever practicable.
  • Shared accounts must not be used unless expressly authorised and controlled.
  • Strong authentication must be enabled for access to systems that store or process client data.
  • Privileged access must be restricted, monitored, and reviewed more frequently than ordinary user access.
  • Default, unused, or dormant accounts must be disabled or removed promptly.

Passwords and authentication factors must not be shared, disclosed, written where others can access them, or reused in a way that undermines account security.

8. Sharing and disclosure

Client data may be shared only where there is a legitimate need, an approved legal basis, and, where relevant, a written contract or instruction that covers the disclosure. Before sharing, the sender must consider whether the recipient is authorised, whether the minimum necessary data is being disclosed, and whether the data must be redacted, pseudonymised, or otherwise protected.

  • Do not disclose client data to third parties without approval where approval is required by contract, law, or internal procedure.
  • Do not discuss client data in public places or with unauthorised persons.
  • Use caution when copying recipients into emails, messages, or meeting materials.
  • When external service providers process client data, appropriate contractual and security controls must be in place before transfer.

9. Remote working and device security

Client data must be protected when working remotely or using portable devices. Staff must lock screens when away from devices, avoid using public or insecure networks for sensitive work where possible, and prevent unauthorised viewing of information by family members, visitors, or members of the public.

  • Where company devices have been issued and approved, they must be used for all work involving client data.
  • Local storage on devices must be limited to what is required for the task.
  • Lost or stolen devices must be reported immediately.
  • Security updates, patches, and protection software must not be disabled or bypassed.

10. Security controls and Cyber Essentials Plus alignment

The organisation will maintain technical and organisational measures designed to protect client data from common threats. These measures will include secure configuration, malware protection, patch management, access control, firewalls or equivalent network protection, and secure administration of systems used to process client data.

Users must not circumvent security controls, install unauthorised software, or connect unauthorised devices where this would weaken the security of client data or systems. Any exception to a security control must be approved by the appropriate owner, documented, time-limited, and subject to compensating controls where necessary.

11. Retention and deletion

Client data must be retained only for as long as necessary for the purpose for which it was collected, to meet legal, contractual, regulatory, tax, audit, or operational requirements, or for the exercise or defence of legal claims. Retention periods must be defined where possible and applied consistently.

  • Data no longer required must be deleted, anonymised, or securely destroyed in line with approved disposal procedures.
  • Temporary working files must not be kept longer than needed.
  • Where legal hold, dispute, or investigation requirements apply, deletion must be suspended for the affected records.

12. Data subject rights and privacy notices

Where the organisation determines the purposes and means of processing, it must support data subject rights requests in accordance with applicable law. Requests for access, rectification, erasure, restriction, portability, or objection must be forwarded promptly to the responsible owner or designated contact.

Privacy notices, client terms, and related documents must provide clear information about the nature of processing, lawful basis, retention, sharing, and relevant rights, as required by law and the organisation's role in the processing activity.

13. Breaches and incidents

Any actual or suspected breach of confidentiality, unauthorised disclosure, loss of client data, malware event, phishing compromise, or security weakness affecting client data must be reported immediately through the organisation's incident reporting route.

On receipt of a report, the organisation will take prompt steps to contain the issue, assess the risk, preserve evidence, determine the scope of the incident, and decide whether notification or other action is required. Where personal data breaches occur, the organisation will assess whether notification to the relevant supervisory authority and affected individuals is required under applicable law and will act within the required time limits.

Staff must cooperate with investigations and must not delete, conceal, or alter evidence relevant to an incident.

14. Training and awareness

All staff and contractors who handle client data must complete privacy and security awareness training at induction and refresher training at intervals set by the organisation. Training must cover lawful handling, secure storage, phishing awareness, incident reporting, data minimisation, and the consequences of non-compliance.

Additional role-based training must be provided where a role involves elevated access, high-risk processing, or specialist handling requirements.

15. Monitoring, review, and compliance

The organisation may monitor use of systems, access to records, security events, and compliance with this policy to protect client data and to support lawful and proportionate oversight. Monitoring will be conducted in accordance with applicable law and internal requirements.

This policy will be reviewed periodically and also when there is a material change to law, regulatory guidance, business operations, systems, risk profile, or client requirements. Staff must comply with the version in force at the time of processing.

16. Breach of policy

Failure to follow this policy may result in access removal, disciplinary action, contractual action, or other remedial measures, depending on the seriousness of the issue and any legal or regulatory implications.

17. Records and evidence of compliance

Where applicable, the organisation will maintain records to demonstrate compliance with this policy, including access approvals, training completion, retention schedules, incident records, exception approvals, and review or audit outcomes.

Records must be accurate, complete, and retained in line with the organisation's retention requirements.