Privacy Policy & Cookies

Data Protection Policy


John Nash Solicitors needs to gather and use certain information about individuals. These can include clients, suppliers, business contacts, employees and partners and other people the firm may have a relationship with or may need to contact.

This policy describes how this data may be collected, handled and stored to meet the firm’s data protection standards – and to comply with applicable data protection laws.

Data protection definitions are set out at Appendix 1 below.

Why this policy exists

This data protection policy ensures John Nash Solicitors:

  • Complies with data protection law and follows good practice
  • Protects the rights of clients, staff and partners
  • Is open about how it stores and processes individuals’ personal data
  • Protects itself from the risks of a data breach

This policy does not form part of any employee's contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal.

Data Protection Law

The General Data Protection Regulation and the Data Protection Act 2018 describe how organisations, including John Nash Solicitors, must collect, handle and store personal data.

These rules apply regardless of whether data is stored electronically, in paper files or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by the following principles:

Personal data must be:

  1. Processed fairly and lawfully.
  2. Processed for limited purposes and in an appropriate way.
  3. Adequate, relevant and not excessive for the purpose.
  4. Accurate, complete and up to date.
  5. Not kept longer than necessary for the stated purpose.
  6. Processed in line with data subjects' rights i.e. access and amendment rights.
  7. Secure.
  8. Not transferred to people or organisations situated in countries without adequate protection.

Policy scope

This policy sets out the firm’s rules on data protection and the legal conditions that must be satisfied in relation to the collecting, obtaining, handling, processing, storage, transportation and destruction of personal and sensitive information.

This policy applies to all data that the firm holds relating to identifiable individuals. This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • IP addresses
  • Telephone numbers
  • Personnel/employment files
  • Client correspondence (email and hard copy)
  • Application forms
  • Financial information
  • Records of telephone calls
  • Records of websites visited

Data Protection risks

This policy helps to protect John Nash Solicitors from some very real data security risks, including:

  • Breaches of confidentiality
  • Reputational damage


Responsibilities

Everyone who works for John Nash Solicitors has some responsibility for ensuring data is collected, stored and handled appropriately.

Each person that handles personal data must ensure that it is handled and processed in line with this policy and the data protection principles.

The principal is ultimately responsible for ensuring that John Nash Solicitors meets its legal obligations by:

  • Appointing a data protection officer (where required to by law)
  • Keeping staff updated about data protection responsibilities, risks and issues
  • Reviewing all data protection procedures and related policies, in line with an agreed schedule
  • Arranging data protection training for the people covered by this policy
  • Dealing with requests from individuals to see the data John Nash Solicitors holds about them (“subject access requests”)
  • Checking and approving any contracts or agreements with third parties that may handle the firm’s sensitive data
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards
  • Performing regular checks and scans to ensure security hardware and software is functioning properly
  • Evaluating any third-party services the firm is considering using to store or process data, for instance cloud computing services

General staff guidelines

  • The only people able to access data covered by this policy should be those who need it for their work.
  • Data should not be shared informally.
  • John Nash Solicitors will provide training to all employees to help them understand their responsibilities when handling data
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below
  • In particular, strong passwords must be used and they should never be shared
  • Personal data should not be disclosed to unauthorised people, either within the firm or externally
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of. See file retention and destruction policy.
  • Employees should request help from a principal or the data protection officer if they are unsure about any aspect of data protection

Data Storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the principal.

  • When data is stored on paper, the paper or files should be kept in a locked drawer or filing cabinet.
  • Employees should ensure paper/printouts/files are not left where unauthorised people could see them, like on a printer.
  • Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. In this regard, the firm has the following policies in place:

  • Information Systems Security policy
  • Password policy
  • Computer back-up policy
  • General email, intranet, internet and computer usage policy

Data use

Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.

Data accuracy

The law requires John Nash Solicitors to take reasonable steps to ensure data is kept accurate and up to date. Information which is incorrect or misleading is not accurate and steps should be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed. Employees should ensure that they notify the principal of any relevant changes to their personal information so that it can be updated and maintained accurately. Examples of relevant changes to data would include a change of address.

Obtaining and processing data

Data protection legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (in our case, John Nash), the purpose for which the firm will process the data, and the identity of anyone to whom the data may be disclosed or transferred.

For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, a requirement that the data subject has consented to the processing, or that the processing is necessary for the legitimate interests of the data controller or of the party to whom the data is disclosed. When special categories of data (previously referred to as sensitive personal data) are being processed, more than one condition must be met.

In most cases the data subject’s explicit consent to the processing of such data will be required.

We have inserted relevant consents to such processing in our template Letter of Engagement.

Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected, or for any other purposes specifically permitted by data protection legislation. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs. Any employee personal data collected by the firm is used for ordinary Human Resources purposes. Where there is a need to collect employee data for another purpose, the firm will notify the employee of this and, where appropriate, will obtain the employee’s consent to such processing.

Data Retention

Personal data should not be kept longer than is necessary for the purpose. For further guidance in relation to data retention and destruction, we refer to our File Retention and Destruction policy.

Processing in line with Data Subjects Rights

Data must be processed in line with data subjects’ rights. Data subjects have a right to:

  • Request access to any data held about them by a data controller.
  • Prevent the processing of their data for direct-marketing purposes.
  • Ask to have inaccurate data amended.
  • Prevent processing that is likely to cause damage or distress to themselves or anyone else.

Dealing with Subject Access Requests

The firm has a Data Subject Access request protocol in place.

Providing information over the telephone

Any employee dealing with telephone enquiries should be careful about disclosing any personal information held by the firm over the phone. In particular the employee should:

  • Check the identity of the caller to ensure that information is only given to a person entitled to that information.
  • Suggest that the caller put their request in writing if the employee is not sure about the identity of the caller and in circumstances where the identity of the caller cannot be verified.
  • Refer the request to the principal for assistance in difficult situations. No employee should feel forced into disclosing personal information.

Transfer of Data outside the EEA

If any personal data is transferred outside the EEA, the transfer must comply with EU law. Such a transfer must be subject to “an adequate standard of protection”, and an appropriate data transfer mechanism will be required before personal data is transferred outside the EEA.

The requisite contractual provisions must be in place, and the client, employee or other data subject must be notified of such a transfer.

Providing information

John Nash Solicitors aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • What rights they have and how to exercise them

To these ends, the firm has a privacy statement setting out how data relating to individuals is used by the firm. [This is available on request. A version of this statement is also available on the firm’s website.]

Review of Policy

The firm will review the effectiveness of this policy, to ensure it is achieving its stated objectives, at least annually and more frequently if required, taking into account any changes to data protection law.

Appendix 1

Definition of Data Protection terms
(as defined by the General Data Protection Regulation)

  1. Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  2. Sensitive personal data (referred to in the GDPR as special categories of personal data) means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  3. Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  4. Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  5. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  6. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  7. Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  8. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.


Cookies

Cookies are small files that a site or its service provider transfers to your computer's hard drive through your Web browser (if you allow) that enable the site's or service provider's systems to recognize your browser and capture and remember certain information.

They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

We use cookies to:

  • Understand and save users' preferences for future visits.
  • Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since every browser is different, look at your browser's Help Menu to learn the correct way to modify your cookies.

If you turn cookies off, your experience of the site will not be affected.

The table below explains the cookies we use and why.

Name | Purpose | Activated | Expires

Initiated by this website

PHPSESSID | Set by PHP. It holds the identifier of a server-side session and is used to establish a user session and carry state between page requests. It is a temporary cookie, commonly referred to as a session cookie. | On visit | When you close your browser

Initiated by Google Analytics

_ga | Used to distinguish users. | On visit | After 2 years
_gid | Used to distinguish users. | On visit | After 24 hours
_gat | Used to throttle the request rate to Google Analytics. If Google Analytics is deployed via Google Tag Manager, this cookie is set under a different name. | On visit | After 1 minute
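The lifetimes in the table can be read directly from the Set-Cookie headers that the site and Google Analytics send, rather than taken on trust. What follows is an added example, not the firm's code and not captured from its site: it parses a few constructed Set-Cookie headers, classifies each cookie as a session cookie (dropped when the browser closes) or a persistent one, computes the expiry, and reports whether a session cookie such as PHPSESSID is missing the Secure, HttpOnly or SameSite attributes that limit where a browser will send it. The sample header values, the example.com domain and the function names are assumptions for illustration.

```javascript
// Added example, not part of the firm's policy or site code.
// Parses Set-Cookie headers and reports, for each cookie, whether it is a
// session cookie or persistent, when it expires, and whether a session
// cookie carries the attributes that limit theft over plaintext HTTP, via
// page scripts, or through cross-site requests.
// The headers below are constructed samples, not captured from any site.

const SAMPLE_SET_COOKIE_HEADERS = [
  'PHPSESSID=5e1c0a9f2b7d4c6e; Path=/; HttpOnly',
  '_ga=GA1.2.1234567890.1700000000; Path=/; Domain=.example.com; Max-Age=63072000',
  '_gid=GA1.2.0987654321.1700000000; Path=/; Domain=.example.com; Max-Age=86400',
  '_gat=1; Path=/; Domain=.example.com; Max-Age=60',
];

// Split one Set-Cookie header into name, value and a lower-cased attribute map.
// Attributes without a value (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0 || parts[0].indexOf('=') < 0) {
    throw new Error(`no name=value pair in: ${header}`);
  }
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Decide the lifetime. Per RFC 6265, Max-Age takes precedence over Expires;
// with neither present the cookie lives only for the browser session.
function classifyCookie(cookie, now = new Date()) {
  const a = cookie.attributes;
  let expiresAt = null;
  let maxAgeSeconds = null;
  if (a['max-age'] !== undefined) {
    maxAgeSeconds = Number.parseInt(a['max-age'], 10);
    if (Number.isNaN(maxAgeSeconds)) throw new Error(`bad Max-Age on ${cookie.name}`);
    expiresAt = new Date(now.getTime() + maxAgeSeconds * 1000);
  } else if (a.expires !== undefined) {
    expiresAt = new Date(a.expires);
    if (Number.isNaN(expiresAt.getTime())) throw new Error(`bad Expires on ${cookie.name}`);
    maxAgeSeconds = Math.round((expiresAt.getTime() - now.getTime()) / 1000);
  }
  return {
    name: cookie.name,
    type: expiresAt === null ? 'session' : 'persistent',
    maxAgeSeconds,
    expiresAt,
  };
}

// Attributes a session cookie should carry; each missing one is reported.
function auditSessionCookie(cookie) {
  const a = cookie.attributes;
  const findings = [];
  if (a.secure !== true) findings.push('missing Secure: sent over plaintext HTTP');
  if (a.httponly !== true) findings.push('missing HttpOnly: readable by page scripts');
  if (a.samesite === undefined) {
    findings.push('missing SameSite: sent on cross-site requests');
  } else if (String(a.samesite).toLowerCase() === 'none' && a.secure !== true) {
    findings.push('SameSite=None requires Secure');
  }
  return findings;
}

// Build the kind of table the policy shows, from headers instead of by hand.
function cookieTable(headers, now = new Date()) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const row = classifyCookie(c, now);
    row.findings = row.type === 'session' ? auditSessionCookie(c) : [];
    return row;
  });
}

// Stand-alone run over the constructed sample, with a fixed "now" so the
// printed expiry dates are reproducible.
for (const row of cookieTable(SAMPLE_SET_COOKIE_HEADERS, new Date('2024-01-01T00:00:00Z'))) {
  const life = row.type === 'session'
    ? 'until browser closes'
    : `${row.maxAgeSeconds}s (${row.expiresAt.toISOString()})`;
  console.log(`${row.name.padEnd(10)} ${row.type.padEnd(10)} ${life}`,
    row.findings.length ? row.findings : '');
}
```

To check a live site, replace the sample array with the Set-Cookie header values from the actual response (for example from the browser's developer tools or `curl -I`). The sample PHPSESSID header deliberately omits Secure and SameSite, so the audit reports both; a site that serves its session cookie that way should add them, since the cookie named in the table is the one that identifies a logged-in session.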