Humble and Clark – Data Protection Policy
Purpose statement
Humble and Clark gather and store personal data for a variety of reasons. The main purpose of gathering personal data is to provide legal services to clients, and our data is stored in physical and electronic files. We process data concerning clients, their families, and those on the other side of transactions. We also process information about staff members and third parties.
We are the controller of all personal data we have in our files and in our offices.
This policy sets out the expectations for staff as follows:
· Keep personal data confidential and safe
· Ensure data collection is within the law, and that we are open and transparent with clients and others
· Data will be collected only for specified purposes, and will be limited to what we need
· Data should be accurate and up to date
· Data will be destroyed in line with legal industry timescales and standards
This data protection policy should be read in conjunction with our privacy policy. We have a separate policy regarding handling data with Thirdfort, and this should be referred to directly. Any questions should be directed to the DPO (Data Protection Officer).
Privacy notices
We should inform clients of the way in which we hold personal data and the lawful basis for holding that data. This information is in our privacy notice and should be sent to all clients with our initial client care pack.
All staff should also be notified of our procedures for processing personal data and provided with a copy of our privacy notice and a copy of this policy when they join the firm.
Our suppliers and contractors should be referred to our privacy policy and this policy during our initial contracting process.
Copies of this policy should also be available on request.
We may redact the exemptions section of this policy where it covers suspicion of money laundering.
We do not collect identifiable personal data from our website at the moment.
Our privacy notice should include information about processing personal data and the lawful bases for doing so; what personal data will be gathered and why; where the personal data will be transferred to; retention periods and destruction policies; contact details for complaints and the ICO; and details of the Data Protection Officer.
Lawful basis
Our lawful basis for processing personal data is usually:
· Consent – this will be the consent of the client, staff member, or contracted third party. We ask for this consent in our client care pack, from our staff during the contracting process, and from any third party during contract formation with them.
· Contract – to fulfil a contractual obligation. This means in circumstances where it is necessary to process the personal data to fulfil the contract.
· Legal obligation – this means we may have a legal obligation to process personal data, particularly for the purposes of law enforcement in AML.
We may also use any of the other lawful bases for processing personal data available under the GDPR. Please see Article 6 of the UK GDPR.
For special category data we usually have the lawful basis of consent, or legal claim. Special category data is data related to race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, and sexual orientation. As conveyancers, we do not often require special category data, but some data related to health may be discussed as it can impact house purchases (for example the purchase of a bungalow). In this situation, we would rely on consent to process the personal data.
We do not usually process personal data related to criminal convictions, or children. We do not consider that our services are being used by children. If we did deal with a case involving a child, we would abide by the Children’s Code, published by the ICO.
Personal data use purposes
We usually ask for and store the following personal data:
· Name
· Address
· Age
· Financial information – including mortgage and banking information, and corporate accounting information
· Employment information – which could occasionally include trade union information
· Corporate appointment information
· Passport information and passport numbers
· Utility bills and council tax information
· Birth certificates
· Care home residence information
· Wealth information – including financial information pertaining to family members and family wealth
· Health information – including for example related to home accessibility and suitability
· Religious information – including of the other side, for example if they are a notary regulated by the master of the faculties (part of the Archbishop of Canterbury).
· Special cases – we ask if clients, or close family or business associates, fall into the category known as Politically Exposed Persons
We may also store other information if it is relevant to the conveyance or our required internal processes.
We use personal data for our work in instructions in sale, purchase, and re-mortgage; search instructions; liaison with the mortgage company; liaison with Thirdfort and any other external organisation involved with AML checks; liaison with the regulator; registering property at the land registry; registering stamp duty at HMRC; law enforcement; payroll; marketing (with consent); and for appraisals and in other personnel records.
Data Storage
All data on our client files (including contracted third party data) will be stored for the minimum period required by our regulatory body and insurer.
All personnel data will be stored for the minimum period required by HMRC.
Please see our data destruction policy in the office manual for more information about data destruction schedules.
Data should be securely stored, meaning it should be placed in a locked cupboard in a locked office, and should not be left in sight of clients or third parties. We should not disclose data over the telephone without permission, and our electronic methods of storage should also be monitored. We should protect data using strong passwords, limit the data leaving our offices (including on data sticks or via portable electronic means), and monitor our system for attempts at cybercrime. We have a separate cybercrime policy and regular cybercrime training.
Transfer
We transfer data to other parties such as estate agents; search companies; Thirdfort; regulators and law enforcement agencies; compliance consultants; other law firms involved in conveyancing; the Land Registry; and HMRC. All of these parties are involved in conveyancing or conveyancing support. We use the lawful bases of consent, legal obligation, and contractual obligation for this purpose.
We do not transfer data overseas.
Thirdfort
We have a separate policy regarding handling data with Thirdfort, and this should be referred to directly.
Data Profiling
We do not profile clients on the basis of the data we receive.
Complaints
Complaints about how we have handled data can be handled under our complaints procedure. As well as subsequent referral to the Legal Ombudsman, complaints about Data Protection can be referred to the Information Commissioner’s Office. We will consider whether a complaint concerns data protection in the response and contact details we provide as part of our complaints procedure.
The ICO may in the future make regulations concerning reporting the number of complaints about data to them. We will make these reports should this be required.
The individual has rights of access, to be informed, rectification, erasure, restricting processing, portability, and the right to object. All of these rights relate to the processing of their personal data.
We comply as follows:
We will provide personal data on request, providing we are not exempt from doing so. We will inform clients of their data processing through our privacy notices. We will rectify inaccurate information on request and make every effort to ensure we have correct information. We will erase unnecessary data, and maintain data as required by our regulator (CLC), insurer, and the law enforcement agencies. We will make data available in an electronic format where possible to achieve portability, and we will listen to an application to restrict processing bearing in mind our professional obligations and legal obligations to other parties. We also listen to any objection to processing activities which are not required, such as marketing.
We may not always be able to restrict processing or comply with an objection to processing (including a request for erasure) if such processing is necessary to fulfil our legal or professional obligations, including to law enforcement and state organisations.
Subject access requests
We will respond to any subject access request as follows:
· Acknowledge the request as soon as possible, informing the requester that we will respond to them within one month of receipt of the request.
· Undertake reasonable searches in line with the ICO’s search checklist
· Make data available in an electronic format (by scanning if necessary)
· Respond to the data subject within one month with a copy of their data
We do not need to supply data they already have.
We cannot usually supply data from a third party, and the decision in this respect also takes account of the confidentiality owed within legal services. Any third party data should be deleted or redacted from the response.
We can ask for further information from a requester, if it would assist us in complying with the subject access request. This would stop the clock on the subject access request for up to two months.
If a request is large, complex, or comes as a large number of requests, we can also delay the response by up to two months.
If the request response is delayed beyond one month for any of those reasons, we must write to the client and inform them of the reasons for the delay and when to expect a response. We must keep the requester updated.
We can charge a fee or refuse to respond to requests which are manifestly unfounded or excessive.
We are exempt from some data requests in some circumstances. There are exemptions in the Data Protection Act for law enforcement activities, including AML.
A data breach is an unauthorised disclosure of data. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible. Please report any data breach to the Data Protection Officer.
If we think there has been a data breach we will need to:
· Attempt to rectify the situation by recovering any disclosed or missing data
· Investigate the situation – how much data has been disclosed or compromised, where has it gone, and can it be recovered before anyone finds it / uses it / etc?
· Consider the situation carefully and take legal advice if necessary
· Inform the ICO if necessary
· Inform those impacted if necessary
The test for reporting is a consideration of the severity of the breach, and whether it has an impact on the rights and freedoms of the individual. If the rights and freedoms of the individual have not been impacted, the breach does not require reporting to either the subject or the regulator.
We must complete a DPIA if there is a high risk to individuals’ data (measured by the likelihood and severity of any impact). It is good practice to do a DPIA for any major project that changes the way we work, for example a new computer system.
The DPIA must:
· describe the nature, scope, context and purposes of the processing;
· assess necessity, proportionality and compliance measures;
· identify and assess risks to individuals; and
· identify any additional measures to mitigate those risks
There are example DPIA forms on the ICO website.
Data Protection Officer
Our Data Protection Officer is Sarah Clark.
The DPO is required to complete regular training in data protection, and ensure all staff also have training or undertake data protection awareness activities.
Last Updated: Nov 24, 2025