CCG
Claims Compensation Group

Legal & Policies

Data Protection Policy

1. Introduction

This Policy sets out the obligations of The Claims Compensation Group Ltd, a law firm whose office is at Unit E2, The Point Office, Weaver Road, Lincoln LN6 3QN (“the Organisation”) regarding data protection and the rights of clients (“Data Subjects”) in respect of their personal data under the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”) and the Data (Use and Access) Act 2025 (“DUAA”).

2. Scope

Compliance with this Policy is mandatory for all individuals who work for or on behalf of the Organisation, including:

  • Directors and Members;
  • Employed solicitors, paralegals and support staff;
  • Consultants, agency workers and contractors;
  • Trainees.

3. Definitions

“Personal Data” — Any information relating to an identifiable individual, e.g. name, address, email address, telephone number, payroll data, identification documents, IP addresses, personnel records.

“Special Category Data” — Sensitive personal data including health information, biometric data, racial or ethnic origin, religious belief, trade union membership, sexual orientation.

“Processing” — Any operation performed on personal data including collection, recording, accessing, sharing, storing, deleting, altering.

“Data Subject” — An individual whose personal data is being collected, processed or stored, and whose personal information can be identified, either directly or indirectly, by reference to an identifier such as a name, identification number or other facts specific to their identity.

4. The UK GDPR data protection principles

All personal data processed by the Organisation must comply with the data protection principles set out in Article 5 UK GDPR as follows:

  1. It is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  2. It is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
  3. It is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’).
  4. It is kept accurate and up to date, with inaccuracies corrected promptly (‘accuracy’).
  5. It is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’).
  6. It is processed in a manner that ensures protection of data against unauthorised access, loss or destruction using appropriate security measures (‘integrity and confidentiality’).
  7. The firm must be able to demonstrate compliance with the principles above (‘accountability’).

5. Lawful basis for processing

The UK GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the Data Subject. The UK GDPR states that processing of personal data shall be lawful if at least one of the following applies:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;
  • The processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • The processing is necessary to protect the vital interests of the data subject or of another natural person;
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

If the personal data in question is “special category data” (also known as “sensitive personal data”) — for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation — at least one of the following conditions must be met:

  • The data subject has given their explicit consent to the processing of such data for one or more specified purposes;
  • The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law;
  • The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes, and that the personal data is not disclosed outside the body without the consent of the data subjects;
  • The processing relates to personal data which is clearly made public by the data subject;
  • The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
  • The processing is necessary for substantial public interest reasons, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
  • The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services, subject to the conditions and safeguards referred to in Article 9(3) of the UK GDPR;
  • The processing is necessary for public interest reasons in the area of public health, for example protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, and provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
  • The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the UK GDPR, which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • The processing is necessary for sharing personal data with public authorities or regulators acting in the public interest (e.g. the SRA, HMRC, the Home Office) where requested;
  • Processing is necessary for the detection, investigation or prevention of crime;
  • Processing is necessary for safeguarding vulnerable individuals.

6. Staff obligations

Every person working for or on behalf of the Organisation is responsible for the following:

  1. Protecting confidential information;
  2. Accessing data only where authorised;
  3. Keeping passwords secure;
  4. Reporting data breaches immediately;
  5. Following Company procedures;
  6. Completing requisite data protection training;
  7. Ensuring emails and documents are sent to the correct recipients;
  8. Locking screens when away from workstations;
  9. Securely disposing of confidential information;
  10. Immediately notifying the Compliance Officer for Legal Practice (“COLP”) or designated Data Protection Officer (“DPO”) if they:
    • Lose a device containing Company data;
    • Send information to the wrong recipient;
    • Suspect unauthorised access;
    • Experience phishing or cyber incidents;
    • Become aware of any data breach.

7. Data collection and minimisation

Staff must only collect personal data that is necessary for the specific purpose of the matter or task. In practice this means:

  • Do not collect personal data “just in case” it might be useful;
  • Do not retain data beyond what is needed for the matter;
  • Do not ask for more personal information than the work requires;
  • Ensure that any data collected from third parties (e.g. referrers, other solicitors) was legitimately provided.

Data re-use for a different but compatible purpose is permitted. Compatible purposes may include internal auditing or quality assurance, fraud prevention within the Organisation, and statistical or research purposes where appropriate safeguards are in place.

If you believe data may need to be used for a different purpose, engage the COLP or designated DPO before proceeding. When onboarding new clients, use the Organisation’s standard client care and ID verification process and record only what is required.

8. Data security

The Organisation takes its obligations under Article 32 UK GDPR seriously. All staff must adhere to the following security requirements.

8.1 Physical security

  • Paper files containing personal data must not be left unattended in common areas;
  • Offices and filing cabinets containing personal data must be locked when unattended;
  • Confidential waste must be shredded using a cross-cut shredder; do not use general waste bins;
  • Visitors must not be left unattended in areas where personal data is accessible.

8.2 IT and system security

  • Use only Firm-approved devices and systems to access, store or transmit personal data;
  • Never store client data on personal devices without prior approval;
  • Approved devices, whether owned by staff or the Organisation, must be password-protected, use encryption, have up-to-date antivirus software, and permit remote wiping where necessary;
  • Use strong, unique passwords and enable two-factor authentication (2FA) where available;
  • Lock your workstation when leaving your desk (Windows key + L);
  • Do not email personal data to personal email addresses;
  • Encrypt documents containing sensitive personal data before sending by email;
  • Do not use unsecured public Wi-Fi to access Firm systems without a VPN;
  • Do not circumvent IT security measures;
  • The use of AI tools in client-facing work or internal processes that involve personal data must be reviewed and approved by the COLP or DPO before implementation;
  • The use of AI tools and automated decision-making systems carries increased regulatory scrutiny following the DUAA 2025. Inputting client names or details into unapproved AI tools may constitute a data breach and trigger the ICO’s enforcement powers.

8.3 Remote and home working

  • Access Organisation systems via the remote access methods recommended by the IT Support Lead;
  • Ensure your home workspace is private and screens are not visible to others;
  • Printed documents must be stored securely and shredded when no longer needed;
  • Report any lost or stolen devices immediately to the IT Support Lead.

8.4 Third-party processors

  • Only use third-party services approved by the Firm for storing or processing client data;
  • Do not upload client data to unapproved cloud services, AI tools or online platforms;
  • Raise any proposed new supplier with the Data Protection Lead before use.

9. Data sharing

Staff must not share personal data with third parties without authorisation. When sharing is required, staff must:

  • Confirm the recipient is authorised to receive the data;
  • Use secure methods of transfer (encrypted email, secure file transfer portal);
  • Not send personal data via unencrypted email if it is sensitive or special category data;
  • Not share data with another party’s solicitor or agent without client instructions;
  • Ensure any new third-party supplier is reviewed and approved before client data is shared.

Where the Firm uses third-party data processors (e.g. case management systems, cloud providers, AML verification services etc.), a written Data Processing Agreement (DPA) must be in place before any data is shared.

10. Data retention and deletion

  1. Personal data must only be retained for as long as necessary.
  2. When data is no longer required, it must be securely destroyed using approved methods, including:
    • Secure shredding;
    • Confidential waste disposal;
    • Permanent electronic deletion.
  3. Employees must not retain unnecessary copies of Company information.

11. Data breaches

A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:

  • Sending a client’s documents to the wrong email address;
  • Loss or theft of a device containing personal data;
  • Unauthorised access to the Firm’s systems;
  • Accidental deletion of client files without backup;
  • A ransomware or cyber-attack affecting personal data.

Staff must report any suspected or actual data breach to the COLP or designated DPO immediately. The COLP or designated DPO will:

  • Assess whether the breach requires notification to the ICO and/or affected individuals;
  • Document the breach;
  • Take steps to contain and remediate the breach;
  • Notify the ICO within 72 hours if the breach is likely to result in a risk to an individual’s rights and freedoms;
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

All breaches — including those that do not require notification — must be recorded internally.

12. Data protection complaints procedure

A data protection complaint is any expression of dissatisfaction about how the Firm has handled someone’s personal data. It does not need to use legal language. Examples include:

  • Dissatisfaction with how the Firm responded to a Subject Access Request;
  • A concern about a data breach affecting the complainant;
  • A belief that data has been shared without authorisation;
  • A concern about how long data has been retained.

The Firm must accept complaints however they are received — by email, letter, telephone or in person. If any member of staff receives a data protection complaint, through any channel:

  • The complaint should be forwarded to the COLP or designated DPO immediately;
  • Data or documents belonging to the complainant cannot be deleted or altered while the complaint is live;
  • The date and method of receipt should be recorded.

The Data Protection Lead will manage the response and must:

  • Acknowledge the complaint within 30 days of receipt (the clock starts the day after receipt, including weekends and public holidays);
  • Investigate without undue delay, keeping the complainant informed of progress;
  • Provide a written outcome clearly explaining the findings, any remedial steps taken, and why the Organisation considers it has complied (or what it will do to comply);
  • Inform the complainant of their right to escalate to the ICO if dissatisfied;
  • Record the complaint in the Organisation’s Data Protection Complaint Log.

ICO guidance indicates that outcomes should be provided within three months unless exceptional circumstances apply. The Organisation must be able to justify the timeline in every case.

13. Data subject access requests

  1. Individuals have the following rights under UK GDPR: access (SAR), rectification, erasure, restriction, objection, portability, and rights related to automated decision-making.
  2. If a client, employee or third party contacts the Organisation to exercise any of these rights, staff should forward the request to the COLP or designated DPO immediately for appropriate guidance.
  3. The Organisation must respond to a Subject Access Request (SAR) within one calendar month. The COLP or designated DPO will manage the response process, including any identity verification required before disclosure.
  4. The Organisation may request clarification or further information where required to manage the request effectively. This should not be on a blanket basis. The response timeline may be paused while awaiting clarification.
  5. No fee may be charged for a SAR unless the request is manifestly unfounded or excessive.

14. Monitoring

The Organisation reserves, in accordance with applicable law, the right to monitor Company systems, emails, internet usage, device activity and access logs where lawful and proportionate for security, regulatory compliance, fraud prevention and business protection purposes.

15. Automated decision-making

  • Significant decisions about a client, employee or third party should not be made based entirely on automated processing of special category data without prior approval from the Data Protection Lead.
  • Appropriate human oversight should be exercised where any automated system (including AI tools) is used in decision-making that affects individuals.
  • The ICO may take enforcement action where automated decision-making systems lack transparency or meaningful human intervention.

16. International data transfers

The Organisation does not routinely transfer personal data outside the United Kingdom. Where this is necessary, it must comply with the UK GDPR requirements as amended by the DUAA 2025.

17. Training

  1. The Organisation is responsible for arranging appropriate data protection training for all staff.
  2. All staff must complete mandatory data protection training as and when required.
  3. Failure to complete training may result in suspension of system access.

18. Policy breach

Breach of this Policy may result in disciplinary action and/or regulatory and legal consequences for the Organisation and the individual involved.

19. Policy review

  1. This policy will be reviewed at least annually or following any significant incident, change in legislation, or material change in the nature of the Organisation’s activities, as applicable.
  2. The most recent version of this Policy will be made available to all staff by email.

Approved by Ray Trew, Director · Dated 2 January 2026 · Due for review 2 January 2027