Wotton + Kearney (W+K)
Notification of Legitimate Interest for Client Data Processing
As you are a client of W+K, we take your fundamental right to privacy and the respect for, and compliance with, all global data protection laws, including the Australian Privacy Act, the APPs, the New Zealand Privacy Act, and the EU General Data Protection Regulation (GDPR), very seriously.
We strive to only collect, process, access, share, store, and/or transfer personal data that is absolutely required to manage our relationship with you and to provide support and services that are relevant to you and your specific needs. The personal data we collect from you is only used for the purposes for which it was provided and for which you are aware and have had the opportunity to question.
As a compliant organisation, W+K endeavours to be open and transparent about the use of your data, how long it is maintained, where it is stored and who has access to it. One of the obligations we have to meet the requirements under applicable data protection laws is processing under “legitimate interest.” The purpose of this notification is to inform you of the legitimate interests under which we process your personal data. Before getting into the details of legitimate interests, we want to provide you with a little background on lawful processing.
Personal data must be processed lawfully, fairly, and in a transparent manner. Processing is considered lawful when it is necessary for the legitimate business or legal interests of W+K provided we do not violate the fundamental rights and freedoms of any individual, including our clients. Processing is also lawful when it is required to manage our client contractual obligations, and where it is required to comply with a legal obligation. Even under these processing rights, W+K must abide by the purpose limitations and data minimisation principles defined in the data protection laws to ensure we are only collecting, accessing and processing the minimal amount of personal data we need to manage the client relationship.
Under the GDPR, legal services are considered legitimate activities and a legal basis for collecting and processing personal data, including some sensitive information, provided certain conditions are met. For W+K, these conditions include:
- Being fair about how it holds and uses personal data
- Making available information, describing the personal data it is holding, and what it is doing with it
- Continuing to hold and use personal data only if our clients do not object.
As a law firm, W+K is allowed to hold and use personal and/or sensitive personal data when it is “necessary for the provisions of our legal services”. The word “necessary” implies that our services would be impossible to provide without personal and, in some cases, sensitive personal data.
W+K handling of personal data
W+K, as providers of legal services, may receive records containing personal data from clients, clients’ adversaries and other parties. Personal information (including financial account information, medical information and personal communications) may be contained in records we receive and review in connection with claims that we are instructed on, litigation discovery, or an internal investigation we undertake on behalf of a client. When providing services to individuals on instructions from insurers, we may handle highly confidential personal information. We may provide access to personal information to third parties, such as technology vendors that assist in processing our clients’ documents or entities that provide services on behalf of the firm.
Regardless of the circumstances in which we handle personal data, W+K must appropriately safeguard the information to protect the interests of the firm and our clients. We are uniquely positioned in that our need for adequate privacy and information security procedures arises not only from the obligations imposed by privacy and information security laws: we are also bound by a professional duty of confidentiality, which is a paramount component of the solicitor-client relationship. W+K’s failure to safeguard personal data that results in an unauthorised disclosure may result not only in a legal enforcement action against the firm, but also in financial and reputational harm to our clients and, potentially, irreparable harm to one of our most valuable assets – our reputation.
W+K retains a variety of third-party service providers. These service providers may have access to personal data when they provide services on our behalf, including technical support or management of client or third-party records. Regardless of the services provided, we require our service providers to sign a privacy, confidentiality and information security agreement that limits how they may use or disclose the personal data they process on behalf of W+K and requires them to comply with all applicable data protection laws and implement appropriate security measures to safeguard the information.
Storage and retention of personal data
W+K will maintain client personal data in our secure internal systems located in Sydney, Australia. Your data will be retained for the duration of our client relationship with you and in accordance with legal, regulatory and government reporting requirements. Should you wish to have your data destroyed once it is no longer required for the purpose for which it was collected, and there is no legal requirement to maintain your data, you may request destruction by contacting the Privacy Officer at firstname.lastname@example.org.