Privacy notice

The Law Society of England and Wales (a body established under Royal Charter) is the "data controller" of the personal information we hold for the purposes of the General Data Protection Regulation (the GDPR) (which applies across the EU including the UK) and the Data Protection Act 2018 (the Data Protection Act) which supplements GDPR and extends its application in the UK. Although we are part of the Law Society, we operate separately from it.

We collect, use and share data primarily in the exercise of our regulatory functions. Those functions – and our duties and powers - are chiefly found in primary legislation - the Legal Services Act 2007, the Solicitors Act 1974, Administration of Justice Act 1985 and the Courts and Legal Services Act 1990 - and in the rules and regulations made by our Board which sit beneath it.

We also collect and use data to comply with our duties with equality legislation including the Equality Act 2010.

We share certain information about those we regulate within the Law Society and we explain this below. Details about how the Law Society uses that data can be found in the Law Society’s privacy statement.

This notice contains information about:

• What is personal data and special category data?
• Why we collect your personal information
• How long we keep information
• How we keep information secure
• Your rights
• How we provide the information
• Can you see all the information we hold about you?
• Information sharing and third parties
• Overseas transfer
• Information collected from third parties

If you would like to ask for information about our policy, you can email our Information Compliance Team.

Personal data is defined in the GDPR as any information relating to an identified or identifiable natural person. It can include obvious data like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special category data includes data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

This policy applies to information we collect about you:

• visitors to our website
• applicants to profession such as to become a trainee, a solicitor or be approved in a role
• regulated persons such as solicitors and people who work in law firms
• people making complaints about regulated persons
• people making complaints about us
• people who make enquiries or as for general help
• others connected to our work
• job applicants

As a professional regulator, most of the personal data we process is data relating to our regulatory functions, powers and duties.

We generally process data on the basis it is necessary for the performance of a task carried out in the public interest and/or in the exercise of our statutory functions. When we process special category data we do so either in the substantial public interest to achieve regulatory objectives or to comply with our equality duties or we do so because we are exercising our protective functions designed to protect the public from misconduct, unfitness or incompetence.

Data may also be processed because it is necessary for the pursuit of our legitimate interests and/or the legitimate interests of others such as the Law Society (which are explained more particularly below).

There may be occasions where we process data to comply with legal obligations, particularly in the context of legal proceedings and/or compliance with requests by law enforcement agencies, for example; although, even in these cases, our regulatory functions will also generally be engaged. We will also make pro-active disclosures to police and other authorities as part of our public interest role.

We will not generally rely on consent as a basis for processing personal data. In the limited circumstances where we may rely upon consent, we will specifically obtain this in the course of collecting the data.

We may also use data to improve our level of service. Where we do this, we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so.

Applicants to profession

Applications such as to become a trainee, a solicitor or be approved in a role

When we receive applications containing personal information we create or update the information we hold about that person on our systems and files. We use the personal information to process the application and to make a decision about the application itself. It is also retained to capture a full regulatory history of an individual.

Failure to provide requested information may result in an application being refused.

Where required as part of the suitability assessment, applicants will be directed to provide information to Atlantic Data who will perform credit checks and criminal record checks on our behalf. We also use external assessors to process resource intensive applications for exemptions from certain training and qualification requirements).

Data received may also be used to check our level of service. Where we do this we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so.

We may also prepare and publish or share statistics or research obtained from data we collect such as the number and types of applications we receive but not in a form that identifies anyone. As explained above, this may include certain special category data.

Regulated persons

MySRA lets you manage your information online. We use it to allow regulated persons to keep us up to date and to make applications.

mySRA sets several cookies over and above the cookies explained in our section about visitors to our website.

We use personal information provided by registered users of mySRA to carry out checks such as fraud and credit checks by independent Credit Reference and other agencies.

Personal information we collect on an annual basis from individuals or firms may be used to inform our regulatory work. This may include investigations, enforcement and applications made to us. It may also inform our ‘thematic work’, for example, the data used collectively identifies trends about risks that either exist or are emerging in the legal market and which lead us to engage with those we regulate on one to one basis.

From time to time, we may contact regulated professionals in relation to research projects we are undertaking (or you may be contacted by a research organisation acting on our behalf). We undertake research to gain more insight into the profession and emerging issues to inform policy development, achieve regulatory objectives, comply with equality duties and decision making (which, again, accords with our regulatory powers and duties). We also prepare and publish or share statistics obtained from data we collect from those we regulate but not in a form that identifies anyone.

When we take enforcement action we will generally publish our decision in line with our guidance on publication. If a person has appeared before the Solicitors Disciplinary Tribunal (SDT) the Findings of the Tribunal are usually published on the SDT website. In the course of investigations, we may need to disclose information to third parties such as employers or complainants in order to establish the facts of a case, explain our decisions and ensure transparency in our processes. Where there is an overriding public interest in doing so, we may make further details available, including public statements where there is a need to safeguard public confidence.

We make some information publicly available such as the practicing details of solicitors. Some personal information is contained in our Alternative Business Structure register and may be held within our Law Firm Search and Firm Data Web Service pages of our website.

If a regulated person contacts us for guidance or advice we use the information we collect to handle the request for help. We may also use the information to check our level of service.

Solicitors and businesses manage the provision of information to us through on-line accounts, activated by email and we use email to reset lost or forgotten passwords. Email addresses of regulated persons are used:

• to remind those we regulate about notifications and reminders for key changes to the MySRA account, or relating to regulatory requirements such as practising certificate renewal
• to inform regulated individuals and organisations of regulatory news, time sensitive regulatory requirements, events, and other important information to ensure that members of the profession are informed of any changes which will affect them
• to send non-essential communications (such as events which may be relevant to your role) include an option to unsubscribe, although continued receipt is encouraged so as to assist our efforts in ensuring the regulated population are well-informed on matters affecting the profession.

People making complaints about regulated persons

When we receive complaints about those we regulate we create a complaint file. Usually the file will contain the identity of the complainant and other people involved in the complaint.

We usually have to disclose a complainant's identify to the person complained about or to the firm in which that person is involved. If a person making a complaint does not want to be identified we will try to respect that. However, if we are unable to progress a complaint where we think there is an overriding need to protect the public we may decide to disclose a person's identity.

Information obtained via this process may be used to inform our regulatory work which may include using information in investigations, enforcement and applications made to us. Your details may be shared with relevant third parties where this required to establish the facts of the case explain our decisions and ensure transparency in our processes. It may also inform our thematic work, for example, the data used collectively identifies trends about risks that either exist or are emerging in the legal market and which lead us to engage with those we regulate on one to one basis.

Where we take action as a result of a complaint, where possible, we try to keep those making the complaint informed of progress.

We may also prepare and publish or share statistics and research obtained from data we collect such as the number and types of complaints we receive but not in a form that identifies anyone.

We will also generally obtain diversity data and some special category data in the course of compiling complaint files. In some cases the data may be relevant to the complaint itself such as data concerning health that may be relevant to reasonable adjustments. We may also use the data to monitor outcomes to help us achieve regulatory objectives, as well as our equality duties.

We give information about the use of our website and cookies in our section about 'Visitors to our website'. A small number of our online forms and surveys are served securely by a cloud-based platform using the web address 'form.sra.org.uk'.

Data received may also be used to check our level of service. Where we do this we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so.

Complaints about us

When we receive complaints about us we create a complaint file. Usually the file will contain the identity of the person complaining and other people involved in the complaint.

We use personal information to deal with the complaint. We may also use the information to check and improve our level of service. Where we do this we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so.

We may also prepare and publish or share statistics and research obtained from data we collect such as the number and types of complaints we receive about our service but not in a form that identifies anyone.

We may also share personal information with selected third parties which provide relevant services to us, such as outsourced IT services or legal support but only where this helps us to fulfill effectively our statutory and regulatory functions.

On the request of the person making the complaint, data may be shared with an independent reviewer who is asked to review the way we have handled matters.

When aiming to achieve the regulatory objectives, in particular to protect and promote the public interest, it is necessary and in the substantial public interest that we ensure we handle complaints fairly and effectively. We therefore commission an annual review to help improve how we handle complaints. To do this it is necessary to share personal data with the Ombudsman Services (an independent reviewer of the regulated sector in the UK.

People who make enquiries or ask for general help

When enquiries are sent to us we usually only use the information to handle the request or to deal with any later issues.

We keep a record of our telephone calls. We record our telephone calls. Recordings are kept for two months although in some cases we keep recordings for longer to help with training our staff or where we receive a complaint about our service.

We may also use information to help inform the way we regulate and to check and improve our level of service. Where we do this we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so.

Others connected to our work

The nature of our work means that we handle personal information about third parties who are, in some way, connected to the work we do. This category is broad and examples include witnesses to an investigation, clients of those we regulate, applicants to our Compensation Fund.

Some data is collected when people sign up to newsletters, act as an organisation's contact, respond to our consultations or register with us for events or webinars. We use personal data collected in this way to deliver the service we provide or to improve the service we offer. Respondents to consultations will generally be identified in the consultation responses documents, although the respondents can ask to have their details kept confidential.

Information about online forms, the use of our website and the use of cookies is explained in our section about 'Visitors to our website'. A small number of our online forms and surveys are served securely by a cloud-based platform using the web address 'form.sra.org.uk'.

Jobs and employees

When people apply to work with us, we use the information sent to us to process applications and to monitor our recruitment.

To ensure we are an equal opportunities employer we collect information about age, disability, ethnicity, sex, gender reassignment, sexual orientation and religion or belief. This information is not used in relation to the application itself and is treated with strict confidence. We will only use the information to help us monitor and deliver equal opportunity measures. With the exception of the disclosure of a disability which may be used to meet our legal obligations and our commitment to the disability confident scheme.

Successful applicants who secure fixed term or permanent contracts are asked to agree to – where applicable - an appropriate criminal records check. This will be in addition to reference checks and proof of eligibility to work in the UK.

Once a person is employed by us, we compile a file relating to their employment. We keep this information secure and only use it for purposes directly related to their employment. When a person's employment ends with us we destroy the file in line with our retention and disposal policies.

For unsuccessful applicants we keep the information secure and destroy the file in line with our retention and disposal policies.

We keep personal information for as long as necessary to ensure we can fulfill our regulatory role in the public interest and in line with our published retention and disposal policies.

We are under a general duty to keep personal data and information confidential. Where we share information, we take all reasonable steps to keep it secure, use it fairly and ensure that data protection safeguards are in place. We use secure portals and encryption tools when necessary to ensure data in transit is protected.

We apply best practice in terms of information security, in line with the ISO:27001 standard and adopt a privacy by design approach in developing new systems and processes involving personal data, considering the rights of individuals and the risks involved at the start of projects to make sure we build in suitable controls.

Depending on the information we hold about you, and the reason for us holding it, you have certain rights which are set out below. If you have any concerns of this nature, you can email our Information Compliance Team.

The right to rectification

You are entitled to have your records amended if the personal data we hold is inaccurate or incomplete.

If you have access to MySRA account, you can update you details there.

The right to erasure

You have a right to request your data is deleted in certain circumstances, i.e. where it is no longer needed for the purposes it was collected; the (rare) occasions where consent is relied upon as the lawful basis for processing, it is withdrawn and there is no other lawful basis for our continuing to process it; you object to the processing (see below) and there are no overriding legitimate grounds to continue; where the data has been unlawfully processed; or where it has to be erased for compliance with a legal obligation.

This right does not apply where we need the information for the performance of our regulatory functions, there is a need to comply with a legal obligation, it is necessary in connection with legal proceedings or legal advice.

The right to object or to restrict processing

You have the right to object to us processing your information where we are processing data in connection with the exercise of our regulatory functions or other data in pursuit of our legitimate interests. In such case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.

If you have concerns about how we are using your information and believe that this should stop, you can email our Information Compliance Team.

The right of access

You have the right to obtain a copy of personal data we hold about you, including the reasons why we hold it, who the data will be shared with as well as details of the period for which the data will be retained.

In some cases, we are not required to provide you with information we hold about you. Where this is the case we will let you know.

You can request information by email or by letter. The form below is optional, you can use it to structure your request and help us identify the relevant information for you.

Subject access request form (DOC 4 pages, 572KB)

Subject access request form (Editable PDF 4 pages, 81KB)

Email or post it to us.

We need to satisfy ourselves as to your identity. Please therefore send us proof of who you are so that we are sending the information to the right person. We accept the following as proof:

• a copy of your birth certificate
• a copy of your passport
• a copy of your driving licence.

Please do not send original documents.

You will also need to let us have a postal or email address so that we can send you the information.

We ask that you mark the covering envelope or email as 'Confidential'.

In most instances, we will provide the information to which you are entitled within one month of receipt of a valid request. Requests which are complex or numerous may however take up to three months.

Requests which are considered manifestly unfounded or excessive will be refused.

How we provide the information to you

We usually send a hard copy by special delivery post to your residential address or by email. We can make other arrangements in some cases. Please you can email our Information Compliance Team if you would like to agree alternative arrangements.

Can you see all the information we hold about you?

You may not be entitled to see all the information held about you if an exemption applies. Examples of exemptions include information that:

• is about another person
• may prejudice our regulatory work
• is subject to legal privilege

If an exemption applies we will explain which exemption applies and we tell you if we have removed any information from the copy we send you.

We are under a general duty to keep personal data and information confidential. Where we share information, we take all reasonable steps to keep it secure, use it fairly and ensure that data protection safeguards are in place. We use secure portals and encryption tools when necessary to ensure data in transit is protected.

If you have any concerns about the matters in this statement or the way we process your data, then you can you can email our Information Compliance Team. You also have the right to lodge a complaint with the Information Commissioner’s Office.

Sharing with The Law Society

We operate shared policies with the Law Society that set out and advise staff about how we collect, handle and keep information secure to ensure we meet our data protection obligations as well as how we maintain the confidentiality, accessibility and integrity of information we hold.

We share data with the Law Society when they need it to make a decision on accrediting a firm.

We collect and share data about regulated individuals with the Law Society which the Law Society uses for the following purposes:

• to fulfil their statutory role under the Legal Services Act 2007, as well as:
• to validate and maintain their membership register and ensure eligibility for, for example, the right to stand and vote in Council elections
• to provide membership services to solicitors
• to provide and maintain the “find a solicitor” service
• to conduct research and compile management information.

When we collect and share data with the Law Society for purposes outside the Law Society’s statutory functions we do so because the Society has a legitimate interest in using that data in order to govern the work of the Society, maintaining its membership, providing services to its members and raising public awareness of services offered by its members, and the Society needs this data to perform these functions. Some research carried out will be done as part of the Law Society’s statutory functions while in other cases the Law Society or third parties will have a legitimate interest in the outcome of research. We provide the minimum amount of personal information required for them to perform these tasks. For further details, please see the Law Society’s privacy statement.

In some cases, the public has a legitimate interest in the personal data used by the Law Society such as information presented on the ‘Find a Solicitor’ service which holds personal data about a broad range of those we regulate such as non-lawyer managers and compliance officers. The Society provides this service to ensure the public can identify relevant individuals within a firm and how they can contact them.

Suppliers and service providers

We use cloud-based providers who operate within the EU under suitable data protection arrangements and security controls in place in accordance with the requirements in GDPR.

We also store hard copy material with Capita in the UK who provide archive services to the SRA. We have a data processing agreement in place with Capita to ensure Capita’s security arrangements and the understanding as to the basis and requirements for processing is aligned with ours.

We use Atlantic Data to conduct credit reference and criminal record checks where required for authorisation decisions.

We also share data with organisations who perform audit and assurance roles for us and those who provide professional advisory services. This includes legal, medical and other professional advisers; again, with whom we have arrangements to ensure their compliance with our requirements.

Research bodies

We work with third parties to carry out research to help us achieve the regulatory objectives found in the Legal Services Act 2007 and to work in the public interest. We may also do so in connection with our equality duties. For example, we need to collect certain data including special category data in to monitor the diversity of the profession. The outcome of any research will not relate to or identify any individual.

Research may also inform our 'thematic work', for example, it may identify trends about risks that either exist or are emerging in the legal market which lead us to engage with those we regulate on one to one basis.

Other regulators and enforcement agencies

In appropriate cases, personal information will be disclosed to other regulators, the Legal Ombudsman, law enforcement or Government agencies where it is reasonable to do so to support our, or the relevant agency's, statutory or public function.

In most cases, we will tell the person whose information we hold that we are sending their information somewhere else. You can get more information about how we share information with agencies with a public interest by reading our Memorandums of Understanding. There will be occasions where we will not tell the individual that their data is being shared, particularly in law enforcement connected regulatory matters, where to inform the relevant individual may defeat the purpose of making the disclosure (and/or, in certain cases, involve disproportionate effort).

Adjudicators

We have external Panel Adjudicators who take certain delegated decisions on behalf of the SRA. There are a wide range of regulatory decisions that may be made by a single Adjudicator or by an Adjudication Panel. This includes dealing with:

• applications to determine suitability for student enrolment or admission;
• applications to grant or refuse waivers;
• considering the imposition of conditions on practising certificates;
• applications to consider grants from the compensation fund;
• requests to intervene into firms;
• allegations relating to the conduct of individuals, making findings, imposing sanctions, including fines, for failure to comply with regulatory obligations;
• distribution proposal reports to determine beneficial entitlement to money held on statutory trust, and
• making Orders under sections 41 or 43 of the Solicitors Act 1974.

Independent reviewer

We believe it is necessary and in the substantial public interest that we ensure we handle complaints fairly and effectively. We therefore commission an annual review to help improve how we handle complaints and ensure our services are working effectively in the public interest. To do this it is necessary to share personal data with the Ombudsman Services who independently review complaints we are unable to resolve.

Save as specifically provided for in this Statement, the prospect of international transfer of data will generally only arise in circumstances where we need to send information to our international regulatory counterparts or to officials overseas in connection with regulatory or criminal investigations or processes. In such circumstances, the relevant individuals will not generally be informed that their data has been transferred if doing so would undermine the purpose for which it was transferred.

As explained more particularly below, we also obtain data from third parties. Generally, when we do this, it is in the exercise of our regulatory functions, powers and duties, including:

• Credit Reference Agencies as part of the Suitability Test for applicants
• complainants, other regulatory bodies, law enforcement agencies and witnesses and experts in connection, for example, with a regulatory investigation or other enforcement matter.

Visitors to our website

Cookies are small text files stored on your computer while you are visiting a website. Cookies help make websites work. They also provide us with aggregated information about how users interact with our site. We use this information to try to improve your experience on our website and the quality of service we provide. Cookies help us do this by allowing us to remember personal settings you have chosen at our website. We do not use cookies in any other way to collect information that identifies you personally. Most of the cookies we set are automatically deleted from your computer when you leave our website or shortly afterwards.

Complete information about the cookies we may set on your browser appears below. A hyperlink to this information about cookies appears prominently on most pages of our website.

Cookies set by www.sra.org.uk

Below is a list of cookies set by the SRA website, along with a brief description of what each is used for.

Cookie name	Purpose	Expiry
ASP.NET_SessionId	Unique identifier for sessions, identifies a user’s session	When you close your browser
BIGipServerEktron_Web_CMS	Used by load balancer to map browser sessions to specific web application servers	When you close your browser
Ecm	Used by web platform to determine whether user is a logged-in content management system user	When you close your browser
firstCookie	Used to collect aggregate data on user selections in customer-contact form	When you close your browser
CookieDropDowns	Used to collect aggregate data on user selections in customer-contact form	When you close your browser
ekContentRatingID	Intended to prevent single user from biasing content ratings by rating the same content repeatedly	8,000 years (expires 31 Dec 9999)
EktGUID	Contains no data other than its file name, which is a unique number referencing user data stored on the web application serve	1 year
webvers	Contains no data other than the word "desktop"; stores a user's preference for desktop-optimised display features regardless of device type	14 days
cookie-acceptance	Used to note that you have read our pop-up message on cookies to stop the message appearing multiple times	1 month
sraTranslate	Works with our Bing translator tool to detect if website translation is turned on or off	1 month

Cookies set by mySRA (https://my.sra.org.uk)

Our online account management solution— mySRA—sets several cookies over and above the cookies listed directly above. By logging in to mySRA, you consent to the following cookies being set on your browser.

Cookie name	Purpose	Expiry
ASP.NET_SessionId	Unique identifier for sessions, identifies a user’s session	When you close your browser
ASPXAUTH	Used by web platform to determine whether a user is an authenticated user	When you close your browser
BIGipServerMYSRA_POOL_443	Used by load balancer to map browser sessions to specific web application servers	When you close your browser
TLSUserName	Contains username in encrypted format so that user is automatically logged in to website if cookie is present	100 minutes
TLSPassword	Contains password in encrypted format so that user is automatically logged in to website if cookie is present	100 minutes

Cookies set by https://form.sra.org.uk

A small number of our online forms and surveys are served securely by a cloud-based platform using the sub-domain form.sra.org.uk. This platform sets the following cookie.

Cookie name	Purpose	Expiry
sg-response-939471	Used selectively to identify user and re-direct to appropriate unique instance of form	90 days

Cookies set by https://events.sra.org.uk

When you register for an SRA event you are served securely by a dedicated platform called Eventsforce which uses the sub-domain events.sra.org.uk. The platform sets the following cookies, in addition to those listed under www.sra.org.uk above.

Cookie name	Purpose	Expiry
_zendesk_shared_session, _zendesk_session	Used by our Eventsforce software to store information temporarily while you are using the site	When you close your browser

Cookies set by https://lawsociety.tal.net

When you apply for a job at the SRA you are served securely by a dedicated recruitment platform called WCN which uses the domain lawsociety.tal.net. The platform sets the following cookies, in addition to those listed under www.sra.org.uk above.

Cookie name	Purpose	Expiry
wcn_agent_session	agent session on a system	When you close your browser
wcn_ats_session	recruiter session on a system	When you close your browser
wcn_session	candidate session on a system	When you close your browser
Crsf-token	cross site request token for api	When you close your browser

Third-party cookies

Some services we use to add value and convenience to those who use our website. The browsers may set cookies on our behalf. These services fall into two broad groups: social media and web analytics.

Social media

We publish all of our video content on YouTube.com, and embed it on our website. When a visitor triggers a video to play, YouTube sets cookies on their browser. Any concerns about those cookies should be checked with Google's privacy policy.

Some of our web content includes buttons that allow visitors to share content easily with their online networks—using Twitter, LinkedIn and Facebook. When visiting these areas Twitter, LinkedIn and Facebook may set cookies on a visitor's browser. We do not control the use of these third-party cookies, and any concerns should be checked with the privacy policies of Twitter, LinkedIn and Facebook.

Service	Cookie name	Expiry
twitter.com	Pid	2 years
linkedin.com	X-LL-IDC	When you close your browser
youtube.com	use_hitbox	When you close your browser
youtube.com	VISITOR_INFO1_LIVE	240 days

Web analytics

To improve our web-based services we collect and use overall data about the use of our site from a third-party service, Google Analytics. When visitors use our website Google Analytics sets cookies on their browser. We do not control the use of these third-party cookies and any concerns should checked with Google's privacy policy.

Here is a list of cookies we set on our website and a brief description of what we use each for

Service	Cookie name	Expiry
Google Analytics	_ga	2 years
Google Analytics	_gid	24 hours
Google Analytics	_gat	1 minute
Google Analytics	_gat_UA	10 minutes

We also use a third-party service—LivePerson—to chat to users in real time who visit our guidance pages. This service works alongside our Professional Ethics Guidance helpline in answering solicitors' queries. LivePerson sets several cookies on your browser and you should check LivePerson Privacy Policy for more information.

Service	Cookie name	Expiry
liveperson.net	LivePersonID	1 year
liveperson.net	HumanClickKEY, HumanClickCHATKEY, HumanClickSiteContainerID_<SITEID>, lpCloseInvite, LPit	When you close your browser
liveperson.net	HumanClickACTIVE	1 day

More information about cookies

To learn more, including how to manage cookies, visit www.aboutcookies.org. If you have any questions or concerns about cookies set by www.sra.org.uk, www.my.sra.org.uk. https://form.sra.org.uk or https://events.sra.org.uk please contact us.

We keep this notice under regular review.

Last updated May 2018