
our approach to data protection (GDPR)
At Lex, we recognise the importance of handling personal information with care and integrity.
In the course of our work, we interact with and hold data about individuals – including clients, suppliers, partners, employees, and others connected to our operations. This policy sets out how we collect, manage, and safeguard that personal data in line with our commitment to data protection and legal compliance.
purpose of this policy
This policy ensures that Lex:
- Meets its obligations under data protection law and upholds high standards of privacy practice
- Respects the rights of individuals including staff, customers, and business partners
- Is transparent about how personal data is collected, stored, and used
- Minimises the risk of data breaches and protects the business from associated threats
data protection law
At Lex, we take your data privacy seriously. Under the Data Protection Act 1998, all organisations, including Lex, are required to collect, manage, and store personal information in a lawful and responsible way.
These requirements apply regardless of whether the data is stored electronically, on paper, or by any other method.
To remain compliant with the law, personal data must be collected and used fairly, stored securely, and never shared without proper authorisation.
The Act is based on eight core principles governing the handling of personal data, which require that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
people, risks & responsibilities
This policy applies to:
- The head office of Lex
- All branches and operational locations under the Lex name
- All Lex staff and volunteers
- Any contractors, suppliers, or third parties working on behalf of Lex
It covers all data held by Lex that relates to identifiable individuals, even if that data falls outside the scope of the Data Protection Act 1998. The policy aims to ensure Lex:
- Complies with data protection law and follows best practices
- Protects the rights of staff, clients, and partners
- Is transparent about how personal data is stored and processed
- Protects itself against the risks of a data breach
data protection risks
This policy helps protect Lex from real and significant data security risks, including:
- Breaches of confidentiality – for example, when personal information is shared without proper authorisation.
- Lack of individual choice – people should have control over how their personal data is used by Lex.
- Reputational harm – a data breach or unauthorised access to sensitive information could damage trust in the company.
responsibilities
Everyone who works for or with Lex has a shared responsibility to ensure that personal data is collected, stored, and handled properly. Any team or individual working with personal information must process it in line with this policy and data protection principles.
While Lex does not operate with a large internal team, the following areas of responsibility are still actively maintained:
- Overall responsibility – Senior leadership is responsible for ensuring Lex meets its legal data protection obligations.
- Policy oversight – A designated point of contact oversees data protection practices, ensures internal processes are reviewed regularly, and offers guidance to anyone covered by this policy.
- Training and support – Relevant team members are given the appropriate tools and knowledge to handle data securely and responsibly.
- Subject access and enquiries – Lex ensures individuals can make requests to access their data and receive timely responses.
- Data security – All systems and services used for storing or processing data are kept secure and meet current standards. Regular checks are carried out where possible.
- Third-party review – Any external providers or platforms used to store or process data are assessed for compliance and security before use.
- Marketing and communications – Communications, marketing campaigns, and data use for outreach are reviewed to ensure they align with data protection principles.
general staff guidelines
Only individuals who need access to personal data as part of their role should be able to view or process it. Data should never be shared informally or without a clear business need.
If access to confidential information is required, a formal request should be made through the appropriate internal contact or supervisor.
Lex ensures that anyone handling personal data is made aware of their responsibilities. Training and guidance are provided as needed, depending on role and risk level.
All employees and collaborators are expected to keep data secure by following practical, everyday precautions:
- Use strong passwords and never share them with others
- Do not disclose personal data to unauthorised individuals inside or outside the company
- Review and update data regularly to ensure accuracy
- Securely delete or dispose of data that is outdated or no longer needed
If anyone is uncertain about how to handle specific data or situations, they should seek advice from a supervisor or the person responsible for data protection within Lex.
data storage
These guidelines explain how and where data should be stored securely. If you have questions about safe storage, please speak to the relevant contact at Lex responsible for IT or data protection.
When data is stored on paper (including printouts of digital data), it must be kept somewhere secure where unauthorised individuals cannot access it:
- Paper documents should be stored in locked drawers or filing cabinets when not in use
- Printouts must not be left unattended in shared areas such as printers or desks
- Documents that are no longer needed should be shredded and disposed of securely
When data is stored electronically, it should be protected from unauthorised access, accidental deletion, and potential cyber threats:
- Use strong passwords that are changed regularly and never shared
- Removable media (such as USB drives, CDs, or DVDs) must be locked away when not in use
- Only use designated drives, servers, or approved cloud services for storing data
- Servers containing personal data should be located in secure areas, away from general access
- Data must be backed up regularly, and backups should be tested as part of Lex’s backup protocol
- Avoid saving personal data directly to laptops, tablets, or smartphones
- All devices storing personal data must be protected with authorised security software and firewalls
data privacy
We process personal information for specific and legitimate business purposes, which may include some or all of the following:
- Improving and personalising our services and communications to better serve our customers
- Identifying and preventing fraud
- Enhancing the security of our networks and information systems
- Understanding how users interact with our websites
- Sending communications that we believe may be of interest to you
- Evaluating the effectiveness of promotional campaigns and advertising
Whenever we process data for these purposes, we do so with a strong commitment to protecting your rights. Your personal data will always be handled with care, and your rights will be fully respected.
You have the right to object to this type of data processing. If you wish to do so, please contact us. However, please note that objecting may impact our ability to deliver certain services or communications that are intended to benefit you.
data use
Personal data is only valuable to Lex when it is used responsibly and securely. However, the risk of loss, corruption, or theft increases when that data is accessed or shared.
To minimise these risks, the following guidelines must be followed when working with personal data:
- Always lock your computer screen when leaving it unattended
- Never share personal data informally or send it by email, as email is not a secure method of transmission
- Ensure all personal data is encrypted before being transferred electronically — if unsure, speak to the appropriate internal contact
- Do not transfer personal data outside the European Economic Area (EEA)
- Never save personal data to local devices — always use and update the central, authorised version
data accuracy
Lex is required by law to take reasonable steps to ensure that personal data is accurate and kept up to date.
The more critical the accuracy of the data, the more effort must be made to verify and maintain it.
It is the responsibility of everyone who handles personal information at Lex to help ensure its accuracy. This includes:
- Storing data in as few places as necessary and avoiding duplicate or unnecessary records
- Taking every opportunity to confirm and update data — for example, checking customer details during a phone call
- Making it easy for individuals to update their information, such as through the company website or other official channels
- Correcting or removing outdated or inaccurate data as soon as it is identified — for example, deleting incorrect contact details
Marketing-related databases should also be checked regularly against official suppression files to ensure compliance and accuracy.
rights of data subjects
Under data protection legislation, individuals have the following rights regarding their personal information:
- The right to be informed about the collection and use of their personal data
- The right to access personal data and any supplementary information
- The right to have inaccurate data corrected or completed if incomplete
- The right to request erasure ("to be forgotten") in certain circumstances
- The right to restrict processing in specific situations
- The right to data portability, allowing individuals to obtain and reuse their data across different services
- The right to object to certain types of data processing
- Rights related to automated decision-making and profiling
- The right to withdraw consent at any time (where applicable)
- The right to lodge a complaint with the Information Commissioner’s Office (ICO)
Requests to access this information are known as subject access requests.
To make a subject access request, individuals should contact Lex by email at privacy@lex.co.uk. A request form is available on request, but it is not mandatory to use it.
Lex aims to respond to all valid requests within 30 days. Before any personal data is released, the requestor’s identity will be verified to protect against unauthorised disclosure.
disclosing data for other reasons
In certain circumstances, the Data Protection Act permits personal data to be disclosed to law enforcement agencies without the consent of the individual concerned.
Lex will comply with any such legitimate requests, but only after verifying that the request is lawful and appropriate. The data protection lead will review the request and, where needed, consult with senior management or legal advisers before any data is disclosed.
providing information
Lex is committed to ensuring that individuals are fully informed when their personal data is collected or processed. This includes making it clear:
- How their data is being used
- What rights they have in relation to their data and how to exercise them
To support this, Lex provides a clear and accessible privacy statement that outlines how personal data is collected, stored, and used. This statement is available to all individuals whose data we process.