Introduction and definitions
The UK General Data Protection Regulation (UK GDPR) protects the privacy and integrity of data held on individuals by businesses and other organisations.
This policy incorporates requirements from the Data Use and Access Act 2025 (DUAA), which updates UK GDPR, Data Protection Act (DPA) 2018, and PECR (Privacy and Electronic Communications Regulations).
The UK GDPR is enforced in the UK by the Information Commissioner’s Office (ICO) with whom Lichfields is registered: registration number Z6193122.
Some helpful definitions:
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller is the person, public authority, agency or body which, jointly or alone, determines the purposes and means of processing of personal data.
Data Processor is the person, public authority, agency or body which processes personal data on behalf of the data controller.
Data Protection Officer (DPO) is the person who ensures Lichfields adheres to the policies and procedures set forth in the UK GDPR. Sophie Jefferson is Lichfields’ DPO.
As your employer, Lichfields needs to keep and process information about you for normal employment purposes. The information we hold and process will be used for our management and administrative use. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with the employment contract, to comply with any legal requirements (including right to work checks), pursue the legitimate interests of the company and protect our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.
It is also important you understand your responsibilities and follow the processes we have in place to protect any personal data you come into contact with whilst working at Lichfields.
You should have attended a Data Protection/GDPR training seminar or completed an interactive course on GDPR during your induction. Please inform the DPO if you have not received data protection training or are unsure of your responsibilities.
Sophie Jefferson is responsible for keeping this policy current.
Personal data
Personal data can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person.
Examples of personal data include:
- a person’s name;
- location data (e.g. address or partial address);
- date of birth;
- an online identifier (e.g. email address, cookies and IP address);
- a person’s health data;
- identification number;
- statement of fact;
- any expression or opinion communicated about an individual;
- minutes of meetings, reports;
- emails, file notes, handwritten notes, sticky notes;
- CCTV footage if an individual can be identified by the footage;
- employment applications;
- spreadsheets and/or databases with any list of people; and
- employment or education history.
Special categories of personal data
Some information is ‘special’ and needs more protection due to its sensitivity. It’s often information you might not want widely known and is very personal to you. This is likely to include anything that can reveal your:
- sexuality and sexual health;
- religious or philosophical beliefs;
- ethnicity;
- physical or mental health;
- trade union membership;
- political opinion;
- genetic/biometric data; and
- criminal history.
Privacy and Electronic Communications Regulations (PECR)
While GDPR governs personal data processing broadly, PECR specifically regulates electronic communications, including marketing emails, texts, and cookie usage.
PECR governs electronic marketing and the use of cookies and similar technologies. Our commitments include:
- Marketing communications: we only send electronic marketing to individuals who have given clear, informed consent, unless an exemption applies (including legitimate interest where relevant) in line with UK GDPR, DPA 2018 and DUAA changes. Every communication includes an easy opt-out mechanism.
- Cookies and tracking: we seek consent for cookies which are intrusive or used for tracking and profiling. Non-intrusive cookies (e.g. for site functionality or analytics) may be used without consent, as permitted by law.
- Record keeping: we maintain accurate records of consent for marketing and cookie preferences.
- Transparency: individuals are informed about how their data will be used for marketing and tracking at the point of collection, through our privacy notice which explains our cookie policy.
Failure to comply with PECR may result in regulatory action by the ICO and reputational damage.
Data minimisation
We only collect and process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date.
Uses of data
We may sometimes need to process your data to pursue our legitimate business interests. ‘Legitimate interest’ is where Lichfields processes data in ways you would reasonably expect and which have a minimal impact on your privacy, or where there is a compelling justification for the processing of your data. When relying on legitimate interest as a lawful basis, we carry out a balancing test to ensure our interests are not overridden by your rights and freedoms.
We may process data under the lawful ground of 'recognised legitimate interests' as defined by DUAA, where appropriate. This may apply in cases specified by the Act, without the need for a balancing test.
We will never process your data where these interests are overridden by your own interests.
Much of the information we hold will have been provided by you, but some may come from other internal sources, such as your manager or a director, or in some cases, external sources, such as referees.
The sort of information we hold includes your CV, job application and references, your contract of employment, correspondence with or about you, for example letters to you about a pay rise or, at your request, a letter to your mortgage company confirming your salary; information needed for payroll, benefits and expenses purposes; contact and emergency contact details; records of holiday, sickness and other absence; and records relating to your career history, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records etc.
As part of our commitment to better understand and address diversity and promote broader inclusion at Lichfields, we also collect and monitor special category data. This data includes information related to ethnicity, disability, sexuality and gender identification, including reassignment, and religious beliefs. The collection and monitoring of this special category data is conducted in compliance with the UK GDPR and other relevant data protection laws. Our legal basis for processing this data under Article 9 of the UK GDPR is Legitimate interest. We have in place strict security measures to safeguard your data, including software with nominated access controls, staff training, policies, and procedures. When requesting such information, we will always provide clear communication regarding the purpose for data collection. By participating in this process, our employees contribute to creating a more inclusive and equitable workplace for everyone. However, there is no compulsion for our staff or candidates to divulge such information about themselves, and they retain the autonomy to update or remove such data at any given time.
Under the UK’s Gender Pay Gap Reporting legislation, employers with 250 or more UK-based employees must collect certain gender and pay data and analyse this. We now have a legal obligation to collect and share gender-related information on our website, together with a written statement, which must be reported to the UK government.
Where necessary, we may keep information relating to your health, which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety and occupational health obligations – to consider how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We may also need this data to administer and manage statutory and company sick pay, health insurance or life insurance policies.
In addition, we may monitor computer and telephone/mobile telephone use, as detailed in our Information Technology and Data Policy available via the Employee Handbook on the intranet. We also keep records of your hours of work by way of timesheets and signing in/out sheets.
We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll provider, pension or life insurance schemes.
If in the future we intend to process your personal data for a purpose other than that which it was collected we will provide you with information on that purpose and any other relevant information.
Data retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Staff training and awareness
All staff receive data protection training as part of their induction and regular refresher training thereafter. Updates to data protection policies and procedures are communicated promptly to ensure ongoing awareness and compliance.
Handling data subject requests
We respond to data subject requests (such as access, rectification, or erasure) within one month of receipt, as required by law. We verify the identity of all requesters to protect personal data from unauthorised disclosure.
Your rights
Under the UK GDPR you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification or erasure of your personal data; the right to restrict processing, object to processing as well as in certain circumstances the right to data portability. Your rights have been listed and explained in full below.
If you have given your consent for the processing of your data, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing carried out before consent was withdrawn.
These rights are relevant to every individual, including of course, members of the public. This means all personal data you come into contact with during your work with Lichfields must also be handled by you in line with these rights. We have explained each right along with how we and you must meet these rights.
We have a guidance note in the Quality Management Handbook which explains how to process personal data in your line of work.
The UK GDPR gives individuals the following rights, which we must respect whenever we handle personal data:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- rights in relation to automated decision making and profiling.
Where required (for example, under Freedom of Information legislation or other official transparency obligations), we maintain public registers of data access requests, including requester identity and purpose, in line with DUAA transparency requirements.
Where significant decisions are made solely by automated means, individuals will be informed, may challenge the decision, and may request human intervention, in accordance with DUAA safeguards.
Right to be informed
This right encompasses our obligation to provide ‘fair processing information’ to individuals, typically through a privacy notice. It emphasises the need for transparency over how we use personal data. The information we supply about the processing of personal data must be: concise, transparent, intelligible and easily accessible; written in clear and plain language; and free of charge.
At the time data is collected, and where we have obtained personal data directly from an individual, the individual must give their consent to their data being obtained, and have the opportunity to opt out of any subsequent uses of their data. We must ensure individuals have a very clear and unambiguous understanding of the purpose(s) for collecting the data and how it will be used.
Our privacy notice is available to all visitors to our website: http://lichfields.uk/privacy-notice/.
Where our business contacts wish to receive marketing material, such as blog posts, insights and/or news, they subscribe via our website choosing the content they wish to receive. They supply their email address and may unsubscribe immediately or at any time thereafter. Each email correspondence for a blog post, insight or news item has a clear unsubscribe option. Lichfields reserves the right to email subscribers with updates that may be of interest to them, even if not explicitly subscribed to, at its discretion. Such examples could include (but are not limited to) policy updates, product releases and events.
A record of who, when, how, and what we told people who consented to receive marketing material, such as blog posts, insights and/or news is retained by the Marketing Department.
Where we collect personal data from others, for instance, during public consultations, client projects or surveys, a short-form privacy notice must be included. All such notices must be signed off first by Sophie Jefferson or Helen Ashby-Ridgway in her absence.
Right of access
Individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information (which largely corresponds to the information that should be provided in a privacy notice about fair processing). This will usually be obtained via a “Subject Access Request” (SAR).
We will respond to requests with the results of reasonable and proportionate searches, in line with DUAA requirements. A reasonable search means using systems and records we can access without disproportionate effort or cost, focusing on sources where relevant information is most likely to be found. We will explain any limitations in scope to the individual making the request.
When receiving a request for access to personal data, or for its rectification or deletion, the identity of the person making the request must be verified so that we do not assist identity theft. Where we have reasonable doubts concerning the identity of the person making the request, we may ask for additional information necessary to confirm the identity of the data subject.
The information should be provided in a commonly used format. Our IT department will provide requested emails as .pst files, and other information as .pdf files or Microsoft Office files (e.g. MS Word or MS Excel). Where possible this information will be sent electronically via OneDrive.
Personal data relating to other individuals must be redacted or removed before data is provided to the data subject.
Applicants are asked to send subject access requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk.
Right to rectification
The UK GDPR gives individuals the right to have personal data rectified where it is inaccurate or incomplete. Where personal data has been disclosed to a third party, we must also inform the third party of the rectification. Where appropriate the individual must be informed about the third party to whom the data has been disclosed.
We aim to keep all personal data up-to-date and accurate. Where we are in doubt of the accuracy of personal data it will not be used.
Please refer any right to rectification requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk.
Lichfields employees – potential, past and current
Changes to personal data relating to staff held in the ‘Personal’ tab, bank details in the ‘Payroll’ tab, memberships in the ‘Professional membership’ tab on the HR System can be rectified by the individual. For all other changes a request will be made to HR.
Changes to personal data relating to candidates on iCIMS, our recruitment software, can be rectified by the individual or the recruitment agency representing the candidate.
Any other changes should be referred to the HR Department.
Right to erasure
Sometimes referred to as “the right to be forgotten” this enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances, such as:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the UK GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
A refusal to comply with a request for erasure is legitimate where the personal data is processed for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation, for the performance of a public interest task or for the exercise of official authority;
- for public health purposes in the public interest;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- for the establishment, exercise or defence of legal claims.
Personal data may be used for scientific research under broad consent, as permitted by DUAA. This may include studies on housing trends, transport patterns, land use, or community needs. Where providing individual privacy notices would involve disproportionate effort, we may publish notices online instead of sending them individually, while ensuring privacy and data protection standards are maintained.
All automated correspondence from Lichfields contains an option to unsubscribe from further communications. A record is retained by the Marketing Department where an individual has unsubscribed to any marketing material: blog posts, insights and/or news.
We will retain just enough information about the individual to ensure that the deletion is respected in future should a system fail and we need to restore data from backup.
Where such information has been disclosed to a third party we will inform the individual. We will also request the data to be erased from the third party’s records.
Please refer any right to erasure requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk.
Disposal of records
Paper records containing personal data must be disposed of securely when no longer needed.
When electronic data is no longer required, it must be deleted.
Lichfields’ computers and mobile devices are not given away or sold before all information stored on them has been securely wiped. Where this is not possible, they are securely destroyed.
Personal data collected on behalf of our clients is deleted at the conclusion of each assignment.
Review files
Only request, create and retain personal data where absolutely necessary. Securely dispose of or delete any personal data which is out of date, irrelevant or no longer required. Where you need to retain personal data, inform Sophie Jefferson, who keeps a record of all “Personal protection folders”, the job name and number, the Lichfields team with access to the personal data, and the date the folder was created.
Right to restrict processing
In some circumstances individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, we are permitted to store the personal data, but not further process it. In these circumstances we can retain just enough information about the individual to ensure that the restriction is respected in future.
Please refer any right to restrict processing requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk.
The list of restricted data is maintained by the DPO.
Right to data portability
Individuals are allowed to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Where a request for personal data is made, the information will be provided in a commonly used format, e.g. a .pst file or a collection of .msg/.eml files (for emails), or .pdf or Microsoft Office files (e.g. MS Word or MS Excel) for other information. This information will be sent electronically to the individual in one of these formats or via OneDrive.
Please refer any right to data portability requests to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk.
Right to object
Individuals have the right to object to their data being processed. Where Lichfields receives such a request we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of legal claims.
Any right to object requests must be sent to the Data Protection Officer, Lichfields, The Minster Building, 21 Mincing Lane, London, EC3R 7AG or by email to: dpo@lichfields.uk.
Right to object requests are recorded and the outcome logged; this list is maintained by the DPO.
Rights related to automated decision making including profiling
The UK GDPR has provisions on automated decision-making (making a decision without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).
Lichfields only performs automated decision making during the recruitment process to determine if a candidate has the right to work in the UK.
Security
We have taken appropriate measures and put security controls in place to prevent the personal data we hold being accidentally or deliberately compromised.
We design and organise our security to fit the nature of the personal data we hold, taking into consideration the harm which may result from a security breach.
We may use cookies for statistical and preference purposes without requiring consent, as permitted by DUAA. Consent will still be sought for intrusive cookies or those used for tracking and profiling.
We maintain an information asset register where we record all our personal data processing activities.
Disclosing data
Lichfields will never reveal personal data to third parties (third parties include our clients and local authorities) without the prior consent of the individual concerned, legal compulsion or another reasonable justification.
Data breach notification
In the event of a data breach, we follow our Data Breach and Information Security Incident Policy. All breaches are assessed and, where required, reported to the ICO within 72 hours. Affected individuals will be notified where there is a high risk to their rights and freedoms.
The use of data protection impact assessment (DPIA)
Data protection impact assessments (also known as privacy impact assessments or PIAs) help to identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy.
We will use data protection impact assessments when:
- introducing new technologies; or
- a new process is likely to result in a high risk to the rights and freedoms of individuals.
Using email, cloud services, and other systems, and how to be compliant when using these services
Many of our technology systems are cloud based. Our Information Technology and Data Policy gives guidance on: password security; which systems are considered safe for personal data; and keeping data secure whilst in transit, either on physical media (USB sticks, mobile devices etc.) or via cloud based file shares.
Where personal data needs to be sent to a third party, it should only be transmitted via encrypted USB memory or by OneDrive, part of our Office365 subscription. OneDrive ensures only the intended recipient can open the data (or provide access to others). It also provides an accurate audit trail.
Anonymising and encryption of data
Anonymisation is the process of removing personally identifiable information from data sets so that the people whom the data describes remain anonymous.
Encryption transforms data into a form that cannot be read without a secret key or password. Encryption is the most effective way to achieve data security: only those who hold the key or password can decrypt and read an encrypted file.
We inform those giving feedback during public consultations and surveys that where we publish or share their personal data it shall be anonymised.
Where we become aware of an individual’s physical or mental health conditions, for example during a planning application, we ensure this sensitive data is not publicly shared.
Senior planners and above have been provided with secure encrypted USB sticks. We are also able to encrypt normal USB sticks and drives if required for larger transfers. Individual files can be password protected, with the password provided to the recipient.
Protocols of transferring data to third parties
When OneDrive is used to transfer data from one device to another, or to another business or individual, the data is encrypted in transit (e.g. when sent across the internet or over a wireless connection). This provides effective protection against interception of the communication by a third party whilst the data is in transfer.
Sending personal data outside the European Economic Area (EEA) and the UK
International transfers of personal data are managed in accordance with the requirements of the DUAA. We ensure compliance with the latest rules for cross-border data transfers. Where personal data is transferred to, or stored at, destinations outside the EEA and the UK, we only use organisations and service providers which meet the data protection standards recognised by the ICO or other relevant UK authorities. We do not transmit personal data unless appropriate safeguards are in place, as required by DUAA.
Before placing personal data on the internet or transferring it internationally, we obtain explicit consent from the data subject or ensure the data is anonymised, as required by DUAA.
Third party processors
Where Lichfields uses a third-party processor, we will always have a written contract in place to evidence and govern the working relationship; the processor must guarantee that they will meet the requirements of UK GDPR and protect the rights of data subjects.
Where Lichfields is the data processor, we have a contract in place with the data controller which must always be used.
Processing includes obtaining, recording, holding, accessing, storing, retrieving, disclosing and erasing or destroying data.
Where Lichfields is the processor we will only act on the documented instruction of a controller.
We may use third-party survey software, such as SurveyMonkey, to collect survey responses. Such platforms may automatically record technical metadata, including IP addresses. We will ensure that anonymous mode is enabled so that no identifying metadata is collected.
Conditions for processing
Unless a relevant exemption applies, at least one of the following conditions is met whenever we process personal data:
- The individual has consented to their personal data being processed. This consent is fully recorded.
- The processing is necessary:
  - in relation to a contract which the individual has entered into; or
  - because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to the individual (except where an obligation is imposed by a contract).
- The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the “legitimate interests” condition.
We use data protection impact assessments before: using new technologies, and when processing is likely to result in a high risk to the rights and freedoms of individuals.
Working with other businesses
Even when Lichfields is not designing the data collection or collecting the personal data itself, or where another party is co-ordinating the consultation and exhibition services, all our staff are expected to understand the need for personal data security.
Implications of failure to comply
Failure to comply with the requirements of UK GDPR may result in:
- Damage to Lichfields’ reputation;
- Legal action;
- Fines and damages (up to £17.5m or 4% of turnover – whichever is higher);
- Suspension/withdrawal of the right to process personal data by the ICO;
- Loss of confidence in the integrity of Lichfields’ systems and procedures; and
- Investigation of the individual responsible and subsequent action under our disciplinary procedure.
Our Data breach and information security incident policy sets out the procedure which should be followed and ensures a consistent and effective approach is in place for managing data breaches and information security incidents across the company.
Complaints
If you have any concerns as to how your data is processed, you can contact the following:
Non-Lichfields employees should be directed to: dpo@lichfields.uk
Lichfields staff should contact:
Sophie Jefferson, Data Protection Officer, sophie.jefferson@lichfields.uk
Bruce McLeod, Finance and Operations Director, bruce.mcleod@lichfields.uk
or you can write to: Data Protection Officer, The Minster Building, 21 Mincing Lane, London, EC3R 7AG
Where you submit a data-related complaint electronically, we will acknowledge it within 30 days and provide a full response as promptly as possible, in line with DUAA requirements. Complaints submitted by post will also receive a timely response.
Policy Review and Approval
This Policy is reviewed at least annually, or sooner if there are significant changes in legislation or business practices. Updates are approved by the Data Protection Officer and communicated to all staff via email and the intranet and to the general public via Lichfields’ website.