Staff privacy notice

How we will use and share your personal data 

This notice explains how Mills & Reeve LLP, 24 King William Street, London, EC4R 9AT, and Mills & Reeve Services Limited, 1 St. James Court, Whitefriars, Norwich, Norfolk, NR3 1RU, will collect, use or otherwise process personal data of prospective, current staff and partners, apprentices, interns, volunteers and similar individuals (“you”), how we use it internally, how we share it, how long we keep it and what your legal rights are in relation to it.

“Personal data” is information relating to you as a living, identifiable individual.

In the course of facilitating your employment, we may obtain a range of personal data about you.  This data may be received from you, or it may be received from a third party such as a referee obtained from a public source. 

The types of personal data that we hold might include:

  • The contact details that you provide to us, including names, addresses (including previous addresses) and telephone numbers.
  • Other personal details, such as your date of birth, previous names, or marital status.
  • Your position, role, contract terms, grade, salary, benefits and entitlements.
  • Records about your recruitment, including your application paperwork, details of your qualifications, references, requests for special arrangements and communications regarding our decisions.
  • Details of any relevant criminal convictions or charges that we ask you to declare to us, either when you apply to us, or during your employment. Further, we carry out pre-employment checks, including Disclosure and Barring Services (“DBS”) checks for all roles, which will provide us with details of any relevant criminal convictions and/or cautions that you have received.
  • Details of your disciplinary history. It is a requirement of firms regulated by the Solicitors Regulation Authority (“SRA”) to check that all new employees, and individuals the firm contracts with, do not cause or contribute to a breach of the SRA’s Standards and Regulations.
  • Copies of passports, right to work documents, visas and other documents required to comply with immigration checks.
  • Pensions membership data, including identification numbers, quotes and projections, terms, benefits and contributions.
  • Details of any medical issues and/or disabilities that you have notified to us, including any consideration and decision on reasonable adjustments made as a result.
  • Diversity and inclusion monitoring data.
  • Your financial details, including bank and building society account numbers, sort codes, BACS IDs, NI numbers, tax codes, payslips and similar data.
  • Learning and development records, including your attendance, completions, accreditations and certifications.
  • Promotion and progression records, including applications, references and supporting materials, records of deliberations and decisions, feedback and awards.
  • Records regarding grievances, disciplinary proceedings or investigations prompted by, involving or relating to you.
  • Photographs (CCTV from our office locations, or taken by us for identification purposes to be displayed on Mills & Reeve LLP’s intranet and, in the case of fee earners, displayed on Mills & Reeve LLP’s website and used for marketing purposes. Please contact the HR team if you would not like us to disclose your photograph in this way).
  • Absence records, including leave requests, sickness records and related data.
  • Computing and email information, including login information and usage of our IT systems, IP address(es), equipment allocated to you and records of network access.
  • Access control information from our office locations. 

Contract: To the extent that we have a contract with you (or one is in prospect), the primary legal basis for processing your personal data is that the processing is necessary for the performance of a contract with you, or in order to take steps at your request prior to entering into a contract. This can relate, but is not limited to, processing linked with training, remuneration, benefits, performance appraisal, and communication about issues connected with your work, its location or critical systems.

Legal Obligation: Processing of your personal data may be necessary for compliance with our legal and professional obligations to third parties as an employer including, but not limited to, right to work, tax and equality and inclusion.

Legitimate Interests: Further we may process your personal data in pursuit of our legitimate interests. We have legitimate interests:

  • in supporting the wellbeing of our current staff and partners and promoting a supportive work environment;
  • in maintaining our relationships and communicating with current and ex-staff, partners, volunteers, and applicants for roles within the firm;
  • in undertaking client specified and contractually binding identity checks and other verification;
  • in protecting the safety and wellbeing of everyone whilst on our premises, and of our staff when engaged in work for the firm regardless of location;
  • in maintaining the security of the systems, premises, equipment and information to prevent cyber or physical incidents;
  • in recording activities for evidentiary purposes in the case of suspected or actual security or other incidents affecting Mills & Reeve; 
  • in recording relevant activities for evidentiary purposes in formal Mills & Reeve disciplinary processes arising from breaches in policies and/or employment terms and conditions;
  • in monitoring capacity and quality, including workforce and availability planning, to deliver an appropriate level of service to clients; 
  • in responding to prospect and client tenders and requests for diversity and inclusion information;
  • in seeking confidential legal advice when necessary and/or establishing or defending legal claims.

Public Task: We may process your data in furtherance or support of specific tasks that are in the public interest. Examples include but are not limited to our support of military reservists, and the sharing of relevant staff information with government and public authority clients where required for their own vetting and similar processes.

Vital Interests: We may also use your personal information, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. 

Consent: In a small number of cases, where other lawful bases do not apply, we may process your data on the basis of your consent. At present, we do not use consent as our basis for processing in relation to the personal data of prospective, current or ex-staff members.

The table below sets out our main uses for personal data and connects them to our usual legal bases for doing so.

| Purpose for which data is processed | Legal basis for that processing |
| --- | --- |
| To make decisions about your recruitment, appointment, continued employment and/or exit from the business, including determining any applicable contractual terms and sponsorship, carrying out background checks, checking your qualifications and references, and sharing relevant information with clients where needed. | Contract; Legal Obligation; Public Task; Legitimate Interests |
| To meet immigration and employment law requirements. | Legal Obligation |
| To administer the financial aspects of your employment, including paying you, deducting tax and National Insurance contributions, liaising with your pension provider, and engaging in business management and planning (e.g. accounting and auditing tasks). | Contract; Legal Obligation; Legitimate Interests |
| To manage and administer the wider terms of your contract with us, including conducting performance reviews, managing performance, recording and assessing your development, making decisions regarding salary reviews and promotions, and complying with health and safety obligations. | Contract; Legal Obligation; Legitimate Interests |
| To understand our workforce and their wellbeing, including ensuring that they feel supported as part of the Mills & Reeve community. | Vital Interests; Legitimate Interests |
| To meet legal obligations regarding Health & Safety, and to reduce potential for fraud and other unlawful behaviours. | Contract; Legal Obligation; Legitimate Interests |
| To investigate, follow and evidence company processes in relation to grievances, disciplinary proceedings or investigations prompted by, involving or relating to you. | Contract; Legal Obligation; Legitimate Interests |
| To monitor your use of our information and communication systems to ensure compliance with our IT policies. Ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. | Contract; Legitimate Interests |
| To conduct workforce analysis and planning, to review and better understand employee retention and attrition rates. | Legitimate Interests |
| To meet equalities law requirements. | Legal Obligation |
| To engage with complaints and possible legal disputes involving you, or other employees, workers and contractors. | Legal Obligation; Legitimate Interests |
| To enable a merger, acquisition, change of control, joint venture or other similar arrangement involving our business. | Legal Obligation; Legitimate Interests |

Certain personal data is subject to additional safeguards under data protection legislation. Such information includes details of:

  • your racial or ethnic origin;
  • your political opinions;
  • your religious beliefs or other beliefs of a similar nature;
  • whether you are a member of a trade union;
  • your physical or mental health or condition;
  • your sexual life;
  • the commission or alleged commission by you of any offence; or
  • any proceedings for any offence committed or alleged to have been committed by you, the disposal of such proceedings or the sentence of any court in such proceedings.

It may be necessary for us to process some special category personal data in order to comply with legal or regulatory obligations (including making reasonable adjustments for colleagues with disabilities, or to fulfil our obligations to the Solicitors Regulation Authority and the Legal Complaints Service), or if we need to do so in order to seek confidential legal advice, or establish or defend legal claims. Processing may also be necessary to fulfil legal obligations or exercise legal rights, to enable a merger, acquisition, change of control, joint venture or other similar arrangement involving our business.

It may be necessary for us to process some special category personal data for purposes of identifying or keeping under review the existence or absence of equality of opportunity between specified groups by monitoring specified diversity and inclusion data (ethnic/racial origin, religious/philosophical belief, physical/mental health, sex life and sexual orientation).

We will process health data provided to us in accordance with our rights and obligations as an employer, including requesting occupational health, medical assistance or other wellbeing support for employees, engaging in internal absence monitoring, and supporting health insurance claims by our employees.

Special category data may also be processed in the course of investigative, disciplinary, grievance, redundancy and other internal processes, as well as in relation to the establishment, exercise or defence of legal claims. Special category and/or criminal offence data may also, in rare cases, need to be shared on a confidential basis with public sector clients of the firm, where required by their own vetting and authorisation processes.

We do not base our processing of special category data on your consent. You may on occasion be requested to consent to participate in specific processes, such as referrals to Occupational Health, but such consent is to participation, not to the processing of personal data.

From time to time, we may share anonymised summary data to support a bid for client work; or in response to a request from a client to support their information gathering. To ensure anonymity for employees, details will not be provided where the number of employees in relation to whom information is requested is fewer than five.

If you decide not to supply personal data that we have requested and as a result we are unable to comply with our professional, legal or regulatory obligations, then we may be unable to enter into, or continue with, your employment.

For example, copies of your passport, right to work, and visa information will be collected to enable us to comply with UK Immigration and Visa requirements or financial data, including your account number and sort code, BACS ID, NI number, salary, tax codes and payments information.

Some data that you give to us is provided on a wholly voluntary basis – you have a choice whether to do so.  Once such data is volunteered to us, it will be processed in accordance with our rights and obligations as an employer. Examples include: diversity and inclusion monitoring data, which is requested by us as part of the diversity monitoring that we undertake to fulfil our legal obligations under the Equality Act 2010 or disability and health condition information, which you may choose to provide to us in order that we can take this information into account when considering whether to make any reasonable adjustment/s.

Basic professional information, such as professional email addresses, names, and details of your availability may be shared with colleagues within the firm to facilitate introductions, the smooth progress of ongoing work, the advancement of firm projects and initiatives, internal processes, and the maintenance of the Mills & Reeve community.

Other personal data will be seen by relevant members of the HR Team in the course of their duties, your manager where relevant (for example, sickness absences), and by confidential data analysts whose role it is to generate the dashboards used for diversity monitoring, or to complete submissions to prospects/clients. 

We may need to share your data with relevant third parties to facilitate our contract with you, for example BACS payment providers to pay you, or where you ask us to share your data, for example to select other benefits.

The firm will provide basic professional information, such as professional email addresses, names, and details of your availability to clients, to facilitate new instructions or make introductions.  We may also be required, on occasion, to share employee background details with public authority clients where they require such information for security and vetting purposes.

We may outsource some of our services or engage consultants, professional advisors and others to support us in delivering or evaluating our services (for example, auditors, trainers, courier or IT services).  In these cases, relevant personal data would be provided to and processed by the provider of such services, in accordance with the terms of our contract with them and to the extent appropriate for the performance of that contract.

We might need to share or transfer your data confidentially with relevant parties and/or their professional advisers if there is a merger, acquisition, change of control, joint venture or other similar arrangement involving Mills & Reeve LLP.

Exceptionally we might need to share your personal information in order to obtain necessary confidential legal advice or to comply with our insurance, legal or regulatory obligations.  For example, we may have to provide some public authorities such as HMRC with relevant data, or confirm details to the SRA.

In the course of carrying out the activities referred to above we may transfer your data to other countries, which may not have the same legal protections for your data as the UK.

Where data is being transferred outside of the European Economic Area, we will take steps to ensure that your data is adequately protected in accordance with UK legal requirements.  Where we are in a contractual relationship with the recipient, such protection will normally consist at minimum of appropriate contractual protections agreed between us and the recipient.

Otherwise, for example, we may transfer your data if it is necessary for performance of our contractual duties to you, or because we have other legal obligations to transfer the data, or it is necessary for important reasons of public interest. If you require further detail about the protections in connection with any particular relevant transfer, matter or jurisdiction, please ask us.

We retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purpose of satisfying any legal, accounting or reporting requirements.  

Where your personal data relates to your employment, we expect to retain your personal data in accordance with our retention policies for up to seven years after your employment or partnership ends.  This policy is reviewed periodically and the periods for storage specified in it may alter depending on the requirements of law and regulation, best practice and insurance.  

We may be obliged to suspend any planned destruction or deletion under our retention policy where legal or regulatory proceedings require it or where proceedings are underway such as require the data to be retained until those proceedings have finished.

Please note that we may keep anonymised statistical data indefinitely, but you cannot be identified from such data.

You have the right to request copies of the personal data we hold about you.  If you wish to obtain a copy of your personal data, you may contact us by emailing [email protected].

You also have the right to ask for inaccuracies in your data to be corrected, and in certain circumstances for us to stop processing your data or for your data to be erased. Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

If you have any questions about this privacy statement, the practices of this web site or your dealings with this web site, please use the following contact point: [email protected].

If you believe that we have not complied with any of our obligations under data protection laws in the UK, please let us know.  You have the right to lodge a complaint with the Information Commissioner’s Office.