CILEx Regulation takes your privacy and your rights to your personal data extremely seriously and we are committed to protecting the privacy of all personal data obtained about individuals whilst fulfilling wider regulator legal duties in the public interest. Data is held in compliance with the EU General Data Protection Regulation 2016 (GDPR), the Data Protection Act 2018 and other applicable data privacy laws.
CILEx Regulation is committed to protecting the privacy of all personal data obtained about individuals through, but not limited to, personal contact, email enquiries, event registrations, application forms and membership forms.
Data will be collected and used only for the purposes for which it was originally submitted or for legal or regulatory requirements.
- Who we are and how to contact us
- How we communicate with you
- How and why we obtain personal data
- How we process personal data
- The personal data we collect, how we collect it and where is it stored
- Sharing personal data
- Security of your personal information
- How long do we keep your personal data
- Your rights
- Reviewing the Privacy Statement.
CILEx Regulation Limited regulates individuals and firms in England and Wales, such as: individuals who are authorised and known as Chartered Legal Executives and CILEx Practitioners; individual members of the Chartered Institute of Legal Executives (CILEx) in other grades of membership; and firms, known as CILEx Authorised Entities.
In most circumstances, CILEx Regulation is the data controller in relation to the personal data it holds and the processing activities it undertakes are outlined below. However, data may be held by both CILEx Regulation and CILEx as joint data controllers where there are different lawful bases for holding the data, reflecting the different objectives of a regulator and a membership body.
If you have any questions about this Privacy Statement, you can contact us by writing to: Data Protection Officer, CILEx Regulation Ltd, Room 301, Endeavour House, Wrest Park, Silsoe, Bedford, MK45 4HS.
CILEx Regulation respects the privacy of personal data we hold, accepting that on rare occasions regulatory duties may take precedence over individual data rights.
There are updates that CILEx Regulation needs to communicate to members, students, stakeholders and firms in relation to regulation and supervision. For this purpose, we use direct communications, email, newsletters and other channels. Where appropriate, we will seek your consent, to send updates about CILEx Regulation and CILEx products and services to you via these communications channels. However, we will continue to communicate with you where our regulatory duties require us to do so.
CILEx Regulation only processes personal data where we have a lawful basis to do so. This will depend on the activity we collect it for, e.g. authorisation, supervision, enforcement and general compliance with the rules and regulation of CILEx Regulation.
As a professional regulator, most of the personal data we process is data relating to our regulatory functions, powers and duties.
We generally process data on the basis that it is necessary for the performance of a task carried out in the public interest and/or in the exercise of our statutory functions. When we process special category data, we do so either in the substantial public interest to achieve regulatory objectives or to comply with our equality duties, or we do so because we are exercising our protective functions designed to protect the public from misconduct, unfitness to practise or incompetence.
We may also use data to improve our level of service. Where we do this, we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so.
In some instances, there may be more than one lawful basis for which we process your personal data.
The lawful bases which are relevant to CILEx Regulation are as follows:
- Legal obligations
CILEx Regulation processes personal data which is necessary for compliance with legal obligations to which CILEx Regulation is subject specifically, but not exclusively, regulation in the public interest under the Legal Services Act 2007. For example, this includes, but is not limited to, processing personal data to conduct investigations, providing personal data to external regulators, law enforcement and statutory bodies. This also includes making information such as practising details and disciplinary sanctions of authorised and regulated individuals publicly available in the CILEx Authorised Practitioners Directory, on CILEx Regulation’s website and the Legal Choices website.
- Legitimate interest
Data may also be processed because it is necessary for the pursuit of our legitimate interests and/or the legitimate interests of others such as CILEx, where disclosure is lawful and the processing is aligned with the purpose for which the personal data was originally collected. CILEx Regulation processes personal data which is necessary for the pursuit of its legitimate interests such as creating checklists for applicants and analysing statistical data obtained from surveys, etc.
The law allows CILEx Regulation to do so provided the processing is fair, balanced and does not unduly impact your rights.
CILEx Regulation may also rely on a third party’s legitimate interests, such as when an organisation has requested information or services from us which may be the case in some of the examples given above (such as where you have made an enquiry).
CILEx Regulation processes personal data, which is necessary to deliver contractual services when investigating an allegation, misconduct and any other matter in relation to a person’s suitability to become a member of CILEx.
CILEx Regulation also has a contract with the individual and needs to process personal data to comply with specific counter-obligations under the contract (e.g. processing payment details).
We will not generally rely on consent as a basis for processing personal data. In the limited circumstances where we may rely upon consent, we will specifically obtain this.
CILEx Regulation also asks for consent in complaints for copying the complaints form and any other documents that the individual provides to the person or entity they are complaining about. If you withhold consent to share the form, we may not be able to conduct an investigation into your complaint.
CILEx Regulation collects and processes personal data. Your personal data, however provided to us, will be used for the purposes specified in this Privacy Statement or otherwise notified to you. In particular, we may use your personal data:
- to provide you with services, products or information you have requested;
- to provide further information about our work, services, activities or products;
- to answer your questions/ requests and communicate with you in general;
- to manage relationships with our members, with employers, firms and other stakeholders and those who engage with our services and publications;
- to further our organisational aims in general;
- to analyse and improve our work, services, activities, products or information (including our website), or for our internal records;
- to report on the impact and effectiveness of our work;
- to run/ administer our websites, keep them safe and secure and ensure that content is presented in the most effective manner for you and for your device;
- to register and administer your participation in events;
- to process your application for a job or volunteer role with us when you apply through our job vacancies page (including to conduct background checks and employer references);
- for training and/ or quality control;
- to audit and/ or administer our accounts;
- to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/ or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering or criminal activities);
- for the prevention of fraud or misuse of services;
- for the establishment, defence and/ or enforcement of legal claims;
- to regulate members of CILEx, CILEx Practitioners or CILEx Authorised Entities, including authorisation and supervision, maintaining and enforcing standards and maintaining the CILEx Authorised Practitioner directory and the CILEx Authorised Entity directory.
CILEx Regulation is committed to respecting the personal data you supply to us. The personal data we collect will be relevant to the purposes for which it is to be used and we will do our utmost to ensure that such personal data will be accurate, complete and kept up to date. Whenever personal data is obtained from you, you will have access to information explaining how that personal data will be used.
The personal data we collect
CILEx Regulation may collect, store and otherwise process the following kinds of personal data:
- name and contact details including postal address, telephone number, email address;
- date of birth
- gender; ethnicity, whether you have a disability or any other protected characteristics and any information relating to a background check;
- financial information, such as bank details and/ or credit/ debit card details;
- the information about your membership and your interactions with CILEx;
- details of your qualifications/ experience;
How we collect personal data
We collect, use and share data primarily in the exercise of our regulatory functions. Those functions – and our duties and powers – are chiefly found in primary legislation: Legal Services Act 2007; Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017; and in the rules and regulations passed by our Board which sit beneath it.
We also collect and use data to comply with our duties with equality legislation including the Equality Act 2010.
When we process special category data, we do so either in the substantial public interest to achieve regulatory objectives or to comply with our equality duties or we do so because we are exercising our protective functions designed to protect the public from misconduct, unfitness or incompetence.
Practitioner Applications and Continuing Professional Development (CPD)
To enable assessment of applications made by individuals for Qualifying Employment, Fellowship status or additional Practice Rights and statements regarding continuing professional development.
Entity Authorisation and Supervision
To enable assessment of applications to have an entity authorised and then to monitor and supervise ongoing compliance with our rules and regulations.
Investigation and Misconduct
To process prior conduct declarations from regulated persons, authorised entities and applicants and to investigate allegations of misconduct against members.
Complaints about us
When we receive complaints about us, we create a complaint file.
Usually the file will contain the identity of the person complaining (which may also include contact details such as email addresses, telephone numbers and addresses etc.) and other people involved in the complaint.
We use personal information to deal with the complaint. We may also use the information to check and improve our level of service. Where we do this, we do it to help us to improve the way we work since both we and those we deal with have an interest in us doing so.
We may also prepare and publish or share statistics and research obtained from data we collect such as the number and types of complaints we receive about our service, but not in a form that identifies anyone.
When aiming to achieve the regulatory objectives, in particular, to protect and promote the public interest, it is necessary and in the substantial public interest that we ensure we handle complaints fairly and effectively.
People who make enquiries or ask for general help
When enquiries are sent to us, we usually only use the information to handle the request or to deal with any later issues. We keep a record of our telephone calls.
Other parties connected to our work
The nature of our work means that we handle personal information about third parties who are, in some way, connected to the work we do. This category is broad, and examples include witnesses to an investigation, clients of those we regulate, and applicants to our Compensation Fund.
Some data is collected when people sign up to newsletters, act as an organisation’s contact, respond to our consultations or register with us for events or webinars. We use personal data collected in this way to deliver the service we provide or to improve the service we offer. Respondents to consultations will generally be identified in the consultation responses documents, although the respondents can ask to have their details kept confidential.
We undertake surveys using a secure cloud-based platform and all data downloaded is anonimysed prior to analysis.
Job applicants and employees
We hold and process data relating to our employment applications process which is supporting by CILEx HR Department and the data is held in line with employment regulations.
Information collected from third parties
We also obtain data from third parties. Generally, when we do this, it is in the exercise of our regulatory functions, powers and duties, including complainants, other regulatory bodies, law enforcement agencies, witnesses and experts in connection, for example, with a regulatory investigation or other enforcement matters.
Very often, your personal data will have been provided to us by your employer at your request or by your agreement with them.
We can also obtain personal information from CILEx as part of the membership and qualifications activities.
When you visit our website
When you visit our website, we automatically collect the following types of personal data:
- Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
- Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
In general, we may combine your personal data from these different sources set out in a-c above, for the purposes set out in this Statement.
Where you lodge a complaint, your personal data will be used to correspond with you. Depending on your connection with CILEx, we will determine if the complaint is recorded on our CRM system e.g. you are a member of CILEx or if it is only held electronically. To exercise your rights please see section H of this Privacy Statement.
Access to your personal data
We take reasonable steps to ensure that the personal data we hold will be accurate and up to date. You can check the personal data that we hold about you if you are a member through your MyCILEx account or through MyCRL. Alternatively, you can ask us to check by e-mailing us at: DPO@cilexregulation.org.uk or writing to the Data Protection Officer, CILEx Regulation Ltd, Room 301, Endeavour House, Wrest Park, Silsoe, Bedford, MK45 4HS.
Users 16 and under
We do not knowingly collect or solicit personal data from anyone aged 16 or under or knowingly allow such persons to provide us with their personal data without parental or guardian consent. If you are aged 16 or under, please do not provide us with your personal data, without first asking your parent/guardian for permission. In the event that we learn that we have collected personal data from anybody aged 16 or under and we do not have the consent of a parent or guardian, we will delete that personal data as quickly as possible.
If you believe that we might have any personal data from or about anyone aged 16 or under without the consent of a parent or guardian, please contact the Data Protection Officer by email to DPO@cilexregulation.org.uk or writing to the Data Protection Officer, CILEx Regulation Ltd, Room 301, Endeavour House, Wrest Park, Silsoe, Bedford, MK45 4HS.
Storage of data
Personal data collected by CILEx Regulation is stored on secure IT systems. This personal data can generally be accessed throughout CILEx Regulation except where this is not permitted, in which case appropriate measures are put in place to ensure personal data can only be accessed on a need to know basis.
No external person will have access to CILEx Regulation records except in circumstances outlined in this Privacy Statement.
The personal data we collect will only be used for the purposes set out in this Statement or otherwise notified to you. We will not disclose your personal data to third-parties except as set out in this Statement, e.g. where required to or permitted to by law or where those parties are conducting CILEx Regulation activities on our behalf, (for example to regulators, assessors, accredited course provider, independent panels or law enforcement agencies including parts of CILEx Group such as: CILEx Professional, CILEX Law School, CILEx Foundation).
Depending on the nature of services being delivered and/or the regulatory objectives being met by us, the third parties with whom we share your data with may include, but are not limited to:
- other regulators, the Legal Ombudsman and anti-money laundering supervisors (where appropriate) to meet our or the other party’s regulatory objectives or other legal requirements;
- the Police or other organisations that have a crime prevention or law enforcement function. Data Protection legislation allows organisations to share personal information if it is needed to prevent or detect a crime, or to catch and prosecute a suspect;
- independent panel members, committee members and external assessors where they are required in accordance with our rules and regulations to make decisions including in applications to determine suitability for membership or authorisation, allegations or declarations of conduct, imposition of sanctions or fines, interventions into firms and grants from the compensation fund;
- any individual or organisation who may have relevant information that may assist with our enquiries necessary to meet our regulatory objectives or to meet our legal requirements, e.g. your employers, people making complaints about your conduct, etc;
- any other third party who has a legitimate interest in the data, where disclosure is necessary and lawful and the processing is aligned with the purpose for which the personal data was originally collected.
We share data with CILEx where CILEx has a legitimate interest in using that data to inform the work it undertakes in providing services to its members.
In circumstances, where we engage a service provider or CILEx to provide services to us, we ensure that personal data is only processed in a manner compliant with the relevant law, and subject to a formal data processing agreement, and only used for the purposes for which the personal data was originally collected for.
If we undergo a merger or reorganisation, in doing so, we may acquire or transfer personal data as part of that transaction, but your personal data would continue to be used for the same purpose.
CILEx Regulation does not store credit/debit card details nor share financial information with third parties. However, when paying for goods/services online, CILEx Regulation uses a credit card processing company or a Direct Debit service to complete these transactions. These companies do not retain, share, store or use personal data for any purposes other than to provide this service to CILEx Regulation.
The information that you provide will be stored securely on our electronic systems. Our security measures and procedures reflect the seriousness with which we approach security and the value we attach to your information.
Only relevant members of staff will have access to the information you provide to us. Those members of staff will have received appropriate data protection training.
In general, CILEx Regulation only retains personal data for as long as necessary to fulfil the purposes for which it is being processed (including to comply with relevant legal or regulatory requirements, and/or to resolve legal disputes).
That length of time may vary depending on the reasons for which we are processing the personal data and whether we have a legal (for example under financial regulations) or contractual obligation to keep it for a certain amount of time.
Once the retention period has expired, personal data will be confidentially disposed of or permanently deleted. If you object to further contact from us, we will keep some basic information about you in order to avoid sending you unwanted communications in the future.
If before that date (i) your personal data is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.
You have the following rights:
- To have inaccurate personal data rectified
- To have your personal data deleted from our systems
- To object to certain processing of your personal data
- To access to your personal data
In certain cases, CILEx Regulation can refuse to comply with a request if it is manifestly unfounded or excessive. In order to decide if a request is manifestly unfounded or excessive, CILEx Regulation must consider each request on a case-by-case basis.
The right to rectification
The right to rectification does not always apply. For example, it does not include amending data which was accurate about you at one time even though the current position is different. Nor does it include changing records of information sent to us by others which you say is inaccurate because the information is an accurate record of what was sent to us.
The right to erasure
You have a right to request your data to be deleted in certain circumstances, i.e. where it is no longer needed for the purposes it was collected; the (rare) occasions where consent is relied upon as the lawful basis for processing, consent is withdrawn and there is no other lawful basis for us to continue processing it; you object to the processing (see below) and there are no overriding legitimate grounds to continue; where the data has been unlawfully processed; or where it has to be erased for compliance with a legal obligation.
This right does not apply where we need the information for the performance of our regulatory functions and for example there is a need to comply with a legal obligation or it is necessary to process the data in connection with legal proceedings or legal advice.
The right to object or to restrict processing
You have the right to object to us processing your information where we are processing data in connection with the exercise of our regulatory functions or other data in pursuit of our legitimate interests. In such case, we will stop processing data unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.
The right of access
You have the right to obtain a copy of personal data we hold about you, including the reasons why we hold it, who the data will be shared with as well as details of the period for which the data will be retained.
In some cases, we are not required to provide you with information we hold about you. Where this is the case, we will let you know.
You can request information by email or by letter.
To exercise any of the above rights or make a related complaint, please contact:
Data Protection Officer, CILEx Regulation Ltd, Room 301, Endeavour House, Wrest Park, Silsoe, Bedford, MK45 4HS.
You also have the right to lodge a complaint with the Information Commissioner’s Office. Their contact details are:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
CILEx Regulation will review and update this Privacy Statement annually or when changes to our processes or procedures and systems are made, or if laws and regulations change or if new circumstances require it.
If this Privacy Statement changes in any way, we will put an updated version on the website. Regular review of this page ensures that you are always aware of what personal data we collect, how we use it and under what circumstances.
CILEx Regulation will make reasonable efforts to contact and update those affected if the changes are significant in nature.
Correct as at: July 2023
Next formal review date: September 2023
For more information about how CILEx collect and use your data, please take a look at CILEx Privacy Statement which can be found on the CILEx website.