
LOCS:23

This is the electronic copy of the LOCS:23 Certification Standard.

It duplicates the downloadable standard, but additionally contains links to related solutions that may assist with compliance and preparation for certification.

To apply for certification click here

Contents

1 Introduction

2 Scope

  2.1 Scope of Certification Scheme Standard

  2.2 Processing Activities in Scope

  2.3 Types of Organisations in Scope

  2.4 Territorial Scope for LOCS

  2.5 UK GDPR areas out of Scope

  2.6 Processing areas out of Scope

  2.7 Target of Evaluation

3 Normative References

  3.1 Legal Provisions

  3.2 Related National Standards

  3.3 ICO Guidance

  3.4 Other Documents

4 Definitions

5 Compliance Requirements

6 Methodology

7 Certification

8 UK GDPR Compliance Standard LOCS:23 Controls

8.1 ORGANISATIONAL AND CLIENT FILE GOVERNANCE

8.2 DATA SUBJECT RIGHTS

8.3 OPERATIONAL PRIVACY

8.4 THIRD PARTY SERVICE PROVIDERS AND DATA SHARING

8.5 MONITOR & REVIEW

Appendix 1 – Controls Table

Appendix 2 – UK GDPR Applicability

Appendix 3 – Data Processor Control Applicability

Appendix 4 – LOCS:23 Self-Audit Checklist template


8.1 ORGANISATIONAL AND CLIENT FILE GOVERNANCE

This section describes the controls designed to enable Legal Services certification applicants to demonstrate that they have the required governance model for the Client File in place and that all relevant policies are documented and made available to employees.

An Organisation needs an organisational structure for managing data protection and information governance, which provides strong leadership and oversight, clear reporting lines and responsibilities, and effective information flows.

The Board or other highest level of Senior Management that a Legal Services Provider deploys will have overall responsibility for matters regarding the Personal Data on a Client File and the Privacy Council will have oversight of the day-to-day governance requirements.

8.1.1    Privacy Council

CONTROL REFERENCE     LOCS:23:C1 Governance - Privacy Council
CONTROL OBJECTIVE    To form an internal governance body to oversee Client File data protection.


CONTROLS     

8.1.1.1    The Organisation SHALL create a Privacy Council that will take overall responsibility for data protection activities.
8.1.1.2    The Privacy Council SHALL include the DPO (or equivalent), the most senior IT professional and at least one of the non-IT Senior Management team.
8.1.1.3    The Organisation SHALL maintain a transparent approach to data processing and ensure compliance with transparency obligations.


CONTROL APPLICATION GUIDANCE    

NB 1.    The terms of reference for the Privacy Council can be defined by the Organisation and should include overall Data Protection decision making, policy review and audit review.
NB 2.    8.1.1 forms part of an Organisation’s compliance with the principle of accountability described in 8.1.4.13.
DATA PROCESSOR ALTERNATIVE CONTROL     8.1.1 does not apply to Data Processors.
UK GDPR REFERENCE    Article 5 (2)


8.1.2    Data Protection Officer

CONTROL REFERENCE     LOCS:23:C2 - DPO
CONTROL OBJECTIVE    To appoint a single point of contact responsible for day-to-day duties associated with the protection of Client File data.
CONTROL    8.1.2.1    The Organisation SHALL determine whether a Data Protection Officer (DPO) is required under the UK GDPR and appoint one if any of the following criteria are met:
a.    the Processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b.    the core activities of the controller or the processor consist of Processing operations which, by virtue of their nature, their scope and/ or their purposes, require regular and systematic monitoring of Data Subjects on a large scale (see definitions); or 
c.    the core activities of the controller or the processor consist of Processing on a large scale of special categories of data pursuant to Article 9 UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 UK GDPR.
8.1.2.2    The Organisation SHALL document the decision.
8.1.2.3    If a DPO is not required by legislation the Organisation SHALL either voluntarily appoint a DPO or assign alternative responsibility for Data Protection (see NB 4).
8.1.2.4    The Organisation SHOULD make the manager of Data Protection the single point of contact for Data Protection matters within the Organisation.
8.1.2.5    If a DPO is appointed, they SHALL have specific responsibilities in line with Article 39 of the UK GDPR including:
a.    to inform and advise the Organisation and the employees who carry out Client File data Processing of their obligations pursuant to this standard, the UK GDPR and other relevant laws, such as PECR;
b.    to monitor compliance with this standard, the UK GDPR, with other domestic law relating to data protection and with the Organisation’s data protection policies;
c.    providing or overseeing awareness-raising and training of staff involved in Client File Processing operations;
d.    to provide advice when requested as regards the data protection impact assessment and monitor its performance;
e.    to cooperate with the ICO;
f.    to act as the contact point for the ICO on issues relating to Processing, including the prior consultation where required for a DPIA (8.3.2.9).
8.1.2.6    In addition, a DPO SHALL in line with Article 38:
a.    have expert knowledge of data protection law and practices;
b.    report to the highest level of the business;
c.    operate independently;
d.    be afforded the authority, support and resources to do their job effectively.
CONTROL APPLICATION GUIDANCE    NB 1.    If an alternative to the DPO is appointed, the Organisation should document the justification for the decision along with a job description outlining his or her duties and responsibilities.
NB 2.    8.1.2.2 forms part of an Organisation’s compliance with the principle of accountability described in 8.1.4.13.
NB 3.    The ICO definition of Large Scale Processing can be found here: ICO DPO guidance.
NB 4.    Where it is appropriate to appoint an alternative to a DPO, this could be one person, multiple people, or a designated 'committee', depending on the size and structure of the Organisation.
DATA PROCESSOR ALTERNATIVE CONTROL     None – 8.1.2 applies equally to Data Processors.
UK GDPR REFERENCE    Article 5 (2), Articles 37-39
AUDIT REFERENCE     LOCS:23:A2 – DPO

8.1.3     ICO Registration and Cooperation

CONTROL REFERENCE     LOCS:23:C3 - Registration
CONTROL OBJECTIVE    Mandatory registration and cooperation with the ICO
CONTROL     8.1.3.1    The Organisation SHALL register with the ICO and pay the annual data protection fee, unless exempt, in which case the reasons for the exemption SHALL be documented.
8.1.3.2    If applicable, the Organisation SHALL register the DPO’s details with the ICO.
8.1.3.3    The Organisation and, where applicable, their representatives, SHALL cooperate, on request, with the Information Commissioner in the performance of the Commissioner’s tasks.
CONTROL APPLICATION GUIDANCE    NB 1.    Registration information here
DATA PROCESSOR ALTERNATIVE CONTROL     None – 8.1.3 applies equally to Data Processors.
UK GDPR REFERENCE    Article 5 (2)
AUDIT REFERENCE    LOCS:23:A3 – ICO Registration


8.1.4    Data Protection Principles

The Data Protection principles form the fundamental building blocks for protecting Personal Data.

Organisations must apply these core principles to their processing activities in order to meet UK GDPR requirements.

CONTROL REFERENCE     LOCS:23:C4 - Principles
CONTROL OBJECTIVES    To ensure that core Data Protection principles are applied to the processing of Client data.
CONTROL    8.1.4.1    Client File data SHALL be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (‘lawfulness, fairness and transparency’) in line with sections 8.3.4 and 8.2.2.
CONTROL APPLICATION GUIDANCE    NB 1.    Lawfulness – organisations must identify a lawful basis prior to processing personal data. The lawful basis is connected to the purpose for processing and in most cases, the processing must be necessary to achieve that purpose. For the processing in scope the lawful basis is typically contract (between the Legal Service Provider and the Client) and the processing must be necessary for the fulfilment of that contract. Additional Processing such as marketing and promotion may also be in the ‘legitimate interest’ of the Legal Service Provider. It is good practice that once a lawful basis is decided upon and justified it is recorded for each Processing activity in the Record of Processing Activities.

Lawfulness also means that the Organisation does not do anything with the Personal Data that is unlawful in a more general sense (for example, in breach of a duty of confidence or of other legislation).

NB 2.    Fairness – Organisations should only handle Personal Data in ways that the Client would reasonably expect and not use it in ways that have unjustified adverse effects on them. Consider using the Client engagement process to document how the Processing may affect the Clients concerned, inform them of it, and justify any potential adverse impact.
NB 3.    Transparency – In order to demonstrate this, applicants should include relevant information in their privacy notice (see Privacy Notice). In addition, information regarding Processing should be given where possible at the point of data collection, for example in the Client engagement process. This will include the intended purposes for Processing the Personal Data, the lawful basis for the Processing, where the Client File will be located, who will be accessing the data and the retention period.
NB 4.    Further ICO guidance regarding lawfulness, fairness and transparency can be found here
NB 5.     Where Client and/or ex-employee personal data is retained in an ‘alumni’ database it will be best practice to record this in the ROPA, record the lawful basis (likely to be consent as per 8.3.4.7 – 8.3.4.11) indicate a retention period and inform the individual. 
CONTROL    8.1.4.2    Client File Data SHALL be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’) in line with section 8.3.1.
8.1.4.3    If a new purpose for processing Personal Data already collected is proposed, an Organisation SHALL only go ahead if:
a.    the new purpose is compatible with the original purpose;
b.    the Organisation obtains the individual’s specific consent for the new purpose; or
c.    the Organisation can point to a clear legal provision requiring or allowing the new processing in the public interest – for example, a new function for a public authority.
8.1.4.4    If a new purpose for processing Personal Data already collected is proposed on the basis of 8.1.4.3 (a) compatibility, an Organisation SHALL carry out a compatibility assessment to decide whether the new purpose is compatible with the original purpose. The assessment should take into account:
a.    any link between the original purpose and the new purpose;
b.    the context in which the Personal Data was originally collected – in particular, the Organisation’s relationship with the individual and what they would reasonably expect;
c.    the nature of the Personal Data – e.g. whether it is particularly sensitive;
d.    the possible consequences for individuals of the new processing; and
e.    whether there are appropriate safeguards – e.g. encryption or pseudonymisation.
CONTROL APPLICATION GUIDANCE    NB 6.    Only the Client Data necessary for providing the legal services contracted should be collected. It is important that any secondary purposes (such as marketing) are made clear in the Client engagement process.
NB 7.    The following purposes will be considered ‘compatible’ as laid out in 8.1.4.3 (a):
a.    archiving purposes in the public interest;
b.    scientific or historical research purposes; and
c.    statistical purposes.
NB 8.    If the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the Data Subject, it is likely to be incompatible with the original purpose.
NB 9.    Further ICO guidance regarding purpose limitation can be found here
CONTROL    8.1.4.5    Client File Data SHALL be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) in line with section 8.3.1. Only the Client Data that is needed to complete the contracted service SHALL be collected.
CONTROL APPLICATION GUIDANCE    NB 10.    Any surplus data provided by the Client should be deleted as laid out in 8.1.7.
NB 11.    Further ICO guidance regarding data minimisation can be found here
CONTROL    8.1.4.6    Client File Data SHALL be accurate and, where necessary, kept up to date, and every reasonable step SHALL be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
8.1.4.7    The Organisation SHOULD provide a self-service mechanism for Data Subjects to assist with maintenance of personal data. 
8.1.4.8    Where an Organisation collects opinions as part of the Client Data File, they SHALL make clear that it is an opinion, and, where appropriate, whose opinion it is. If it becomes clear that an opinion was based on inaccurate data, an Organisation SHOULD also record this fact in order to ensure records are not misleading.
8.1.4.9    In order to ensure that records are not inaccurate or misleading, an Organisation SHALL:
a.    accurately record the information provided;
b.    accurately record the source of the information;
c.    take steps to ensure the accuracy of the information; and
d.    carefully consider any challenges to the accuracy of the information (see 8.2.4).
CONTROL APPLICATION GUIDANCE    NB 12.    It is good practice to periodically confirm with the Client that all Personal Data they have provided held on file is up to date and accurate. 
NB 13.    Further ICO guidance regarding accuracy can be found here
CONTROL    8.1.4.10    Client File Data SHALL be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (‘storage limitation’) in line with section 8.1.7.
8.1.4.11    Retention of Client File Data SHALL be managed in line with the Retention & Destruction Policy outlined at 8.1.7.
CONTROL APPLICATION GUIDANCE    NB 14.    This principle can be managed using the Data Retention Policy and associated Retention Schedule that details the lifespan of Personal Data within the Client file. This is typically applied upon completion or closure of a Client Matter.
NB 15.    Further ICO guidance regarding storage limitation can be found here
CONTROL    8.1.4.12    Client File Data SHALL be processed in a manner that ensures security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using technical or organisational measures (‘integrity and confidentiality’) in line with sections 8.3.7 and 8.3.8.
CONTROL APPLICATION GUIDANCE    NB 16.    This principle requires that both the technical security measures laid out in 8.3.7 and the operational (organisational) security measures laid out in 8.3.8 be applied to the Client File.
NB 17.    Further ICO guidance regarding integrity and confidentiality can be found here
CONTROL    8.1.4.13    The Organisation SHALL be responsible for, and be able to demonstrate compliance with, all above principles (‘accountability’).
CONTROL APPLICATION GUIDANCE    NB 18.    Accountability will be achieved by ensuring that documentation and records are kept demonstrating compliance with the above principles. These will include the following:
a.    Record of Processing Activities (8.3.3);
b.    Data Retention Schedule (8.1.7);
c.    Personal Data Breach logs (8.3.5);
d.    Client Rights Response logs (8.3.6);
e.    Completed DPIAs (8.3.2);
f.    Third-party due diligence checklists (8.4.3);
g.    Third-party Processing Agreements (8.4.4);
h.    Transfer Impact Assessments (8.4.6);
i.    Privacy Notice (8.2.2);
j.    Training Records (8.3.9);
k.    Internal Audits (8.5).
NB 19.    Further ICO guidance regarding accountability can be found here
DATA PROCESSOR ALTERNATIVE CONTROL    8.1.4.14    Data Processors SHALL:
a.    act on the instructions of the controller, 
b.    notify the controller if any of their instructions would lead to a breach of UK data protection laws, and 
c.    assist the controller in meeting their data protection obligations. 
NB 20. Data Processors can only process the Personal Data on instructions from a controller (unless otherwise required by law). If a Data Processor acts outside of its instructions or processes for its own purposes, it will step outside the role as a processor, would be in breach of contract and the processing may not be lawful. They also risk regulatory action by the ICO.
UK GDPR REFERENCE    Article 5 (1), Article 5 (2)
AUDIT REFERENCE    LOCS:23:A4 – Principles

8.1.5    Data Protection and Information Security Policy

CONTROL REFERENCE     LOCS:23:C5 – Data Protection and Information Security Policy
CONTROL OBJECTIVE    To document and distribute a Data Protection Policy to provide staff with enough direction to understand their roles and responsibilities regarding data protection and information governance.
CONTROL    8.1.5.1    The Organisation SHALL have a documented Data Protection Policy. The Data Protection Policy shall cover the following as a minimum:
a.    Data Protection principles
b.    The types of Client data processed and the purpose
c.    How data is collected
d.    Who data is shared with
e.    How long data is kept
f.    How data is protected
g.    Client File access
h.    Working remotely
i.    Sending Client documents securely
j.    Data classification
k.    Acceptable use of IT
l.    Removable devices
8.1.5.2    Unless information security is explicitly covered in the data protection policy, the Organisation SHALL have a documented information security policy. The information security policy shall cover the following as a minimum:
a.    Access Control
b.    Encryption
c.    Asset Control
d.    Network Security
e.    Acceptable Use
f.    Password Management
g.    Incident Management
h.    Breach Notification
i.    Email Usage
j.    Clear Desk and Clear Screen
k.    Removable Media
l.    Patch Management
m.    Documents and Records Control
n.    Electronic destruction
o.    Remote working
8.1.5.3    The Organisation SHALL make the Data Protection and information security policies available to all employees.
8.1.5.4    The Organisation SHOULD audit employee awareness of the policies on a regular (at least annual) basis.
8.1.5.5    The Organisation SHALL have policies signed off and reviewed at regular intervals.
CONTROL APPLICATION GUIDANCE    NB 1.    8.1.5.1 forms part of an Organisation’s compliance with the principle of accountability described in 8.1.4.13.
NB 2.    Current and valid certification to ISO 27001/Cyber Essentials may be accepted as evidence of compliance with 8.1.5.2 in certain circumstances subject to approval by the LOCS:23 Certifying Body.
DATA PROCESSOR ALTERNATIVE CONTROL     None – 8.1.5 applies equally to Data Processors
UK GDPR REFERENCE     Article 5 (1) f, Article 5 (2)
AUDIT REFERENCE    LOCS:23:A5 – Data Policy Document

8.1.6     Business Continuity Plan

CONTROL REFERENCE     LOCS:23:C6 – BC Policy
CONTROL OBJECTIVE    To document how the Client File is protected in the event of a serious incident impacting the live data.
CONTROL    8.1.6.1    The Organisation SHALL have a documented Business Continuity Plan.
8.1.6.2    The Organisation SHALL make the Business Continuity Plan available to all employees.
8.1.6.3    The Organisation SHALL regularly test the Business Continuity Plan and document results.
8.1.6.4    The Organisation SHOULD audit employee awareness of the plan.
8.1.6.5    The Business Continuity Plan SHALL include at least the following:
a.    A list of relevant contacts and contact details
b.    Detailed list of systems and data structures required to enable Client access to their data.
c.    Descriptions of disruption scenarios and recommended next step actions for each
d.    Details of how Client data can be recovered or restored as reflected by backup and restore capabilities (8.3.7.5).
CONTROL APPLICATION GUIDANCE    NB 1.    It is recommended that the Business Continuity Plan covers all scenarios for potential disruption to the Client File. Outcomes should be designed to protect the integrity and availability of Client Personal Data.

NB 2.    It is recommended that Information Security or Data Protection training carried out contains a reference to the Business Continuity Plan.

NB 3.    It is recommended that periodic reminder notices of the Business Continuity Plan are sent out to all employees.

NB 4.    It is recommended that the Business Continuity Plan identifies records that are essential and critical to the continued functioning of the Organisation.
DATA PROCESSOR ALTERNATIVE CONTROL    None – 8.1.6 applies equally to Data Processors
UK GDPR REFERENCE    Article 5 (1) f
AUDIT REFERENCE    LOCS:23:A6 – BC Policy Document

8.1.7     Retention & Destruction Policy


CONTROL REFERENCE     LOCS:23:C7 – R&D Policy
CONTROL OBJECTIVE    To document the length of time Client File data will be retained and the process for its safe destruction when no longer required.
CONTROL    8.1.7.1    The Organisation SHALL have a documented Retention & Destruction Policy.
8.1.7.2    The Organisation SHALL make the Retention & Destruction Policy available to all employees.
8.1.7.3    The Organisation SHOULD audit employee awareness of the policy.
8.1.7.4    The Organisation SHALL reference retention periods in the Record of Processing Activities, as laid out in 8.3.3.
8.1.7.5    The Organisation SHALL allocate responsibility for destroying Client File records in line with the Data Retention and Destruction Policy.
8.1.7.6    The Retention & Destruction Policy SHALL include a Retention Schedule that details retention periods applied to data held within the Client File.
8.1.7.7    The Organisation SHALL implement regular diarised activities to ensure Personal Data is deleted in line with the Data Retention schedule.
8.1.7.8    The retention periods SHALL be further broken down into activity types such as ‘Client due diligence data’, ‘matter data’, ‘Client contact data’ etc. as each may necessitate different retention periods.
8.1.7.9    The Retention & Destruction Policy SHALL include clear instructions for the disposal of both electronic and hard copy data that has reached its stated retention period as laid out in 8.3.8.4.
8.1.7.10    Where Client File data is archived before reaching its stated retention period, it SHOULD be pseudonymised.
8.1.7.11    Where an Organisation intends to keep Personal Data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, it SHALL:
a.    delete any non-essential personal data 
b.    anonymise or pseudonymise personal data (where possible)
c.    document this in the Retention Schedule
d.    make this intention clear to Clients
e.    document this in the ROPA
8.1.7.12    An Organisation SHALL NOT retain data for research purposes if the processing is likely to cause someone substantial damage or substantial distress.
8.1.7.13    An Organisation SHALL NOT retain data for research purposes if it is carrying out the processing for the purposes of measures or decisions with respect to particular people, unless the research is approved medical research.
CONTROL APPLICATION GUIDANCE    NB 1.    The agreed Retention periods should be added to the ROPA (8.3.3).

NB 2.    Where Client File data is archived, it is recommended that the data is moved to a dedicated archival system, so that it can be located, destroyed at the end of its retention period, and retrieved when a Client exercises their rights.

NB 3.    When completing a Retention Schedule it is recommended that any statutory retention periods be taken into consideration (e.g. HMRC salary/benefits requirements).

NB 4. When archiving personal data as per 8.1.7.11, the primary consideration is to anonymise (see 8.3.7.17) the data where possible as this will mean data protection legislation no longer applies. If anonymisation is not possible, consideration should be given to pseudonymising (see 8.3.7.18) the data in which case the data protection legislation will still apply.
DATA PROCESSOR ALTERNATIVE CONTROL    None – 8.1.7 applies equally to Data Processors taking into account any contractual requirements as laid out in 8.4.4.2 (h)

UK GDPR REFERENCE    Article 5 (1) e
AUDIT REFERENCE    LOCS:23:A7 – R&D Policy Document