Data Sharing Agreement

1. Definitions and Interpretation 

1.1. In this Agreement (including the recitals and appendices) the following meanings are to be attributed to the words/phrases in bold unless the context otherwise requires or except as expressly provided:

“Agreed Purpose”

means the act of a Prospective Client using the Direct Access Portal to seek assistance with a legal issue.

“Barrister”

a Practising barrister in England and Wales (“Barristers”) who is qualified to undertake direct access work and is advertising their services on the Direct Access Portal having paid the Bar Council the Bar Representation Fee.

“Clerk”

An employee of one or more Barristers, who has been authorised to access the Portal on behalf of one or more Barristers to provide them with administrative support.

“Commissioner”

means the Information Commissioner (as defined in section 3(8) of the DPA 2018).

“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing (including “Process”, “Processes” and “Processed”), “Processor” and “Appropriate Technical and Organisational Measures”

shall have the meanings set out in the applicable Data Protection Legislation.

“Data Protection Legislation”

means all applicable data protection and privacy legislation in force from time to time in the United Kingdom (UK) including without limitation the UK GDPR; the DPA 2018; the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended, and the guidance and codes of practice issued by the Information Commissioner, and which are applicable to the Parties.

“DPA 2018”

means the Data Protection Act 2018 (and regulations made thereunder).

“Force Majeure Event”

means any circumstance not within a Party's reasonable control including, without limitation:

  1. acts of God, flood, drought, earthquake or other natural disaster;
  2. epidemic or pandemic (but excluding, for the avoidance of doubt, those measures implemented as at the date of this AGREEMENT designed to tackle the spread of COVID-19);
  3. terrorist attack, civil war, civil commotion or riots, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or breaking off of diplomatic relations;
  4. nuclear, chemical or biological contamination or sonic boom;
  5. any law or any action taken by a government or public authority, including without limitation imposing an export or import restriction, quota or prohibition;
  6. collapse of buildings, fire, explosion or accident; and
  7. interruption or failure of a utility service.

“Joint Controller”

shall have the meaning set out in Article 26 of the UK GDPR.

“Lawful Bases for Sharing”

means the lawful bases on which the Parties will share the Personal Data as set out in Clause 6 of this Agreement.

“Prospective Client”

are the Data Subjects. Members of the public, businesses, and enterprises of any size, including multinational incorporations and global conglomerates, charitable organisations and other relevant entities using the Direct Access Portal to seek assistance with a legal issue.

“Shared Personal Data”

means the Personal Data to be shared between the Parties under Clause 5 of this Agreement.

“Special Categories of Personal Data”

has the meaning set out in the Data Protection Legislation and for the purpose of this Agreement shall include information relating to criminal convictions and offences

“The Bar Council”

The Bar Council is part of the General Council of the Bar of England and Wales and is the representative body for barristers in those jurisdictions. This Agreement is with The Bar Council, as opposed to the General Council of the Bar of England and Wales which would also include the Bar Standards Board.

“UK GDPR”

has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

“Working Day”

Means a day other that a Saturday, Sunday or public holiday in England when banks in London are open for Business.

2. Intention and Application of this Agreement

2.1. The Bar Council and the Barrister (together the “Parties”) therefore acknowledge and agree that they will share the Shared Personal Data of Prospective Clients for the Agreed Purpose as set out in this Agreement. 

2.2. With respect to the Parties' rights and obligations under this Agreement, the Parties agree and acknowledge that they are Joint Controllers.  

2.3. This Agreement should be read in conjunction with the Terms and Conditions of the Bar Council’s Direct Access Portal.

3. Commencement and Duration

This Agreement shall commence on the date that the Barrister agrees to it through the Direct Access Portal and shall continue in force unless and until terminated in accordance with this Agreement.

4. Purpose

4.1. This Agreement sets out the framework for the sharing of Personal Data when one Controller discloses Personal Data to another Controller. It defines the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other.

4.2. The Parties consider this data sharing initiative necessary to enable Prospective Clients to use the Bar Council’s Direct Access Portal to seek legal assistance from the Barrister. 

4.3. The Parties consider this data sharing initiative is justifiable on the grounds that the Barrister will not be able to assist Prospective Clients or enter contracts with them for the provision of legal services without being able to access their Personal Data.   

4.4. The Parties agree to only share the Shared Personal Data for the Agreed Purpose.

4.5. The Parties shall not Process Shared Personal Data in a way that is incompatible with the Agreed Purposes.

5. Shared Personal Data

5.1. Shared Personal Data will include the following types of Personal Data relevant to the following categories of Data Subject:

5.1.1. first and last name.

5.1.2. email address.

5.1.3. mailing address.

5.2. Shared Personal Data may include the following types of Personal Data relevant to the following categories of Data Subject:

5.2.1. job title and company name.

5.2.2. phone number.

5.2.3. gender. 

5.3. Shared Personal Data may include the following types of Special Categories of Personal Data relevant to the following categories of Data Subject:

5.3.1. racial or ethnic origin.

5.3.2. political opinions.

5.3.3. religious or philosophical beliefs.

5.3.4. trade-union membership.

5.3.5. health data. 

5.3.6. sex life or sexual orientation.

5.3.7.  criminal convictions and offences.

5.4. Except for the Shared Personal Data set out under Clause 5.1. above, the volume of Personal Data that the Data Subject submits as Shared Personal Data will be their choice. It will not therefore be irrelevant or excessive with regard to the Agreed Purposes.

6. Lawful Bases for Sharing

6. Lawful Bases for Sharing

6.1. The sharing of the Shared Personal Data between the Parties will be carried out on the following lawful bases (“Lawful Bases for Sharing”):

6.1.1. Personal Data

6.1.1.1. Article 6(1)(b) UK GDPR processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps prior to entering into a contract.

6.1.2. Special Categories of Personal Data

6.1.2.1. Article 9(2)(a) UK GDPR processing is based on the explicit consent of the Data Subjects.

6.1.2.2. Article 9(2)(f) UK GDPR processing is necessary for the establishment, exercise, or defence of legal claims.

6.1.2.3. Article 10 UK GDPR processing is carried out under official authority or is authorised by law (in relation to Personal Data relating to criminal convictions and offences).

6.2. Each Party will ensure that it only further Processes the Shared Personal Data fairly and lawfully and that it has legitimate grounds under the Data Protection Legislation for the Processing of Shared Personal Data.

7. Compliance with the Data Protection Legislation

7.1. Each Party shall comply with all the obligations imposed on a Controller
under the Data Protection Legislation.

7.2. Each Party warrants and undertakes that it will:

7.2.1. Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its Personal Data Processing operations.

7.2.2. Respond within a reasonable time and as far as reasonably possible to enquiries from the Commissioner in relation to the Shared Personal Data.

7.2.3. Respond to a request from a Data Subject in accordance with the Data Protection Legislation.

7.2.4. Where applicable, pay the appropriate fees to the Commissioner to Process all Shared Personal Data for the Agreed Purpose.

7.2.5. Maintain complete and accurate records and information to demonstrate its compliance with this Agreement.

7.2.6. Take all appropriate steps to ensure compliance with the security measures set out in Clause 11 of this Agreement.

7.2.7. Not disclose or transfer Shared Personal Data outside the UK unless it complies with the obligations set out in Clause 13 of this Agreement.

7.3. Any Party sharing Shared Personal Data warrants and undertakes that it is entitled to provide the Shared Personal Data to the recipient party and will ensure that the Shared Personal Data are accurate.

7.4. The Parties agree to use compatible technology, where possible, for the Processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from Personal Data transfers.

8. Lawful, Fair and Transparent Processing

8.1. Each Party shall ensure that:

8.1.1. it Processes the Shared Personal Data fairly and lawfully during the term of this Agreement; and

8.1.2. it only shares the Shared Personal Data with the other Party on the Lawful Bases for Sharing.

8.2. The Bar Council will be responsible for providing clear and sufficient information to Data Subjects, jointly on behalf of the Parties, in respect of the Shared Personal Data, in accordance with the Data Protection Legislation, of the purposes for which the Parties will Process their Personal Data, the legal basis for Processing their Personal Data and such other information as is required by Articles 13 and 14 of the UK GDPR.

8.3. Where appropriate, each Party shall ensure that it has all necessary consents in place to enable lawful transfer of the Shared Personal Data for the Agreed Purposes.

9. Data Quality

9.1. If either Party becomes aware of any changes to the Shared Personal Data, or aware or suspects that any of the Shared Personal Data contains inaccuracies, it shall notify the other Party without undue delay.

10. Data Subjects’ Rights

10.1. The Parties agree that The Bar Council will be responsible for responding to requests from Data Subjects in respect of the Shared Personal Data under this Agreement.

10.2. The Barristers each agree to provide such assistance as is reasonably required to enable the Bar Council to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.

10.3. The Parties agree that the Bar Council is responsible for maintaining a record of individual requests for information, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.

11. Data Security

11.1. The Parties undertake to have in place throughout the term of the Agreement Appropriate Technical and Organisational Measures (to comply with the obligations under Article 32 of the UK GDPR) to prevent unauthorised or unlawful Processing of the Shared Personal Data and the accidental loss or destruction of, or damage to, the Shared Personal Data to ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the Shared Personal Data to be protected.

11.2. It is the responsibility of each Party to ensure that its staff members are appropriately trained to handle and Process the Shared Personal Data in accordance with the Appropriate Technical and Organisational Measures noted in Clause 11 of this Agreement together with any other applicable national guidance and have entered into confidentiality Agreements relating to the Processing of Personal Data.

11.3. In the case of the Barrister, staff members will include Clerks.

11.4. The level, content and regularity of training referred to in Clause 11.2 of this Agreement shall be proportionate to the staff members' role, responsibility, and frequency with respect to their handling and Processing of the Shared Personal Data.

12. Data Retention and Deletion

12.1. All Shared Personal Data must be stored appropriately by each Party in accordance with that Party’s data storage and retention policies and procedures. No Personal Data should be stored by personnel on their own personal computer systems.

12.2. Each Party shall ensure that once Shared Personal Data is no longer require and relevant retention periods have expired, Personal Data is securely and permanently deleted in accordance with that Party’s retention and disposal policies or returned to the originating party as appropriate.

13. Data Transfers

13.1. For the purposes of this Clause, transfers of Personal Data shall mean any sharing of Personal Data with a third party, and shall include, but is not limited to, the following:

13.1.1. subcontracting the Processing of Shared Personal Data to a Processor; and

13.1.2. granting a third-party Controller access to the Shared Personal Data.

13.2. If a Party appoints a third-party Processor to Process the Shared Personal Data it shall comply with Article 28 and Article 30 of the UK GDPR.

13.3. If a Party grants a third party Controller access to the Shared Personal Data, it shall comply with Article 26 of the UK GDPR (in the event the third party is a Joint Controller) and shall comply with the Commissioner’s Data Sharing Code of Practice (as may be updated from time to time).

13.4. The Parties shall not transfer any Shared Personal Data outside the UK unless the transferor:

13.4.1. complies with the provisions of Article 26 of the UK GDPR (in the event the third party is a Joint Controller); and

13.4.2. ensures that: (i) the transfer is to a country providing adequate protection pursuant to Article 45 of the UK GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 of the UK GDPR; or (iii) where neither (i) nor (ii) is applicable or appropriate, one of the derogations for specific situations in Article 49 of the UK GDPR applies to the transfer.

14. Personal Data Breaches

14.1. Each Party shall comply with its obligation to report a Personal Data Breach to the Commissioner under Article 33 of the UK GDPR and (where applicable) Data Subjects under Article 34 of the UK GDPR and shall each, promptly (and in any event within twenty-four (24) hours) inform the other Party, where the other party is likely to be affected by the Personal Data Breach, irrespective of whether there is a requirement to notify the Commissioner or Data Subjects.

14.2. The Parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

15. Resolution of Disputes with Data Subjects or the Commissioner

In the event of a dispute or claim brought by a Data Subject or the Commissioner concerning the Processing of Shared Personal Data against one or a number of the Parties, the Parties will inform each other about any such disputes or claims and will cooperate with a view to settling them amicably in a timely fashion.

16. Review and Termination of this Agreement

16.1. The Parties agree that the Bar Council shall review the effectiveness of this Agreement every 12 months, having consideration to the Agreed Purposes and shall continue, amend or terminate this Agreement depending on the outcome of this review. This review will involve:

16.1.1. assessing whether the purposes for which the Shared Personal Data is being Processed are still those listed in Clause 4 of this Agreement; and

16.1.2. assessing whether the Shared Personal Data is still as listed in Clause 5 of this Agreement; and

16.1.3. assessing whether the legal framework governing data quality, retention, and Data Subjects' rights are being complied with; and

16.1.4. assessing whether Personal Data Breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the Data Protection Legislation; and

16.1.5. assessing whether this Agreement needs to be updated to comply with any amendments to the Data Protection Legislation.

16.2. The Agreement will otherwise be immediately terminated if the Barrister becomes ineligible to use the Portal. For avoidance of doubt, the Barrister may only use the Portal if they: (i) are registered with the Bar Standards Board as a practising barrister in England and Wales; (ii) are properly qualified under rC120 of the Bar Standards Board Handbook to undertake direct access work; and (iii) have paid the Bar Council the Bar Representation Fee.

16.3. Termination of this Agreement shall not affect any rights, remedies, obligations, or liabilities of the Parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination or expiry. Any provision of this Agreement that expressly or by implication is intended to come into or continue in force on or after termination of this Agreement shall remain in full force and effect.

17. Indemnity

Each Party shall indemnify the other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this Agreement, except to the extent that any such liability is excludedunder clause 19, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it. The liability of the indemnifying party under this Clause shall be subject to the limits set out in clauses 52 and 53 of the Terms and Conditions of the Bar Council’s Direct Access Portal.

18. Allocation of Cost

Each Party shall perform its obligations under this Agreement at its own cost.

19. Limitation of Liability

19.1. No Party shall be liable to the other Parties, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any indirect or consequential loss arising under or in connection with this Agreement.

19.2. Each of the Parties shall at all times take all reasonable steps to minimise and mitigate any loss or damage arising out of or in connection with this Agreement.

19.3. Notwithstanding any other provision of this Agreement none of the Parties limits or excludes its liability for:

19.3.1. fraud or fraudulent misrepresentation;

19.3.2. death or personal injury caused by its negligence (or the negligence of its personnel, agents or subcontractors);

19.3.3. breach of any obligation as to title implied by statute; or

19.3.4. any other liability for which may not be limited under any applicable
law.

19.4. Nothing in this Agreement shall relieve any of the Parties from their own direct responsibilities and liabilities under the Data Protection Legislation.

20. Force Majeure

20.1. Provided it has complied with its disaster recovery and backup policies and procedures and Clause 21.1, to the extent a Party is prevented, hindered or delayed in or from performing any of its obligations under this Agreement by a Force Majeure Event ("Affected Party"), the Affected Party shall not be in breach of this Agreement or otherwise liable for any such failure or delay in the performance of such obligations. The Affected Party shall be entitled to a reasonable extension of the time for performing such obligations.

20.2. The Affected Party shall:

20.2.1. as soon as reasonably practicable after the start of the Force Majeure Event, notify the other Parties in writing of the Force Majeure Event, the date on which it started, its likely or potential duration, and the effect of the Force Majeure Event on its ability to perform any of its obligations under this Agreement; and

20.2.2. use all commercially reasonable efforts to mitigate the effect of the Force Majeure Event on the performance of its obligations; and

20.2.3. resume the performance of its obligations as soon as reasonably practicable after the removal of the Force Majeure Event.

21. Notice

21.1. Any notice given to a Party under or in connection with this Agreement shall be in writing and shall be sent by email.

21.2. Any notice shall be deemed to have been received at the time of transmission, or if this time falls outside working hours (9.00am to 5.00pm Monday to Friday on a Working Day), the next Working Day, so long as it is sent to the correct email address without any error message or automatic out of office response.

21.3. This Clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

22. Entire Agreement

22.1. This Agreement constitutes the entire Agreement between the Parties with respect to the subject matter contained herein and supersedes and extinguishes all previous Agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

22.2. Each Party agrees that it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement. Each Party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Agreement.

23. Third Party Rights

A person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement. This does not affect any right or remedy of a third party which exists, or is available, apart from that Act. The rights of the Parties to terminate, rescind or vary this Agreement are not subject to the consent of any other person.

24. Severance

If any provision or part-provision of this Agreement is or becomes invalid, illegal, or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this Clause shall not affect the validity and enforceability of the rest of this Agreement.

25. Governing Law and Jurisdiction

25.1. This Agreement and any disputes or claims arising out of or in connection with its subject matter or formation (including non-contractual disputes or claims) are governed by and construed in accordance with the law of England and Wales.

25.2. The Parties irrevocably agree that the courts of England have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non- contractual disputes or claims).