Information governance for data controllers

Hempsons’ information governance statement, February 2024

Hempsons LLP (“Hempsons”) is subject to a number of Information Governance requirements, including under the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and those imposed on it by virtue of its status as a supplier to many public sector (including NHS) bodies. As a Data Controller in your own right, you will also be subject to these same standards. This statement outlines the minimum standards that are required of you when dealing with data (including personal data) provided to you, or acquired by you, from Hempsons by virtue of the firm’s instructions to you (“Hempsons’ Data”).  If you continue to accept instructions from Hempsons (by conduct or otherwise), you will be taken as agreeing to comply with this Information Governance Statement.


  1. You must keep confidential and secure all Hempsons’ Data in your possession or under your control.
  2. You must have and maintain, adequate and appropriate policies and procedures that provide robust protection for all Hempsons’ Data whilst in your possession or under your control.
  3. You must ensure that you, and any staff who may access Hempsons’ Data, understand, and are adequately trained in information governance and data security including your obligations to Hempsons, its clients, and other third parties under this Information Governance Statement, the Data Protection Act 2018 and UK GDPR and, where relevant, NHS guidance on Information Governance.  In the case of your staff, they must be contractually obliged to follow their training and to maintain confidentiality, and you should have a disciplinary policy which provides for the enforcement of these obligations

Use and Storage of Hempsons’ Data

  1. All Hempsons’ Data must only be used for the purposes for which it has been provided to, or acquired by you, or for your own legal, regulatory and indemnity requirements, and must not otherwise be shared with any third party without our prior written consent.
  2. Hempsons’ Data must be processed and stored securely, whether in physical or electronic form. The security arrangements for your premises and your manual and electronic data storage systems must be regularly reviewed and risk assessed and appropriate access controls implemented to prevent loss, theft or corruption of, or unauthorised access to, Hempsons’ Data.

Transporting and Transmitting Hempsons’ Data

You must only remove Hempsons’ Data from your usual place of business, transport or transmit it where it is strictly necessary for the purposes of carrying out our instructions. You must also ensure appropriate safeguards are in place to protect Hempsons’ Data from loss, theft, corruption, or unauthorised access during removal, transportation or transmission.  For example:

  • only the minimum amount of Hempsons’ Data should be removed, transported or transmitted at any time;
  • risk assessments should be undertaken prior to such removal, transportation or transmission to determine the most appropriate methods of data handling and the security measures to adopt;
  • as a minimum you must encrypt electronic data (including emails) and physical media (for example USB sticks) containing sensitive personal data such as medical records;
  • you should avoid removing or transporting physical paper files where possible and, if unavoidable, ensure that appropriate security measures are put in place. For example where paper files are to be posted they must be clearly marked as confidential, be appropriately packaged so as to preserve confidentiality and be sent via a secure courier or recorded/special delivery Royal Mail service;
  • no Hempsons’ Data, including paper files or portable devices containing such Data, must be left unattended in cars or other vehicles;
  • faxes should be avoided unless absolutely necessary, in which case secure fax must be used, with a call to confirm the fax number and a subsequent call to confirm safe receipt being made; and
  • Hempsons’ Data and files should not be used or worked on in public places where others may be able to view details of a case or overhear conversations about cases.

Retention of Hempsons’ Data

At the conclusion of our instructions, you will need to take your own view on whether you need to retain any information about the case for own legal, regulatory and indemnity requirements.  You may also retain copies of anonymised reports and any documents which have been deployed publicly in open Court.

Disposal of Hempsons’ Data

  1. You must have and maintain systems for the secure disposal of Hempsons’ Data whether in paper or electronic form – for example, cross cut shredding of papers and CD-ROMs.
  2. When disposing of any computer, hard-drive, removable-drive or other removable media on which Hempsons’ Data has been stored, physical destruction and use of specialist deletion and over-writing software is required.

Data Breaches

  1. Any actual or potential loss, theft, or corruption of, or unauthorised access to Hempsons’ Data (“Data Breach”) must be reported to us immediately.
  2. You must undertake an investigation to establish the cause of any Data Breach and report the outcome of the same to us, explaining the actions taken to remedy the Data Breach and to prevent recurrence.  We may suspend our instructions to you until we are satisfied that all necessary actions have been taken.


  1. You must be able to provide to us on request, information that evidences your compliance with this Information Governance Statement.
  2. We reserve the right from time to time to audit such information and your premises and systems where Hempsons’ Data is stored and/or processed and your Information Governance policies, procedures and records, in order to establish whether you are complying with this Information Governance Statement and/or the law and guidance to which you are subject.

Any queries regarding this Information Governance Statement and your compliance with it should be emailed to: