top of page

Privacy Notice - GDPR

Please read the following information carefully. This privacy notice contains information about the information collected, stored, and otherwise processed about you and the reasons for the processing. It also tells you whom I share this information with, the security mechanisms I have put in place to protect your data and how to contact me in the event you need further information.


Who Am I?

I, Katherine Bullock, collect, use and am responsible for personal information about you (personal information being any information about an individual from which that person can be identified). When I do this, I am the ‘controller’ of this information for the purposes of the GDPR and the Data Protection Act 2018.  I am registered with the Information Commissioner’s Office (ICO) as a Data Controller for the personal data that I hold and process and my ICO registration number is ZA448648 .


If you need to contact me about your data or the processing carried out you can use the contact details at the end of this document.

What Do I Do With Your Information?

Information collected from you

When carrying out the provision of legal services, providing a reference or dealing with an application to become a member of my staff, I collect some or all of the following personal information that you provide:

  • personal details

  • family details

  • lifestyle and social circumstances

  • goods and services

  • financial details

  • education, training, and employment details

  • physical or mental health details

  • racial or ethnic origin

  • political opinions

  • religious, philosophical, or other beliefs

  • trade union membership

  • sex life or sexual orientation

  • criminal proceedings, outcomes and sentences, and related security measures

  • other personal data relevant to instructions to provide legal services, including data specific to the instructions in question.

Information collected from other sources

The same categories of information may also be obtained from third parties, such as other legal professionals or experts, members of the public, your family and friends, witnesses, courts and other tribunals, suppliers of goods and services, investigators, government departments, regulators, public records, and registers.

Sources of Information

In addition to the information that you may provide to me directly or indirectly, the personal information that I obtain may include information which has been obtained from: 

  • other legal professionals, including solicitors, barristers and their associates, trainees and staff

  • experts and other witnesses

  • prosecution authorities

  • courts and tribunals

  • lay clients

  • family and associates of the person whose personal information I am processing

  • in the event of complaints, the barrister whom we have agreed will investigate the dispute, the Bar Standards Board, and the Legal Ombudsman

  • other regulatory, public or administrative authorities

  • current, past, or prospective employers

  • education and examining bodies

  • business associates, professional advisers, and trade bodies, e.g. the Bar Council

  • the intended recipient, where you have asked me to provide a reference.

  • the general public in relation to the publication of legal judgments and decisions of courts and tribunals

  • data processors, such as IT support staff, email providers, data storage providers

  • public sources, such as the press, public registers, law reports, searches and the media.


Purposes: How I use your personal information

I may use your personal information for the following purposes:

  • to provide legal services to my clients, including the provision of legal advice and representation in courts, tribunals, arbitrations, and mediations 

  • to keep accounting records and carry out office administration

  • to take or defend legal or regulatory proceedings or to exercise a lien 

  • to respond to potential complaints or make complaints 

  • to check for potential conflicts of interest in relation to future potential cases 

  • to promote and market my services 

  • to carry out anti-money laundering and terrorist financing checks

  • to train other barristers and when providing work-shadowing opportunities

  • to respond to requests for references

  • when procuring goods and services

  • to publish legal judgments and decisions of courts and tribunals

  • to fulfil equality and diversity and other regulatory matters

  • to manage matters relating to employment, including payroll and pensions

  • as required or permitted by law.


Whether information has to be provided by you, and why

If I have been instructed by you or on your behalf on a case or if you have asked for a reference, your personal information has to be provided to enable me to provide you with advice or representation or the reference, and to enable me to comply with my professional obligations, and to keep accounting records.


If you apply to me for a position your personal information has to be provided to me so that your application can be properly assessed and to enable me to comply with my regulatory obligations.


If you are a member of staff, your personal information has to be provided to me so that your employment records, pay and pensions can  be administered and to enable me to comply with my regulatory obligations and to keep accounting records.


If you wish to receive information about my practice or request to attend my events your personal information has to be provided to me so that you can benefit from that information or to be invited to events.


If you are offering or providing me with goods or services your information may be processed in relation to such offers or contracts. If you do not provide that data, I will not be able to perform the contract I have or am trying to enter into with you.


My lawful basis for processing your personal information

I rely on the following as the lawful bases on which I collect and use your personal information:

  • If you have consented to the processing of your personal information, then I may process your information for the Purposes set out above to the extent to which you have consented to me doing so.

  • If you are a client, processing is necessary for the performance of a contract for legal services or in order to take steps at your request prior to entering into a contract.

  • In relation to information which is in categories (g) to (n) above (these being categories which are considered to include particularly sensitive information and which include information about criminal convictions or proceedings) I rely on your consent for any processing for the purposes set out in purposes (ii), (iv), (vi), (viii) (ix), (xii) and (xiii) above. I need your consent to carry out processing of this data for these purposes. However, if you do not consent to processing for purposes (iv) and (ix) (responding to potential complaints and providing a reference) I will be unable to take your case or to provide a reference. This is because I need to be able to retain all the material about your case until there is no prospect of a complaint and to provide an informed and complete reference.

  • In relation to information in categories (g) to (n) above (these being categories which are considered to be particularly sensitive information and include information about criminal convictions or proceedings), I am entitled by law to process the information where the processing is necessary for legal proceedings, legal advice, or otherwise for establishing, exercising or defending legal rights.

  • In relation to information which is not in categories (g) to (n) above, I rely on my legitimate interest and/or the legitimate interests of a third party in carrying out the processing for the Purposes set out above.

  • In certain circumstances processing may be necessary in order that I can comply with a legal obligation to which I am subject (including carrying out anti-money laundering or terrorist financing checks).

  • The processing is necessary to publish judgments or other decisions of courts or tribunals.


Who will I share your personal information with?

If you are a client, some of the information you provide will be protected by legal professional privilege unless and until the information becomes public in the course of any proceedings or otherwise. As a barrister I have an obligation to keep your information confidential, except where it otherwise becomes public or is disclosed as part of the case or proceedings.


It may be necessary to share your information with the following:

  • data processors, such as IT support staff, email providers, data storage providers

  • instructing solicitors, instructing accountants and other lawyers and advisors involved in your case

  • other legal professionals including opposing counsel

  • experts and other witnesses

  • prosecution authorities

  • courts and tribunals

  • the staff in my chambers

  • trainee barristers

  • lay and professional clients

  • opposing lay and professional clients where necessary to the settlement of a claim

  • family and associates of the person whose personal information I am processing

  • in the event of dispute, compliant or other legal matter, the barrister whom we have agreed will investigate the dispute or complaint, the Bar Standards Board, and the Legal Ombudsman, my regulators, arbitrators and legal advisers

  • other regulatory authorities

  • law enforcement officials, government authorities or other third parties to meet any legal obligations

  • current, past, or prospective employers

  • education and examining bodies

  • accountants and banking officials

  • any relevant tendering committee or panel or legal directory for the purposes of professional development

  • business associates, professional advisers, and trade bodies, e.g. the Bar Council, the

  • intended recipient, where you have asked me to provide a reference.

  • the general public in relation to the publication of legal judgments and decisions of courts and tribunals

  • any other party where I ask you for consent and you consent to the sharing.


I may be required to provide your information to regulators, such as the Bar Standards Board, the Financial Conduct Authority or the Information Commissioner’s Office. In the case of the Information Commissioner’s Office, there is a risk that your information may lawfully be disclosed by them for the purpose of any other civil or criminal proceedings, without my consent or yours, which includes privileged information.


I may also be required to disclose your information to the police or intelligence services, where required or permitted by law or pursuant to a court order.  


Transfer of your information outside the United Kingdom (UK)

My practice is based in the UK and as such I do not anticipate that I will be required to transfer your personal data outside of the UK. If you are outside of the UK, I will only process your data in accordance with this Privacy Notice and the UK GDPR and Data Protection Act 2018.


This privacy notice is of general application and as such it is not possible to state whether it will be necessary to transfer your information out of the UK in any particular case or for a reference. However, if you reside outside the UK or your case or the role for which you require a reference involves persons or organisations or courts and tribunals outside the UK then it may be necessary to transfer some of your data to that country outside of the UK for that purpose.


Where I need to share your data with others who are based outside the UK, I expect that I will only transfer the data where the following apply:

(i) The jurisdiction in which the data being transferred is covered by the UK’s “adequacy regulations”.

(ii) If (i) does not apply, there are “appropriate safeguards” in place in both my practice and the third party organisation, prior to the transfer of data taking place. These will be commensurate to the safeguards afforded to data subjects under UK GDPR and I will ensure the same through the completion of transfer impact assessments.

(iii) If “appropriate safeguards” are not in place, then I will include “additional measures” (such as Standard Contractual Clauses in contracts with those to whom I will transfer the data) so your personal data is appropriately safeguarded.

(iv) If (i),(ii),(iii) do not apply, then I will only transfer the data:

a. Where it is necessary to establish if you have a legal claim, to make a legal claim, or to defend a legal claim; or

b. Under a contract between us or to be entered into between us because the transfer is necessary to enter or perform the contract; or

c. Under a contract between us or entered between us, which benefits another individual whose data is being transferred, because the transfer is necessary to enter or perform the contract.


I may also transfer the data outside the UK, where you have given your explicit consent to transfer data outside the UK after having been advised on the possible risks. You may also withdraw your consent, but this withdrawal will not affect the legality of any transfers before the withdrawal.


If I decide to publish a judgment or other decision of a Court or Tribunal containing your information then this will be published to the world.  


I will not otherwise transfer personal information outside the UK except as necessary for providing legal services or for any legal proceedings. In particular, on occasion I may be working from abroad outside the UK and as such I may take personal information with me so that I can work from abroad. 


If you would like any further information, please use the contact details at the end of this document.


How long will I store your personal data? 

I will normally store all your information:

  • While you remain a client, until you ask me to delete it. I will delete or anonymise your information at your request unless there is an unresolved issue (such as a claim or dispute); I am legally required not to do so; or there are overriding legitimate business interests not to do so.

  • Until at least 1 year after the expiry of any relevant limitation period. The law relating to limitation periods is complicated, but for present purposes I will usually rely (pursuant to the overriding time limit in s.14B Limitation Act 1980) on a period of 16 years from the conclusion of a matter or receipt of final payment, whichever is latest). This is because it may be needed for potential legal proceedings. This reflects the period required by the Bar Mutual Indemnity Fund relating to potential limitation periods. At this point any further retention will be reviewed and the data will be marked for deletion or marked for retention for a further period. The latter retention period is likely to occur only where the information is needed for legal proceedings, regulatory matters, or active complaints. Deletion will be carried out (without further notice to you) as soon as reasonably practicable after the data is marked for deletion. Some materials (e.g. opinions and legal pleadings) might be retained in anonymised form rather than being deleted. Where this is the case, I will anonymise personal information and/or redact personal information which may identify an individual and I will risk assess continued retention of the documents.

  • Equality and diversity data may be retained in pseudonymised form for the purpose of research and statistics and complying with regulatory obligations in relation to the reporting of equality and diversity data.

  • I will store some of your information which I need to carry out conflict checks for the rest of my career. However, this is likely to be limited to your name and contact details and the name of the case. This will not include any information within categories (g) to (n) above. 

  • Information related to anti-money laundering checks will be retained until five years after the completion of the transaction or the end of the business relationship, whichever is the later;

  • Names and contact details held for marketing purposes will be stored indefinitely or until I become aware or are informed that the individual has ceased to be a potential client.

  • The legal judgments and decisions of courts and tribunals will be stored and published indefinitely.


How will I keep your personal data secure? 

Publication of details about my security arrangements would risk their compromise, but my accounts, equipment, premises, and records are all backed-up, encrypted, locked, password-protected, secured and/or subject to anti-virus and firewall protection as appropriate and having regard to Bar Council guidance on IT issues. In this regard, my staff in my chambers and my IT support staff provide me with assistance and support and communicate and liaise with others on my behalf and I also use my IT systems, including email servers, fee, diary, practice-management and record-keeping software, internet and intranet, network and other shared drives and servers.


Data Processing

I use a number of different service providers (acting as “data processors”) who provide administration and IT-related services to enable me to operate my practice and provide services to clients. Your personal information is transferred to (and stored by) these data processors, who generally fall under the following categories:

  • Document and data storage service providers

  • Practice management service providers

  • IT service providers (which may include cloud-based storage providers)

  • Accounting service providers

  • Email providers


Please contact me using the details at the end of this document if you want further information on specific data processors or the types of personal data that they process for me.


Marketing and promotion

In relation to personal information collected for marketing purposes, personal information consists of:

  • name, contact details and name of the organisation

  • the nature of your interest in my marketing

  • your attendance at my events.


I process this so that you can be provided with information about me and to invite you to events.


You may opt out of receiving emails and other messages from my practice with information or invitations by following the instructions in those messages.



As explained above, I am relying on your explicit consent to process your information in categories (g) to (n) above. You provided this consent when you agreed that I would provide legal services, you asked me to provide a reference or applied to become a member of my staff.


You have the right to withdraw this consent at any time, but this will not affect the lawfulness of any processing activity I have carried out prior to you withdrawing your consent. However, where I also rely on other bases for processing your information, you may not be able to prevent processing of your data. 


If there is an issue with the processing of your information, please contact me using the contact details below. 


Your Rights 

Under the GDPR, you have a number of rights that you can exercise in certain circumstances. These are free of charge. In summary, you may have the right to:

  • Ask for access to your personal information and other supplementary information;

  • Ask for correction of mistakes in your data or to complete missing information I hold on you;

  • Ask for your personal information to be erased, in certain circumstances;

  • Receive a copy of the personal information you have provided to me or have this information sent to a third party. This will be provided to you or the third party in a structured, commonly used and machine readable format, e.g. a Word file;

  • Object at any time to processing of your personal information for direct marketing;

  • Object in certain other situations to the continued processing of your personal information;

  • Restrict my processing of your personal information in certain circumstances;

  • Request not to be the subject to automated decision-making which produces legal effects that concern you or affects you in a significant way.


If you want more information about your rights under the GDPR please see the Guidance from the Information Commissioners Office on Individual's rights under the GDPR.


If you want to exercise any of these rights, please:

  • Use the contact details at the end of this document;

  • I may need to ask you to provide other information so that you can be identified;

  • Please provide a contact address so that you can be contacted to request further information to verify your identity;

  • Provide proof of your identity and address;

  • State the right or rights that you wish to exercise.


I will try to respond to all legitimate requests within one month from when I receive your request. If your request is particularly complex or you have made a number of requests, it may take me longer than one month. In this case, I will notify you and keep you updated.


How to make a complaint?

The GDPR also gives you the right to lodge a complaint with the Information Commissioners’ Office. The Information Commissioner’s Office can be contacted at  


Future Processing

I do not intend to process your personal information except for the reasons stated within this privacy notice. If this changes, this privacy notice will be amended and placed on the Chambers website


Changes to this privacy notice

This privacy notice was published on 1st January 2023 and last updated on 1st January 2023. 


I continually review my privacy practices and may change this policy from time to time. When I do it will be placed on the website  


Contact Details

If you have any questions about this privacy notice or the information I hold about you, please contact me. 


The best way to contact me is by one of the following:

  • to email me at 

  • write to me at my Chambers address (St Katharine’s House, Main Street, York YO23 7DN)

  • telephone me at 07273 746949

bottom of page