SPU Law logo SPU LawNot-for-profit legal support clinic
Start a case check

SPU Law

Privacy notice

This notice explains how SPU Law collects, uses, stores and shares personal information for website enquiries, case checks, portal use, casework, documents, complaints and compliance.

Case checks

Website case checks are stored in the case-management database as intake enquiries for staff triage.

Sensitive information

Enquiries may include legal, health, disability, welfare benefits, employment, safeguarding, financial or identity information.

Your rights

You may have rights to access, correction, deletion, restriction, objection, portability and withdrawal of consent depending on the circumstances.

1. Who this notice is for

This privacy notice explains how SPU Law uses personal information from people who visit the website, submit a case check, contact SPU Law, use the client portal, provide documents, receive casework support, make a complaint, or are connected to a matter.

SPU Law is the controller for personal information it decides to collect and use for its public website, triage, case management, compliance and administration. Contact details for privacy requests should be kept up to date on the Contact page before publication.

2. Information SPU Law may collect

SPU Law may collect identity and contact details, enquiry details, case and document records, deadline information, employment and welfare benefit information, tribunal or appeal papers, communication records, portal messages, billing or payment records, complaint records, consent records, audit logs, IP address and browser information.

Some information may be sensitive. This can include information about health, disability, safeguarding, welfare benefits, financial hardship, employment, discrimination, family circumstances, children or dependants, criminal allegations, or other especially private matters.

3. Why SPU Law uses information

SPU Law uses information to review enquiries, carry out conflict and risk checks, decide whether a matter is within scope, provide accepted support, communicate with people, manage documents, operate the client portal, keep audit records, handle complaints, comply with legal or insurance duties, protect people from harm and improve the service.

Submitting a case check does not create a client or representative relationship. The information is used first for triage and suitability review.

4. Lawful bases and sensitive information

Depending on the situation, SPU Law may rely on consent, steps taken before entering into an agreement, contract, legal obligation, legitimate interests, vital interests, or public interest reasons where the law allows this.

For special category information, SPU Law may rely on explicit consent, legal claims, substantial public interest, safeguarding, or another condition that applies to the particular matter. SPU Law should record the appropriate basis where sensitive information is used.

5. Who information may be shared with

Where necessary and proportionate, SPU Law may share information with courts, tribunals, HMCTS, DWP, ACAS, employers or respondents, medical professionals, support workers, advisers, advocates, interpreters, insurers, IT and hosting providers, auditors, regulators, safeguarding bodies, emergency services or law enforcement.

SPU Law will normally seek consent before contacting third parties such as a GP, DWP, ACAS, employer, support worker or adviser, unless there is another lawful reason to share information, such as safeguarding, legal duty or urgent risk.

6. How long information is kept

SPU Law keeps information only for as long as it is needed for triage, casework, audit, insurance, complaints, safeguarding, legal or regulatory reasons. Retention periods may differ depending on whether an enquiry was declined, signposted, accepted for support, or involved safeguarding or a dispute.

The case-management system includes retention and deletion review fields. SPU Law should keep an approved retention schedule and review records when the review date is reached.

7. Security

SPU Law uses access controls, authentication, role permissions, private document handling, audit logs and secure configuration settings to protect information in the case-management system.

No online system can be guaranteed completely risk-free. People should avoid sending information that is not needed for triage or casework, and should not use the website for emergencies.

8. Your rights

Depending on the lawful basis and circumstances, you may have rights to be informed, access your information, correct inaccurate information, ask for deletion, restrict processing, object to processing, ask for portability, and withdraw consent where consent is being relied on.

Some rights are not absolute. For example, SPU Law may need to keep certain records for legal, insurance, complaint, safeguarding or audit reasons. SPU Law should respond to privacy requests within the legal timescale and explain if an exemption or limitation applies.

9. Complaints about privacy

If you are concerned about how SPU Law has used your personal information, raise it with SPU Law first so it can review the issue. You also have the right to complain to the Information Commissioner's Office.

This notice should be reviewed before publication and whenever SPU Law changes how it collects, stores, shares or retains personal information.

Not sure where to start?

Use the case-check form and SPU Law will review whether the matter is within scope.

Start a case check