CILEX (Chartered Institute of Legal Executives) Privacy Statement
CILEX (Chartered Institute of Legal Executives) takes your privacy and your rights to your Personal Data extremely seriously and we are committed to protecting the privacy of all Personal Data that we obtain from individuals. Data is held in compliance with current UK Data Protection Legislation and other applicable Data Privacy Laws.
We are committed to protecting the privacy of all Personal Data obtained about individuals through, but not limited to, personal contact, email enquiries, newsletter sign up forms, event registrations, membership forms, etc.
Data will be collected and used only for the purposes for which it was originally submitted or in accordance with your preferences.
Table of Contents
- A. Who we are and how to contact us
- B. How we communicate with you
- C. How and why we obtain personal data
- D. The personal data we collect, how we collect it and where is it stored
- E. Sharing personal data
- F. Automated decision-making
- G. How long do we keep your personal data
- H. Your rights
- I. Legislation
- J. Freedom of Information Act 2000 (FOIA)
- K. Reviewing the Privacy Statement
CILEX (Chartered Institute of Legal Executives) is the governing body for Chartered Legal Executives, Paralegals and other Legal Professionals. CILEX as a professional association provides professional development, support and guidance to its members. It delivers legal education and training through CILEX Law School (CLS), qualifications through its Awarding Body function and independent regulation through CILEX Regulation (CRL).
CILEX is incorporated by Royal Charter (RC000850). Our registered address is: CILEX, Kempston Manor, Kempston, Bedford MK42 7AB.
CILEX is an Awarding Organisation and is required to share Personal Data with our Regulators, appropriate Government Agencies and Partner Organisations.
In most circumstances, CILEX is the Data Controller, in relation to the Personal Data it holds and the processing activities it undertakes as outlined below. This means that CILEX decides why and how the Personal Data it holds is processed, where it delegates the sharing of that data to other companies within CILEX and those companies act as Data Processors.
If you have any questions about this Privacy Statement, log in to myCILEX Portal and go to Contact Us, then select ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. If you do not have access to the myCILEX Portal or do not wish to log your details on the system, please contact us by email at [email protected].
CILEX respects the privacy of the Personal Data that we hold.
During the year, there are updates that CILEX needs to communicate to members, students and stakeholders, in relation to the Institute and CILEX membership and qualifications (administration and development). We use direct communications, e-shots, newsletters, technical bulletins and other mediums for this purpose. You may also receive surveys regarding our service provision, with regard to our continuous improvement and to further ascertain our students’ requirements. You can control what you like to receive at any time in your User Account Preference Centre or by selecting unsubscribe on an email link. Unless you advise us otherwise, we will continue to send updates about CILEX and CILEX products and services to you via email.
CILEX only processes Personal Data, where we have a lawful basis to do so. This will depend on the activity, that we collect it for e.g., to provide membership services. In some instances, there may be more than one lawful basis for which we process your Personal Data.
The lawful bases for processing of Personal Data can include Consent of the Data Subject, Contractual Necessity, Compliance with a Legal Obligation, Vital Interests, Public Interest and Legitimate Interest.
The lawful bases, which are relevant to CILEX are primarily as follows:
1. Consent of the Data Subject
CILEX processes Personal Data, where you have given consent for us to do so. This includes, but is not limited to, newsletters, surveys, consultations, events, products, services and sending you marketing communications. In relation to marketing communications, you always have the right to withdraw your consent.
2. Compliance with a Legal Obligation
CILEX processes Personal Data, which is necessary for compliance with legal obligations to which CILEX is subject. (e.g., the supply of regulatory information to The Office of Qualifications and Examinations Regulation (Ofqual) or Department for Education (DfE), Qualification Wales, CCEA; regulation as an Approved Regulator under the Legal Services Act 2007 in the public interest, such as the maintenance of the CILEX Authorised Practitioners Directory). This also includes, but is not limited to, providing Personal Data to regulators, law enforcement bodies and statutory bodies.
3. Legitimate Interest
CILEX processes Personal Data, which is necessary for the pursuit of its legitimate interests, as a Professional Awarding Association, as a Governing Body and in pursuing our objectives. This includes, but is not limited to, responding to general enquiries, supporting our members, asking our members about member services they would like to receive in the future and researching the ongoing relevance of our member services.
The law allows us to do so provided that the processing is fair, balanced and it does not unduly impact on your rights.
We may also rely on a third party’s legitimate interests, such as when an organisation has requested information or services from us and your legitimate interests, which may be the case in some of the examples given above (such as where you have made an enquiry).
4. Contractual Necessity
CILEX processes Personal Data to fulfil a contract or take steps linked to a contract. CILEX relies on contractual obligation to provide the products and/or services, to communicate with its customers, in relation to the provision of the contracted products and services or to provide administrative support.
5. How We Process Personal Data
CILEX collects and processes Personal Data. Your Personal Data, however, it is provided to us, will be used for the purposes specified in this Privacy Statement or otherwise notified to you. In particular, we may use your Personal Data:
- a. to provide you with services, products or information that you have requested (including membership services and to enrol you on courses);
- b. to administer examinations, applications, membership and to manage employer accounts, in accordance with any related statutory or regulatory obligations. This may include background checks and employer references;
- c. to provide further information about our work, services, activities or products;
- d. to answer your questions or requests and to communicate with you in general;
- e. to manage relationships with our members, with employers and other stakeholders and those who engage with our services and publications;
- f. to further our organisational aims in general;
- g. to analyse and improve our work, services, activities, products or information (including our website) or for our internal records;
- h. to report on the impact and effectiveness of our work;
- i. to run and administer our websites, keep them safe and secure and to ensure that content is presented in the most effective manner for you and for your device;
- j. to register and administer your participation in events;
- k. to process your application for a job or volunteer role with us, when you apply through our job vacancies page (including to conduct background checks and employer references);
- l. for training and/or for quality control;
- m. to audit and/or to administer our accounts;
- n. to satisfy legal obligations, which are binding on us, for example, in relation to regulatory, government and/or law enforcement bodies with whom we may work with (for example, requirements relating to the payment of tax or Anti-Money Laundering);
- o. for the prevention of fraud or misuse of services; and/or
- p. for the establishment, defence and/or enforcement of legal claims.
CILEX is committed to respecting the Personal Data that you supply to us. The Personal Data that we collect will be relevant to the purposes for which it is to be used and we will do our utmost to ensure that such Personal Data will be accurate, complete and kept up-to-date. Whenever Personal Data is obtained from you, you will have access to information explaining how that Personal Data will be used.
1. The Personal Data We Collect
CILEX may collect, store and otherwise process the following kinds of Personal Data:
- a. name and contact details, including postal address, telephone number, email address and emergency contact details;
- b. date of birth;
- c. financial information, such as bank details and/or credit/debit card information;
- d. information about your computer or mobile device and your visits to and use of this website, including for example, your IP address and geographical location;
- e. video and audio recording, if you choose to take an online test or examination through the online invigilation platform;
- f. unique candidate identifiers/unique learner numbers;
- g. examination results, the information about your membership and your interactions with CILEX;
- h. details of your qualifications and experience and;
- i. through cookies on our website.
For further information on our Cookies Banner and the use of Google Analytics, please read our website Cookies Policy.
2. Special Categories of Personal Data
We may also collect Special Categories of Personal Data, such as gender, ethnicity, etc., whether you have a disability or any other protected characteristics (particularly related to where reasonable adjustments or access arrangements may be needed) and any information relating to a background check.
Such data will only be collected and/or provided to us, if you have provided your explicit consent or if we are otherwise permitted to receive and process it under the UK Data Protection Legislation.
For the processing of Special Categories of Personal Data, we consider whether the risks associated with our use of this type of Personal Data will affect our other obligations around data minimisation and security. A Data Protection Impact Assessment (DPIA) and an appropriate policy document should be completed.
The lawful bases for Special Categories of Personal Data (also known as Sensitive Personal Data) can include one or more of the following lawful bases (and not all of which will be relevant to CILEX): Explicit Consent, Employment Law, Vital Interests, Charity or Not for Profit Bodies, Data manifestly made public by the Data Subject, Legal Claims, Reason for Substantial Public Interest, Medical Diagnosis or Treatment, Public Health, Historical, Statistical or Scientific Purposes, processing for new purposes and processing not requiring identification.
3. How We Collect Personal Data
- a. When you give your Personal Data to any part of CILEX directly.
For example, Personal Data that you give to us, when you communicate with us by email, phone or letter, such as when you apply to and become a member, complete a CILEX survey, take a test or examination, join a Specialist Reference Group (SRG), report a problem or sign-up to receive our communications.
- b. When we obtain it indirectly.
For example, your Personal Data is provided by you to an approved training provider may be shared with us by training or learning providers, after you enrol for a course or submit your apprenticeship application form, in relation to which we provide the relevant qualification/assessments (as CILEX acts as an End-Point Assessment Organisation for apprenticeships) and we may also conduct background checks and obtain employer references or receive your Personal Data from dependent applicants to the CILEX Foundation.
Very often, your Personal Data will have been provided to us by your employer at your request or with your agreement with them.
- c. When it is available publicly
Your Personal Data may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access Personal Data from those accounts or services.
- d. When you visit our website
When you visit our website, we automatically collect the following types of Personal Data;
• Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
• Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
• Through Cookies and the use of Google Analytics on our website – please refer to our Cookies Policy.
In general, we may combine your Personal Data from these different sources set out in sections a-d above, for the purposes set out in this Statement.
Where you lodge a complaint, your Personal Data will be used to correspond with you. A complaint can be made in writing or by telephone. We encourage complaints to be made in writing by completing a ‘Contact Us’ form by logging into your myCILEX account via the CILEX website, wherever possible. We will get in contact by email regarding your complaint, in accordance with the CILEX Complaints Policy. To exercise your rights, please see section H of this Privacy Statement.
5. Access to your Personal Data
We take reasonable steps to ensure that the Personal Data that we hold will be accurate and up-to-date. You can check the Personal Data that we hold about you, if you are a member through your myCILEX account. Alternatively, you can ask us to check by using the website’s Contact Us Form and selecting ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. If you do not have access to the myCILEX Portal or do not wish to log your details on the system, please contact us by email at [email protected].
6. Users 16 and Under
We do not knowingly collect or solicit Personal Data from anyone aged 16 or under or knowingly allow such persons to provide us with their Personal Data without Parental or Guardian consent. If you are aged 16 or under, please do not provide us with your Personal Data, without first asking your Parent or Guardian for their permission. In the event, that we learn that we have collected Personal Data from anybody aged 16 or under and we do not have the consent of a Parent or Guardian, we will delete that Personal Data, as quickly as possible. If you believe that we might have any Personal Data from or about anyone aged 16 or under without the consent of a Parent or Guardian, please send us a message by logging in to myCILEX Portal and go to Contact Us, then select ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. If you do not have access to the myCILEX Portal, or do not wish to log your details on the system, please contact us by email at [email protected].
7. Storage of Data
Personal Data collected by CILEX is stored on secure IT systems. This Personal Data can generally be accessed throughout CILEX, except where it is unsuitable to do so, in which case appropriate measures are put in place to ensure Personal Data can only be accessed by those with a need to know.
Any third party contracted by CILEX to process Personal Data on its behalf will be requested to have security measures in place to protect the Personal Data and to treat such data, in accordance with UK Data Protection Legislation. We also set up Data Processing Agreements with our third party or supplier contracts. In the event of any contract relating to International Data Transfers the additional applicable documents will be in place such as EC SCCs (European Commission’s Standard Contractual Clauses), IDTA (International Data Transfer Assessment) or ICO Addendum. CILEX has put in place procedures to deal with any Potential Data Security Incident (PDSI) and they will notify you and the UK Information Commissioner’s Office (ICO), when appropriate of any data breach, where we are legally required to do so.
We may contact you for marketing purposes related to our products and services and our website, unless you let us know that you do not want to receive marketing communications from us. Your agreement to the use of your personal information for these purposes is optional and if you decline to provide your agreement, your visit to and use of the website will not be affected. You can opt in or opt out of your Communication Preferences via the myCILEX Portal at any time or unsubscribe via the email link.
The Personal Data that we collect will only be used for the purposes set out in this Statement or otherwise notified to you. We will not disclose your Personal Data to any third parties, except as set out in this Statement, including where required to or are permitted to by law or where those parties are conducting CILEX activities on our behalf (For example, to regulators, law enforcement agencies or partner organisations) including with other entities such as in CILEX, CILEX Regulation, CILEX Law School or CILEX Foundation.
In circumstances, where we engage a service provider or CILEX entity to provide services to us, we ensure that Personal Data is only processed in a manner compliant with the relevant UK Data Protection Legislation, subject to a formal Data Processing Agreement and only used for the purposes for which the Personal Data was originally collected.
We may need to share your Personal Data with our professional advisers, including auditors, lawyers and insurers who provide professional advice, accounting, banking, legal, insurance, and pension services or to meet our audit responsibilities. However, we do not allow our third-party service providers to use your Personal Data for their own purposes. They can process your Personal Data for specific purposes and under our instructions.
Personal information may be shared with a third party, who has a legitimate interest in the data, where disclosure is necessary and lawful and the processing is aligned with the purpose for which the Personal Data was originally collected. CILEX may share your Personal Data with your employer, where they have paid for your course fees on a distance learning course.
We also might share personal information with the Police or other organisations that have a crime prevention or law enforcement function. UK Data Protection Legislation allows organisations to share personal information, if it is needed to prevent or detect a crime or to catch and prosecute a suspect.
CILEX is committed to keep children and vulnerable adults safe, when its employees and representatives come into contact with them during the course of their work. Where there is a safeguarding concern of a serious and/or urgent nature, confidential information related to the affected individual may be disclosed to emergency services or an external agency.
If we undergo a merger or re-organisation, in doing so we may acquire or transfer Personal Data as part of that transaction, but your Personal Data would continue to be used for the same purpose. CILEX’s recent acquisitions in 2023 have included the IOP (Insititute of Paralegals) and PPR (Professional Paralegal Register).
1. Sharing Data with Overseas Approved Training Providers
Where a member is studying at an overseas CILEX approved training provider, they will share the member’s Personal Data with us in the form of their name, membership number and name of examination. Examination results will be shared in return by us with the CILEX approved training provider.
2. International Data Transfers
We may transfer Personal Data to countries outside of the United Kingdom, where Personal Data is not protected in the same way (usually to other businesses, who provide services on our behalf). In such cases, we will make sure that suitable safeguards are in place to protect the Personal Data, such as a signed Data Processing Agreement, EC SCCs, IDTA and ICO Addendum, as applicable. Additional steps are taken to ensure that appropriate measures and controls are in place to protect that data, in accordance with the relevant UK Data Protection Legislation and Regulations.
Neither Party shall transfer Shared Data to any country outside the European Economic Area or the UK, unless that Party ensures that (as required to comply with applicable UK Data Protection legislation):
• the transfer is to a country, territory or one or more specific sectors within a country approved by the UK’s Information Commissioner’s Office or the European Commission as providing adequate protection and the prior written consent of the data subject/s
• there are appropriate safeguards in place as required by applicable UK Data Protection Legislation; or
• it can rely on a derogation from the relevant obligations under the UK Data Protection Legislation.
From 28th June 2021, the UK has been granted an adequacy decision by the EU, which covers data transfers between the UK and the EU and this adequacy decision is due to be reviewed on 28th June 2025 with a view to this safeguard remaining in place for UK/EU Data Transfers.
3. Qualifications/End Point Assessments
If you are taking CILEX exams or assessments, CILEX will share your Personal Data with CILEX Approved Training Providers, our Assessment Providers, CILEX Assessors and Panel Members and CILEX Regulators e.g., Ofqual, Qualification Wales, CCEA and/or CILEX Regulation. CILEX will share the Personal Data of Apprentices with the Education and Skills Funding Agency (ESFA), which operates the process for issuing Apprenticeship Certificates on behalf of the Secretary of State and with Apprentices’ Employers, in relation to CILEX provision of the End Point Assessment.
CILEX may also share data with the Department for Education (DfE) and the Institute of Apprenticeships and Technical Education in its role, as an Awarding Body and End Point Organisation.
4. Financial Information
CILEX does not store credit or debit card details and it does not share financial information with third-parties. However, when paying for goods or services online, CILEX uses a credit card processing company or a Direct Debit service to complete these transactions. These companies do not retain, share, store or use Personal Data for any purposes other than to provide this service to CILEX. We adhere to PCI-DSS compliance for the processing of all card payments.
5. Advertising Cookies
The main purpose of CILEX Cookies is to provide the user with the best experience possible. No personal information is permanently stored within a Cookie from the CILEX website.
When users access the CILEX website, the encrypted session Cookies are used to validate the users’ access to different parts of the website.
CILEX also collects information about how people access and use its websites using Google Analytics. Please see our Cookies Policy for further information.
6. Verification Requests
CILEX may sometimes respond to verification requests of qualification or membership status from current or prospective employers, employment agencies, regulators or other third-party contacts.
7. Links to Other Websites
This Website may contain links to other websites and third-party content. Unless expressly stated, these sites are not under the control of the CILEX or that of our affiliates.
We assume no responsibility for the content of such Websites and disclaim Liability for any and all forms of loss or damage arising out of the use of them. Any such activity and any terms, conditions, warranties or representations associated with such activity, is solely between you and the applicable third-party. CILEX shall have no liability, obligation or responsibility for any such correspondence, purchase or promotion between you and any such third-party.
8. Social Media
By communicating with the brand CILEX across Hivebrite (The CILEX Community Website), Instagram, Twitter, LinkedIn or Facebook (or any other social media channels), you agree to the following:
1. You hereby grant us the right to use any image(s), content and/or your handles, in which you have tagged or mentioned in CILEX, on our website and/or any CILEX social media platforms, including, but not limited to Hivebrite (The CILEX Community Website), Twitter, LinkedIn, Instagram and Facebook.
2. The CILEX reserves the right to use, modify, combine or reproduce with other material your content with no obligation and it is royalty free.
3. You warrant that you own your posted content and that it does not violate or infringe on the rights of any third-party and you have permission to use or appear in the content.
4. You are 18 years of age and over. (The CILEX Community Website age limit is aged 16 years of age and over).
These terms and conditions serve all activity, in relation to CILEX, unless otherwise stated.
CILEX makes automated decision-making for membership applications, tutors management, etc. Depending on the situation, CILEX could make others automated decisions as part of its processes.
In general, CILEX only retains Personal Data for as long as it is necessary to fulfil the purposes for which it is being processed (including to comply with relevant UK Legislation or Regulatory requirements and/or to resolve legal disputes).
That length of time may vary depending on the reasons for which we are processing the Personal Data and whether we have a legal (for example, under financial regulations) or contractual obligation to keep it for a specific time period.
Once the data retention period has expired, Personal Data will be confidentially disposed of or permanently deleted. If you object to further contact from us, we will keep some basic information about you, in order to avoid sending you unwanted communications in the future.
If before that date (i) your Personal Data is no longer required, in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.
Your Individual Rights are:
- • The Right to be Informed – Data Subjects have the right to be informed about the collection, sharing, protection and use of their Personal Data.
- • The Right of Access – Data Subjects have the right to request access to any personal information that we hold on them.
- • The Right to Rectification – Individuals have a right to have inaccurate Personal Data rectified, removed or completed, if it is incomplete. If the Personal Data is found to be incorrect, but it is unable to be updated, this should be removed.
- • The Right to Erasure – The Right to Erasure – Under certain circumstances, a Data Subject may request for us to delete their information that we retain regarding them, with the exception of any information that we are legally required to retain and for the other exemptions set out in UK Data Protection Legislation (our right to get your data deleted | ICO).
- • The Right to Restrict Processing – The Right to Restrict Processing – Data Subjects have the right to request the restriction or suppression of their Personal Data, in certain circumstances.
- • The Right to Data Portability – Individuals may request a copy of their data for reuse across different services, which should be provided in a way, so that information can be copied or transferred from one IT environment to another safely and securely without affecting tis usability.
- • The Right to Object – Data Subjects have the right to object to the processing of their Personal Data, in certain circumstances. For example, individuals have an absolute right to stop their data being used for direct marketing.
- • Rights Concerning Automated Decision Making and Profiling – We may only carry out this type of decision-making, where the decision is either necessary for the entry into or performance of a contract, authorised by EU or UK law applicable to the Data Controller or it is based on the individual’s explicit consent.
In certain cases, CILEX can refuse to comply with a request, if it is manifestly unfounded or excessive. In order to decide, if a request is manifestly unfounded or excessive, CILEX must consider each request on a case-by-case basis.
If you have any questions about how CILEX process your Personal Data or you would like to exercise any of your rights under the UK Data Protection legislation, log in to myCILEX Portal and go to Contact Us, then select ‘Data Protection: Query and Request’ on ‘My Query Relates to’ section. If you do not have access to the myCILEX Portal or do not wish to log your details on the system, please contact us by email at [email protected].
You also have the right to lodge a complaint with the UK’s Information Commissioner’s Office (ICO). Their contact details are:
Information Commissioner’s Office
Tel No: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
“UK Data Protection Legislation” means All applicable UK Data Protection and Privacy legislation in force from time-to-time, including the General Data Protection Regulation (EU) 2016/679, the UK Data Protection Act 2018 and the Privacy and Electronic Communications (EU Directive) Regulations 2003 (as amended) (PECR) and any superseding legislation and all other applicable laws, regulations, statutory instruments and/or any codes, practice or guidelines issued by the relevant data protection or supervisory authority in force from time to time and applicable to a Party, relating to the processing of Personal Data and/or governing individual’s rights to privacy.
CILEX is not listed as a ‘public body’ for the purposes of the FOIA and therefore, it is not under a duty to comply with the provisions of the FOIA.
CILEX will review and update this Privacy Statement from time to time, when changes to our processes or procedures and systems are made, if UK legislation and regulations change or if new circumstances require it.
If this Privacy Statement changes in any way, we will put an updated version on the website. Regular review of this page ensures that you are always aware of what Personal Data we collect, how we use it and under what circumstances.
CILEX will make reasonable efforts to contact and update those affected, if the changes are significant in nature.
Statement Approval Date of Issue: January 2023 Review Date: December 2024 Version: 1.4 Procedure Owner: Corporate Compliance Manager Approved By: Corporate Policy Review Panel (CPRP)