Your privacy: our General Data Protection Regulation compliance statement
This is a statement of the General Data Protection Regulation compliance policy that is adopted by SHCE Ltd t/a The Sheriffs Office for delivering our services, which include the enforcement of writs, tracing services and debt collection for our clients. SHCE Ltd will, when delivering these services, collect and use personal information only which is relevant to the work that we are undertaking and which will be controlled, stored and processed in accordance with the General Data Protection Regulations (GDPR), howsoever it is collected, recorded and used; whether it be on paper, in electronic media form (e.g. in a computer system), or recorded by other means.
We consider the lawful and correct treatment of personal information by the company as critical in maintaining the confidence of our clients; we therefore manage and process personal information lawfully and correctly.
Information is defined under the GDPR as being Personal Information if any of the following criteria are met:
Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?
Does the data “relate to” the identifiable living individual, whether in their personal or family life, business or profession?
Is the data “obviously about” a particular individual?
Is the data “linked to” an individual so that it provides particular information about that individual?
Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
Does the data have any biographical significance in relation to the individual?
Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?
We adhere to the Principles of Data Protection, as set out in The Data Protection Act 1998 and the General Data Protection Regulations (GDPR), which come into force in May 2018.
Specifically, these Principles require that personal information:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
- Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Shall be accurate and, where necessary, kept up to date.
- Shall not be kept for longer than is necessary for that purpose or those purposes.
- Shall be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
SHCE Ltd will, through appropriate management and by strict application of criteria and controls:
- Observe fully the conditions regarding fair collection and use of information.
- Meet its legal obligations to specify the purposes for which information is used.
- Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
- Ensure that the quality and accuracy of information used is adequate and is maintained.
- Apply strict checks to determine the length of time information is held and that it is stored for no longer than is necessary.
- Ensure that the rights of people about whom information is held are able to be fully exercised under the Act and Regulations. These include: the right to be informed that processing is being undertaken, the right of access to one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information.
- Take appropriate technical and organisational security measures to safeguard personal information.
- Ensure that personal information is not transferred abroad to countries to which transfers are not permitted under the GDPR.
The information storage and processing systems used by SHCE Ltd are certified as compliant with the International standard for information security management systems (ISMS), ISO 27001: 2013, accredited through the British Standards Institute (BSI). This is designed to ensure that:
- There is an officer appointed with specific responsibility for data protection within the organisation: You may contact our Data Protection Officer by telephone on 44 (0) 333 001 5100, via e-mail at firstname.lastname@example.org, via the Contact Us form on our web site or by letter addressed to The DPO, SHCE Ltd, 3rd Floor, Linden House, Guards Avenue, Caterham CR3 5XL
- Everyone handling, managing and working with personal information understands that they are contractually and legally responsible for following the GDPR and good data protection practice.
- Everyone handling, managing and working with personal information is appropriately trained to do so.
- Everyone handling, managing and working with personal information is appropriately supervised.
- Anyone wanting to make enquiries about personal information knows how to do so.
- Queries about personal information are promptly and courteously dealt with, in accordance with the GDPR.
- Methods of handling, managing and working with personal information are clearly described.
- A regular review and audit is made of the way personal information is managed.
- Methods of handling, managing and working with personal information are regularly reviewed, assessed and evaluated.
- The performance of the methods and process is regularly reviewed, assessed and evaluated.
Information processing - general
We do not undertake automated decision making about, or profiling of personal data.
Data subjects have a right, as set out in the GDPR, to obtain the personal information which is stored and used by us, and can obtain this information by contacting the Data Protection Officer whose details are given in this document. The data comprising the personal information will be delivered to the data subject in a secure manner and in a format which is readily accessible using common proprietary data access tools (such as word processor document or spreadsheet viewer programs).
GDPR compliant policy for enforcement information
What information do we obtain, process and/or store:
We receive basic personal information relating to both claimants and defendants from HM Courts and Tribunals Service and other statutory authorities when writs and orders are issued to us for enforcement.
The personal information which is obtained consists of name, address(es) and details of the judgment or order made by the Court or statutory authority, which consist of the details of monies due, the premises or land to which a judgment or order refers or specific actions defined in the judgment or order, for example the delivery of specific items to specific persons. Occasionally, we will be provided with information concerning potential vulnerability, generally by the data subject, or by persons or agencies acting on his or her behalf. This information may therefore relate to the data subjects’ health.
What we use the data we collect for:
The information which we obtain, store and process is necessary and is used to enable us to enforce the writ or order and thereby comply with the commands contained in the writ or order, and with any order subsequently made by the Court relating to the enforcement of that writ or order.
Administrative staff and Enforcement Agents employed by us act to enforce the writ or order, at the direction and under the control of the Authorised High Court Enforcement Officer to whom the writ and/or order was directed by the Court or statutory authority, in accordance with the Courts Act 2003. We also enforce such instructions or other orders as may be directed to us and which are made by any person or entity authorised by the laws of England and Wales to issue such order or instruction.
When we are required to obtain health information where it is relevant to issues of vulnerability, as provided under regulations 10 and 23 of Part 2 of The Taking Control of Goods Regulations 2013, governing the enforcement of writs and orders, the information obtained is used by administration staff and Enforcement Agents to alert creditors where they have identified such debtors. Enforcement Agents and relevant staff are trained to recognise and to manage interactions with vulnerable debtors, and when to withdraw from such situations.
The information thus obtained will be used to contact the defendant(s) in the enforcement action, by surface mail, e-mail or SMS text message or by means of an attendance by an Enforcement Agent.
Once enforcement has been completed, we are required to retain the detailed information recording the enforcement of the writ or order for 6 years in accordance with The Limitation Act 1980. Because we are required under The Courts Act 2003 and related legislation to enforce writs directed to us, we are not able to delete personal data stored for the purpose of enforcing writs or orders. At no stage will we divulge to a third party any personal data unless specifically ordered to do so by the Court.
We confirm that no part of our enquiry will be sub-contracted to any other person or company without prior client approval or by order of the Court. No information concerning the data subject given to us by our clients or obtained during the course of our enforcement actions will be used for any other purpose.
At all stages of the enforcement process we act as a data controller and as such we will fully comply with the GDPR and with the Data Protection Act and its guiding principles.
GDPR compliant policy for Tracing Services information
What information do we obtain, process and/or store:
The personal information which is obtained when we are undertaking our client’s instructions to trace individuals and companies consists of name and address and in some cases the date of birth of an individual person.
In cases where it is appropriate and reasonable, we will search for tracing subjects’ names in various databases to which we are granted lawful access. In some circumstances, depending on the nature of the enquiry, this may leave a "footprint" under the search purpose that clients have provided to us on the subject’s credit history file.
Depending on the information we obtain from these databases, we may then determine that further enquiries may be made, such as obtaining telephone numbers for addresses at which we believe the subject may be found. We may also utilise other public databases and/or Registries that we think would be of value to this enquiry (e.g. the Insolvency Register, Land Registry, London Gazette etc.).
Once this research has been completed, we may then conduct enquiries by telephone at and around the locations identified. At no stage will we divulge to a third party any personal data relating to the data subject.
What we use the data we collect for:
We use the data collected relating to the tracing subject’s address to appraise our client of the subjects’ current residential and/or commercial address and/or telephone number and/or e-mail address.
Once the tracing operation has been completed, we normally retain the detailed information recording the tracing activity for 6 years, in accordance with the Limitation Act 1980. We are able, upon request of the data subject, to securely erase all personal data stored for the purpose of tracing. At no stage will we divulge to a third party any personal data.
Whatever the instruction, we confirm that no part of our enquiry will be sub-contracted to any other agent without prior client approval. We also confirm that no information concerning the data subject given to us by our clients or obtained during the course of a trace enquiry will be used for any other purpose.
At all stages of enquiries we recognise that we are acting as our clients’ data processor and as such we will fully comply with the GDPR and with the Data Protection Act and its guiding principles.
GDPR compliant policy for marketing and general information
What information we collect:
We acquire and use information relating to commercial organisations and individual traders for use in our marketing and sales activities.
Our clients provide some of this information directly, when submitting an instruction to act on their behalf, to provide services or when contacting us for the purposes of making an enquiry about enforcement, collection or tracing services.
We also obtain information by recording how persons use our websites by means of embedded technology such as cookies, and by receiving written enquiries and usage data from relevant forms hosted on our website.
Calls to our telephone system may be recorded and Calling Line Identity (CLI) numbers are identified and stored where they are not withheld.
We also obtain data from third parties.
We protect data obtained from third parties according to the practices described in this statement, together with any additional restrictions that are imposed by the source of the data. These third-party sources vary over time, but have included:
- Data brokers from whom we purchase demographic data.
- Service providers that help us determine a location based upon your IP address.
- Partners with whom we offer co-branded services or engage in joint marketing activities.
- Publicly-available sources such as open government databases or other data in the public domain.
If you are requested by us to provide your personal data, you may of course decline to do so. However, if you do choose not to provide data that is necessary to enable us to provide a service to you (e.g. the enforcement of a writ), we may not be able to deliver that service to you.
The information that we obtain may be dependent upon the nature and context of your enquiry or instruction. The information that we collect can include the following:
Name and contact data. We collect your first and last name, postal address, phone number and e-mail address.
Demographic data. We may on occasion collect data about you such as your profession, country and preferred language.
Payment data. Where it is necessary to process your payment if you make purchases or payments made as directed by a writ or order, sensitive information such as your credit card number and security code are not collected by us: the payment is processed using external secure processing websites operated by our bank and the information is not processed or stored by our systems or personnel.
Contacts and relationships. We may collect such information that you provide us relating to your contacts and business relationships.
Location data. Our on-line services may obtain imprecise location data: e.g. a location derived from your IP address or data, that indicates where you are located with low precision, such as at a city or postcode level.
Content. We may collect the content of any data files and communications that you may send us in the course of an instruction, together with any physical documents that you may give us when these are necessary to provide you with the service you have purchased. Data we collect may include:
- the address, subject line and body of an email,
- text or other content of an instant message,
- audio and video recording of a video message or attachment, and
- audio recording and transcript of a telephone call or voice message you send to us or receive from us.
Video. If you enter our office locations or some enforcement sites, or attend an event organised by us, your image may be captured by our production or body-worn video cameras.
We also collect information that you provide us and the content of messages you send to us (e.g. feedback from our webinar productions), or questions and information you provide for customer support. When you contact us, telephone conversations with our representatives may be monitored and recorded.
What we use the data we collect for:
We use the data that we collect to operate our business and to deliver the services that we provide, to send communications, including marketing promotional materials, and to deliver advertising of our services.
Service delivery. We use information which we collect to provide and to improve the services which we offer and to undertake essential business operations. This includes service delivery and monitoring, maintaining and improving the quality standards, security and performance of our services, developing new services, conducting research and providing focused advice to our clients. Examples of such uses include the following:
Communications. We use information which we collect to communicate with our clients and with their staff, and thus to and personalise our communications. We may contact you by telephone or by e-mail or other means to inform you when a publication or presentation which may be of professional interest is available or to enquire or to advise about a service enquiry that you have made, or to invite you to participate in a survey or to attend a commercial event.
For information about how to manage, edit or to delete contact data which contains your personal information, please use the contact and access section of this privacy statement.
Advertising. We may use personal information contained in e-mail, telephone calls or voicemail, or your documents, or data files to target advertisements to you.
We do not share any data which we collect with third parties. The advertisements that you see on our interactive media may be targeted based upon information stored, such as IP address.
Data retention. For advertising and marketing, we retain data for no longer than 24 months, unless we obtain your consent to retain the data for a longer period.
How to access & control your personal data:
You can submit a request to view, edit or delete any personal data that we hold and which is not retained for the purpose of writ or order enforcement.
You may do so by submitting a request in writing or by using our Contact Us form . We will respond to requests to access or delete your personal data within 30 days.
Your marketing choices
You may opt out of receiving marketing information by using our Contact Us form , or by un-subscribing using the link incorporated into all our e-mail communication.
Because the data used for marketing may also be used for other necessary purposes (for example if you have instructed us to enforce a writ or collect monies owing), in such cases, opting out of marketing does not stop that data from being collected or stored.
- Storing your preferences and settings. Settings that enable our products to operate correctly or that maintain your preferences over time may be stored on your device. For example, if you enter your city or postcode to get information on our website, we may store that data in a cookie so that you will see the relevant local information when you return to the site. We also save preferences, such as language, browser and multimedia player settings, so those do not have to be reset each time you return to the site.
- Sign-in and authentication. When you sign into a website using your account credentials, we store a unique ID number, and the time you signed in, in an encrypted cookie on your device. This cookie allows you to move from page to page within the site without having to sign in again on each page. You can also save your sign-in information so you do not have to sign in each time you return to the site.
- Storing information you provide to a website. When you provide information on our websites, we store the data in a cookie to remember the information you have added.
- Social media. Some of our websites include social media cookies, including those that enable users who are logged in to the social media service to share content via that service.
As there are only a few cookies used on this website, we have listed them all here:
First party cookies
Created by the Content Management System (CMS) to determine if a user is logged into the CMS or not
Duration: End of session
CRAFT_CSRF_TOKEN Created by the Content Management System (CMS) and used as protection against Cross-Site Request Forgery attacks (CSRF), where form submissions can be hijacked.
Duration: End of session
__utma, __utmb, __utmc, __utmz
We use Google Analytics to monitor traffic levels, search queries and visits to this website. Google Analytics stores IP address (anonymously) on its servers in the United States, and neither The Sheriffs Office or Google associate your IP address with any personally identifiable information
A mixture of both persistent and session cookies are used to enable Google to determine whether you are a return visitor to this site and to track the pages that you visit during your session.
In addition to the cookies we set when you visit our websites, third parties may also set cookies when you visit our sites. In some cases, that is because we have hired the third party to provide services on our behalf, such as site analytics. In other cases, it is because our web pages contain content from third parties. Because your browser connects to those third parties’ web servers to retrieve that content, those third parties are able to set or read their own cookies on your device and may collect information about your online activities across websites or online services.
How to control cookies
Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. Most browsers allow you to refuse to accept cookies, however, blocking cookies will have a negative impact upon the usability of some websites.
Certain features of our websites depend upon cookies. Please be aware that if you choose to block cookies, you may not be able to sign in or use those features, and preferences that are dependent on cookies may be lost. If you choose to delete cookies, the settings and preferences controlled by those cookies will be deleted and may need to be recreated.
You can opt out of data collection or use by some of these analytics providers by clicking the following links:
- AppsFlyer: www.appsflyer.com/optout
- Flurry Analytics: https://aim.yahoo.com/aim/us/e...
- Google Analytics: tools.google.com/dlpage/gaoptout (requires you to install a browser add-on)
- Kissmetrics: kissmetrics.com/user-privacy
- Mixpanel: mixpanel.com/optout
- Nielsen: www.nielsen-online.com/corp.js...
- Omniture (Adobe): www.d1.sc.omtrdc.net/optout.ht...
- Visible Measures: www.visiblemeasures.com/viewer...
- WebTrends: ondemand.webtrends.com/support/optout.asp
Changes to this privacy statement
We will update this privacy statement when necessary to reflect customer feedback and changes in our services. When we post changes to this statement, we will revise the "last updated" date at the top of the statement. If there are material changes to the statement or in how we will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how we are protecting your information.
How to contact us
If you have a privacy concern, complaint or a question for the Data Protection Officer, please contact us by using our online Contact Us form. We will respond to questions or concerns within 30 days.
Unless otherwise stated, SHCE Ltd is a data controller for personal data we collect through the products and services subject to this statement. Our address is
SHCE Limited, March 2018