Otter Financial Services processes information as an essential part of its business function. This includes confidential information about businesses and individuals. Information is a valuable asset and business continuity is dependent on its integrity and continued availability. Therefore, these procedures are in place to protect the information under our control from unauthorised use, disclosure or destruction, either accidental or deliberate.
Otter Financial Services will comply with all legislative and regulatory requirements in this respect and this policy and procedure will be monitored and updated as required.
The information within this policy and procedure is important and applies to the entire workforce at Otter Financial Services. Non-compliance may result in disciplinary action.
The primary purpose of data protection legislation is to protect individuals against possible misuse of information held about them by others. It is the policy of Otter Financial Services to ensure that all members of staff are aware of the requirements of data protection legislation and their individual responsibilities in this connection.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995 and the UK Data Protection Act 1998.
The GDPR was adopted on 27th April 2016 and becomes enforceable from 25th May 2018 after a two-year transition period.
The Data Protection Act 1998 is all about personal data which means any information relating to living individuals. This can be as little as a name and address. This personal data may be information held on computer or in structured manual files. The Act also refers to sensitive personal data which means information relating to a person’s racial or ethnic origins; political beliefs; religious or other beliefs; trade union membership; physical or mental health; sexual life; criminal allegations or criminal proceedings or convictions.
Otter Financial Services holds and processes information about its employees, customers, suppliers and other living individuals.
3. Data Protection Officer
Otter Financial Services Data Protection Officer is Damien Clyburn. All queries about Otter Financial Services policy, procedure and all requests for access to personal data should be addressed to the Data Protection Officer.
4. Notification to the Information Commissioner
Otter Financial Services has an obligation as a Data Controller to notify the Information Commissioner (formerly Data Protection Commissioner) of the purposes for which it processes personal data. Individual data subjects can obtain full details of Otter Financial Services data protection registration/notification no: Z5646918 with the Information Commissioner from the Information Commissioner’s website http://www.ico.gov.uk
5. Legal obligations
Otter Financial Services is obliged to abide by the data protection principles embodied in the Act.
These principles require that personal data shall:
- be processed fairly and lawfully;
- be held only for specified purposes and not used or disclosed in any way incompatible with those purposes;
- be adequate, relevant and not excessive;
- be accurate and kept up-to-date;
- not be kept for longer than necessary for the particular purpose;
- be processed in accordance with data subject’s rights;
- be kept secure;
- not be transferred outside the European Economic Area unless the recipient country ensures an adequate level of protection.
6. Processed fairly and lawfully
‘Processing’ of data will, in practical terms, mean anything you do with the data, including obtaining the information, accessing it, updating it, printing it, disclosing it, etc. All these things must be done ‘fairly and lawfully’.
To comply with this principle, whenever Otter Financial Services collects information about people, those people should be made aware that it is Otter Financial Services they are giving their information to and be told what Otter Financial Services intends to do with that information if not obvious. People should not be misled about this. This rule applies whether the information is collected on-line, in writing or via the telephone.
Additionally, a condition for processing must be satisfied. See conditions at Appendix 1.
In the case of sensitive personal data, a further condition must also be met. See additional conditions at Appendix 2.
7. Held only for specified purposes
The register entry identifies the purposes for which data are held and processed by Otter Financial Services. If you wish to use data for any additional purpose(s) then you must consult the Data Protection Officer before doing so.
In particular, no member of staff may, without the prior authorisation of the Data Protection Officer:
- develop a new computer system for processing personal data;
- use an existing computer system to process personal data for a new purpose;
- create a new manual filing system containing personal data;
- use an existing manual filing system containing personal data for a new purpose.
8. Adequate, relevant and not excessive
Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements. Do not process excessive and irrelevant information provided by customers.
9. Accurate and kept up-to-date
Ensure the quality of information used. Errors in recording information can subsequently cause problems for the Council and individuals alike.
10. Not kept for longer than necessary
Personal data shall be held for no longer than is necessary. In most cases data is held in accordance with the requirements of the Financial Conduct Authority to maintain a suitable audit trail for the safeguarding of the client’s best interest.
11. Processed in accordance with an individual’s rights
The Act provides individuals with rights in connection with the personal data held about them.
The following 8 points explain the client’s rights in greater detail.
11.1 The right to be informed.
The right to be informed encompasses our firm’s obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
11.2 The right of access
You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.
11.3 The right to rectification.
You have the right to ask us to correct personal information that we hold about you where it is incorrect or incomplete.
11.4 The right to erasure
You have the right to ask that your personal information be deleted in certain circumstances subject to there being no other compelling reason to continue processing.
11.5 The right to restrict processing
You have the right to suspend the use of your personal data where you believe your data to be incorrect and/or should you believe our firm has no lawful basis for processing your information.
11.6 The right to data portability
You have the right to obtain your personal information in a structured commonly used format in order for that information to be passed to a third party of your choice, where it is technically feasible.
11.7 The right to object.
You have the right to object to your personal information being used where you believe our firm do not have grounds to process your information.
11.8 Rights to automated decision and profiling.
Safeguards are in place to ensure that you are not put at risk when your data is processed without human intervention.
Most significantly, the Act provides the right of access to that data. It also provides the right to seek compensation through the courts for damage and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data.
12. Subject Access Requests
Any person has the right of access to any personal data Otter Financial Services hold about them, either on computer or in a structured manual file. To exercise this right, they should put their request in writing to the Data Protection Officer. There is no charge for this request; however, a ‘reasonable fee’ may be payable should the request be deemed excessive.
Otter Financial Services is obliged to respond to such requests within one month of receipt of the request and the appropriate fee. Therefore, it is essential that such a request is recognised by all members of staff and is passed expeditiously to the Data Protection Officer to deal with.
The Data Protection Officer will record all such requests and ask all departmental heads to search their computer and manual files for data concerning the applicant.
Altering or deleting information AFTER such a request has been made AND in order to prevent disclosure of the information is a criminal offence. However, this does not prevent any change to the data which would be made in the normal course of business.
13. Kept secure
In relation to security, the Data Controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data and set out specific considerations for ensuring security.
Otter Financial Services adopts a risk based approach in assessing and understanding the risks, and uses physical, technical and procedural means to achieve appropriate security measures. We take into account technological developments and associated costs to achieve a level of security appropriate to the nature of our information and the harm which may result from its loss or disclosure.
Members of staff will keep confidential that information which is provided to Otter Financial Services to conduct its business and may only disclose it when authorised to do so. Otter Financial Services provides training to staff to enable them to understand and carry out their responsibilities in respect of security.
Members of staff are responsible for ensuring that:
- all personal data is kept securely by using, preserving and not sharing secure passwords, logging off when away from one’s workstation, locking data in filing cabinets or drawers, ensuring desks are clear when leaving the office and locking doors;
- data are not removed from the office on any laptop, disk or memory stick which is not encrypted;
- all documents containing personal data or other confidential information are shredded when no longer needed;
- personal data is not disclosed orally, in writing or by any other means to any unauthorised third party, and that every reasonable effort is made to ensure that data is not disclosed accidentally.
Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult the Data Protection Officer.
Otter Financial Services is responsible for ensuring computer hardware is securely disposed of, in such a way that personal and/or confidential data is impossible to retrieve from it.
Those persons and organisations who process personal data on behalf of Otter Financial Services (but who are not employees of Otter Financial Services) are classed as ‘data processors’ by the Act. There is a legal obligation for Otter Financial Services to have a written contract with them in relation to the security of the data whilst in their custody. Such contracts are arranged, monitored and maintained by the Data Protection Officer, who is also responsible for ensuring the security procedures are inspected.
14. Not transferred outside the European Economic Area
Otter Financial Services does not currently transfer any data outside the EEA.
15. Responsibilities of individual members of staff
A failure to comply with the provisions of the Act may render Otter Financial Services, and/or in certain circumstances, the individuals involved, liable to prosecution. This could also give rise to civil liabilities, enforcement action by the Information Commissioner and loss of reputation.
In particular, personal data held by Otter Financial Services will not be accessed, by any person, for any personal reason or for any purpose other than Otter Financial Services business. Such conduct constitutes a criminal offence.
All staff who record and/or process personal data in any form are encouraged to familiarise themselves with the general aspects of data protection contained in this policy and procedure.
Any breach of this policy may result in disciplinary proceedings.
Appendix 1: Conditions for processing personal data
(only one of these conditions is required)
1. The data subject has given his consent to the processing.
2. The processing is necessary:
a) for the performance of a contract to which the data subject is a party, or
b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary:
a) for the administration of justice,
b) for the exercise of any functions conferred on any person by or under any enactment,
c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6. The processing is necessary for the purposes of ‘legitimate interests’ pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Appendix 2: Conditions for processing SENSITIVE personal data
(only one of these conditions is required)
1. The data subject has given his explicit consent to the processing of the personal data.
2. a) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
b) The Secretary of State may by order:
i. exclude the application of sub-paragraph (1) in such cases as may be specified, or
ii. provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
3. The processing is necessary:
a) in order to protect the vital interests of the data subject or another person, in a case where:
i. consent cannot be given by or on behalf of the data subject, or
ii. the data controller cannot reasonably be expected to obtain the consent of the data subject, or
b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
4. The processing:
a) is carried out in the course of its legitimate activities by any body or association which:
i. is not established or conducted for profit, and
ii. exists for political, philosophical, religious or trade-union purposes,
b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,
c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and
d) does not involve disclosure of the personal data to a third party without the consent of the data subject.
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6. The processing:
a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
b) is necessary for the purpose of obtaining legal advice, or
c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
7.1. The processing is necessary:
a) for the administration of justice,
b) for the exercise of any functions conferred on any person by or under an enactment, or
c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
7.2. The Secretary of State may by order:
a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
8.1. The processing is necessary for medical purposes and is undertaken by:
a) a health professional, or
b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
8.2. In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
9.1. The processing:
a) is of sensitive personal data consisting of information as to racial or ethnic origin,
b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.
9.2. The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.
10. The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.