6. Processed fairly and lawfully
‘Processing’ of data will, in practical terms, mean anything you do with the data, including obtaining the information, accessing it, updating it, printing it, disclosing it etc. All these things must be done ‘fairly and lawfully’.
To comply with this principle, whenever Clear IFA Limited collects information about people, those people should be made aware that it is Clear IFA Limited they are giving their information to and be told what Clear IFA Limited intends to do with that information if not obvious. People should not be misled about this. This rule applies whether the information is collected on-line, in writing or via the telephone.
Additionally, a condition for processing must be satisfied. See conditions at Appendix 1.
In the case of sensitive personal data, a further condition must also be met. See additional conditions at Appendix 2.
7. Held only for specified purposes
The register entry identifies the purposes for which data are held and processed by Clear IFA Limited. If you wish to use data for any additional purpose(s) then you must consult the Data Protection Officer before doing so.
In particular, no member of staff may, without the prior authorisation of the Data Protection Officer:
- develop a new computer system for processing personal data;
- use an existing computer system to process personal data for a new purpose;
- create a new manual filing system containing personal data;
- use an existing manual filing system containing personal data for a new purpose.
8. Adequate, relevant and not excessive
Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements. Do not process excessive and irrelevant information provided by customers.
9. Accurate and kept up-to-date
Ensure the quality of information used. Errors in recording information can subsequently cause problems for the Council and individuals alike.
10. Not kept for longer than necessary
Personal data shall be held for no longer than is necessary. In most cases data is held in accordance with the requirements of the Financial Conduct Authority to maintain a suitable audit trail for the safeguarding of the client’s best interest.
11. Processed in accordance with an individual’s rights
The Act provides individuals with rights in connection with the personal data held about them.
The following 8 points explain the client’s rights in greater detail.
11.1 The right to be informed.
The right to be informed encompasses our firm’s obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
11.2 The right of access
You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.
11.3 The right to rectification.
You have the right to ask us to correct personal information that we hold about you where it is incorrect or incomplete.
11.4 The right to erasure
You have the right to ask that your personal information be deleted in certain circumstances subject to there being no other compelling reason to continue processing.
11.5 The right to restrict processing
You have the right to suspend the use of your personal data where you believe your data to be incorrect and/or should you believe our firm has no lawful basis for processing your information.
11.6 The right to data portability
You have the right to obtain your personal information in a structured commonly used format in order for that information to be passed to a third party of your choice, where it is technically feasible.
11.7 The right to object.
You have the right to object to your personal information being used where you believe our firm do not have grounds to process your information.
11.8 Rights to automated decision and profiling.
Safeguards are in place to ensure that you are not at risk when your data is processed without human intervention.
Most significantly, the Act provides the right of access to that data. It also provides the right to seek compensation through the courts for damage and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data.
12. Subject Access Requests
Any person has the right of access to any personal data Clear IFA Limited holds about them either on computer or in a structured manual file. To exercise this right, they should put their request in writing to the Data Protection Officer. There is no charge for this request; however, a ‘reasonable fee’ may be payable should the data requests be deemed excessive.
Clear IFA Limited is obliged to respond to such requests within one month of receipt of the request and the appropriate fee. Therefore, it is essential that such a request is recognised by all members of staff and is passed expeditiously to the Data Protection Officer to deal with.
The Data Protection Officer will record all such requests and ask all departmental heads to search their computer and manual files for data concerning the applicant. Altering or deleting information AFTER such a request has been made AND in order to prevent disclosure of the information is a criminal offence. However, this does not prevent any change to the data which would be made in the normal course of business.
13. Kept secure
In relation to security, the Data Controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data and set out specific considerations for ensuring security.
Clear IFA Limited adopts a risk-based approach in assessing and understanding the risks, and uses physical, technical and procedural means to achieve appropriate security measures. We take into account technological developments and associated costs to achieve a level of security appropriate to the nature of our information and the harm which may result from its loss or disclosure.
Members of staff will keep confidential that information which is provided to Clear IFA Limited to conduct its business and may only disclose it when authorised to do so. Clear IFA Limited provides training to staff to enable them to understand and carry out their responsibilities in respect of security. Members of staff are responsible for ensuring that:
- all personal data is kept securely by using, preserving and not sharing, secure passwords, logging off when not at one’s workstation, locking data in filing cabinets or drawers, ensuring desks are clear when leaving the office and locking doors.
- data are not removed from the office on any laptop or disk or memory stick which is not encrypted.
- all documents containing personal data or other confidential information are shredded when no longer needed.
- personal data is not disclosed orally, in writing or by any other means to any unauthorised third party, and that every reasonable effort will be made to ensure that data is not disclosed accidentally.
Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult the Data Protection Officer.
Clear IFA Limited is responsible for ensuring computer hardware is securely disposed of, in such a way that personal and/or confidential data is impossible to retrieve from it.
Those persons and organisations who process personal data on behalf of Clear IFA Limited (but who are not employees of Clear IFA Limited) are classed as ‘data processors’ by the Act. There is a legal obligation for Clear IFA Limited to have a written contract with them in relation to the security of the data whilst in their custody. Such contracts are arranged, monitored and maintained by the Data Protection Officer, who is also responsible for ensuring the security procedures are inspected.
14. Not transferred outside the European Economic Area
Clear IFA Limited does not currently transfer any data outside the EEA.
15. Responsibilities of individual members of staff
A failure to comply with the provisions of the Act may render Clear IFA Limited, and/or in certain circumstances, the individuals involved, liable to prosecution. This could also give rise to civil liabilities, enforcement action by the Information Commissioner and loss of reputation.
In particular, personal data held by Clear IFA Limited will not be accessed, by any person, for any personal reason or for other than a Clear IFA Limited business purpose. Such conduct constitutes a criminal offence.
All staff who record and/or process personal data in any form are encouraged to familiarise themselves with the general aspects of data protection contained in this policy and procedure.
Any breach of this policy may result in disciplinary proceedings.