DATA PROTECTION POLICY
INTRODUCTION
Insignia Financial Ltd (“the Firm”) needs to gather and use certain information about individuals. These can include clients, business contacts, employees and other people the Firm has a relationship with or may need to contact. As such the Firm is a ‘data controller’ and its employees are ‘data processors’.
This policy describes how this personal data must be collected, handled and stored to meet the Firm’s data protection standards and to comply with the Irish Data Protection Acts 1988 to 2018 (the “Acts”) and the General Data Protection Regulation (“GDPR”).
WHY THIS POLICY EXISTS
This data protection policy ensures that the Firm:
- complies with data protection law and follows good practice
- protects the rights of clients and staff
- is open about how it stores and processes individuals’ data
- protects itself from the risks of a data breach
DATA PROTECTION LAW
The GDPR describes how firms including the Firm must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The GDPR is underpinned by six fundamental principles. These say that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- accurate and kept up-to-date; every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
PROCESSING PRINCIPLES
Data processing under the GDPR will be lawful only if it satisfies one of the defined legal bases.
The legal bases for lawful processing are:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. This does not apply to processing by public authorities.
DATA SUBJECT CONSENT
Where data processing is based on consent, the controller must be able to show that consent was given by the data subject. If a data subject’s consent is given as part of a written document, the request for consent must be presented clearly and separately from any other matters, using plain language. Any part of such a document that conflicts with the GDPR will not be enforceable.
A data subject will have the right to withdraw their consent at any time. Before giving consent, the data subject must be informed of their right to withdraw their consent and it must be as easy to withdraw consent as to give it.
Under the GDPR, a data subject must be at least 16 years old to give valid consent. If the data subject is younger than 16, the consent of a guardian will need to be given.
PEOPLE, RISKS AND RESPONSIBILITIES
Policy scope
This policy applies to all members of staff. It applies to all data that the Firm holds relating to identifiable individuals. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- ID and proof of address documentation
- Plus any other information relating to individuals
Data protection risks
This policy helps to protect the Firm from some very real data security risks including:
- Breaches of confidentiality: For example, information being given out inappropriately.
- Failing to offer choice: For instance, all individuals should be free to choose how the Firm uses data relating to them.
- Reputational damage: The Firm could suffer if hackers successfully gained access to sensitive data.
Responsibilities
Everyone who works for or with the Firm has some responsibility for ensuring data is collected, stored and handled appropriately. Each member of staff that handles personal data must ensure that it is handled and processed in line with this policy and data protection rules.
The directors of the Firm are ultimately responsible for ensuring that the Firm meets its legal obligations.
As managing director and data protection officer, Peter Murphy is responsible for:
- Keeping the directors updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule (at least annually).
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data the Firm holds about them (also called ‘subject access requests’; see below).
- Checking and approving any contracts or agreements with third parties that may handle the Firm’s sensitive data.
As managing director, Peter Murphy is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third party services the Firm is considering using to store or process data. For instance, cloud computing services.
GENERAL STAFF GUIDELINES
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees should request it from Peter Murphy.
- The Firm will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the Firm or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Employees should request guidance from Peter Murphy if they are unsure about any aspect of data protection.
DATA STORAGE
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to Peter Murphy as data protection officer. When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers.
- Data is backed up daily via the Firm’s cloud provider.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All computers containing data are protected by anti-virus software which should always be on and up-to-date. The Firm uses Avast which is updated regularly and automatically via the net.
DATA USE
When personal data is accessed and used it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Personal data should never be transferred outside of the European Economic Area.
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
DATA ACCURACY
The law requires the Firm to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- The Firm will make it easy for data subjects to update the information that it holds about them by notifying Peter Murphy.
- Data should be updated as inaccuracies are discovered. For example, if a client can no longer be reached on their stored telephone number, it should be removed from the database.
DATA RETENTION
The Firm must be clear about the length of time for which personal data will be kept and the reasons why the information is being retained. In determining appropriate retention periods, regard will be had for any statutory obligations imposed on the Firm. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data will be deleted or disposed of in a secure manner.
The Consumer Protection Code, to which the Firm is subject, requires that the Firm must:
- retain details of individual transactions for six years after the date on which the particular transaction is discontinued or completed.
- retain all other records for six years from the date on which the Firm ceased to provide any product or service to the consumer.
- maintain complete and readily accessible records; however, the Firm is not required to keep records in a single location.
The Firm is also subject to the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. This Act requires that customer due diligence records are maintained for five years after the end of the relevant business relationship. It is also recommended that firms store information relating to both internal and external reports made under this act for at least the same period.
SUBJECT ACCESS REQUESTS
All individuals who are the subject of personal data held by the Firm are entitled to:
- ask what information the Firm holds about them and why.
- ask how to gain access to it.
- be informed how to keep it up to date.
- be informed how the Firm is meeting its data protection obligations.
If an individual contacts the Firm requesting this information, this is called a ‘subject access request’. Subject access requests from individuals should be made by email, addressed to Peter Murphy at peter@insigniafinancial.ie. They will be supplied with a standard request form (see copy attached).
Individuals will not be charged for a subject access request. The Firm will aim to provide the relevant data within one month of receiving the request. The identity of anyone making a subject access request must always be verified before handing over any information.
DISCLOSING DATA FOR OTHER REASONS
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, the Firm will disclose requested data. However, the data protection officer will ensure the request is legitimate, seeking legal advice where necessary.
PROVIDING INFORMATION
The Firm aims to ensure that individuals are aware that their data is being processed, and that they understand:
- how that data is being used
- how to exercise their rights
To these ends, the Firm has a privacy statement, setting out how data relating to individuals is used by the Firm (see copy attached).
REPORTING DATA BREACHES
The GDPR provides that in the event of a personal data breach, the data controller must notify the Data Protection Commission (“DPC”) without delay after becoming aware of the data breach and, where feasible, not later than 72 hours after becoming aware of it. Where notification is not made within 72 hours, the data controller must give reasons for the delay.
Notification to the DPC is not required where the data breach is unlikely to result in a “risk to the rights and freedoms of natural persons”.
Contents of notifications to data protection authorities
Personal data breach notifications to the DPC must include at a minimum the following:
- a description of the breach including where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the data breach;
- a description of the measures taken or that will be taken to address the data breach, including where appropriate measures to mitigate its possible adverse effects.
Where it is not possible to provide the information above at the same time, it may be provided in phases but without further undue delay.
Notifications to individuals
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Firm will inform the affected individual(s) without undue delay. This communication will be in clear and plain language and at a minimum provide details of a contact point within the organisation, a description of the likely consequences of the breach and the measures taken or that will be taken to address the data breach, including where appropriate measures to mitigate its possible adverse effects.
The Firm will not be required to inform the individual(s) concerned where:
(a) it has implemented appropriate technical and organisational measures which were applied to the personal data affected by the data breach (e.g. encryption); or
(b) measures taken by the Firm following the breach ensure that the high risk to the rights and freedoms of the individual(s) affected is no longer likely to materialise; or
(c) notifying the individual(s) concerned would involve a disproportionate effort. However, in such cases there must instead be a public communication or other similar measure to inform individual(s) in an equally effective manner.
Employees are required to notify Peter Murphy without undue delay after becoming aware of a data breach.
To enable the DPC to verify compliance with the GDPR, the Firm is required to document all personal data breaches, including all of the facts relating to the breach, its effects and remedial action taken.
The Data Protection Commission can be contacted as follows:
Telephone: +353 578 684 800 | LoCall: +353 761 104 800
Website: www.dataprotection.ie
Postal Address: 21 Fitzwilliam Square South, Dublin 2 D02 RD28, Ireland
Offices:
- Dublin Office: 21 Fitzwilliam Square South, Dublin 2 D02 RD28
- Portarlington Office: Canal House, Station Road, Portarlington, R32 AP23, Co. Laois