Aegis Financial Planning Ltd processes information as an essential part of its business function. This includes confidential information about businesses and individuals. Information is a valuable asset and business continuity is dependent on its integrity and continued availability. Therefore, these procedures are in place to protect the information under our control from unauthorised use, disclosure or destruction, either accidental or deliberate.
Aegis Financial Planning Ltd will comply with all legislative and regulatory requirements in this respect and this policy and procedure will be monitored and updated as required.
The information within this policy and procedure is important and applies to the entire workforce at Aegis Financial Planning Ltd. Non-compliance may result in disciplinary action.
The primary purpose of data protection legislation is to protect individuals against possible misuse of information held about them by others. It is the policy of Aegis Financial Planning Ltd to ensure that all members of staff are aware of the requirements of data protection legislation and their individual responsibilities in this connection.
The Data Protection Act 1998 is all about personal data which means any information relating to living individuals. This can be as little as a name and address. This personal data may be information held on computer or in structured manual files. The Act also refers to sensitive personal data which means information relating to a person’s racial or ethnic origins; political beliefs; religious or other beliefs; trade union membership; physical or mental health; sexual life; criminal allegations or criminal proceedings or convictions.
Aegis Financial Planning Ltd holds and processes information about its employees, customers, suppliers and other living individuals.
Aegis Financial Planning Ltd's Data Protection Officer Craig Beattie’. All queries about Aegis Financial Planning Ltd policy, procedure and all requests for access to personal data should be addressed to the Data Protection Officer.
Aegis Financial Planning Ltd has an obligation as a Data Controller to notify the Information Commissioner (formerly Data Protection Commissioner) of the purposes for which it processes personal data. Individual data subjects can obtain full details of Aegis Financial Planning Ltd data protection registration/notification no. ZA112816 with the Information Commissioner from the Information Commissioner's website http://www.ico.gov.uk
is obliged to abide by the data protection principles embodied in the Act.
These principles require that personal data shall:
‘Processing’ of data will, in practical terms, mean anything you do with the data, including obtaining the information, accessing it, updating it, printing it, disclosing it etc.. All these things must be done ‘fairly and lawfully’.
To comply with this principle, whenever Aegis Financial Planning Ltd collects information about people, those people should be made aware that it is Aegis Financial Planning Ltd they are giving their information to and be told what Aegis Financial Planning Ltd intends to do with that information if not obvious. People should not be misled about this. This rule applies whether the information is collected on-line, in writing or via the telephone.
Additionally, a condition for processing must be satisfied. See conditions at Appendix 1.
In the case of sensitive personal data, a further condition must also be met. See additional conditions at Appendix 2.
The register entry identifies the purposes for which data are held and processed by Aegis Financial Planning Ltd. If you wish to use data for any additional purpose(s) then you must consult the Data Protection Officer before doing so.
In particular, no member of staff may, without the prior authorisation of the Data Protection Officer:
Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements. Do not process excessive and irrelevant information provided by customers.
Ensure the quality of information used. Errors in recording information can subsequently cause problems for the Council and individuals alike.
Personal data shall be held for no longer than is necessary. In most cases data is held in accordance with the requirements of the Financial Conduct Authority to maintain a suitable audit trail for the safeguarding of the client’s best interest.
The Act provides individuals with rights in connection with the personal data held about them.
The following 8 points explain the client’s rights in greater detail.
The right to be informed encompasses our firm's obligation to provide 'fair processing information', typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.
You have the right to ask us to correct personal information that we hold about you where it is incorrect or incomplete.
You have the right to ask that your personal information be deleted in certain circumstances, subject to there being no other compelling reason to continue processing.
You have the right to suspend the use of your personal data where you believe your data to be incorrect and/or should you believe our firm has no lawful basis for processing your information.
You have the right to obtain your personal information in a structured, commonly used format in order for that information to be passed to a third party of your choice, where it is technically feasible.
You have the right to object to your personal information being used where you believe our firm does not have grounds to process your information.
Safeguards are in place to ensure that you are not at risk when processing your data without human intervention.
Most significantly, it provides the right of access to that data. It also provides the right to seek compensation through the courts for damage and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data.
Any person has the right of access to any personal data Aegis Financial Planning Ltd holds about them, either on computer or in a structured manual file. To exercise this right, they should submit their request in writing to the Data Protection Officer. There is no charge for this request; however, a reasonable fee may be charged if the request is deemed excessive.
Aegis Financial Planning Ltd is obliged to respond to such requests within one month of receipt of the request and any applicable fee. Therefore, it is essential that all members of staff recognise such requests and pass them promptly to the Data Protection Officer for processing.
The Data Protection Officer will record all such requests and ask all departmental heads to search their computer and manual files for data concerning the applicant.
Altering or deleting information after such a request has been made in order to prevent disclosure of the information is a criminal offence. However, this does not prevent changes to the data that would normally occur during the ordinary course of business.
In relation to security, the Data Controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and set out specific considerations for ensuring security.
Aegis Financial Planning Ltd adopts a risk-based approach in assessing and understanding risks, and uses physical, technical and procedural means to achieve appropriate security measures. We take into account technological developments and associated costs to achieve a level of security appropriate to the nature of our information and the harm which may result from its loss or disclosure.
Members of staff will keep confidential information provided to Aegis Financial Planning Ltd to conduct its business and may only disclose it when authorised to do so. Aegis Financial Planning Ltd provides training to staff to enable them to understand and carry out their responsibilities in respect of security.
Members of staff are responsible for ensuring that:
Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult the Data Protection Officer.
Aegis Financial Planning Ltd is responsible for ensuring computer hardware is securely disposed of, in such a way that personal and/or confidential data is impossible to retrieve from it.
Those persons and organisations who process personal data on behalf of Aegis Financial Planning Ltd (but who are not employees of Aegis Financial Planning Ltd) are classed as ‘data processors’ by the Act. There is a legal obligation for Aegis Financial Planning Ltd to have a written contract with them in relation to the security of the data whilst in their custody. Such contracts are arranged, monitored and maintained by the Data Protection Officer, who is also responsible for ensuring the security procedures are inspected.
Aegis Financial Planning Ltd does not currently transfer any data outside the EEA.
A failure to comply with the provisions of the Act may render Aegis Financial Planning Ltd and/or, in certain circumstances, the individuals involved, liable to prosecution. This could also give rise to civil liabilities, enforcement action by the Information Commissioner, and loss of reputation.
In particular, personal data held by Aegis Financial Planning Ltd will not be accessed by any person for any personal reason or for any purpose other than an Aegis Financial Planning Ltd business purpose. Such conduct constitutes a criminal offence.
All staff who record and/or process personal data in any form are encouraged to familiarise themselves with the general aspects of data protection contained in this policy and procedure.
Any breach of this policy may result in disciplinary proceedings.
Appendix 1
Conditions for processing personal data;
(only one of these conditions is required)
Appendix 2
Conditions for processing SENSITIVE personal data
(only one of these conditions is required)