DATA PROTECTION AND DATA SECURITY POLICY
Our regulated activity involves the collection of personal data but does not involve the collection of sensitive personal data.
We have a contact form on our website on which we ask the customer for the following information:
• Full Name
• Email Address
• Telephone Number
• How much debt the customer owes
• How many creditors the customer is indebted to
• The customer’s monthly income
Once we have this information we will contact the customer to determine their eligibility and suitability. This will require us to obtain the customer’s income and expenditure information to determine their monthly disposable income.
We only store and process data in accordance with the data protection principles contained in the Data Protection Act 1998.
We have not identified any aspect of our products and services which breaches, or is likely to breach, the requirements of the Data Protection Act 1998.
Data is retained in connection with our services for a period of six years in the case of Customers and three months in the case of data subjects who have engaged with us but have not become Customers.
The Information Commissioner enforces the Data Protection Act 1998 which gives individuals the right to know what information is held about them, and provides the framework to ensure that personal information is handled correctly.
Our legal responsibilities under the Act are:
1. To notify the Information Commissioner we are processing information.
2. To process the personal information in accordance with the eight principles of the Act.
3. To answer subject access requests received from individuals.
Our Directors are responsible for overseeing Data Protection. Their responsibilities include:
1. Ensuring that the Information Commissioner is notified and that the notification is kept up to date. Renewal of the Firm’s registration incurs an annual fee (no VAT is charged), payable to the Information Commissioner’s Office;
2. Ensuring that the people whose information we hold know that we have it, and that they are likely to understand what it will be used for;
3. Ensuring that there are sufficient safety measures in place to protect personal information under the Data Protection Act 1998 which are appropriate for the different records held whether they are on paper or digitally;
4. Ensuring that access to personal information is limited to those on a strictly need-to-know basis;
5. Ensuring that personal information is accurate and up to date;
6. Ensuring that personal information is deleted or destroyed as soon as there is no further need for it;
7. Ensuring that all employees are trained in their duties and responsibilities under the Data Protection Act, and assessing whether they are putting these into practice;
8. Ensuring that all personnel are made aware that Exemption 29 under the Data Protection Act can be applied if the police need some information for the prevention and detection of crime or for the apprehension or prosecution of offenders. This exemption cannot be used by the police as a ‘fishing exercise’: the police cannot ask for all records in the hope of catching offenders. The request must be specific and there must be a need for this information. If we are satisfied of this, we can disclose the information;
9. Ensuring that, if we have a legitimate reason for recording people who call (e.g. for staff training purposes), they are made aware of this;
10. Being aware that the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records;
11. Being aware that should an individual or organisation feel they’re being denied access to personal information they’re entitled to, or feel their information has not been handled according to the eight principles, they can ask the Information Commissioner to help;
12. Ascertaining what information needs to be given, if a subject access request is made. We have forty calendar days to respond to the request and we may request a fee of up to £10;
13. Ensuring that third party information is removed from computer records before being disclosed;
14. Ensuring that manual records which are contained within a ‘relevant filing system’ are disclosed on request. The files which form part of the relevant filing system are structured or referenced in such a way that information about the applicant can be easily located. Where manual files fall within the definition of a relevant filing system, the content will either be sub-divided, which allows the searcher to go straight to the correct category and retrieve the information requested without a manual search, or will be indexed to allow the searcher to go directly to the relevant page(s);
15. Ensuring that they have read the Data Security Factsheet published by the FCA in August 2011 and act upon anything considered relevant according to the size and complexity of the Firm; and
16. Drawing up a Data Security Policy based on the above which is specific to us, and ensuring that senior management communicate this to everyone within our company.
Everyone within the Firm who processes personal information must comply with the eight principles, which make sure that personal information is:
1. Fairly and lawfully processed.
2. Processed for limited purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept for longer than is necessary.
6. Processed in line with your rights.
7. Secure.
8. Not transferred to other countries without adequate protection.
Those who process personal information must also:
• Inform the person within our Firm who is responsible for Data Protection if a subject access request is made by an individual using their right under the Data Protection Act.
• Ensure that customers are given Customer Documentation which outlines what and how their information is going to be processed. This is to make sure the individual knows exactly what is going to happen to their information and how it is going to be used.
• Not do anything with personal information unless the individual is made aware.
• If a person enquires about, or wishes to make changes to, another customer’s agreement, you must ask them to have the customer send written authorisation showing that they may act on the customer’s behalf.
• Ensure that compliance activities are regularly reviewed to ensure adequate resource and support are being given to these activities.
Senior Management will ensure that the Firm’s records can be made available for FCA inspection. Where records are stored electronically, they must be reproducible unchanged from their original content, stored so that they cannot be accidentally deleted, and regularly backed up. Staff should adhere to the policy that documents which contain sensitive data are destroyed appropriately.

| Record | Retention period |
|---|---|
| Accounts Records | Three years from the end of the accounting period. |
| Financial Records | In line with Inland Revenue requirements, we retain financial records including bank statements for six years. |
| Complaints | Three years from the date of receipt. |
| Management Structure | Six years from the date of any change. |
| Training Records | Three years from the date employment ceased. |
All records, particularly confidential records, are securely retained by us. Measures include:
• Keeping all paper records locked in secure cabinets at the end of the business day.
• Encrypting all digital records.
• Confidential e-mails including customer details to be sent by secure methods and encrypted.
• Maintaining a ‘clear-desk’ policy.
• Company computers to be password-protected.
• Confidential records to be stored on drives with limited access to authorised staff only.
On a regular basis, management will confirm that we maintain appropriate protection of data. Periodically, checks will be made confirming that data is retained securely, that cabinets are locked and that computers are shut down (or secured) after close of the business day. We will maintain a ‘clear-desk’ policy and ensure that correct encryption procedures are followed.
We will maintain a record of all subject access requests and ensure we follow all appropriate data protection regulations.
Only authorised staff will be allowed access to data and we will maintain records of access authorities. On an annual basis we will conduct an audit of retained data to ascertain whether any is due for destruction.