On 25 May 2018 the Data Protection Act – part of UK law since 1998 – was replaced by the General Data Protection Regulation (GDPR).
The GDPR comes direct from the European Union (EU) and applies to all EU member states, including the UK which remains part of the EU until March 2019. The British Government has confirmed its intention to pass a new Data Protection Bill which will enshrine the requirements of GDPR in UK law for when the country is no longer an EU member state.
The driving force behind GDPR is to increase the standard of data protection practised by firms who handle personal information. The definition of ‘personal data’ covers everything about an identifiable living person, ranging from their name and address to their marital status and political opinions. In today’s technology-dominated, data-driven world, this sort of information is more abundant than ever and accordingly individuals are more vulnerable to having their personal details and confidential information stolen, misused or exploited in ways they are not aware of or do not approve of. With GDPR, the intention is to make firms demonstrate a clear justification for obtaining personal data and for how they use it, and to ensure that the protection of personal data is made a top priority and is placed at the very heart of how they operate. At the same time, the regulations give individuals more power and control over how their personal data is used by increasing the need for transparency and by handing individuals more rights which firms must respect by law.
IPM and Data Protection
IPM’s data protection policy is rooted in the following principles:
- Personal data must be processed lawfully, fairly and transparently;
- Data subjects (the individuals to whom personal data relates) have a fundamental right to privacy, meaning that they are entitled to know how their personal data is being used and be in control of how it is used;
- Only personal data which is necessary to achieve a specific and legitimate purpose may be processed – any data which is not relevant must be erased, and any processing which takes place for a purpose which has not been specified in advance and is not justifiable by law is a data protection breach and is not lawful;
- Internal policies, procedures, systems and controls, both when dealing with personal data in ‘hard’ paper form and ‘soft’ electronic form, are essential to ensure robust data protection in practice, with the company’s employees being the first line of defence when it comes to data security.
On this basis, IPM only obtains personal data about our clients which allows us to provide the necessary services of a pension scheme trustee and administrator. These include identifying the client, verifying that client instructions on investments and pension withdrawals are genuine, and communicating information about their SIPP to the client. At the outset of their relationship with IPM, clients are provided with a privacy notice which outlines the sort of personal data we will need, the reasons why we need this data and how we will process it. At that point we will also explain the client’s rights as a data subject under the data protection regulations, which include their right to access the personal data we have about them. This is to ensure full transparency and to empower the client in relation to how their personal information is used.
IPM is of course obliged to act in accordance with all laws at all times. Those laws also compel us to obtain personal data about our clients, most notably the anti-money laundering regulations which require us to carry out due diligence on all clients. On top of that are the reporting requirements of HM Revenue & Customs and the Financial Conduct Authority, and in the event of a criminal investigation it is our duty to co-operate fully with law enforcement agencies. Otherwise, we will only share personal data with authorised parties, such as a client’s designated financial advisor, and with third parties such as banks, investment houses and other financial institutions in the course of executing a client’s instructions.
IPM stores personal data on paper and electronically. All paper files are held securely on site in our office, as are the servers where electronic data is stored. Electronic data is also held on external servers operated by our IT partner, who is responsible for the running and maintenance of our computer systems. Data which is input into the IPM website is also held on an external server owned by the website host. These third party data processors have an agreement in place with IPM which sets out the services we have contracted them to provide and contains assurances that any personal data they process on our behalf is used in a way which is lawful and which aligns with the purposes for which the personal data was originally obtained by IPM.
When a client has transferred their pension away from IPM or otherwise terminated their relationship with us, it is unlawful for us to retain their personal data indefinitely without any legitimate reason for doing so. Our policy is to keep a copy of their file (paper and electronic) for a period of up to 10 years after the date they ceased to be a client of IPM. We believe this to be a reasonable retention period as it will enable us to assist with any enquiries from the client, or from others with whom we are obliged to co-operate such as law enforcement agencies, about their arrangement with us during their time as an IPM client. Furthermore, as a client can make a complaint against IPM after their relationship with us has finished, it is important that we can access their file and the personal data therein in order to investigate the grievance and respond. During the retention period access to the personal data will be restricted so that it can only be looked at if circumstances do arise which call for it to be retrieved.
Reviews of our data protection policies and procedures are held annually to ensure that they remain appropriate to minimise the risks which the company faces. On an ongoing basis, any data protection breaches or apparent weaknesses in our systems and controls which could bring about a potential breach are analysed immediately and suitable measures implemented in response. This process is led by our Data Protection Officer David Sutcliffe, who is also the managing director of IPM – an indication of how seriously data protection is taken at senior management level and how our culture of privacy and data protection starts at the very top of the company. All members of staff have been put through a comprehensive programme of training so that they understand the data protection regulations, how those regulations impact upon IPM and what is expected of them as they use clients’ personal information to provide a service on a day-to-day basis. This training is refreshed on an annual basis.
If you have any queries about how IPM approaches data protection and our data security practices, please contact us using the details provided on the website. You can also download a copy of our Privacy Notice here.