Statement and purpose of policy
(abridged, full version is available on request)
- Fundpath Limited (the Company) is committed to ensuring that all data handled by us will be processed according to legally compliant standards of data protection and data security. This policy sits alongside our IT and Security policies and our Staff Handbook.
- We confirm for the purposes of the Data Protection Laws, that the Company is a ‘data controller.’ This means that we determine the purposes for which, and the manner in which, data is processed.
- This policy sets out how we comply with our data protection obligations and seek to protect Personal Data relating to our workforce, and to ensure that staff understand and comply with the rules governing the collection, use and deletion of Personal Data to which they may have access in the course of their work.
- The purpose of this policy is to help us achieve data protection and data security compliance by:
- setting out the data protection principles with which you must comply;
- setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards;
- clarifying the rights and responsibilities and duties of staff in respect of data protection and data security; and
- setting out, at high level, the way in which we use our employee personal data and where you can find more information in relation to staff data processing.
- This is a statement of policy only. We may amend this policy at any time, in our absolute discretion.
- For the purposes of this policy:
- Data Protection Lawsmeans all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the Data Protection Act 2018 and the UK General Data Protection Regulation.
- Subjectmeans the individual to whom the personal data relates.
- Personal Data or the Datameans any information that relates to a living individual who can be identified from that information.
- Processingmeans any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
- Special Category of Datameans information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data. Special Category Data is given special protection under the Data Protection Laws.
Data protection principles
- Staff must comply with this policy and with the following data protection principles which require that Personal Data is:
- processed lawfully, fairly and in a transparent manner.We must always have a lawful basis to process personal data, as set out in the Data Protection Laws. These lawful bases are: (a) consent (b) the performance of a contract (c) to comply with a legal obligation (d) protecting vital interests (e) public task and (f) legitimate interests. In relation to Special Category Data processing, further consideration is required under Data Protection Laws, e.g. it must be necessary for the performance of the employment contract, to comply with the Company’s legal obligations or for the purposes of the Company’s legitimate interests. We should always document our lawful basis for processing. Please speak to the DPO for more information on Special Category Data processing before undertaking such processing activities;
- collected only for specified, explicit and legitimate purposes.Personal data must not be collected for one purpose and then used for another;
- processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing.We will only collect personal data to the extent required for the specific purpose;
- accurate, and the Company takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay.Checks to personal data will be made when collected and regular checks must be made afterwards. We will rectify or erase inaccurate information, taking a reasonable and proportionate approach;
- kept only for the period necessary for processing.Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Officer, or request a copy of our data retention policy;
- processed with integrity and confidentiality in mind, ensuring that secure, and appropriate measures are adopted by the Company to ensure as such; and
- protected by the organisation who is fully accountable for any processing taking place.
- We keep an internal ‘Record of Processing’ which sets out the information which is required under the Data Protection Laws. Please contact the Data Protection Officer for further details.
Who is responsible for data protection and data security?
- Maintaining appropriate standards of data protection and data security is a collective task shared by all members of the Company. This policy and the rules contained in it apply to all staff of the Company, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers (Staff).
- Questions about this policy, or requests for further information, should be directed to theChief Data Protection Officer.
- All Staff have a responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. TheChief Data Protection Officer must be notified if this policy has not been followed, or if it is suspected this policy has not been followed immediately.
- Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
Data gathering, storage and procedures
- The Company regularly collects, collates and stores two types of customer and app user data (the Personal Data) on industry people (the Subjects):
- Publicly available data (Public Data). This includes, but is not limited to sources such as LinkedIn, Company websites, media publications, government websites, statutory bodies, business social media, etc.
- Privately held data (Private Data). This includes any information provided directly to the Company by an individual or Company in response to a request by the Company itself.
- For Public Data, the Company will only collect, collate and store information that relates to a Subject’s participation in the industry the Company has a legitimate interest in: i.e. wealth and asset management. The Company has a legitimate business purpose in collecting this type of Public Data which relates to a Subject’s business contact details only from publicly available sources. This is a lawful basis for processing under the Data Protection Laws. For example, if the Subject works for ABC Wealth Management, but also has a publicly published interest in woodworking, the Company shall only process the information related to the Subject’s role at ABC Wealth Management and will ignore their woodworking hobby. Any information deemed personal and irrelevant to their role at ABC Wealth Management shall be deliberately excluded.
- The Personal Data is managed in an identical format, with security in mind. All data is held in password protected databases and stored within secure cloud computer servers located in the UK. Any redundant data is stored for a maximum of twelve (12) months and then deleted, in line with our retention schedule.
- If the Personal Data is to be transmitted from a Company staff member to another person, whether internal or external to the Company, for legitimate processing, we must have a lawful basis to process that Data, the Data must be password protected and the password to that Data must be transmitted by separate means.
- In the event the Data is transmitted to an external third party for legitimate processing, that company, organisation or individual, shall be made, by contract, party to these policies, principles and procedures and we must have a written processing agreement in place which meets the requirements of Data Protection Laws before the data may be transmitted.
- All Staff are obliged, as part of their employment contract, to maintain the Personal Data to the highest possible level of security and integrity and are subject to appropriate sanctions for data protection breaches.
- The Company must make a required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible within 72 hours of becoming aware of it, and notify the affected data subjects if it is likely to result in a risk to the rights and freedoms of individuals. You must immediately notify the Company’s DPO (contact details above) if there has been a data breach, whether you think it is reportable or not;
- If Staff have access to Personal Data, they must:
- only access the Personal Data that they have authority to access, and only for authorised purposes;
- only allow other Company staff to access Personal Data if they have appropriate authorisation;
- only allow individuals who are not Company staff to access Personal Data if they have specific authority to do so;
- keep Personal Data secure (e.g. by complying with rules on access to premises, computer access, password protection and secure file storage and destruction and other precautions as notified by the Company from time to time;
- not remove Personal Data or devices containing Personal Data (or which can be used to access it), from the Company’s premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the information and the device;
- not store Personal Data on local drives or on personal devices; and
- make sure safeguards are in place where data is transferred outside of the European Economic Area (EEA).
- All Staff are required to familiarise themselves with this policy and procedure document, which may be amended from time to time;
- The Company will ensure that staff are adequately trained regarding their data protection responsibilities. Individuals whose roles require regular access to Personal Data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.