Fairweather Insurance – Privacy & Data Protection Policy
In order to operate our business activities, Fairweather Insurance Service Limited (hereafter referred to as the Company or We), whose Registered Office is Chalfont Hall, Gravel Hill, Chalfont St Peter, Buckinghamshire, SL9 0NP, need to collect and process information about our Staff (these are people who have work for us in the past, currently work for the Company and future employees), our Clients (any person, business or organisation with an insurance product arranged by us), our Suppliers (person(s), business or organisations We use the service or products of for ourselves or that of our Clients or Staff) and other organisations with which We have dealings.
We are fully committed to complying with the requirements of the General Data Protection Regulation 2018 (GDPR), which came into force on 25th May 2018.
We have further identified information We class as sensitive over and above the requirements in law. These are highlighted below under Additional Sensitive Information.
We are required to maintain certain personal data about individuals for the purposes of satisfying our operational and legal obligations. We recognise the importance of correct and lawful treatment of personal data as it helps to maintain confidence in our organisation and to ensure efficient and successful outcomes when using this data.
We have appointed a Data Protection Team (DPT). This team is responsible for data protection within the Company and as such comprises directors and managers of the Company. They will ensure We fulfil the obligations under all applicable legal and regulatory requirements, ensure Staff are trained and handle any complaints.
Personal data may consist of data kept on paper or electronic media – all of which is protected within GDPR.
We endorse and adhere to the six legal principles of the GDPR which are summarised as follows:
Data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date – inaccurate data to be erased or rectified without delay
- Kept in a form which permits identification of data subject for no longer than is necessary for the purposes for which the personal data is processed and;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Key concepts of applicable data protection law
The GDPR is based on a number of definitions. Whilst the list below is not exhaustive, We feel these are most relevant to any parties whose data We will hold or process. Where possible We have identified where these definitions apply to data We hold and/or process.
Personal Data means any information relating to an identified or identifiable natural person (a Data Subject – explained in more detail below). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the identity of that natural person.
The Company may hold and process data in relation to current, past and prospective Staff, Clients, Suppliers and other organisations with whom We have dealings.
Processing means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing is interpreted very broadly, to the extent that almost all activities organisations carry out in relation to their personal data are captured by the definition.
Company will generally be deemed to be processing any Personal Data that it may collect, record, store and/or disclose.
Controller means the natural or legal person, public authority, agency or other body, which determines the purposes and means of the processing of Personal Data. The GDPR applies to Controllers, who must comply with its requirements.
The Company will generally be a Controller in relation to the Personal Data of its Clients, Staff and Suppliers. We are also required by insurers, suppliers and other bodies to collect information.
Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. Where a Controller uses a Processor to process Personal Data on its behalf, the Controller must only use a Processor that provides sufficient guarantees to ensure that personal data is processed securely and in accordance with the requirements of the GDPR. Controllers must engage Processors by way of a contract incorporating the provisions specified by Article 28 of the GDPR.
The Company may use Processors for a variety of purposes; for instance, claim management, to provide insurance services, store Personal Data, to send email communications, or to calculate staff payroll. In each case, We will have conducted sufficient due diligence to be able to evaluate whether the Processor offers sufficient guarantees to protect Personal Data and will ensure that the Processor is bound by a contract that incorporates the provisions specified by the GDPR. The requirements around appointing Processors are explained in more detail below (see Third Party Processors section).
Special categories of personal data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health (including medical data, and medical records) or concerning an individual’s sex life or sexual orientation. Special categories of personal data is the term used in the GDPR.
The Special categories of personal data requires a higher standard of care. If a Personal Data Breach (as defined below) occurs that involves the loss of any of the Special categories of personal data, the Information Commissioner’s Office (ICO) will regard this as a serious breach. The GDPR also requires that personal data relating to criminal convictions and offences is treated with a higher standard of care.
The Company recognises that where appropriate, it is necessary to hold certain information relating to health or medical records and criminal convictions, but is unlikely to hold any other Special categories of personal data. This information is only gathered where specifically needed and is appropriately secured over and above other data as far as is technically possible.
Additional Sensitive Information means information We have identified as sensitive. This information is not necessarily subject to the same controls and requirements set out by the GDPR so may not require all the same reporting, but are handled and processed in the same manner as other Personal Data and Special categories of personal data
These items are: telephone number, family details, bank / card details, risk details, claims information.
Data Subject means an individual to whom Personal Data relates. Typically, these are Staff, Clients and Suppliers.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
A Personal Data Breach may be accidental, such as a system failure, or loss of an electronic or physical file; malicious, such as a cyberattack; or be related to paper files. In the event that the Company suffers a Personal Data Breach, the DPT will take the specific steps required by our supervisory authority, the ICO https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
Filing System means any structured set of Personal Data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
The Company utilise several electronic systems and paper filing that are classed as Filing Systems.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
The Company recognises that Consent will come from Staff, Clients and Suppliers. How We class and achieve Consent is covered later in this policy.
Children – Under GDPR specific requirements are set out regarding data for Data Subjects classified as children. The regulation specifically states the age of 16 or under for this purpose.
We recognise that We may at times hold data in relation to persons aged 16 or below. These will be in limited cases and only likely in relation to holiday and private medical insurance. In all cases We will seek parental consent to hold this data and will never further process this information other than in relation to that specific policy (although it is likely the data will be provided by a parent or guardian anyway).
In an exceptional circumstance, where this cannot be followed, all dealings will be referred to the DPT.
Data Subjects’ Rights
GDPR confers a number of rights upon Data Subjects, which as a Controller We must observe. Data subjects’ rights are a cornerstone of GDPR and must be dealt with promptly should a right request arise. The Company maintains policies and procedures which are audited annually, detailing how We will handle any event of a data subject choosing to exercise his or her rights, should one arise. The most relevant of these rights, from the Company’s perspective, are summarised below:
- Data subject access requests
Data Subjects are entitled to access their Personal Data held by the Company on request (Article 15 GDPR). The response to a data subject access request must include certain information such as, the purposes of the processing, the recipients (or categories of recipient) to whom the Personal Data has or will be disclosed, and individuals’ rights to have their data corrected, deleted or to restrict the processing of their data.
Under GDPR the information must be provided to Data Subjects free of charge* and within one month of the request.
*GDPR states a reasonable cost may be charged where requests are unfounded or excessive and/or repetitive in character.
- The right to be forgotten
Data Subjects have the right to request the Company erase all data held about them in various circumstances (Article 17 GDPR). However, the right to be forgotten is not an absolute right. As such, the Company is only obliged to give effect to a request in specific situations, the most relevant of which are likely to be:
- Where the purpose for which the Personal Data was processed no longer applies
- Where the Company’s processing of the Personal Data is based on Consent and the Data Subject withdraws his or her Consent.
iii. The right to rectification
Data Subjects have the right to have incorrect Personal Data about them corrected without undue delay (Article 16 GDPR).
The Company must endeavour to ensure that any Personal Data it processes is up to date and correct.
- The right to data portability
Data Subjects have the right, in certain circumstances, to access their data in machine-readable format and, where technically possible, to have their data transferred directly from the Company to another data controller (Article 20 GDPR). However, the circumstances in which the right to data portability arises are limited.
- The right to object
Data Subjects have the right, in a number of specific circumstances, to object to having their Personal Data processed (Article 21 GDPR).
Access to Personal Data
Requests should be made by email to firstname.lastname@example.org or in writing to the Company at our Registered Office. The request should be clearly marked as a data subject access request and addressed to the DPT or Data Protection Team.
Personal information will only be released to the individual to whom it relates (the disclosure of such information to anyone else without their consent would be a breach of GDPR).
Where requests are made We reserve the right to seek additional clarification / information to confirm the identity of the Data Subject.
We aim to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within one calendar month of receipt of a written request, unless there is good reason for delay. In such cases the reason for delay will be explained in writing to the individual making the request.
The Company recognises much of its processing activities rely on Consent. We will use several methods to obtain Consent where it is necessary. In all cases the Data Subject will have to positively opt in and will receive information about how We work with their data, their rights and other elements of the legal and regulatory requirements.
The Data Subject can revoke access at any time by following the guidelines in the section above – Access to Personal Data – stating clearly that they “wish to revoke consent”.
We review how Consent was given annually and will, if needed, ask for new or additional Consent to be given.
Collecting Personal Data
We will take all steps possible to ensure We only hold data that is necessary and for the period of time We need it. Where We are required by law and our regulators to hold information for longer periods, these will always take precedence over our day-to-day processes and activities. There are certain, specific areas We feel need particular focus which We have highlighted below:-
Review of Data – We will (at least) annually check what data We hold and on what basis We hold this information. We conduct these checks as part of our normal activities such as processing insurance renewals and claims etc.
Retention Period – We will hold different data for different periods of time, outlined below:
Existing Clients – Any non-essential paperwork that is between 3 and 5 years old is disposed of (with the exception of subsidence related paperwork, which is kept for 11 years).
Lapsed Clients – Dormant / inactive files are retained for a maximum of 5 years.
Quotes Not Taken Up – Details are kept for 18 months.
Staff – Ex Staff files are kept for 7 years for accountancy purposes.
Suppliers – Supplier information is kept for 7 years for accountancy purposes.
The data we collect about you may be transferred to, and stored at, a destination outside of the European Economic Area (EEA) third countries. It may also be processed by staff operating in ‘third countries’ who work for one of our Processers.
Destruction of Data
All waste paperwork is shredded and not put in the standard recycling bins.
Shredding is completed in-house or, in the case of bulk shredding, an authorised data shredding firm is used.
Electronic data is removed from our systems following the process detailed by our contracted IT service provider.
Where We hold data in offsite backup or disaster recovery environments, this data is removed without undue delay and in such a way as to render it unreadable and unrecoverable.
Third Party Processors
The rules around the appointment of Processors (the meaning of which is explained in ‘Key concepts of applicable data protection law’ above) are strict and amount to an organisational security measure. In the event that the Company were to suffer a personal data breach involving a third party Processor, the ICO would expect to see that appropriate due diligence had been conducted on that Provider and that an appropriate contract was in place.
The Company has ensured that it has a written contract which meets the requirements of GDPR in place with each Processor it uses. The Company must only use Processors that guarantee they will meet the requirements of the GDPR and will protect Data Subjects‘ rights.
Before engaging a Processor the Company will check that the Processor has appropriate technical and organisational measures in place to keep data secure and that the Processor’s staff who will be engaged in processing Personal Data on behalf of the Company are subject to a duty of confidentiality and receive regular training in data protection matters.
The Company will regularly review the activities and processes of any Processors it uses to check that the Processor is processing Personal Data in line with its internal processes, complying with relevant requirements under the Data Protection Legislation and its contractual commitments in respect of Personal Data. The Company will ensure that its contract with each Processor contains provisions concerning sub-contracting which meet the requirements of GDPR.
Any complaints regarding data protection should be made following the guidelines in the section above – Access to Personal Data.
You may also complain to the Information Commissioner’s Office (ICO) who are our supervisory authority. The ICO can be contacted via https://ico.org.uk/for-the-public/
On behalf of the Data Protection Team
Fairweather Insurance Services