Introduction
Pier has a strict policy on data protection and compliance with the General Data Protection Regulation (GDPR) principles. All staff who come into contact with client data are responsible for complying with the requirements of the legislation. Pier expects staff to act with due care and diligence at all times. This is to ensure that client details are processed and dealt with securely and in accordance with our policy and procedures. Any breach of this policy may result in disciplinary action.
Background to the GDPR
The EU General Data Protection Regulation (GDPR) was given effect in the UK by the Data Protection Act 2018. It replaced the EU Data Protection Directive of 1995 (Directive 95/46/EC) and the national laws of individual Member States that had been written to implement that Directive. Following Brexit, the EU GDPR no longer applies directly to the UK. Instead, the provisions of the EU GDPR have been incorporated into UK law as the “UK GDPR”, which applies alongside the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). Its purpose is to protect the “rights and freedoms” of living individuals, to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent or on another lawful basis.
Definitions used (drawn from the GDPR):
Territorial scope – The GDPR applies to all controllers and processors established in the UK or EU who process the personal data of data subjects in the context of that establishment, regardless of where the processing itself takes place. It also applies to controllers and processors outside the UK or EU that process personal data in order to offer goods and services to, or monitor the behaviour of, data subjects who are in the UK or EU.
Establishment – The main establishment of a controller in the UK or EU is the place in which the controller makes the main decisions as to the purposes and means of its data processing activities. The main establishment of a processor is its central administration. A controller based outside the UK or EU that is nonetheless caught by the GDPR must appoint a representative within the UK or EU (as applicable) to act on its behalf and deal with the supervisory authorities and data subjects.
Personal data – Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data controller – The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by that law. Pier is the data controller for the personal data of its clients.
Data subject – Any living individual who is the subject of personal data held by an organisation.
Processing – Any operation or set of operations which is performed on personal data, or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – Any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the data subject’s right to object to profiling and to be informed of the existence of profiling, of any measures based on it, and of its envisaged effects on the individual.
Personal data breach – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The controller must report a personal data breach to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
Data subject consent – Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Child – Where consent is relied on as the lawful basis for processing, the EU GDPR allows those aged 16 and above to give that consent themselves. The UK Data Protection Act 2018 lowers this age to 13. If the child is under the applicable age, the consent of the holder of parental responsibility is needed.
Third party – A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Filing system – Any structured set of personal data, which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
All staff are required to complete GDPR training on joining the firm and annually thereafter. They can also request further training through their Line Manager or the Compliance Team.
Failure to adhere to the Pier Data Protection and IT Security guidance contained in this document is a disciplinary matter.
Obtaining Consent to Process Data
All clients will be asked to complete the Pier Customer Privacy Notice by their financial adviser who should explain the details of this along with how we handle client data. Where the client does not agree to Pier storing their details in accordance with our policy, we will not be able to do business with them.
Clients will be asked to reconfirm their preferences when something changes in their personal circumstances, or where our data privacy procedures change. Clients must also be re-issued with the Customer Privacy Notice whenever it is altered.
How Pier Controls Data
Protecting documents in the office
Pier prioritises paperless working, but on the occasion that we have physical client paperwork, or other sensitive documentation, the following processes are in place:
- Every member of staff has a locked drawer which must be used to retain documents being worked on until they can be scanned (as necessary) and securely shredded.
- We have a ‘clear desk’ policy to avoid documents being left on desks and on view.
- We have ‘secure’ bins that are emptied monthly by a specialist company for document shredding.
IT Security
We employ a third party company, Viper IT, to deliver IT and systems support. Viper also provides our staff with regular training on IT security concerns such as phishing emails and the potential for online fraud.
Data can be stored temporarily on laptops only where the laptop’s hard drive is fully encrypted and the device is protected by a strong password and/or biometric login. Disk encryption protects data only while the device is locked or powered off, so laptops must be locked whenever unattended. Flash/USB drives must not be used to store confidential data under any circumstances.
By using these systems and approaches, Pier is able to remove data in accordance with the GDPR policy when required and can also respond to information requests accurately.
Our staff are instructed to follow these examples of good practice (not a full list):
- Ensure you have enough time to undertake all work tasked with sufficient care.
- Do not store passwords, or login details, on paper in or around your desk.
- Do not share passwords, or login details, with colleagues or other users.
- Ensure that you login to a computer with your own credentials.
- Do not leave your PC logged in when moving away from your desk.
- Use long passphrases of three random words, combined with special characters, numbers and both upper and lower case letters, when creating passwords.
When undertaking a mailing or promotion to clients, the staff member should ensure that they have suitable permission to contact the intended recipient/s by reviewing the consent form on file for the client/s.
In accordance with the fifth data protection principle (storage limitation), Pier will periodically assess whether the data it is holding is still appropriate and whether there is a business need to continue to store and process that data. Where it is deemed no longer required, it can be archived on IO using the applicable process.
Protecting intellectual property
These are the additional means by which we ensure that our intellectual property, and the goodwill of the business, is kept secure from unauthorised access.
Staff
Staff are made aware of their obligations through:
- Staff Handbook / Employment Contract / Self-employed Contract.
- Induction process which covers this Data Protection policy.
- Annual training on data security.
- Updates on changes to the Data Protection policy.
- Annual online test on data protection.
Use of all business equipment is governed by the Staff Handbook which ensures that:
- All business equipment is logged against staff members.
- Laptops must be locked away and not left in insecure locations, e.g. left in a car overnight.
- Files may not be taken home.
- Staff may not undertake work on personal computers without prior approval.
- Staff may not email work to personal email accounts.
Staff leavers
The business is protected from employed and self-employed staff who leave by the following:
- All property including business cards, must be returned to the office on leaving.
- Staff can be placed on ‘gardening leave’ on resignation.
- Restrictive covenants are in place to prevent solicitation of clients post departure.
- The Employment Contract and Staff Handbook make explicit reference to confidential information and ownership of client data.
Access rights
Access rights to information on the network and on emails are controlled using an access policy which ensures that:
- Access is granted to data only where required and in line with an individual’s role.
- Temporary access to data must also be time limited, and privileges revoked after that date, or an extension expressly granted by the Compliance Officer.
- All staff who access client / sensitive information must complete annual training. Access rights are monitored and controlled by the Operations Manager.
Disclosing Secure Data
On occasions when a member of staff is required to send or disclose secure data to a client, provider, regulator, or other body, it is ensured that:
- The data is being sent to the correct individual.
- The individual is authorised to receive the information.
- There is an agreement with the client that their data may be passed to a third party.
Examples where a member of staff may need to send data (not a full list):
- The Financial Ombudsman is investigating a complaint.
- Law enforcement agencies are investigating a crime.
Whilst these are not exhaustive lists, they outline scenarios where the member of staff should be aware of potential issues. It is up to the individual to use their own judgement and their training to assess whether they should proceed. If there is any doubt, they should always refer to a Line Manager or the Compliance Team.
Sending Secure Data
When sending data, the member of staff should be aware that ordinary email is not a secure method of transmission. Therefore the data should be posted, or sent securely using one of the methods below.
- Data can be emailed using Microsoft’s encrypted email feature. Documents (or zipped folders) can also be individually password protected before they are attached; the password must be communicated to the recipient by a separate channel, e.g. by telephone, and never in the same email as the attachment.
Personal Data Breaches
When a data breach occurs, or a member of staff suspects a data breach, the Compliance Team and Viper IT must be notified immediately. The Personal Data Breach Notification Procedure must be followed. It is essential that Pier acts as quickly as possible to assess the breach, or potential breach, and then reacts accordingly.
Data breaches and potential data breaches include (not a full list):
- Loss of laptop or other portable device.
- Loss of client data either in paper form or electronic.
- Loss of memory sticks / disks / USB flash drives, etc.
- Unauthorised persons in any office area where data is held or stored.
- Client information passed onto an unauthorised third party.
The Pier Compliance Team will firstly look to ensure that where a breach has occurred, it is no longer happening. For example, this may involve taking IT systems offline, removing a website temporarily or securing client information.
Once the breach has been halted, the Compliance Team will then look to assess what data has been breached, the impact of this and what the possible implications are. The details of the breach, or suspected breach, will be recorded and kept updated in the Pier Data Protection Breach Register. Where there is any risk to clients, they must be notified at the earliest possible opportunity, but no later than 48 hours after the breach is reported.
The Compliance Team will complete the Information Commissioner’s Office (ICO) Personal Data Breach Self-Assessment Tool at the earliest opportunity and no later than 72 hours after Pier becomes aware of the breach. This can be accessed from the website address:
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
If the Self-Assessment Tool result indicates that an official ICO Personal Data Breach Report is required, this must be actioned as soon as possible and within 72 hours of Pier becoming aware of the breach. If the report cannot be submitted within 72 hours, the reasons for the delay must be recorded and provided to the ICO. The ICO reporting process is via an online form which is also accessible from the website address above.
The Head of Compliance will draft a report to the Senior Management Team which will detail:
- The nature of the breach, how it happened and the circumstances surrounding it.
- An assessment of the breach including details of what was disclosed/obtained and the likely impact and severity of the breach.
- An assessment of whether there is a risk of financial harm to clients or staff as a result of the breach.
- Confirmation of whether the ICO has been informed.
- Confirmation of actions taken in light of the breach and any ongoing actions that are required.
- Either at the time, or shortly after, details and recommendations of any procedures which need to be changed because of the breach to ensure that the risk of further events is minimised.
- The internal data protection procedures that should be updated with any new policies.
Requests for Data
Any individual whose personal data is held by Pier can request a copy of that data, as well as its removal or correction, at any time. Such requests must be answered without undue delay and in any case within one month of receipt. As set out in the Pier Customer Privacy Notice, some information cannot be removed for regulatory or legal reasons; where this applies the data subject must be told, along with being informed of their rights.
Pier has a Data Subject Access request register which should be completed each time a request is made. There is also an authority form and a response letter which are to be used when data requests are made.
Data Protection Policy Review
Our Data Protection Policy is reviewed on a regular basis and at least annually. Further reviews and/or training may be prompted by changes in FCA guidance, feedback, or specific occurrences. Any changes will be communicated to all staff at the earliest opportunity.