DATA PROTECTION SYSTEM & COMPANY RULES (incorporating GDPR)
Africa Specialty Risk Limited (ASR), registered office St Clare House, 30-33 Minories, London, United Kingdom is an Appointed Representative of Crispin Speers & Partners Limited, a Lloyd’s broker who is authorised and regulated by the Financial Conduct Authority. Trading address St Clare House, 30-33 Minories, London EC3N 1PE. Our Permitted business is arranging general insurance contracts. Our FCA number is 923820
ASR Adopts CSP’s Data Protection System and Company Rules
GENERAL POLICY
Crispin Speers & Partners Ltd and its senior management are committed to ensuring client personal data is held securely and in accordance with data protection legislation and Financial Conduct Authority regulations.
CSP values the trust and respect of its clients and business partners. When information is entrusted to our care the responsible use of that information and its protection reflect the company’s values and are essential in maintaining our reputation as an insurance broker and intermediary.
Company rules have been designed ensure data is fully protected and secured concerning such personal data.
All staff are fully briefed on Data Protection rules and company procedures on joining the company and ongoing training is provided to ensure such rules continue to be followed.
CLIENT NOTIFICATION
All insurance proposal forms for completion by clients contain the following declaration:-
‘Our policy and procedures comply with all known legislation involving the collection, use, storage and disclosure of personal information. You are entitled to access the information we hold concerning you and we can supply a copy of our full policy and procedures on request.
We and our agents need to collect, use and disclose your information in order to consider your application for insurance and provide the cover you have selected, administer your policy and handle any claim. This may involve disclosing your information to third parties who assist in providing such services.
If you provide information concerning another person who you represent, eg as their broker or agent, you are confirming that you have made them aware that their information is being disclosed to us and that you have their authority to do so.
By supplying personal information to us you are confirming that you have understood the above and that it meets with your approval’.
CODE OF BUSINESS CONDUCT & ETHICS
Our code requires all employees to respect the confidentiality of client information concerning its business, employees and customers and to comply with data protection legislation and company procedures. Each new employee explicitly confirms their commitment to this code.
Any complaint concerning the handling of a client’s information, or where it is believed that it may breach any legislation in force should be reported to us for investigation. All clients also have the right to report such a matter to Lloyd’s or the regulator of their country of domicile.
DATA PROTECTION ACT REQUIREMENTS (GDPR)
The Act is based on Eight Principles (or rules for good information handling) and these are as follows:
• Personal Data must be processed fairly and legally – The Client must know why the data is being obtained/processed and must not be misled or deceived as to why the information is needed.
• Personal Data must only be obtained and used for specified and legal purpose – The Client must be fully aware of what the information obtained will be used for, and will not be used for any other unrelated purpose. Personal information will only be disclosed to third parties where the client has consented to this or where it is reasonably required in order to handle their business, or where required by law.
• Personal data obtained must be adequate, relevant and not excessive – Information should not be obtained simply because it may be useful in the future.
• Personal Data must be accurate and where necessary, kept up to date. Staff should take reasonable steps to check the accuracy of information they receive from Clients or anyone else.
• Personal Data processed must not be kept for longer than is necessary to fulfil the purpose it was received.
• Personal Data must be handled in accordance with the Clients rights – this includes their right to know what information is held about them, to prevent processing that is likely to cause damage/distress to themselves and others. They also have the right to claim compensation for damage/distress caused by breaking the conditions of the Act, prevent processing for direct marketing and have the right to take action to destroy inaccurate data.
• Personal Data must be kept safe and secure – The necessary security measures must be taken to protect against unauthorised access to or illegal data processing – This will relate to location of/access to files/documentation only to those staff that need to use the data held and technical issues relating to the Computer System. All necessary organisational and technical measures must be taken to prevent unauthorised or unlawful processing of personal data and against accidental loss/damage of such data.
• Personal Data must not be transferred outside of the European Economic Area (EEA) unless the Country/Territory ensures that rights and freedom of data subjects are protected. It is essential to make sure that personal data which is transferred outside the EEA is secure. Where client information is disclosed to parties outside the EEA the client will be advised accordingly. If a client does not wish its information to be disclosed externally they can opt-out by contacting us accordingly.
DATA PROTECTION STATEMENT – ‘PRIVACY NOTICE’
In accordance with Data Protection legislation, including General Data Protection Regulations (GDPR), we are advising you that any personal and/or sensitive data requested from you will be stored securely and will only be used in order to manage the contract of business, including insurance requirements, we are arranging for you where we have a legal obligation in handling your data. We may also have a legitimate interest in handling your data when dealing with third parties, such as your insurers. This information will only be made available to third parties, such as insurers or their claims handling agents, in order to further manage and service your insurance policy.
We will retain your information for a period of time which is necessary to ensure no further liability, such as any insurance claims, exists. This period will normally be 7 years from expiry of the policy but may be extended for certain types of business.
The types of data vary but typically include name, address, email address, telephone number and date of birth. Other details may be needed depending on the type of insurance required.
For certain types of business we may require sensitive information from you in order to arrange your insurance requirements or service any claims, for example, medical records, which may involve passing such information to insurers or their claims handling agents. If required we will seek your consent to this.
We will not transfer your data outside the EU. Your insurers and/or their third party agents may pass data outside the EU and if so, we will seek their confirmation that this is adequately protected.
You have the right to:- See a copy of the personal information we hold about you, free of charge Ask us to delete any of your personal data where there is no legitimate reason for continuing to hold it. To have any inaccurate or misleading data corrected or deleted Restrict the processing of your data Lodge a complaint with the Information Commissioners Office if you are unhappy with the manner in which we store or handle your data.
If you provide data to us about other people you must provide this notice to them before you pass their data to us. You must obtain their consent if this includes sensitive data such as health or criminal record data.
If at any time you wish to know what information we hold on you, or have any queries relating to the above, please contact our director responsible for Data Protection issues at:-
Telephone: 020 7977 5700 Email: [email protected] Or write to: Crispin Speers & Partners Ltd St Clare House 30-33 Minories London EC3N 1PE
INFORMATION SECURITY PROGRAM
CSP has a well defined risk-based Information Security Program designed to protect information according to the following security principles:-
Confidentiality – Protect information assets against unauthorized disclosure or unauthorized access. Integrity – Protect information assets from unauthorized changes by safeguarding the accuracy and completeness of information and processing methods. Availability – Protect information assets while making them available to designated staff to meet the needs of clients.
CSP’s Information Security Program and its associated policies and procedures are designed to enable its staff to provide a consistently high level of service internally and to its clients.
The program policies and procedures cover the following types of requirements:-
User-Related Policies and guidelines applicable to all information system users, including acceptable use, security awareness training, incident reporting, workstation security, email useage and monitoring, user ID’s and passwords, information handling, destruction and disclosure.
Information Technology Policies and standards applicable to individuals supporting IT systems and resources, including authorized network access, network server security, authentication, malicious code, encryption, wireless networking, IT assets, disaster recovery, backup and business continuity, system development and maintenance.
PHYSICAL SECURITY POLICIES
CSP’s physical security policies establish the following standards:-
– Access restrictions to office areas, LAN/server rooms, and other sensitive areas. – Instructions for securing computers at workstations, as well as laptop computers when out of the office. – Restricted access to sensitive hard-copy client information – Requirements for secure destruction of sensitive paperwork and electronic media. – Procedures for the proper handling and transport of sensitive client information.
MONITORING & OVERSIGHT
CSP manages its security programs on a continuous improvement model that enables our programs to evolve in accordance with experience in our operations and the wider context of conditions imposed by the regulator, the Financial Conduct Authority.
DANGERS OF DATA LOSS
The majority of data is not classified as ‘Sensitive Personal Data’ and therefore loss would not be considered critical. The loss of personal data itself could lead to loss of confidence with our clients and the potential for complaints leading to possible regulatory enquiries and action. Loss of the clients business could be possible. In very serious cases this could lead to personal censure of the directors or ‘Approved Persons’ by the FCA.
LOSS NOTIFICATION (BREACHES)
Any data loss of whatever type must be reported in the first instance to the Operations Director who would instigate enquiries into the facts of the incident and necessary remedial action to minimise the consequences of data loss. Such loss must be notified as soon as it has been discovered and within 24 hours of such a discovery.
DATA BREACH POLICY & PROCEDURES
DEFINITION
A personal data breach means a failure of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. It is therefore more than just losing someone’s information.
POLICY
Company policy is to report all potential breaches even if an occurrence does not eventually become a breach. The company operates a ‘no blame’ culture and staff are advised that not reporting a potential breach is a serious matter.
PROCEDURE
All potential breaches must be reported to a persons line manager/director and the Compliance Officer immediately. A breach reporting form must be completed by the individual in conjunction with their line manager/director and Compliance Officer. The Compliance Officer will maintain the company breach log. If it is believed that a breach has occurred the Compliance Officer will discuss what action needs to be taken with the acting Data Protection Officer.
REPORTING BREACHES
The relevant supervisory authority (ICO ) must be advised of a breach where there is likely to result in a risk to the rights and freedoms of individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or other significant economic or social disadvantage. An example would be where the loss of data could result in a persons identity being stolen and used to open false bank accounts, etc. Notification must be made within 72 hours of the breach being discovered and contain the following information:-
– Nature of the breach, background etc, and likely consequences. – Approximate number of individuals affected – Contact details of the firm where the breach has occurred – Description of the measures taken, or about to be taken to deal with the breach and also to mitigate any possible side effects.
Individuals must also be notified where there is a high risk to those whose data has been lost. The threshold is therefore higher than that for just notifying the ICO. In such cases notification to the individuals must be made without delay.
MINIMIZING DATA LOSS RISK
The means of minimising the risk of data being lost are as follows:-
STAFF
– The integrity of new staff is vetted in accordance with FCA regulations concerning ‘Fitness & Propriety’ and a self-assessment form is completed by each joiner. The handling of confidential data is an area assessed by Human Resources during the recruitment process, including the obtaining of references. – All new and existing staff have access to the Staff handbook which details the rules of conduct for employees.
TRAINING
Ongoing training is provided to all staff of whatever level, from basic DP introduction to the latest developments affecting the company. The Information Commissioners Office (ICO) is used as a source of training material.
Training records are maintained for all staff which notes what training aids have been utilised.
GENERAL RULES
Rules issued to all staff include 3 general rules, namely:-
No personal data must be disclosed to anyone or any organisation, outside the company. This applies to any data which can be identified to an individual person.
Requests from other organisations for personal data as part of routine business, eg claims assessors or insurers, are covered by the business agreements we have with our clients. This will cover basic information such as name/address details. Any other requests must be referred to a manager or director.
On no account can sensitive data such as bank account details be disclosed to anyone without the specific written permission of the person concerned.
FILING (PAPER RECORDS)
All client papers are maintained in secure files which are held in suitable cabinets during out of office hours. Critical files containing client data are not removed from the office without express permission from a manager or director. Such removal of files should only be necessary for business visits or occasional home working. CSP does not have any full-time home-working staff.
Critical paper records are backed-up by being held electronically, either on the ’Sector’ ‘GPM’,or ‘Bross’ systems, in Microsoft Excel spreadsheets, scanned or in pdf format.
A routine system of file audits carried out independently by an external consultant in order to ensure that all files and documentation are maintained accurately and completely in accordance with the Company’s agreed business handling procedures. The resulting audit reports are reviewed by the Operations Director and Compliance Officer and any remedial action undertaken.
In addition external audits are undertaken by the company’s external E&O insurance provider, Griffin Mutual Insurance Association and action taken on their findings, if required.
ELECTRONIC RECORDS
All client data held on electronic databases is held in a secure environment with proprietary IT products utilised to protect the company from external electronic infiltration. Such IT software is regularly updated to reflect current or new dangers.
All company systems are only accessible by users with bona-fide passwords and staff are only able to access the internal systems appropriate to their work or responsibility.
A formal system of authority limits for signing-off critical documents is in operation.
BACK-UP and DISASTER RECOVERY
A full Disaster Recovery Plan is in place designed not only to protect the company itself from dangers to its operation, but also to protect our clients information from damage or loss. Such plan is routinely tested for robustness and adequacy.
DOCUMENT DESTRUCTION POLICY
A detailed document destruction policy is in existence which covers the timeframes that different types of document must be retailed, either from a Lloyd’s FCA regulatory, accounting or business needs requirement.
COMPANY EQUIPMENT
A small number of staff have laptop computers which can be used outside the office. Strict rules are in place to ensure these machines are securely located at all times and that for instance, they must not be left in unattended vehicles. Such laptops are password protected.
All requests for data to be placed on portable memory devices eg CD’s or memory sticks must be made to the IT Manager who will ascertain the reason for such requests.
DATA DISTRIBUTED EXTERNALLY
All electronic personal data distributed externally, for example on CD’s or memory sticks or attached to emails, are encrypted for protection.
ACCESS BY EXTERNAL SUPPLIERS
Few external suppliers are required by the company and if so, only for specific needs rather than general long-term assistance. Such suppliers are vetted by the company area requiring them and reviewed by a director before their relationship is formalised.
NEW BUSINESS PROCESS
A fully compliant procedure is in place whenever new clients are proposed for business with the company. Such procedures involve vetting the financial viability and regulatory position of the client as well as making appropriate enquiries to confirm the identity of such a client. Approval for new clients can only be given by the Compliance Officer or a director.
All clients are presented with a Terms of Business Agreement which must be agreed prior to business commencing. Such agreements can only be approved by the Compliance Officer or a director.
Confidentiality agreements can only be approved by the Managing Director, Finance Director or Compliance Officer.