Privacy & Data Protection
We are committed to protecting a data subject's privacy in accordance with the General Data Protection Regulation (GDPR). You can read more about GDPR on the Information Commissioner's Office (ICO) website.
Both TASH & TAP are registered with the ICO, and our registration certificates are available to view. Where we engage a sub-processor, we insist that they hold their own ICO registration.
Privacy & Data Protection Policy
Our Privacy & Data Protection Policy explains when we collect personal data, why we require it, how we use it, how we keep it secure and the conditions under which we may disclose it to a third party authority.
We will only use personal data when legally permitted. The most common uses of personal data are:
Where we need to perform a Contract for Services.
Where it is necessary for our legitimate interests (or those of a third party) and the data subject's interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation.
Where we have been given consent. Generally, however, we do not rely on consent as a legal ground for processing personal data, as we are typically able to demonstrate Contract, Legitimate Interest or Legal Obligation.
Accountability and Governance
The GDPR applies to ‘controllers’ and ‘processors’:
A controller determines the purposes and means of processing personal data
A processor is responsible for processing personal data on behalf of a controller
When we use the data our IFA firms provide us with (with their permission), we have a duty of care in how we handle that data. GDPR places specific responsibilities on us to provide sufficient guarantees that the requirements of the GDPR will be met and the rights of data subjects protected.
You can read about controllers and processors in more detail here
How we store data
We store personal data in electronic formats (PDF, Word, Excel etc.) and occasionally on paper. Paper files are retained within our secure, alarmed premises. Occasionally, a client file containing personal data may be taken outside our premises, such as when working away from the office.
Our electronic files containing personal data are stored/backed-up in two locations:
1. Internal Server, sited on our premises.
2. Dropbox, a US-based company which complies with the EU-US Privacy Shield Framework.
How long will we keep Personal Data
We will not keep a data subject's personal data for any longer than is necessary in light of the reason(s) for which it was first collected. A data subject's personal data will therefore be kept for the following period (or, where there is no fixed period, the following factor will be used to determine how long it is kept):
Until it is no longer in our legitimate business interests to keep it.
We also reserve the right to retain data for longer than this due to the possibility that it may be required to defend a future claim against us. Please note that in the event of a pension transfer, a regulated IFA firm is required to hold client records indefinitely and if we believe we are part of this intermediary process, we may choose to also hold records indefinitely.
We recognise that a data subject has the right to request deletion of their personal data and we will comply with this request, subject to the restrictions of our legal or regulatory obligations and legitimate business interests as noted above.
If we receive a specific request from an IFA firm that we delete all data relating to a data subject, then the firm waives the right to any future claim of errors and omissions.
Our emails are secured to SSL (Secure Sockets Layer) standard, a protocol that helps secure communications over computer networks and is most often used with email. Our system encrypts with 256-bit keys, which is the standard level of banking encryption. Our internal emails never leave our host email server (located in Manchester, UK) and are therefore always encrypted with 256-bit keys. When we send external emails, we cannot be held responsible for the level of security of the receiving server. However, in order to protect personal data as best we can, as a minimum we will always password protect personal data.
Please note, however, that regulated firms are responsible for providing a method for the secure transmission of a data subject's personal data to us, whether by email encryption or through a secure communication portal.
We strongly recommend that you have appropriate technology in place, enabling the secure transmission of personal data, in line with the expectations of current data protection legislation.
The PCs kept on our premises have two layers of security. Stage 1 is Windows 10 disk encryption and Stage 2 is the Windows user profile password.
All laptops used away from the office have the same two levels of security, but DESlock Encryption is used in place of Windows encryption.
Only management level staff use mobile devices (phones and iPads) for work activities. All devices require either a six-digit passcode or fingerprint recognition and automatically lock after 1 minute of inactivity. All devices are Apple products, and Apple builds encryption into its products, which you can read about here - https://www.apple.com/privacy/approach-to-privacy/
Across all our devices (excluding mobile phones and iPads) we have installed ESET end-to-end protection, which monitors all our PCs and laptops to ensure that our firewalls and anti-virus software remain up to date. This is monitored by our IT partners, Ahead4, whose details are provided below.
Third parties and Data Sharing
We are committed to the protection of a data subject's personal data.
We will not sell or rent personal data to third parties under any circumstances.
We will not share personal data with third parties without the data controller's permission.
We will not share personal data with third parties for marketing purposes.
We keep a list of the software platforms we use to operate our business. A list is available upon request.
We may share personal data with third parties, such as back-office systems, cloud-based document storage, technical or research software providers, product providers or investment companies, which assist us in providing a Contract for Service.
We do not usually transfer any personal data outside of the EU except when we need to perform pre-contractual measures (credit and ID checks) or because the checks we request are necessary for important reasons of public interest.
All our employees and sub-processors are required to undertake annual training on data protection requirements and to demonstrate their understanding of them.
We have processes in place to manage, investigate and mitigate the impact of any data breach.
Links to other websites
Review of this Policy
We keep this Policy under regular review. We are committed to continuous implementation of technical and organisational measures to ensure we are doing the best we can at all times. Supervision of our commitment to the protection of personal data is the responsibility of our senior management.
This Policy was last updated in May 2018.
You may also contact us via telephone 01245 200425.