|The Financial Ombudsman Service||www.financial-ombudsman.org.uk|
|London||email – firstname.lastname@example.org|
1 POLICY STATEMENT
1.2 The Company is required to notify the Information Commissioner of what data it processes, and how that data is used, before it processes any data. The Company has a current notification with the Information Commissioner which is attached at Appendix 1.
1.3 This policy has been approved by the board of directors. The board of directors is ultimately responsible for ensuring the Company complies with the Act. The Company's Data Protection Compliance Officer is responsible for ensuring day to day compliance with the Act and with this policy. The Data Protection Compliance Officer is Chris Downes, who can be contacted via email at email@example.com. This policy is not part of any contract of employment with the Company and the Company may amend it at any time. However, it is a condition of employment that employees will adhere to the rules of this policy.
1.4 The Company processes personal information to enable us to promote our goods and services, to maintain our accounts and records and to support and manage our staff.
2 ACQUISITION AND USE OF PERSONAL DATA
2.1 The Company needs to collect personal information about people with whom it deals in order to carry out its business as a credit broker and to provide other marketing services. We process personal information about our employees, customers, suppliers and service providers, advisers, consultants and other professional experts and enquiries.
2.2 In addition, we may occasionally be required to collect and use certain types of personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Act.
2.3 Personal information can be factual (such as name, address or date of birth) or it can be opinion (such as a performance appraisal).
2.4 The lawful and proper treatment of personal information by the Company is extremely important to the success of our business and in order to maintain the confidence of our employees and customers. All employees of the Company have a responsibility for ensuring that the Company respects personal information and deals with it in a lawful and correct manner.
2.5 The Company is a data controller under the Act, as we determine the purpose for which and the manner in which any personal data are processed.
3 TYPES OF DATA
3.1 There are two types of data protected under the Act: personal data and sensitive personal data.
3.2 Personal data is data that relate to a living individual who can be identified from those data or from those data and other information which is in the possession of or is likely to come into the control of a data controller. It also includes any expression of opinion about a person.
3.3 Sensitive personal data is information relating to a person’s:
3.3.1 racial or ethnic origin;
3.3.2 political opinions;
3.3.3 religious or other similar beliefs;
3.3.4 trade union membership;
3.3.5 physical or mental health;
3.3.6 sexual life; and
3.3.7 criminal proceedings or convictions (including any alleged offence).
3.4 There are more stringent restrictions under the Act for the processing of sensitive personal data. Although we will not ordinarily be acquiring sensitive personal data from our customers, we may process such data in connection with employees. We will only ever process such data when we have the express written consent of the data subject to do so.
Processing is, essentially, anything that can be done to the information, including obtaining, storing and transferring the data. All processing must be done in accordance with the Act, which restricts how data can be processed.
5 DATA PROTECTION PRINCIPLES
5.1 We support fully and comply with the eight data protection principles of the Act which are summarised below:
5.1.1 Personal data shall be processed fairly and lawfully.
5.1.2 Personal data shall be obtained for one or more specific purpose(s) and processed in a manner compatible with that or those purpose(s).
5.1.3 Personal data held must be adequate, relevant and not excessive.
5.1.4 Personal data must be accurate and kept up to date.
5.1.5 Personal data shall not be kept for longer than necessary.
5.1.6 Personal data shall be processed in accordance with the rights of data subjects.
5.1.7 Personal data must be kept secure.
5.1.8 Personal data shall only be transferred to a country outside the European Economic Area (EEA) if there is adequate protection in that country for data subjects.
6 DATA TRANSFER OUTSIDE THE EEA
6.1 Global Response Partners LLC is a US registered limited liability company within the same group as the Company. Therefore, we may need to transfer data to Global Response Partners LLC which is located outside of the EEA. Any transfers made will be in compliance with principle 8 as set out above.
6.2 Given the recent decision of the European Court of Justice in Case C-362/14: Maximillian Schrems v Data Protection Commissioner, we no longer rely upon Global Response Partners LLC’s safe harbor membership to facilitate such transfer but implement additional protections to ensure equivalent protection.
6.3 For guidance as to when data can be transferred outside the EEA, please contact the Data Protection Compliance Officer.
7 FAIR AND LAWFUL PROCESSING
7.1 Our employees, customers and any third parties whose data we acquire and process must be fully informed of the fair and lawful processing the Company will be undertaking and should not be taken by surprise. We must ensure that they are provided with:
7.1.1 the identity of the data controller i.e. the Company;
7.1.2 if applicable, the identity of a nominated representative with whom they can raise any data protection issues;
7.1.3 the purpose for which the data is intended to be processed; and
7.1.4 any further information necessary to enable data processing in a fair way.
7.3 The Company will process data about its employees in accordance with the Information Commissioner’s Employment Practices Code. This will include regular checks to be carried out by the Data Protection Compliance Officer to ensure that records are not irrelevant, excessive or out-of-date.
8 PROCESSING FOR SPECIFIED PURPOSES
9 ADEQUATE, RELEVANT AND NOT EXCESSIVE
9.1 Personal data will only be collected to the extent that it is required for a specified purpose notified to the customer or employee. It is not true that the more data we hold, the better our records are.
9.2 We will not collect data from a data subject on the off-chance that it may be needed in the future.
10 ACCURATE DATA
Personal data will be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed.
11 DATA RETENTION
11.1 Personal data should only be kept as long as it is necessary i.e. the Company should only keep data for as long as it serves its purpose.
11.2 We will retain personal data for a minimum of six years which is the limitation period for a claim for a breach of contract. Data may be retained longer where appropriate (for example, if a customer is longstanding for over six years).
12 PROCESSING IN ACCORDANCE WITH RIGHTS OF DATA SUBJECTS
12.1 Data will be processed in accordance with the data subject's rights. Data subjects are entitled to:
12.1.1 request access to any data held about them by a data controller (known as a subject access request);
12.1.2 prevent the processing of their data for direct-marketing purposes;
12.1.3 ask to have inaccurate data amended;
12.1.4 prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else; and
12.1.5 object to any decision that significantly affects them being taken solely by a computer or other automated process.
12.2 A subject access request must be made in writing, so if you receive an oral request, you should ask for it to be put in writing. A fee of £10.00 is also payable. If you receive a subject access request, you should pass it immediately to the Data Protection Compliance Officer, who will deal with it appropriately, as the Company is required by law to respond to a subject access request within 40 days. The Company's guidance on responding to Subject Access Requests is attached at Appendix 2.
13 DATA SECURITY
13.1 The Company must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Individuals may apply to the courts for compensation if they have suffered damage or distress from such a loss.
13.2 The Act requires the Company to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
13.3 Confidentiality means that only people who are authorised to use the data can access it.
13.4 Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
13.5 Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore only be stored on the Company's central computer system and not on individual desktop PCs.
13.6 When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
13.7 These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
13.7.1 when not required, the paper or files should be kept in a locked drawer or filing cabinet;
13.7.2 employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer; and
13.7.3 data printouts should be shredded and disposed of securely when no longer required.
13.8 When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.
13.8.1 Data should be protected by strong passwords that are changed regularly and never shared between employees. You should also always lock or log off your computer, laptop, iPad or other electronic device when left unattended.
13.8.2 If data is stored on removable media (like a CD, DVD or USB stick), these should be kept locked away securely when not being used.
13.8.3 Data should only be stored on designated drives and servers.
13.8.4 Servers containing personal data should be sited in a secure location, away from general office space.
13.8.5 Data should be backed up frequently. Those backups should be tested regularly, in line with the Company’s standard backup procedures.
13.8.6 Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
13.8.7 All servers and computers containing data should be protected by approved security software and a firewall.
13.8.8 Where appropriate, data must be encrypted before being transferred electronically.
13.8.9 Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
13.9 Any stranger seen in entry-controlled areas should be reported.
14 MARKETING LISTS
14.1 The Company may sell or disclose contacts/marketing lists to selected third parties or Broker Partners, including those individuals/organisations that help us to provide our services or promote products or services of others. Such disclosure will only be undertaken in accordance with the principles, with the consent of the data subjects and subject to the authority of a director or senior member of staff.
14.2 The Company will complete its due diligence checklist in relation to any organisation that sells a marketing list to the Company before we use the list. The Company must be satisfied that the third party has obtained the necessary specific and informed consent for us to market to the individuals on the list. A copy of the due diligence is at Appendix 3. The Company will conduct on-going monitoring and will conduct an audit every six months.
14.3 Any employee found to have disclosed personal data to anyone outside of the Company, selected third parties, or anyone other than the data subject him/herself may face disciplinary proceedings. In serious cases, the employee may face dismissal.
15 GENERAL CONSENT
15.1 We strive to ensure that none of our customers or employees feels aggrieved by the way in which we process their personal data.
15.3 In certain situations, we can infer that consent has been provided by an individual. For instance, if we take a call from a potential customer and they provide their name and telephone number in order for someone to call them back, we can infer that they have consented to us recording those details for the purposes of returning their call.
15.4 If we are to collect sensitive personal data from a data subject (whether that individual is a customer or an employee), we must obtain the data subject's explicit consent before we collect and process the information.
16 ELECTRONIC COMMUNICATIONS AND CONSENT
16.1 We are able to send electronic marketing messages (such as emails, text messages and other mobile marketing) to our customers if the customer has previously provided consent to receive such electronic marketing. The electronic marketing message must identify who we are and must allow the individual to opt-out of receiving more emails from us.
16.2 However, we do not need the individual's prior express consent to send electronic marketing messages if we can satisfy the following three criteria (known as the “soft opt-in”):
16.2.1 the contact's personal data was supplied in the course of a sale/negotiations for a sale;
16.2.2 the promotional messages relate to the Company’s similar products (i.e. similar to those originally offered/sold); and
16.2.3 the contact was originally given the opportunity to opt-out of receiving the promotional messages but did not take it.
16.3 We cannot rely on the soft opt-in where we pass personal data to third parties for those third parties to send electronic marketing communications. In such circumstances we must obtain express opt-in consent which is specific and informed.
16.4 The Data Protection Compliance Officer should be consulted before electronic communications are sent.
17 EMPLOYEE OBLIGATIONS
17.1 All employees will, through appropriate training and responsible management:
17.1.1 observe all forms of guidance, codes of practice and procedures about the collection and use of personal information;
17.1.2 understand fully the purposes for which the Company uses personal information;
17.1.3 collect and process appropriate information only in accordance with the purposes for which it is to be used by the Company to meet its business needs or legal requirements;
17.1.4 only access personal data that they require to carry out their jobs properly;
17.1.5 ensure the information is inputted correctly into the Company’s systems by following the Company's standard format;
17.1.6 take reasonable steps to ensure that data is kept as accurate and up to date as possible, including updating data as inaccuracies are discovered and confirming customers’ details when they call;
17.1.7 ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required;
17.1.8 on receipt of a request from an individual for information held about them by or on behalf of the Company immediately notify the Data Protection Compliance Officer; and
17.1.9 deal with all personal information in accordance with the Company’s security procedures.
17.2 Any breach of the Act and the Company’s data protection policy shall be viewed as misconduct and in extreme cases may lead to summary dismissal.
18 DATA PROTECTION COMPLIANCE OFFICER AND ICT DIRECTOR
18.1 The Data Protection Compliance Officer is responsible for:
18.1.1 keeping the board updated about data protection responsibilities, risks and issues;
18.1.2 reviewing all data protection procedures and related policies;
18.1.3 arranging data protection training and advice for the people covered by this policy;
18.1.4 dealing with subject access requests;
18.1.5 checking and approving any contracts or agreements with third parties that include the transfer or use of personal data;
18.1.6 ensuring all systems, services and equipment used for storing data meet acceptable security standards;
18.1.7 ensuring that the due diligence checklist (at Appendix 3) is completed before the Company sends marketing communications to individuals on any such list;
18.1.8 performing regular checks and scans to ensure security hardware and software is functioning properly; and
18.1.9 evaluating any third-party services the company is considering using to store or process data.
19 COMPANY OBLIGATIONS
19.1 The Company will:
19.1.1 provide training for all staff members who handle personal information (if an employee is unsure of his or her responsibilities he or she should notify the Data Protection Compliance Officer who will consider whether further training is necessary);
19.1.2 provide clear lines of reporting and supervision for compliance with data protection;
19.1.3 carry out regular checks to monitor and assess new processing of personal data and to ensure the Company’s notification to the Information Commissioner is updated to take account of any changes in processing of personal data; and
19.1.4 undertake suitable and sufficient monitoring, including spot checks without notice, to ensure that the Act and this policy are being complied with by the Company and all its employees.
INTRODUCTION / POLICY STATEMENT
Global Response Partners LLC (GRP) considers it the duty of its employees, contractors, and members of its broker network (also referred to as Broker partners) to deal with all individuals they come into contact with respectfully and professionally. In particular, we realise the importance of protecting vulnerable people. We aim to follow the Financial Conduct Authority’s recommended best practices in encouraging a consistent and best practice approach towards consumers in the financial market.
This Policy sets out our approach to dealing with vulnerable consumers. It is implemented within the business and all Broker partners are required to confirm compliance with the terms of this Policy as part of their contractual agreement with GRP.
Under FCA rules, in particular those set out in the Consumer Credit Sourcebook (CONC), we are required to establish and implement clear, effective and appropriate policies and procedures for ensuring the fair and appropriate treatment of customers who we understand or reasonably suspect to be particularly vulnerable.
This policy sets out the Company’s approach to the recognition and appropriate treatment of vulnerable customers, in order to ensure that the service provided is suitable for their needs and that the customer is not placed at risk of detriment as a result of their vulnerability.
We do not expect employees, representatives or Broker partners to be health professionals or social workers, but we do require common sense judgements to be made to ensure that we achieve fair outcomes for consumers.
Breaches of this policy or the underlying procedures will be considered as a disciplinary matter or (in the context of Broker partners) as a potential contractual breach.
WHAT IS A VULNERABLE CONSUMER?
Vulnerability is hard to define, as it is in part a subjective term. The Financial Conduct Authority broadly describes a vulnerable consumer as someone who, due to their personal circumstances, is especially susceptible to detriment.
A person can be vulnerable due to a large number of both short and long term problems.
Short term problems may include unemployment, bereavement or caring responsibilities; long term problems can include financial literacy, health and an ageing society, all of which can temporarily push consumers into vulnerable circumstances. The following are all potential indicators of vulnerability
These categories are by no means exhaustive, nor do they mean that a consumer is automatically vulnerable if they experience these problems. However, if these problems are apparent, this must be treated as an indicator that a consumer is more likely to be vulnerable than the average consumer, and the provisions of this Policy should be applied in all dealings with that customer throughout the period they remain vulnerable.
Vulnerability can manifest itself in a number of ways when looking at people’s use of consumer credit. For example, people can choose the wrong product, pay a high price due to poor credit choices, fail to obtain the right product for their needs or be treated unfairly by their credit provider. The most significant detriment can occur when people get into unmanageable, or problem, debt through the use of consumer credit.
WHAT IS A LACK OF MENTAL CAPACITY?
A person's ability to make a decision is their mental capacity. This allows a consumer to understand, remember, and choose from the relevant information provided to them and to reach and communicate a responsible decision based on that information.
Any person who may not have the mental capacity to make such a responsible decision is classed as being a vulnerable person, although not all consumers in vulnerable circumstances will have issues regarding mental capacity.
GLOBAL RESPONSE PARTNERS APPROACH
Our policy objective is to ensure that vulnerable consumers are recognised and protected and to prevent and reduce the risk of any harm to vulnerable adults from abuse or other forms of exploitation in connection with the service we, and/or our partners or members of our Network, provide.
ACCESS TO CONSUMER CREDIT MEDIUMS.
There are two main mediums operated by GRP and its network members.
Our Broker partners operate call centres where interaction with consumers is carried out over a telephone collecting personal data from consumers seeking to secure some form of consumer credit. All our Broker partners are required to train their staff and have in place policies to ensure they are able to identify a consumer who may be vulnerable, including, but not limited to, a consumer who demonstrates difficulties with language, age or understanding of the product they have applied for.
Through the Internet
Our Broker partners operate websites through which consumers may apply for consumer credit products. This medium restricts the degree of interaction with consumers as it is a medium that is almost exclusively electronic and distant in its contact.
It involves gathering personal data from consumers who are searching for consumer credit in order for a lender to assess the information, and reach a decision either to grant or refuse the application for a loan. Once a lender, product or service provider has made their decision, GRP and its Broker partners hand over the responsibility to the product provider.
In this instance, it may be difficult for the assessment of vulnerability to be conclusive as an application form does not always demonstrate that the consumer lacks the mental capacity to make a responsible decision. However, where factors are identified which give rise to concerns, for example inconsistent or contradictory information being offered by a customer, GRP and its Broker partners will intervene to seek to assess whether this is an indication of vulnerability. Such intervention may involve contacting the customer directly to discuss their on-line application.
Regardless, all elements of our business have treating consumers fairly at their core. This includes a focus on recognising when a consumer demonstrates signs of being vulnerable and ensuring the service that we and our Broker partners provide is suitable for their needs and does not place them at risk of detriment as a result of their vulnerability.
The Company aims to achieve the following outcomes when dealing with vulnerable customers:
GRP and our Broker partners may be the first point of contact for a customer, before they reach the lender, product or service provider. Whilst the lenders or providers of consumer credit products will have their own vulnerability policies in place, we believe that all parts of the consumer’s journey must ensure that wherever possible, vulnerable consumers are recognised and protected by taking the following steps:
1. GRP and our Broker partners may have cause to communicate directly with consumers and, as such, the correspondence may demonstrate that the consumer is vulnerable. Training on how to deal with this vulnerability has been provided at all stages of the consumer's journey, both directly and through those we deal with.
2. GRP and our Broker partners take precautions within any advertising or marketing to ensure that consumers, including vulnerable consumers, are provided with clear and fair information about the service or product they may be offered and not misled or improperly incentivised to take up the offer of this product to their detriment.
3. If any form of direct interaction with a consumer brings GRP or our Broker partners to conclude that the consumer is vulnerable, appropriate steps will be taken to ensure this is communicated to our Broker partners to ensure they are able to act upon their own vulnerable consumer policies. This will normally involve declining the customer from the promotion or service.
4. GRP and our Broker partners will bring to the attention of the Director any identification of a vulnerable person for additional support, and record these requests for additional support in line with data protection requirements. These requests will be communicated with those who interact directly with the consumer within the framework of the consumer's journey.
Currently the UK Director, Chris Downes, has the day to day responsibility for enforcing the vulnerable consumer policy which will be maintained and reported at the regular GRP board meetings and through regular interaction within our network and its members.
The treatment of vulnerable consumers is constantly reviewed and forms part of our broader compliance policy; our approach will be adjusted and optimised based on any such monitoring.
This policy will be reviewed at a minimum annually, or upon changes within the regulatory framework or as a result of developments within our monitoring activities.
INTRODUCTION / POLICY STATEMENT
GRP is committed to providing the highest standard of products and services to our customers. Customer satisfaction is at the heart of our service and, to achieve this, ensuring all customers are treated fairly is at the centre of the business. This forms part of our overall compliance policy and our commitment to treating our customers fairly in accordance with the Financial Conduct Authority’s Treating Customers Fairly (TCF) Principles.
All of our staff are fully trained on commencement of their employment, and continue to receive further training, to ensure that customers are treated fairly and that our TCF Principles are fully adhered to.
This TCF policy is designed to follow the six key guidelines as outlined by the FCA:
1. Consumers can be confident that they are dealing with firms where the fair treatment of customers is central to the corporate culture.
2. Products and services marketed and sold in the retail market are designed to meet the needs of identified consumer groups and are targeted accordingly.
3. Consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale.
4. Where customers receive advice, the advice is suitable and takes account of their circumstances.
5. Consumers are provided with products that perform as firms have led them to expect, and the associated service is both of an acceptable standard and as they have been led to expect.
6. Consumers do not face unreasonable post-sale barriers imposed by firms to change product, switch provider, submit a claim or make a complaint.
CONDUCT RISK – DELIVERING TCF THROUGH OUR BUSINESS.
GRP’s role is to introduce consumers to product or service offerings through its Broker Partners. GRP recognises that it has an obligation to meet the FCA's principles for business in all its dealings with customers and trading partners to ensure that customers are treated fairly in the provision of fair, clear and transparent information, which does not mislead directly or indirectly by content, format or omission, to facilitate them making informed choices when using our services or the services of any lender or other financial services or product provider to which we may introduce them.
The following are the areas where GRP’s activities present particularly high risks, together with our controls and procedures to avert such risks:
Breach of Conduct of Business Standards for a Credit Broker
GRP is a credit broker which makes introductions to providers of credit products and services to consumers. To ensure the interests of the customer are always put first, GRP does not collect data from the consumer and merely displays a selection of offers for the consumer to consider, without giving any guidance, advice or bias towards any product or service offered by the Broker Partners of GRP. The service is provided equally and fairly to all customers.
Risks exist in promoting one service over another, or guiding or suggesting that a product is suitable for the needs of the consumer, without firstly understanding the circumstances of the individual consumer. Accordingly, GRP shall implement the following mitigation procedures:
Consumer Confusion in relation to Credit Brokers vs. Lenders
A potential adverse confusion arises where a consumer does not understand the difference between a credit broker, a lender and other consumer credit based service providers. This generates a risk of unfairness and a lack of transparency as consumers may be confused and think that all promotions they receive are by direct lenders.
GRP will mitigate this risk of confusion by the following methods:
In order to introduce consumers to financial service providers, GRP must make consumers aware of lenders, product and service providers that can provide these financial services.
Accordingly, GRP will be involved in financial promotions through its Broker Partner network and its own data sources.
There are specific advertising standards and regulations, including CONC 3, governing financial promotions relating to consumer credit, and in particular the consumer credit products or services which GRP will promote to consumers. Accordingly, GRP must ensure that its introductions are to regulated consumer credit lenders, product and service providers, and are suitable to the consumer's needs. Accordingly, the following procedures will be adopted: