Data protection policy

As a provider of financial planning advice, Rouse Limited (the “data controller”) collects, stores and processes personal information (“personal data”) about you (the “data subject”) in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

This policy therefore sets out the arrangements for holding and using your personal data.

DEFINITION OF DATA PROTECTION TERMS

  • Data subjects, for the purpose of this policy, include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
  • Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name and address) or it can be an opinion (such as the level of investment knowledge).
  • Data controllers are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed, all in line with GDPR. We are the data controller of all personal data used in our business.
  • Data processors include any person whose work involves using personal data and processes data on behalf of a data controller. They have a duty to protect the information they handle by complying with this data protection policy.
  • Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.


WHY WE NEED YOUR DATA

We need your data in order for us to:

  • Provide financial planning services to you, which may include, but are not limited to, giving you financial advice and making recommendations as to investments and financial products which are suitable for you, taking into account current financial markets and economic conditions, availability of products and the providers of those products, as well as a detailed analysis of your personal circumstances and requirements.
  • Comply with our regulatory obligations imposed by the Financial Conduct Authority (the Regulator) in regard to the relevant “know your client” obligations.
  • In addition, comply with the Regulator’s requirements for record keeping for the purposes of audits and reviews, records of transactions undertaken and customer histories for prescribed periods of time as directed.
  • Respond to any legitimate legal requests for information about you to the Regulatory authority or pursuant to an order of any court or tribunal having relevant jurisdiction, or as required by law for the purposes of, but not limited to, combatting fraud, money-laundering and criminal activities.
  • Carry out our legitimate business and professional management responsibilities which include, but are not limited to, preparing, verifying and auditing of statutory accounts and tax returns, monitoring and reviewing levels and types of business for marketing and quality control, assessing business risks and standards of services or investigating and resolving complaints.


THE INFORMATION WE COLLECT ABOUT YOU

We collect and process a variety of personal data about you when you engage us for the purposes of providing advice, administration and management services and (subject to various provisions) related marketing activities.

Personal data is information that can identify you as a living individual, including where used in conjunction with other information. Common examples of personal data, which may be collected and used by us in our day-to-day business activities, include:

  • Name and address
  • Telephone number and other contact details, including email addresses
  • Date of birth and gender
  • Marital status and family/social circumstances
  • Financial details, such as salary and other income
  • Employment details

Depending upon the types of products and services you require, the information collected and processed may also contain more sensitive personal data (special category data) as to:

  • Racial or ethnic origin
  • Your political opinions, religious or similar beliefs
  • Your physical or mental health or condition
  • Genetic and/or biometric data for the purpose of identifying you as a natural person
  • Sex life or sexual orientation
  • The commission or alleged commission of any offence
  • Any proceedings for an offence committed or alleged to have been committed, including the outcome or sentence in such proceedings
  • In limited circumstances, your membership of a trade union

As with personal data, you have the freedom of choice when it comes to your decision as to whether you provide us with special category data. In addition to your right to request that we stop processing your personal data and special category data at any time, you have an opportunity to choose not to provide special category data to us at all.

We may also collect information when you voluntarily complete client surveys or provide feedback to us.

Information relating to usage of our website is collected and analysed by Google Analytics. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on a user’s computer. The information generated relating to our website is used to create reports about the use of the website. Google’s privacy policy is available at www.google.com/privacypolicy.html


HOW WE USE THE INFORMATION ABOUT YOU

We may process your personal data and special category data for the following reasons:

  • The administration, management and provision of advice in relation to financial services products.
  • Our legitimate business processes and activities including internal audit, accounting, business planning and proposed and actual transactions (including joint ventures and disposals of business).
  • Compliance with legal (including dealing with claims), regulatory and other good governance obligations.

This list is not exhaustive and may be updated from time to time as business needs and legal requirements dictate. Some of the personal data that we maintain will be kept in paper files, while other personal data will be included in computerised files and electronic databases.

All the personal information you provide electronically is stored on our secure (password- and firewall-protected) servers, which include the secure messaging system within Nutshell, our personal finance portal.


HOW WE HOLD AND REVIEW YOUR DATA

All storage of data, whether active data or archived data, will be in accordance with good industry practice and will be undertaken in accordance with organisational systems and procedures, which will be regularly reviewed, to maintain the security of data.

In principle, your personal data should not be held for longer than is required under the terms of our contract for services with you. However, we are subject to regulatory requirements to retain data for specified minimum periods. We also reserve the right to retain data for longer than this owing to the possibility that it may be required to defend a future claim against us.

We will review the data we hold on you on a regular basis to ensure compliance with data protection law. In the course of any review, we will:

  • Update the data to ensure that any errors or inaccuracies are corrected.
  • Archive data where, in our opinion, such data has ceased to be active and will only be processed in limited circumstances.
  • Delete any data which is trivial or transitory in nature.
  • Subject to the data retention periods, as detailed below, securely delete the data when it is identified that we no longer need to hold it.

We may retain and process your data for the following periods. In the event that more than one period applies to the same data, we will retain the data until the last such period expires:

  • We will hold any agreements between you and us for a period of six years from the termination or expiry of our agreement, unless we have been notified of any claim or circumstance which might give rise to a claim under any such agreement.
  • We will process data relating to investments which we have provided advice on and/or arranged for you. We will process such data throughout the entire period you are, and remain, a client of the firm and for a period of not less than six years following our ceasing to provide services to you in regard to those investments. In the case of long-term investments, we may process your data until the date of maturity.
  • We will hold data as required by any Regulator until the end of any limitation period imposed by that Regulator. In the case of the Financial Conduct Authority, this is currently six years for all types of business undertaken, except for Occupational Pension Schemes (which can include Defined Benefit Transfers and Scheme Money Purchase Transfers), whereby the data retention period is indefinite.
  • We will hold data as required by any relevant third party until the end of any limitation period imposed by that relevant third party, unless we are notified that any period is considered “open” by HMRC in which case it will be until we are notified the period is “closed”.
  • We will hold data as required for the purposes of any legal proceedings for a period of six years following the conclusion of any such proceedings unless a longer period is required pursuant to any court rule or enactment. Proceedings will be taken to have concluded on the expiry of any period given for appealing any final judgment or on the date of concluding any settlement staying all relevant claims if the proceedings were settled before judgment.

In any case, we will not retain your personal data for longer than 50 years.


WHO WE SHARE YOUR DATA WITH

In order to carry out our legitimate business and to deliver our financial planning services to you effectively, we will share your personal data with other regulated entities/companies, such as product and platform providers that we use to arrange financial products for you.

We will also share your information with various UK-based companies for the purposes of responsible management, human resources, accounting, audit, compliance, information technology and other corporate staff.

Where third parties are involved in processing your data, we will have a contract in place with them to ensure that the nature and purpose of the processing is clear, that they are subject to a duty of confidence in processing your data, and that they will only act in accordance with our written instructions.

Where it is necessary for your personal data to be forwarded to a third party, we will use appropriate security measures to protect your personal data in transit.

It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries and territories around the world. Any transfers made will be in full compliance with all aspects of the latest legislation.

Contact details for the data controller for third party entities are available to you on request.

To fulfil our obligations in respect of prevention of money-laundering and other financial crime, we may send your details to third party agencies for identity verification purposes.

Certain personal data will also be reported to government authorities and external parties, as required by legislation, or by legal process, for tax or other purposes.

We will not share your information for marketing purposes.

We will not sell your personal data to any third party.


YOUR RIGHTS

You have the right to review your personal data, and any special category data, held by us and have any inaccurate information about you corrected.

If you would like a copy of some or all of your personal information, you should write to or email our Data Protection Officer, using the contact details noted below. The data held about you, both in paper files and computerised/electronic files, will be sent to you within 40 days of the initial request.

You have the right to request deletion of your personal data. We will comply with this request, subject to the restrictions of our regulatory obligations and legitimate interests, as noted above.

If, at any time, you wish us to cease processing your personal data or special category data, or contacting you for marketing purposes, you should write to, or email, our Data Protection Officer, using the contact details noted below.

If your spouse/partner is not a client of Rouse Limited and we receive a request for information from your spouse/partner, we will only disclose information on an investment, product etc held in both your names (unless we have received a letter of authority).

If you purchase a product from us or have previously asked us for information on our services, we may retain your details for future mailings and telephone contact. We may send you such information by post, fax and email or contact you by telephone.

From time to time, we may wish to contact you with information that you may find interesting, or with details of other investment, pension or financial products and/or services that we think may be beneficial to you.

If you do not wish to be contacted by us in regard to additional investment or financial products and services, or for any other marketing purposes, you should write to, or email, our Data Protection Officer, using the contact details noted below.

On the termination or expiry of any agreement to provide services to you, and on your written request, we will, subject to our right to retain copies of data for the purposes set out above, agree to return any data you have provided to us in a structured, commonly used machine-readable format, or transfer the same to a new data controller nominated by you.


WHAT WE DO IN THE EVENT OF A DATA BREACH

A data breach may apply to a whole client record or just part of it. It can be the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In the event of a data breach, we will review what data has been disclosed and assess the likelihood of a risk to the rights and freedoms of an individual (or individuals). A report will be written providing an audit trail of events and conclusions reached. We will refer to guidance on the ICO website and legal advice will be sought where necessary. If required, the Information Commissioner’s Office (ICO) will be notified within 72 hours.

If you are unhappy about a breach of data relating to you or how your personal data is processed generally, you have a right to lodge a complaint with the ICO at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Online: www.ico.org.uk
By telephone: 0303 123 1113 (local rate)


HOW YOU CAN STAY INTERNET SECURE

This data protection policy only applies to Rouse Limited so when you link to other websites from our website, you should refer to the particular data protection statements of those websites.

You should also be aware that internet communication, which includes email, is not secure and that we will not accept responsibility for unauthorised access by a third party or for the loss, theft or modification of your personal data while it is being sent to you by email.

We encourage you to use Nutshell, our personal finance portal, for secure messaging.


WHY WE RECORD TELEPHONE/VIDEO CALLS

For your security, and for training purposes, telephone and video calls may be recorded or monitored. You should also note that any recordings may be used in the event of a dispute with us.


OUR CONTROLS AND PROTOCOLS

Regular training is provided to ensure that staff are fully aware of the contents of this policy and to ensure that correct procedures are followed according to the particular event.


Procedure to follow in the event of a data request

Action no.  Action required
1.  Data Protection Officer to check that the request is in writing ie email/letter. If by email, call the client to ensure it is legitimate.
2.  Data Protection Officer to instruct administrator to take next actions.
3.  Administrator to extract client record from CMS.
4.  Administrator to check server for any additional data.
5.  Administrator to check email records to ensure that all emails have been included in client record.
6.  Administrator to check paper files for any additional data.
7.  Administrator to agree how to provide the client with the data, either in printed form and posted, via the PFP or on an encrypted memory stick.
8.  Administrator to note client record of actions taken.


Procedure to follow in the event of an objection to processing personal data

Action no.  Action required
1.  Data Protection Officer to check that the objection is in writing ie email/letter. If by email, call the client to ensure it is legitimate.
2.  Data Protection Officer to determine why the client has placed this objection – what are their concerns?
3.  If the client wishes to cease its arrangements with the firm, Data Protection Officer to confirm in writing that data processing has ceased and what the implications of this are (ie cannot proceed with given personal recommendations, cannot proceed with the financial plan, client may be charged for work completed to date as per the client agreement).


Procedure to follow in the event of a request to restrict the processing of data

Action no.  Action required
1.  Data Protection Officer to check that the request is in writing ie email/letter. If by email, call the client to ensure it is legitimate.
2.  Data Protection Officer to check whether the data restriction request is viable, without risk to the firm in meeting its legal and statutory obligations (ie to give suitable advice and conduct suitability assessments).
3.  If the data restriction is viable, Data Protection Officer to note client record accordingly and confirm to client.
4.  If the data restriction is not viable, Data Protection Officer to explain position to client (within 10 working days).


Procedure to follow in the event of a data portability request

Action no.  Action required
1.  Data Protection Officer to check that the request is in writing ie email/letter. If by email, call the client to ensure it is legitimate.
2.  Data Protection Officer to instruct administrator to take next actions.
3.  Administrator to extract client record from CMS.
4.  Administrator to check server for any additional data.
5.  Administrator to check email records to ensure that all emails have been included in client record.
6.  Administrator to check paper files for any additional data.
7.  Administrator to collate all the data.
8.  Administrator to check data for any references to another individual and redact those references.
9.  Administrator to agree how to provide the client with the copy data, either via the PFP or on an encrypted memory stick. If the client requires the copy data to be sent to another data controller, then the administrator is to confirm that this will be on an encrypted memory stick.
10.  Administrator to note client record of actions taken.


Procedure to follow in the event of a data erasure request

Action no.  Action required
1.  Data Protection Officer to check that the request is in writing ie email/letter. If by email, call the client to ensure it is legitimate.
2.  Data Protection Officer to check whether the data being held is in accordance with the client’s personal data protection statement/agreement and without risk to the firm in meeting its legal and statutory obligations.
3.  If yes, Data Protection Officer to advise the client why the data (or some of the data) cannot be erased.
4.  If no, Data Protection Officer to confirm to the client that the data will be erased and instruct administrator to take next actions.
5.  Administrator to delete client record from CMS.
6.  Administrator to delete any additional data held on the server.
7.  Administrator to delete any email records.
8.  Administrator to shred any paper files.


Procedure to follow in the event of a (potential) data breach

Action no.  Action required
1.  Staff member to advise Data Protection Officer of (potential) data breach as soon as possible by phone or, if unavailable, by email.
2.  Staff member to produce a written statement, summarising the (potential) data breach.
3.  Data Protection Officer to conduct an investigation into the (potential) data breach to ascertain whether personal data and/or sensitive personal data has been compromised and if so how.
4.  Data Protection Officer to produce a written statement, confirming the outcome of the investigation, for review by management team.
5.  Data Protection Officer to suggest what measures (if any) should be put in place to prevent a similar occurrence in the future, for agreement by management team.
6.  In the event that the conclusion is that client should be notified, management team to agree how and when the communication will take place.
7.  Data Protection Officer to update the breaches register.
8.  Where appropriate, Data Protection Officer to notify the ICO (within 72 hours).


CHANGES TO OUR DATA PROTECTION POLICY

We will keep our data protection policy under regular review and will make changes as necessary.

Indeed, in the event of any change in data protection law occurring, which requires the adoption of revised provisions dealing with data retention or portability, we will make the necessary changes to this policy.


OTHER LEGAL TERMS

If any provision, or part thereof, of this agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions will remain in force.


HOW YOU CAN CONTACT US

You can write to our Data Protection Officer at:

Rouse Limited
Lugley House
Lugley Street
Newport
Isle of Wight
PO30 5EL

By email: advice@rouseltd.co.uk
