Introduction
CEI Compliance Limited has a responsibility to satisfy itself that its operations are being properly run and have appropriate corporate governance. One of the ways in which this is achieved is to set policies.
It is a fundamental principle of CEI Compliance Limited that customers’ personal data will be processed in accordance with its obligations under the law.
CEI Compliance Limited is a data controller in its own right in respect of its own customers. This Data Protection Policy sets out CEI Compliance Limited's approach towards processing personal data, thus ensuring its compliance with its statutory obligations.
CEI Compliance Limited Approach
CEI Compliance Limited's approach to meeting the requirements of the relevant Data Protection Legislation consists of the following key elements:
Organisational Controls
Appointment and reporting lines
CEI Compliance Limited has appointed the Managing Director as Data Protection Officer (“DPO”) and will maintain that role. In addition, a deputy DPO will be appointed to ensure the entity’s continued compliance with the requirements of the DPA during any temporary absence of the DPO.
The DPO role
The Board has charged its DPO with taking steps to oversee the entity’s compliance with the legal and regulatory requirements of the relevant data protection legislation applicable to the Firm. Therefore the DPO has authority to act in this area across the entity and to escalate any aspect in accordance with the escalation procedures outlined above.
The DPO will:
- act as the contact point with the Information Commissioner for all dealings relating to the registration/notification requirements;
- take responsibility to ensure that the annual renewal of the register and any subsequent amendments is completed;
- advise all staff of the requirements in respect of data protection;
- review all material referred to Compliance concerning data protection obligations; and
- respond to all subject access requests received by the entity within 40 days of receipt.
Definitions
The data protection legislation affecting CEI Compliance Limited is the Data Protection Act 1998 (as amended from time to time) and details can be found here. CEI Compliance Limited will adopt one overarching policy but the DPO should always be consulted on any specific matter.
Data
Data is information relating to individuals which can be either automated or manual and held on a filing system:
Automated Data
Information that:
- is being processed by means of equipment operating automatically in response to instructions given for that purpose; or
- is recorded with the intention that it should be processed by means of such equipment.
Manual Data
Information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
Relevant Filing System
Any set of information relating to individuals to the extent that it is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
Processing
Under the legislation CEI Compliance Limited is classified as processing data when it is taking any of the following actions:
- Obtaining;
- Recording;
- Holding;
- Organising/adapting/altering;
- Retrieving/consulting/using;
- Disclosing by transmission, dissemination or otherwise making available; and
- Aligning, combining, blocking, erasing or destroying.
Conditions for processing
Processing may only be carried out by CEI Compliance Limited when one of the following conditions has been satisfied:
- The individual has given his/her consent to the processing;
- The processing is necessary for the performance of a contract with the individual;
- The processing is required by law;
- The processing is necessary to protect the vital interests of the individual or to carry out public functions;
- The processing is necessary for the administration of justice or exercise of Government or public office; and
- The processing is necessary in order to pursue the legitimate interests of the business (unless prejudicial to the interests of the individual).
Security
CEI Compliance Limited must take security measures to safeguard personal data. Consequently all staff must ensure that customers’ personal data is protected against:
- Accidental or unlawful destruction, loss or alteration;
- Unauthorised disclosure or access; and
- All other forms of unlawful processing.
Credit Reference Agencies
There are guidelines that require CEI Compliance Limited to inform individuals whenever it accesses information held by credit reference agencies about an individual. Consequently appropriate wording will be included in any documentation that the Firm sends out. In addition, CEI Compliance Limited must also inform individuals if it accesses information held by credit reference agencies to address its obligations under the anti-money laundering legislation. This will be addressed by the inclusion of appropriate wording in the relevant products’ terms and conditions.
Direct Marketing
In the context of this policy, “direct marketing” means any communication in the form of unsolicited mailings of an advertising or promotional nature that is directed at certain individuals. CEI Compliance Limited's customers must be able to ‘opt out’ of having their data used for direct marketing purposes, and consequently all of our application forms, which accompany our terms and conditions, must provide our customers with this option. A record of all customers who have opted out is kept to ensure that the Firm does not inadvertently contact these customers.
Transfers Abroad
Personal data shall not be transferred to a country or territory outside the entity’s country unless that country or territory ensures an adequate level of protection. By adhering to this policy, and provided data is obtained in accordance with our standard procedures, this will ensure that we meet the relevant regulatory requirements while carrying out our normal business.
Principles of the Data Protection Legislation
There are nine data protection principles relating to personal data.
- Personal data must be processed fairly and lawfully and, in particular, must not be processed unless we have the consent of the customer. Personal data must be processed fairly and no one must be deceived or misled as to the purpose for which their data is to be processed. The terms and conditions for each of our products ensure that CEI Compliance Limited meets these requirements and all staff must ensure that our customers receive a copy of the relevant terms and conditions when they open an account with CEI Compliance Limited.
- Personal data we obtain must only be for specified and lawful purposes. Provided data is obtained in accordance with our standard procedures this will ensure that we meet the relevant regulatory requirements whilst carrying out our normal business.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which this is processed. Provided data is obtained in accordance with our standard procedures this will ensure that we meet the relevant regulatory requirements whilst carrying out our normal business.
- Personal data shall be accurate and, where necessary, kept up to date. Consequently when CEI Compliance Limited is advised by our customers of specific changes in data details e.g. any change of name or address, we must ensure that our records are updated.
- Personal data processed for any purpose shall not be kept for longer than is necessary. Staff should follow CEI Compliance Limited's archiving policy, which addresses both the data protection legislative requirements and any other legal or regulatory requirements.
- Personal data shall be processed in accordance with the rights of data subjects under the legislation. Provided data is obtained in accordance with our standard procedures this will ensure that we meet the relevant regulatory requirements whilst carrying out our normal business.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data. By adhering to this policy and provided data is obtained in accordance with our standard procedures this will ensure that we meet the relevant regulatory requirements whilst carrying out our normal business.
- Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection. By adhering to this policy and provided data is obtained in accordance with our standard procedures this will ensure that we meet the relevant regulatory requirements whilst carrying out our normal business.
- A copy of an individual’s personal data must be given upon request. This “right of access” is subject to a limited number of exceptions. All communications received from customers relating to this matter must be referred to the entity’s DPO.
If staff encounter any problems in adhering to these principles they should refer the matter to the DPO.
Individual Rights
CEI Compliance Limited has a responsibility under the data protection legislation to recognise that individuals have certain rights with regard to the way in which their personal data is processed. All communications received from customers relating to this matter must be referred to the relevant entity’s DPO.
Registration/Notification
Each entity’s DPO is responsible for its registration and notification under the legislation. Notification is the process by which the DPO will inform the relevant authority of certain details about the processing of personal data carried out by the entity. Those details are then entered in a register that is available to the public for inspection.
The DPO is responsible for ensuring that the register entry is kept up to date. When any part of the entry becomes inaccurate or incomplete the DPO will advise the relevant authority in writing quoting the entity’s security number.
Annual Review
This policy must be reviewed by CEI Compliance Limited every year to ensure its alignment with appropriate legal and regulatory requirements and its continued relevance to CEI Compliance Limited's current and future operations. At the same time, the Board of Directors of CEI Compliance Limited must issue an up-to-date policy.
This policy was approved by the Board of Directors on 01 March 2011.
Company Secretary
CEI Compliance Limited is registered with the Information Commissioner under the registration of Z1449155 in the name of CEI Compliance Limited. CEI Compliance Limited Directors are qualified by diploma with the Chartered Institute for Securities and Investment and are a member of the Association of Professional Compliance Consultants, The Compliance Institute & The Business Continuity Institute. CEI Compliance Limited is registered in England & Wales no. 6501824.