Privacy policy
PREAMBLE
This document accompanies the internal Compton RE Limited (Compton) staff GDPR guidance.
This document does not directly relate to policy regarding data protection for staff and former staff which is covered in depth both in that document and in the annual compliance review and training sessions.
This document deals with the policy of the company in respect of information held relating to third parties which is considered private data.
GENERAL AND REGULAR RISK ASSESSMENT REVIEW
The directors of the company consider that there are two main areas in which it may hold personal data, firstly staff and HR matters and secondly documents held in relation to the identification of clients under the anti-money laundering (AML) procedures set out in our own and the HMRC guidance (updated 22nd June 2021).
Most work carried out by Compton is on a business-to-business basis and it is not foreseen that personal data will be held for any purpose other than Know Your Customer (KYC) as outlined above.
The company is aware of its duty in respect of the storage, usage and communication of this information and also the company’s duty to make its staff aware of this to ensure the efficiency of the policy.
MANNER OF DATA HELD
It is expected that the only private data held will, as referred to above, comprise identification documents for the nominated representatives of clients. This may comprise scans of passports or other photo identity documents and also copies of domestic utility bills or similar supporting evidence of address.
Any information held for any other purpose will only arise once the GDPR compliance officer, Elliott Stern, is notified and has approved the retention.
STORAGE, ACCESS AND COMMUNICATION
All documents held in respect of third parties are considered to contain private data without exception. The electronic copies of such data can only be held in a secure environment with regulated access. There is a SharePoint folder dedicated to this, and access to this folder is restricted to the directors and associate directors of the company and any other persons deemed fit by the GDPR compliance officer. Lauren Bray and Elena Donnellan are appointed to administer receipt and storage of these personal documents.
It is not envisaged that such information will ever need to be sent by the company to any others, with the possible exception of passing on KYC details (with the subject's permission) to others for purposes approved by the subject. Such transfer of data is only permitted by encrypted email or direct upload to a secure server.
The directors have concluded that the purpose of holding private data (except in the case of HR/staff) is entirely for money laundering compliance purposes and, therefore, have concluded that such information will be required for at least six years following the transaction and will be stored securely until that time.
The company does not wish (nor is allowed) to hold data for any longer than required; therefore each annual GDPR review will identify data held for longer than this period and, where there has been no renewal of activity, erase such data.
The following notes are to be read together with this policy document for a better understanding of the aims and intentions of Compton’s GDPR policy.
Any queries regarding these matters or requests under GDPR are to be addressed to Elliott Stern, the internal GDPR Compliance Officer (es@compton.london).
NOTES ON THE 7 KEY PRINCIPLES OF GDPR
- Lawfulness, fairness and transparency.
The company holds personal data relating to staff and clients (as defined in money laundering regulations) securely, for a lawful purpose and in a fashion known to the subject. The company will pass this document on to any subject and update them with any changes should they desire.
- Purpose limitation.
The purpose of holding (non-staff) personal data is to fulfil the requirement set out in the HMRC guidance on money laundering published July 2021. Personal data will not be held for any other purpose unless authorised by the GDPR compliance officer. No such authorisations have so far been given and if this changes this paragraph will be updated.
- Data minimisation.
It is anticipated that two simple pieces of personal identification data are adequate for this purpose. Internal rules make it unlikely that further data will be requested (e.g. renewed passports or utility bills following a change of address) as this is unnecessary under our identification procedures. Any change to this should be known to the subject as they will have provided the additional data; however, if it is obtained elsewhere they will be informed.
- Accuracy.
All data will either be provided by the subject or approved by the subject if they have authorised it to be provided by third parties. Unless the subject confirms the accuracy of this data it is of no use within our AML procedures; therefore we consider that a rectification policy is unnecessary at this time.
- Storage limitation.
As set out in the general notes on policy, the personal identification data will be held for 6 years following the transaction concerned and it is intended to dispose of this data securely at the next annual review following this period.
- Integrity and confidentiality.
The company does not intend to process any personal data, merely store it. The data will not be held outside of the UK, unless in a jurisdiction with an equally acceptable GDPR environment.
- Accountability.
The compliance officer, on behalf of the board, acknowledges that the company has a duty of care to any subject for whom personal data is held and a responsibility to ensure full training and rigorous regular reviews of the process.
GDPR POLICY GENERAL NOTES
• No information will be held relating to minors.
• No information regarding health, sickness or subjective data (looks or appearance, except as evident within photographic identification documentation) will be held outside of HR/staff matters, which are dealt with separately and communicated to staff.
• If a subject leaves the employment for which s/he was identified, this data will still need to be held within the time limit set out in this document, and money laundering regulations do not anticipate that this retraction may reasonably be requested by the subject.
• This document is intended to accompany the terms and conditions of the company for guidance.
• As a separate exercise, the GDPR officer regularly reviews not only the security of the systems within the office, but also external and individual access to the systems outside of the physical environment of the office.
• Bearing in mind the low level of data held and the fact that the company is not a processor of such data, it is considered low risk. However, all personnel are trained to identify data breaches and other breaches of GDPR regulations so that these may be reported to the MLRO, under guidance set out by the Information Commissioner's Office, for further consideration and possible reporting.