Barnett Waddingham Policy Statement on compliance with the 1998 Data Protection Act

In relation to its responsibility as a Data Processor, Barnett Waddingham conforms to the Data Principles contained in the Data Protection Act 1998 ("the Act"), and obliges all Barnett Waddingham staff to abide by the guidelines set out below.

Overview
The following is the Firm's formal Data Protection Policy, which must be observed by all staff.

In brief, all data - whether paper or electronic - may contain personal information and must be handled properly. The following are mandatory:

  • destroy unwanted data - this includes draft letters
  • keep your desk clear
  • put away all papers in cabinets out of hours
  • only take papers or data off the premises when authorised to do so
  • pass on personal information only when you are sure that the person you are writing / talking to is authorised to receive personal information
  • follow the Firm's e-mail policy

Members of the Data Protection Committee monitor compliance in each office throughout the year and maintain a log of their compliance checks, which are reported to the Partners.

There are hefty fines for failing to comply with the Data Protection Act 1998. Transitional exemptions under the Act ended at midnight on 23 October 2001.

Introduction
All Partners and staff of the Firm will adopt the Data Principles contained in the Data Protection Act 1998 ("the Act").

The Data Principles are as follows:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
    • at least one of the conditions in Schedule 2 is met, and
    • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of Data Subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data. [The US is one such country. The US Department of Commerce maintains a register for checking that the receiving organisation is signed up to the "safe harbour" principles.]

Personal data and sensitive personal data

  • Personal data is any data relating to a living individual (Data Subject) who can be identified from that data either on its own or with other data held by the Data Controller (trustees) or Data Processor (the Firm, scheme administrators and other advisers). The Data Subject may be a member, employee or other potential beneficiary of a pension scheme.
  • Sensitive personal data includes data relating to physical or mental health, sexual orientation, race, religion and trade union membership.
  • All new personal data must be checked to ensure that the Data Subject's consent to process it has been obtained. In the case of sensitive personal data, this consent must be explicit in referring to the purposes for which it will be held and processed.
  • All existing and new personal data must be logged, stored or filed in such a way that all personal data referring to a Data Subject can be retrieved at short notice. (Note that data held on the pensions administration system in respect of members' spouses and other potential beneficiaries is not indexed, and therefore cannot be retrieved, by reference to them.)
  • Any personal data which is unnecessary or out of date must be destroyed. This includes, for example, CVs received from unsuccessful job applicants. The Partner in charge of each client is responsible for ensuring that reviews and appropriate destruction of data are carried out. The majority of data held for pension schemes normally needs to be retained indefinitely.
  • Some of the data held on the Firm's Address Book may be classified as personal data. For the avoidance of doubt, data extracted from the Address Book may only be extracted on an individual basis unless a Partner instructs otherwise and may only be used for communications between the Firm and the individual in question. Under no circumstances may data be provided to a third party unless expressly authorised by a Partner and only then if an appropriate data protection agreement specifying the purpose for which the data may be used is in place. Address Book records will be destroyed if they are unused for 18 months or on request from the individual concerned.
  • On request and on payment of a fee of £10, a Data Subject must be provided with all of his personal data held by the Data Controller and the Data Processor(s) within 40 days (see "Subject access" below).
  • Personal data may normally be passed between only the Data Subject, the Data Controller and the Data Processor(s) without the further consent of the Data Subject.
  • Personal data may only be processed in accordance with the Data Controller's instructions.

Data security

  • Access to the Firm's networked computer system is by password and all Partners and staff must abide by the Firm's password policy. The standard setup of all the Firm's PCs ensures that a passworded screensaver appears when a PC has not been in use for a short period of time; any Partner or staff whose passworded screensaver is disabled for any reason must ensure that it is reinstalled immediately. (Disabling screensavers is permitted for training sessions and demonstrations.)
  • Access to software packages, such as benefits administration, payroll and accounts software, is separately passworded and again all Partners and staff must abide by the Firm's password policy when using these packages to access personal data.
  • Manual records (paper and microfilm) must be stored in designated filing cabinets.
  • Archived manual records must be stored in a similarly secure environment (normally offsite with the Firm's selected secure archivists).
  • All discarded manual records (including drafts and notes) must be shredded, torn or otherwise disposed of so that personal identifiers are destroyed.
  • The identity of enquirers, whether by telephone, letter, fax or e-mail, and their authority to receive personal data in respect of a Data Subject must be verified before personal data may be released to them. (Note that the specific consent of the Data Subject will need to be obtained before personal data can be exchanged with a pension scheme from or to which he is considering transferring.)
  • Personal data sent by post must, unless otherwise instructed by the recipient, be marked "Personal", "Private and confidential" or similar.
  • Personal data sent electronically to clients, other advisers or Data Subjects or their agents must be securely passworded. (In some cases, data may be sent without personal identifiers, in which cases it does not technically constitute personal data, but nevertheless similar precautions must be taken.)
  • Personal data must be anonymised when it is being provided to a party other than a related Data Controller or Data Processor. For example, personal identifiers should be removed when client data concerning a potential purchase or sale is being exchanged with a third party.
  • No personal data may be left on desks within the offices overnight. All personal data must be stored in designated filing cabinets and not in desk drawers. Lockable cabinets must be locked and normal office security procedures observed.
  • Partners or staff may occasionally need to work away from their office and may remove personal data (whether in the form of paper files, data disks or portable computers) temporarily provided that they take appropriate security measures for its safekeeping. Staff must obtain authorisation from a Partner or Associate and explain the measures they will take for its safekeeping before removing data from the office on each occasion that they do so.

Subject access

  • On request from a Data Subject for access to his personal data, the identity of the Data Subject must be checked before any personal data is released to ensure that they do not contain details of any other living individual in respect of whom the Data Subject is not entitled to see personal data.
  • Requests will normally be made direct to the Data Controller, who will then obtain personal data held by the Data Processor. However, the request may be made to the Data Processor inadvertently, in which case the Data Processor should request all personal data held by the Data Controller, or alternatively refer the request to the Data Controller, whichever is the normal practice for that pension scheme.
  • The standard fee for releasing information is £10. This must be paid before information is released. (The fee will normally be paid to the client, with our costs being invoiced by us to the client.)
  • Information relating to any person other than a Data Subject must not be released to the Data Subject. This means that all manual records must be checked before issue.
  • Members may also request that obsolete data is destroyed, although in practice pension scheme data is rarely obsolete.
  • The information to be provided, within 40 days of the request, is as follows:
    • whether personal data relating to the Data Subject is being processed by or on behalf of the Data Controller,
    • a description of the personal data of which that individual is the Data Subject (and the purposes for which it is being or is to be processed, and the recipients or classes of recipients to whom it is or may be disclosed), and
    • in an intelligible form, the information constituting any personal data of which that individual is the Data Subject, and any information available to the Data Controller as to the source of those data, and
    • where the processing by automatic means of personal data of which that individual is the Data Subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the Data Controller of the logic involved in that decision-taking.

Further notes

All sets of Trustees must be registered as Data Controllers for the purposes of the Act. They must also have formal agreements in place with their Data Processors (in-house or external administrators, legal advisers, auditors, insurers, etc.).

In most cases, the employer will also be a Data Controller in relation to the pension scheme, but note that the Firm will not normally have an agreement in place for this purpose with the employer, i.e. a new agreement will be needed if any data is processed which is exclusively for the employer and not for the trustees.

There are various procedures that should be followed for job advertisements (e.g. application forms must state who information is provided for and how it will be used). Interview notes must record relevant information only, and recruitment records may only be retained for 12 months from the date of rejection (if not shortlisted) or 12 months from the date the candidate was informed of the decision (if shortlisted). Records can only be retained for future vacancies if the candidate is told and given the opportunity to object. If in doubt, refer to Personnel for more detailed instructions.

Schedule 2: Processing of personal data (extract): The Data Subject [e.g. member] has given his consent to the processing and/or the processing is necessary for the performance of a contract to which the Data Subject is or has requested to be a party and/or the processing is necessary for compliance with any legal obligation to which the Data Controller [e.g. Trustees or Employer/s] is subject, other than an obligation imposed by contract and/or the processing is necessary in order to protect the vital interests of the Data Subject and/or the processing is necessary for the purposes of legitimate interests pursued by the Data Controller or by the third party or parties to whom the data are disclosed (except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interest of the Data Subject).

Schedule 3: Processing of sensitive personal data (extract): The Data Subject has given his explicit consent to the processing of the personal data and/or the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the Data Controller in connection with employment and/or the processing is necessary in order to protect the vital interests of the Data Subject or another person (but only where consent cannot be given by or on behalf of the Data Subject) and/or the processing is carried out in the course of its legitimate activities by any body or association which is not established or conducted for profit.

Barnett Waddingham, November 2003.