Company is Bloom Finance Group CIC
Policy is the Data Protection Policy (this document)
Data Controller is Bloom Finance Group CIC
The Data Protection Officer is Michael Grimsdale
Data Protection refers to the Data Protection Act 1998 (“DPA”)
and the Data Protection (Amendment) Act 2003
Data Subject an Individual who’s Personal Data is stored by Bloom Finance Group CIC
The Data Protection Officer is responsible for all Data Protection within the Company, as well as for the maintenance of this ‘Policy’.
The day to day implementation of the ‘Policy’ is delegated to Michael Grimsdale
Introduction (Data Protection Policy)
This Policy applies to:
- The Head Office of Bloom Finance Group CIC
- All associated and subsidiaries of Bloom Finance Group CIC
- All Executive and Non-Executive members of the Board of Directors Bloom Finance Group CIC
- All staff and volunteers Bloom Finance Group CIC
- All contractors, suppliers and other people working on behalf of Bloom Finance Group CIC
Bloom Finance Group CIC is required to gather and use certain information about an individual when that individual applies to access the products and services available through Bloom Finance Group CIC.
This can include information on:
- Business Contacts
- Individual and organisation in regular contact with Bloom Finance Group CIC
The purpose of this policy is to outline how any and all Personal Data must be collected, handled and stored to meet Bloom Finance Group CIC data protection standards; whilst at the same time ensuring:
- Compliance with Data Protection law and standards of good practice
- The protection of the rights of staff, customers and partner organisations
- The transparency of how Bloom Finance Group CIC stores and processes an individuals’ Personal Data
- Bloom Finance Group CIC is protecting itself from the risks of a data breach
‘Personal Data’ is defined as any information, facts and opinions regarding living/identifiable individuals and can consist of as little as their name and address or more specific information such as an individual’s disability (physical or mental), race/ethnicity, offending and criminal history.
All Personal Data must be processed in accordance with the Data Protection Act 1998 whether such data can has been electronically (e.g. part of a computer record) or manually recorded.
Data Protection Law
The Data Protection Act 1998 outlines how any/all organisations must collect, handle and store Personal Data regardless of whether they store data electronically, manually as paper files or on any other material.
To comply with the law, all members of staff, whether permanent or temporary, have a duty to abide by the Data Protection Act 1998 and the Data Protection (Amendment) Act 2003 – collecting and using Personal Data in a fair manner, storing information safely and securely and not disclosing this information unlawfully.
“Processing personal data must be fair, and fairness generally requires you to be transparent, clear and open … about how … information will be used”
All staff should be aware of the confidential nature of Personal Data acquired by the company, whether in regards to a client, potential client or where information is preserved on record by Bloom Finance Group CIC. Such confidentiality also applies to any other dealings or processes within Bloom Finance Group CIC.
All staff are required to read, understand and accept any policies and procedures relating to the handling of Personal Data which may occur during the course of their work.
Anyone processing Personal Data must comply with the eight enforceable principles of good practice; these are that data must be:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
Personal Data should only be made available to those who have a right to that information.
Data Protection Principles (Risks and Responsibilities)
All data held relating to an identifiable individual (even if that information falls outside of the Data Protection Act 1998) must be protected by Bloom Finance Group CIC. This can include:
- Name of individual
- Postal addresses
- Email addresses
- Telephone numbers
- … any other information relating to an individual
It is the responsibility of the Data Protection Officer to identify any potential or real data security risks and establish an efficient system of managing the safety of Personal Data provided to Bloom Finance Group CIC.
Risks may include:
- Breaches of confidentiality – the inappropriate provision of personal information
- Failing to offer choice – providing individuals with the information they require to make an informed choice on how Bloom Finance Group CIC uses data relating to them
- Reputational damage – how Bloom Finance Group CIC would deal with a breach should hackers be successful in gaining access to sensitive personal data
Everyone who works for, or with, Bloom Finance Group CIC has a responsibility for ensuring personal data is collected, stored and handled appropriately; as well as being processed in line with this policy and Data Protection principles. However, key areas of responsibility are indicated below:
Board of Directors
The Board of Directors is ultimately responsible for ensuring that all legal obligations of Bloom Finance Group CIC are met.
Data Protection Officer
The Data Protection Officer is responsible for:
- Keeping the Board of Directors updated on Data Protection responsibilities, risks and issues
- Reviewing all Data Protection procedures (and related policies) in line with an agreed schedule
- Arranging for Data Protection training and advise for all individuals covered by this policy
- Handling Data Protection questions from staff (and anyone else covered by this policy)
- Dealing with any requests from individuals to see the Personal Data Bloom Finance Group CIC holds on them (also known as ‘Subject Access Requests’)
- Checking and approving any contracts or agreements with third parties that may handle Personal Information for the company
- Breach of confidentiality (information being given out inappropriately)
- Insufficient clarity about the range of uses to which data will be put
- Failure to offer choice about data use when appropriate
- Breach of security by allowing unauthorised access
- Failure to establish efficient systems of managing changes leading to Personal Data not being accurate and up to date
- Harm to individuals if Personal Data is not kept up to date
- Data Processor contracts
The IT Manager is responsible for ensuring:
- All systems, services and equipment used for storing Personal Data meet acceptable security standards
- Regular checks and scare are performed to ensure security hardware and software is functioning properly
- Third-party services used by/or being considered for use by Bloom Finance Group CIC are evaluated considering the storage and processing of data (e.g. Cloud Computer Services)
It is the Marketing Managers responsibility to:
- Approve any Data Protection statements attached to communications (such as attachments to emails and enclosures with letters)
- Address any Data Protection queries from journalists or media outlets (e.g. newspapers)
- Where necessary, work with other staff to ensure all Marketing initiatives abide by Data Protection principles
Recording and Storing Personal Data
It is a requirement that all Personal Data be stored securely and within the guidelines set out by the Information Commissioner.
All records should be kept in such a way that Bloom Finance Group CIC (its staff members and/or support staff) would be happy for a customer to inspect them. When recording Personal Data, staff should also keep in mind that, at some point in the future, information recorded may be inspected by the Ombudsman Service, the Courts or another Legal official; therefore, records should be accurate, unbiased, unambiguous, clearly decipherable and up to date.
The below storage guidelines apply to all Personal Data stored electronically:
- Personal Data stored electronically must be protected from unauthorised access, accidental deletion and malicious hacking attempts
- Information should be protected by strong passwords which are changed regularly (these should never be shared between employees)
- Where Personal Data is stored on removable media (e.g. CD or DVD), these should be kept locked in a secure place when not being used
- Data should only be stored on designated drives and servers
- Information should only be uploaded to an approved cloud computer service
- Servers containing Personal Data should be sited in a secure location and away from general office space
- All information stored in an electronic format should be backed up regularly; backups should be tested frequently and in line with Bloom Finance Group CIC’s backup procedures
- Personal Data should not be saved directly onto laptops or any other mobile device (e.g. tablets, smart phones)
- All electronic devices used to access data should be protected by approved security software and a firewall
- All information will only be disposed of securely when it is no longer required by statute
Where Personal Data is being stored in a paper based format:
- Files should be kept in a secure place where unauthorised people cannot see it
- Paper files should be locked in draws and/or filing cabinets when not required
- Employees should make sure all paper and printouts are not left where an unauthorised person could see them (e.g. on the printer)
- All information should be shredded and disposed of securely when it is no longer required by statute
All relevant information should be kept for the life of the contract or the association with the customer, plus any additional period of years as required by the Regulator.
Questions regarding the safe storage of Personal Data should be directed to the IT Manager or Data Protection Officer.
Using Stored Data
The collection of Personal Data is of no value to Bloom Finance Group CIC unless the business can make use of the information provided. However, when Personal Data is accessed and used it can be at a greater risk of loss, corruption or theft.
As a result, employees should:
- When working with Personal Data, ensure that their computer is always locked when left unattended
- Not share Personal Information informally; in particular employees should ensure that information is never sent by email (as this form of information is not secure)
- Make sure all Personal Data is encrypted before it is transferred electronically (it is the responsibility of the IT Manager to explain how to send data to authorised external contacts)
- Make sure not to save copies of Personal Data to their own computers
- Always access and update the central copy of any Data stored
It is a legal requirement for any company to take reasonable steps to ensure the accuracy of any Personal Data it stores.
It is the responsibility of all employees working with Personal Data to make sure that these reasonable steps are taken, ensuring all information stored by Bloom Finance Group CIC is as accurate, complete and up to date as possible. At the same time, all members of staff must be constantly aware of the need to abide by the Data Protection principles by making sure Personal Data held by Bloom Finance Group CIC is adequate, relevant and non-excessive in relation to the purpose(s) for which it has been collected.
It is the responsibility of Staff Members to:
- Make sure Personal Data is held in as few places as deemed necessary and not create unnecessary additional data sets
- Take every opportunity to ensure Personal Data is kept up to date (e.g. by confirming a customer’s information with them when they call)
- Update any Personal Information stored by Bloom Finance Group CIC as inaccuracies are discovered
The Marketing Manager is responsible for:
- Ensuring all Marketing Databases are checked against industry suppression files (checked every 6 months)
It is the responsibility of Bloom Finance Group CIC:
- To make it easy for data subjects to update any/all information held by Bloom Finance Group CIC about them (e.g. via the company website)
All ‘Fact Finds’ should be updated during/after each conversation with an individual and reference should be made to any additional information obtained; any out of date or irrelevant information should be discarded, if no longer required.
Provision of Personal Data
Bloom Finance Group CIC aims to ensure that all individuals who have dealings with the company are aware of their data being processed and stored, and that they understand:
- How the data is used
- How to exercise their rights to access this data
To this end, Bloom Finance Group CIC has created a Privacy Statement*, setting out how data relating to an individual is used by the company.
Who can access Personal Data?
Personal Data should only be provided to:
- The Customer
- Relevant staff members
- Approved associates and subsidiaries of Bloom Finance Group CIC (these organisation should only have access to necessary data relevant to the business)
- The Regulators (e.g. the FCA, PRA etc), subject to prior authority from the Data Protection Officer
- Bloom Finance Group CIC Compliance Consultants, subject to prior authority from the Data Protection Officer
- The Ombudsman Service, the Courts or other Legal officials (when requested for inspection – see Disclosing data for other reasons)
It is important that staff, when giving information to a customer (particularly by telephone), are confident they have verified the individual’s identity. If there is any doubt regarding an individual’s identity, staff should ask questions to which only the individual is likely to know the answers. Do not give information to other parties, even if related, without prior written approval or the express permission of the customer (e.g. Appointee, Power of Attorney, Court of Protection Deputy etc).
Subject Access Requests
All customers are entitled, under the Data Protection Act 1998, to ask for confirmation of the information held by Bloom Finance Group CIC about them; this is known as a Subject Access Request (SAR).
All data subjects are entitled to:
- Ask what information is being held about them and why
- Ask how they can gain access to information being held by Bloom Finance Group CIC
- Be informed on how to keep all their Personal Data up to date
- Received information on how Bloom Finance Group CIC is meeting its Data Protection obligations
Individuals will be charged [£] per subject access request and the Data Protection Office will aim to provide the relevant information to the individual within  days.
All SARs must be made in writing and addressed to the Data Protection Officer*, who will be required to verify the individual’s identity before providing any information. All members of staff (including temporary staff and volunteers) are required to pass on any SAR, or possible SAR, immediately for the attention of the Data Protection Officer.
In the event of an individual who is not either known personally by the Data Protection Officer or a member of staff making an SAR request, their identity is required to be verified before any information can be provided.
Should a customer/data subject ask to see their full records, the Data Protection Officer should ask the individual to be specific about the nature of their enquiry (e.g. information relating to a certain account or application). Clarity must be requested immediately as requests are subject to a strict timetable.
SARs must be dealt with promptly in all cases and the requested information should be sent to the individual involved within  days.
In providing information to a data subject, the Data Protection Officer must provide a description of why and how the information has been processed, to whom the information has been disclosed and the source through which the data was received whilst at the same time ensuring the confidentiality of any/all other customer records.
The requested information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.
*If the Data Protection Officer is not available, some other senior person within the Company must be informed.
Apart from the information obtained as part of an individual’s initial contact with Bloom Finance Group CIC, a customer’s Personal Data will not be stored without the express permission of the customer.
This permission will be given by individual, in most circumstances, by the signature of the customer at the end of the [customer contract/service agreement], in which it is stated:
“In order to advise you properly, we must obtain certain information from you about your financial and personal circumstances, to assess your suitability for particular products and services. We will also need to maintain certain other records:
You agree that the information we hold about you can be held on computer and/or paper files.
You agree that any information we hold about you may be disclosed:
- to third parties (e.g. credit agencies and product providers) for the purpose of processing your application;
- the Regulators (mainly the Financial Conduct Authority who have a legal authority to check all our records);
- our Compliance consultants, who help to ensure that, in your interests, we abide by the Financial Services Act and other regulations; but,
- must not be disclosed to any other parties (even if related) without your express permission in writing.
You agree that we may use the information that we hold about you to contact you from time to time by post, fax, e-mail or telephone to bring to your attention products, services or information about your existing contracts which may be of benefit to you. You may opt out of this condition by putting an X in the following box.
You understand that we have a legal obligation to ensure that the information within our records is kept up to date, but can only do so if provided with the up to date information by you.
You understand that you may withdraw the consent given by you to the above paragraphs 2) d. and 3) at any time by informing us in writing.”
Disclosing data for other reasons
In certain circumstances, the Data Protection Act 1998 allows for the disclosure of Personal Date to law enforcement agencies, without the prior consent of the data subject.
In these circumstances, Bloom Finance Group CIC will disclose the requested information. However, the Data Protection Officer will be required to ensure the legitimacy of any such request and seek assistance from the Board of Director, where necessary, before any information is pro-offered.
Transfer of Data outside the European Economic Area (EEA)
If Personal Data is required to be transferred outside of the EEA*, the specific consent of the data subject concerned must be obtained before any transfer can take place.
Alternatively, the transfer of Personal Data can be permitted if the non-EEA country to which it is being transferred has the equivalent Data Protection legislation**.
*The European Economic Area means the 27 EU member states plus Norway, Iceland and Liechtenstein.
**Currently only Switzerland, Israel, Canada and Argentina are recognised as countries having adequate protection.
In addition companies registered under the ‘Safe Harbor’ regime in the USA are also recognised.
All customers should be made aware of:
- The identity of the Data Protection Officer
- Any uses to which their Personal Data will be put
- Any proposed disclosure of their Personal Data to third parties
This must be done at the time the customer first provides the Personal Data.
In addition, all Personal Data must only be processed where the following conditions have been satisfied:
- The processing complies with both law and good practice
- The individual has given their consent to the processing of their Personal Data (this will always be a requirement when Sensitive Personal Data, such as details of the individual’s physical condition require disclosing)
- The processing is necessary to protect the vital interests of the individual
- The processing is necessary in order to pursue the legitimate interests of the Data Protection Officer or a certain third party (unless detrimental to the interests of the individual)
A record must be kept of those customers who have requested not to be sent Marketing materials.
Maintenance of this list is the responsibility of the Data Protection Officer, to who all customer requests should be given.
Should Bloom Finance Group CIC, at any time, make use of a mailing list to contact their customers, this list should be cross referenced against the “Suppression List”, ensuring an individual’s request is upheld.
Please read the Confidentiality Policy for further information.
General Staff Guidelines
- The only people able to access Personal Data covered by this policy should be those who need it for their work
- Personal Data should not be shared informally
- When access to confidential information is required, employees can request it from their line manager
- Bloom Finance Group CIC will provide training to all employees to help them understand their responsibilities when handling Personal Data
- Employees should keep all information secure, take sensible precautions and follow the guidelines outlined for them
- In particular, strong passwords must be used and they should never be shared
- Personal Data should not be disclosed to unauthorised people, either within Bloom Finance Group CIC or externally
- Information should be regularly reviewed and updated if it is found to be out of date
- If information is no longer required, it should be deleted and disposed of in a secure manner
- Employees should request help from [their line manager] or the Data Protection Officer if they are unsure about any aspect of data protection
Staff Training & Acceptance of Responsibilities
All staff (including temporary staff and volunteers) will have their responsibilities outlined during their induction procedures. Training will be given to all staff.
What to do if a breach occurs
A data security breach can happen for a number of reasons:
- Loss or theft of data or equipment on which data is stored
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Human error
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
In the event of Bloom Finance Group CIC suffering a security breach ICO has published Guidance on data security breach management at:
- Data Protection and the FCA
- The FCA considers Data Protection important. To help small firms manage their security it has provided guidance, which can be found at:
- Related Policies / DP Clauses
- Confidentiality Policy
- International Transfers of Personal Data – Clause
Members of staff should be constantly aware of the possibility of Personal Data being seen by unauthorised personnel - such as visible access to computer screens by the general public, visiting clientele and other visitors, as well as leaving confidential paperwork on desks overnight.
All staff have unlimited access to client records in order to perform their tasks. However, it is the responsibility of all staff members to:
- Confidential Personal Data is kept locked away when it is not in use (e.g. in draws or cupboards)
- Computer passwords are set as a requirement to avoid unauthorised access
- Backup discs are handed to the Data Protection Officer when not in use for storage
- No information is put on to the computer from outside sources (such as mailing lists), without the express authority of the Data Protection Officer
This policy has been approved by the Directors and any breach will be taken seriously and may result in formal action. Therefore, non-compliance by staff is considered a disciplinary matter which, depending upon the circumstances, could lead to dismissal.
It should be noted that a staff member can commit a criminal offence under the Act, for example by obtaining and/or disclosing Personal Data for their own purpose or personal gain without the consent of the Data Protection Officer.
Non-compliance with the requirements of the Data Protection Act 1998 by a member of staff could also lead to serious action being taken by third parties against the Company.
Any employee who considers that the policy has not been followed in respect of Personal Data about themselves should raise the matter with [their Line Manager] or [the Company’s Information Compliance Manager] in the first instance.
Data Protection Act registration number: Z3580570
The Information Commissioner can be contacted at:
Address Office of the Information Commissioner
Cheshire, SK9 5AF
Telephone 0303 123 1113
Fax 01625 524510