Alan Steel Asset Management is a Data Controller for the purposes of the General Data Protection Regulation (GDPR) as enacted by the Data Protection Act 2018 and as such must comply with the requirements of the legislation.
We collect, use and retain your data using the permission of Legitimate Interest, in other words we need the data we collect from you in order to provide the service you wish us to provide for you.
In a very limited way, for our marketing purposes, we will use Consent, in other words your express permission to send you something that may be of interest to you – our newsletters – Letter from Linlithgow and Informing You.
We may amend this privacy notice from time to time. If we do so, we will supply you with or make available to you a copy of the amended notice.
We collect and hold personal data about you, to enable us to carry out our business of giving financial advice. This will include but is not restricted to the following:-
We will collect and analyse personal data to enable us to understand your financial circumstances, needs and objectives.
If special data (e.g. health data) is required we will obtain your specific consent in order to collect and process such data. There is also a consent included within the Client Information Form. Please note that when you sign that form you are also signing the special consent.
We will provide you with financial advice based on this personal data.
To fulfil our obligations in respect of anti-money laundering and the prevention of other financial crime we may send your details to third party agencies for identity verification purposes.
We will store, archive and retain this personal data about you.
In addition to the specific financial advice purposes for which we may process your personal data we may process your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or out of court. This is covered by Legitimate Interest being the protection and assertion of our legal rights, your legal rights and the legal rights of others.
We may process your personal data in order to obtain or maintain insurance cover, manage risk, or obtain professional advice in order to properly protect our business against risks and as such we do so under Legitimate Interest.
Our Client Information Form sets out the type of personal data we need to collect depending on the areas of financial advice which interest you.
We may only ask for personal data that we really need and while it may seem that we are asking for a lot, we believe that we do need this personal data to enable us to give the best and most relevant advice we can. The data must be for specific, explicit and legitimate purposes. If you supply another person’s data on their behalf you are responsible for ensuring that it is accurate and that you have their permission to do so.
This is a contractual arrangement in order for us to do business on your behalf and as such is governed by Legitimate Interest and does not therefore require consent. You do not therefore have the right to withdraw from the exchange of personal data in the way that you can withdraw consent. If you choose not to provide the personal data requested, we may choose not to act on your behalf, or you may choose not to proceed with us as we do not provide services on a transactional basis.
We collect your personal data from you and/or from third parties with your permission. Whilst applying our financial advice process we may create new personal data in addition to the personal data you provided to us.
Where our client is a family group, involving the personal data of several individuals, it is our practice to use the head of the family or a nominated representative for communication. Consent will be required from each participating member of the family group. This consent may be withdrawn by any member at any time.
A husband and wife, civil partnership or joint relationship will be treated as one client and therefore data will be shared for both. If you do not wish this to happen please inform your consultant and/or the Compliance Manager, Karen Barlow. Her contact details are at the end of this notice.
Where our client is a trust, it is our practice to use a lead Trustee for communication. Agreement will be required from the other Trustees.
We do not deal directly with children; however, investments may be placed on their behalf by other family members. Where this occurs the child’s personal data will be stored within the records of the family member placing the investment until the child turns 18. At age 18 the child will become a client in their own right, if they wish to do so. They then may choose to act independently or to provide a consent to be dealt with within the family group as described above.
We do not process or hold your data outside the UK and the EEA. However, we may transfer your personal data outside the UK and possibly the EEA when we provide it to third parties such as insurance companies or fund managers. This transfer is inherent in the process of obtaining investments on your behalf and outwith our influence. These third parties are required in turn to ensure that your personal data is adequately protected. They may be Data Controllers or Data Processors in their own right. If you have any particular concern you may check their respective websites and GDPR statements.
We only pass your information to other parties who enable us to provide our financial advice service. We never sell your information or pass it on to other parties for any other purpose.
Personal data must be processed lawfully, fairly and transparently. You must be able to understand what is happening to your data.
Any personal data we retain must be pertinent, accurate and held for an appropriate length of time. We rely on you to keep us informed of any changes to ensure that our records remain accurate.
We keep your personal data for differing time periods as determined by the requirements of GDPR, the Financial Conduct Authority, HMRC and the interaction of these with the requirements of our Professional Indemnity Insurance. In all matters of personal data retention the over-riding authority for us is the Financial Conduct Authority.
There are specified minimums as follows:
five years for investment business
three years for insurance business
indefinitely for pension transfers and opt outs
These are minimum time frames and we reserve the right to retain data for longer if we believe it is necessary to do so. The length of time we retain your data for will be relevant to the type of advice involved.
We care about the security of your personal data.
We have Palo Alto and Symantec based cloud, network perimeter and endpoint security. We have encrypted local backups and encrypted cloud backups. As of 03-09-2018 we will have SAN self-encryption on data at rest as well as local and network control policies.
Emails containing personal data are encrypted and identifiers within your personal data, relating to yourself or your investments, are kept to a minimum where possible.
Electronic communications between us and you, and between us and appropriate third parties, are capable of data corruption and we do not accept responsibility for changes made after dispatch.
We do not permit staff to store your personal data on any portable device, laptop, tablet or smart phone unless using the protection of off-site access through Citrix. Any local storage directly onto the device is prohibited. The use of memory sticks is also prohibited and the office computers have their USB access locked.
You have rights under GDPR with regard to your personal data.
You may make an access request - that is to be provided with a copy of any personal data we hold about you. We may comply with this request either electronically or by paper. Any such request must be met within 30 days.
You also have the right to have your data transferred from one controller to another in a commonly used format.
You have the right to opt out of anything you have previously consented to should you change your mind. There will be an unsubscribe process to follow on each newsletter. You may also contact our Compliance Manager, Karen Barlow.
Once you have opted out you will receive no further communication of this type from us.
You have the right to be forgotten under GDPR - that is that you may request that all personal data held for you is destroyed. However, this is the main area where the Financial Conduct Authority requirements take precedence. We are obliged by our Regulator to retain personal data with regard to Financial Advice for differing periods of time depending on the nature of the data. The longest retention period is for pension advice which we are not normally allowed to destroy. It may be the case that we are unable to allow a right to be forgotten request in part or all depending on the nature of the financial advice.
You have the right to have any inaccuracy in your personal data corrected subject to confirmation of the corrected data.
You have the right to complain about the way your personal data is dealt with, stored, archived, retained or if there has been any breach with regard to the safety of your data. If there is a breach, under certain circumstances, there is a mandatory requirement for us to report to the ICO and there is a requirement for us to inform you.
Your complaint should be made to:
ICO Head Office (England):
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95A7
Tel 0303 123 1113
Please contact us if you have any questions about our Privacy Notice or information we hold about you:
by email at firstname.lastname@example.org
or write to us: For the Attention of Karen Barlow (Compliance Manager)
Nobel House, Blackness Road, Linlithgow EH49 7HU