Quilter Financial Services (Quilter) is a financial services distribution network. Through its network of Appointed Representative (AR) Firms and Advisers, Quilter provides UK consumers with access to products and services from financial services companies, covering the entire spectrum of financial advice.
As a company, Quilter is committed to dealing with our AR firms, customers and employees with honesty and integrity. As part of this commitment, we will make every effort to ensure that all Personal Data is handled in accordance with the relevant Data Protection Law. Our policy framework sets out the necessary requirements and principles to manage and mitigate key risks and ensure compliance with Data Protection.
Quilter acknowledges that its business is underpinned by personal data, which is an important business asset and therefore must be kept secure, both to preserve the privacy of individuals and to safeguard Quilter’s reputation. Quilter will therefore take all steps necessary to ensure that it adheres to the requirements of the data protection regulation.
This document is the Data Protection Policy (the “Policy”) for Quilter. It sets out and provides the high-level approach to implementing and maintaining an adequate and effective data privacy risk management framework which, alongside other policies, contributes to a system of internal controls.
This policy sets out Quilter’s approach to how it collects, processes, manages, transfers, discloses, retains and destroys any personal data either controlled or processed by Quilter, including the personal data of its employees.
This document should not be read in isolation. This policy is supported by a number of standards and guidance documents that provide more detail on the requirements. These guidance documents are included in the appendices. This policy is also linked to other policies which are listed in the appendices.
Data privacy and security are a key area of regulatory focus and an expectation for all customers, clients and employees who share personal data with Quilter. In this context Quilter and AR member firms are required to implement robust technical and organisational controls to protect personal data, in all its forms, processed by or on behalf of Quilter.
Data Privacy controls should be proportionate to the data protection risks, relevant to Quilter’s data processing activities, to ensure the appropriate balance between cost and risk mitigation. It is therefore important for the business to set the priorities for safeguarding privacy.
The objective of this policy is to ensure everyone in Quilter, including AR member Firms, understands their obligations to comply with the relevant Data Protection Law in order to:
Assure the data privacy of customers, staff, advisers and other individuals who interact with Quilter and AR firms
Mitigate against specific information risks
Ensure compliance with the relevant legislation
Scope of policy
This Policy applies to all processing of personal data by Quilter, Member (AR) Firms, Advisers and Employees and any 3rd party suppliers of services to Quilter, where ‘processing’ includes any operation undertaken on the data, including receipt, use, storage and disposal.
Employees are defined as permanent and fixed term contract employees engaged under a contract of employment or Executive Service Agreement and the following categories of individuals who provide services to or on behalf of the firm; Non-Executive Directors, temporary staff engaged via an agency, contractors (e.g. self-employed) engaged via a limited company or similar.
Member firms are defined as AR firms, Registered Individuals, trading styles, self-employed advisers and any further individuals who are engaged in the giving of advice as part of the Quilter network.
The Policy applies to data held in any format (electronic or hard copy/paper) or system, or processed by any means.
Policy owner and review
The Quilter Data Guardian is responsible for monitoring that this policy is, and remains, effective by seeking reasonable assurance that the relevant risks have been identified and assessed and that the relevant controls, and other mitigating actions, are adequately designed and operating effectively.
On a half-yearly basis, the Quilter Policy Owner is expected to attest to the Group Policy Owner that their Business is in compliance with the requirements of this Policy and must be able to provide suitable evidence to prove this.
This Policy is effective from 25th May 2018, and subject to review in the event of a significant change to the business impacting this policy.
Areas where the requirements set out in this Policy are perceived to be in conflict with legal and regulatory requirements applicable at Business level must be communicated to the Data Guardian who may escalate to Group Policy Owner.
Definition of personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is a data privacy risk?
Data Privacy Risk affects all personal data relating to all Quilter Member (AR) Firms, Advisers, Clients and Employees and any contractors or 3rd party suppliers of services to Quilter.
The Data Privacy Risk is defined below as:
‘The risk that personal data is not sufficiently secure or is not processed in accordance with legislative requirements, with potential to cause detriment to individuals, resulting in financial loss, damage to reputation and / or regulatory fines/censure.’
Data protection principles and requirements
Data Protection Law establishes a framework of rights and duties which are designed to safeguard personal data. This framework aims to balance the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect the privacy of their personal details.
Data Protection governs the collection, storage, use and disclosure of personal data, setting high standards that data controllers and data processors must adhere to when processing personal data.
Therefore, Quilter as controller and/or processor of personal data must ensure that it takes appropriate measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Information Commissioner’s Office (ICO) is the independent Supervisory Authority in the UK, responsible for upholding information rights in the public interest. The ICO sets out guidance on the obligations of firms to meet data protection and information security requirements, and Quilter is required to cooperate, on request, with the ICO in the performance of its tasks.
More detailed information about Data Protection Law can be found by reading the Information Commissioner’s Office guide which can be found at:
Data Protection Law broadly applies to all organisations in the EU, and those outside the EU that process data about individuals in the EU.
According to Article 3 (Territorial Scope) Data Protection Law applies to both:
a) any processing of personal data by a data controller that has its main establishment in the EU, and
b) any processing (including monitoring) of personal data of data subjects within the EU by a data controller with its main establishment outside the EU.
Further, according to Article 27, in the case of b) above, the controller shall designate in writing a representative located in the EU, to act as a contact point for regulators and data subjects with regard to the relevant processing.
In short, this means that Data Protection Law applies to Quilter and all AR member firms.
Data Protection is underpinned by a number of principles which drive compliance:
Further detail about the responsibility of data controllers can be found in the Joint Data Controller Guidance document in the appendices.
Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accuracy
Personal data shall be accurate and, where necessary, kept up to date
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Accountability
The controller shall be responsible for, and be able to demonstrate compliance with, the relevant Data Protection Law
Data protection requirements and Quilter guidance
Data Protection Law itself can be complex; however, it is underpinned by the following requirements which ensure that Quilter, Member (AR) Firms, Advisers and Employees are able to comply with their Data Protection requirements.
Underneath each of the requirements is a summary of the Quilter policy and guidance response and where it can be found.
DPP1 AR firms must appoint an appropriately qualified individual who is:
Fully resourced, independent, without conflicts of interest, and has access to the highest level of management,
Accountable for monitoring compliance with data protection legislation and this Policy,
The contact point for data protection supervisory authorities and data subjects, and
The lead subject matter expert for privacy matters within their firm.
Individual with data protection responsibilities guidance – appendix A
This document outlines the standards applicable to firms, clarifies the need for a Data Protection Officer (DPO) within AR firms and sets out the roles and responsibilities they have. The guidance also provides best practice guidelines and explains the need to have someone within each AR firm who is responsible for data protection.
DPP2 Each data controller must:
Register with the appropriate supervisory authority, and pay any fees, as required.
Nominate, in writing, an EU representative if they are outside the EEA.
Maintain a register of processing activities that they undertake in a Data Register.
Recording processing activities guidance – appendix B
Guidance for AR firms on how to understand the data they hold and create a Data Register. The guidance will provide support and standards for firms on how to document what personal data they hold, where it came from and who they share it with. The Data Register must also identify where all the information is held, what the data is used for, how the information flows through the business, and where data is transferred to 3rd Parties.
DPP3 All processing of personal data must adhere to the data protection principles. Records must be maintained of each processing activity that involves personal data, which demonstrate compliance with the following principles in each case.
- Fairness, transparency and lawfulness.
- Purpose limitation
- Data Minimisation
- Storage Limitation
- Confidentiality and Integrity
Lawful basis for processing guidance – appendix C
For processing to be lawful, we need to identify a lawful basis before we can process personal data as some data subjects’ rights will be modified depending on the lawful basis. The “Lawful basis for Processing Guidance” document outlines the lawful basis we have for processing data, and provides standards to firms on how to review the types of processing activities they carry out and to identify their lawful basis for doing so. This will include data processing for both customers and employees.
Data controller guidance – appendix D
The “Data Controller Guidance” document provides an explanation of the data controller responsibilities that are on AR firms and the relationship between Quilter and AR firms. It also outlines the data processing activity that falls into joint responsibility and what activity AR firms are solely responsible for.
Special categories & criminal/civil offence data guidance – appendix E
The Special Categories and Criminal Offence Data Guidance outlines the Data Protection requirements with respect to special category data and criminal offences data, and the approach AR firms should take when processing this type of data including how and when they should gather consent to process this information.
Data retention policy – appendix F
The Data Retention policy outlines the approach to retaining data in accordance with legislative and regulatory requirements.
Data retention schedule – appendix G
The Data Retention schedule presents the period of retention by data type.
Data disposal guidance – appendix H
The disposal guidance document provides the standards for disposing of data at the end of a retention period and/or when a request is made by a data subject.
Data management guidance – appendix I
Data Management guidance provides support for all areas of good data management including:
- Data Accuracy
- Data Minimisation
- Data Sharing – e.g. only sharing it with those you should be sharing it with
- Purpose limitation – e.g. only use data for the purposes it was collected
Third party supplier guidance – appendix J
Guidance on firms’ interactions and agreements with 3rd parties.
DPP4 Processes and procedures must be maintained to assure data subjects’ rights to be informed, have access to their data, to rectification, to object to or restrict processing, to erasure, to portability, and to not be subject to automated decision-making, in accordance with the criteria set out in Data Protection Law.
Individual data rights policy – appendix K
The Individual Data Rights (IDR) policy document outlines the increased rights of data subjects which are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to object
- The right to restrict processing
- The right to data portability
- The right not to be subject to automated decision-making including profiling
Individual data rights guidance document – appendix L
The Guidance/Process document sets out the process that Quilter, employees, AR firms and advisers must follow to adhere to these rights. It also provides guidance to allow AR firms to apply the same approach to non-network/non-joint data controller activity and to employees who may make a request.
Automated decision making and profiling guidance – appendix M
DPP5 Processes and procedures must be maintained to ensure any data protection incident is reported to the supervisory authority within 72 hours of awareness, where this results in a risk to the rights or freedoms of individuals, and that affected individuals are notified and supported as appropriate.
Data protection incident guidance – appendix N
Any incident or suspected data protection incident must be immediately reported. The Incident Reporting Process outlines the approach for AR firms, employees and advisers and provides guidance on what constitutes an information security and data protection breach.
DPP6 Information about data collection and processing must be provided to data subjects in a concise, easy-to-understand way using clear language
Data privacy notice guidance document - appendix O
Guidance on what information is contained within a Privacy Notice, who needs one and when you need to provide it to clients. The guidance also includes when AR firms need to use a Privacy Notice for non-network clients and employees.
Privacy notice (AR to clients) – appendix P
Privacy Notice to be used by AR firms for their network clients
Internet version of privacy notice (AR to clients) - appendix Q
Internet version/summary of Privacy Notice to be used by AR firms for their network clients
Corporate advice privacy notice – appendix T
Privacy Notice to be used by AR firms for their corporate clients
DPP7 Children’s personal data should be treated with extra sensitivity and care and additional safeguards put in place when relying on consent to process data
Use of children’s data guidance – appendix R
Although none of the specific scenarios where Data Protection Law requires additional safeguards should form part of our, or our ARs’, business, there are some instances where children’s data will be gathered. The “Use of Children’s Data Guidance” outlines the approach firms and advisers should take to children’s data, and the additional procedures that firms should put in place to safeguard this data.
DPP8 Processes and procedures must be maintained to assess the privacy risks of any new data processing activities and to support the aims of Privacy by Default and Privacy by Design.
Data privacy by design (DPIA) guidance – appendix S
Quilter has a general obligation to implement technical and organisational measures to show that we have considered and integrated data protection into our processing activities. One of the key ways in which we can demonstrate this is through Data Privacy Impact Assessments (DPIAs).
The DPIA policy and guidance outlines how and when firms need to apply a DPIA to changes in their business.
The Corporate Privacy notice and guidance recognises that firms who have corporate clients may be undertaking multiples roles and may handle data differently to a standard direct retail client relationship. The Corporate Guidance and Privacy Notice is to help firms meet their obligations with respect to this aspect of their business.
Corporate privacy notice – appendix T
Corporate guidance – appendix U
Cooperating with supervisory authorities
Article 31 states that the controller (Quilter and AR member firms) shall cooperate, on request, with the supervisory authority in the performance of its tasks.
Accountability is one of the core principles of Data Protection Law. Data Controllers will need to demonstrate that any processing activities undertaken comply with Data Protection requirements and keep records of those activities to be made available to supervisory authorities on request.
Under Data Protection Law, various sanctions can be imposed on firms for a breach of requirements, including fines of up to 4% of annual worldwide turnover or EUR 20,000,000, whichever is greater, in respect of serious breaches. Firms therefore need to be prepared for the possibility of the ICO taking stricter enforcement action. Sanctions under Data Protection Law are required in each individual case to be “effective, proportionate and dissuasive” and will depend on a range of factors, including the measures and procedures put in place by the data controller.
This means that firms should be prepared to demonstrate data protection compliance upon request from the supervisory authorities.
Governance and oversight
Data Guardian/office of the DPO
Quilter has appointed OMW Group to fulfil its obligations to have in place a suitably qualified and experienced Data Protection Officer (DPO). At local level, Quilter will have in place a Data Guardian to assist the data protection office in their role and to inform and advise local controllers and processors of their obligations under the regulation. The Data Guardian shall be free of all conflicts of interest with unrestricted access to the group DPO and senior management.
Within Quilter, it is the responsibility of the Team Managers to ensure their team adhere to Data Protection Law and that all current and future employees are instructed in their data protection responsibilities. This means employees:
Understand the principles of Data Protection Law and how it affects what they do and have read and understood policy and guidance in Appendix A that is relevant to them;
Complete the data protection and information security training which is mandatory for all employees, including contractors, consultants and those employed through 3rd parties.
Are aware of their accountability and that ‘wilful’ failure to comply or report a potential breach of data is potentially a disciplinary offence which may include action up to and including summary dismissal, following the Disciplinary Procedure in the Quilter Employee Handbook.
The team manager Data Protection “checklist” should assist in ensuring that team managers and their team adhere to the relevant requirements.
Employees are responsible for ensuring they act in accordance with the Data Protection requirements outlined in this document and do not cause a breach of customer data as a direct result of their actions.
Member firm principal
It is a Member Firm Principal’s responsibility to ensure their firm, advisers and employees act in accordance with Data Protection Law and are instructed in their data protection responsibilities.
It is also Member Firm Principal’s responsibility to ensure their advisers and employees:
Are trained and understand the principles of Data Protection, how it affects what they do and adhere to the Guidance provided to them.
Complete any mandatory data protection and information security training
Have read this policy along with the Data Security Policy & Procedures.
Are aware of their accountability and that ‘wilful’ failure to comply or report a potential breach of data is potentially a disciplinary offence.
Monitoring and risk management
Quilter Supervisors work ‘in the field’ with Member Firms to review their Data management arrangements and ensure the Quilter Data Privacy and Data Security procedures are implemented.
The Supervisor is responsible for seeking evidence from the Member Firm to demonstrate they have adequate procedures in place and to ensure the Member Firm can be accredited as part of their on-going competency assessment program.
Risk management team
This team is responsible for monitoring the overall risk posed by activities of AR firms including data protection and security. Findings from the field-based supervision team are fed to the Risk Management team and they will use this MI to highlight potential risks through regular reporting.
Complaints handling and contact
Any complaints in relation to data protection and breaches should be referred to The Office of Data Protection or to the AR firm’s DPO if appointed.
The Office of Data Protection
Quilter Financial Services Group
Wiltshire Court
Swindon SN1 5AH
If the data subject is not satisfied with the response, or believes we are not processing their personal data in accordance with the law, they can complain to our regulator:
Information Governance Department
Information Commissioner's Office
Wilmslow, Cheshire SK9 5AF
0303 123 1113