Privacy Policy

Our privacy statement covers the following aspects:

  • who we are – our status as data controllers and the identity of our information security officer;
  • how we use personal data – the purposes for processing;
  • the lawful bases on which we rely;
  • whether personal data is shared and if so, with whom;
  • retention periods, or criteria used to determine retention periods;
  • the existence of the data subject’s rights;
  • the right to withdraw consent at any time;
  • the right to lodge a complaint with a supervisory authority;
  • the right to object to direct marketing;
  • whether the provision of data is part of a statutory or contractual requirement, and the possible consequences of failing to provide the personal data.

Ashbridge Partners Ltd is a regulated financial services firm authorised and regulated by the Financial Conduct Authority and a Data Controller registered with the Information Commissioner’s Office. We always undertake to comply with the provisions of the General Data Protection Regulation and keep confidential all personal data processed for the purposes of our services.

Our nominated Information Security Officer is: Bob Chisholm. He has overall responsibility for:

  • making sure that our policy and procedures are maintained;
  • staff training;
  • periodic testing of our procedures;
  • responding to requests from Data Subjects for Data Access/Deletion or Correction.

Obligations for Organisations

We understand that personal data is any information relating to an identifiable person who can be directly or indirectly identified; we are required to process a wide range of personal data in the course of providing regulated services. We ensure that personal data is:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

 

Relevant Lawful Bases for Processing Data

The lawful bases that we rely upon are:

  • contract: the processing is necessary for a contract that we have entered into with the data subject, or because the person has asked us to take specific steps before entering into a contract;
  • legal obligation: the processing is necessary for us to comply with our statutory obligations as a regulated financial service firm;
  • legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

 

Right of Access

We are aware that individuals have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data;
  • supplementary information over and above that contained in our privacy notice if this is relevant.

We first verify the identity of the person making the request to ensure that it is the data subject or a person to whom the data subject has given authority (such as a power of attorney).

We aim to provide information within one month, though this can be extended to two months if requests are complex or numerous, and we have explained this to the individual.

We do not make a charge unless we are required to provide the same information more than once, in which case we make a charge to cover our administrative costs.

If we decide to refuse to respond to a request on the grounds that it is unfounded or excessive, we will explain our reasons to the individual and inform them of their right to complain to the supervisory authority without delay and within one month.

 

Right to Rectification

We will normally rectify inaccurate or incomplete data within one month of the request; or within two months for complex matters. We will notify third parties to whom we have passed the data unless this will be disproportionately burdensome for us. Should we refuse to rectify data we will explain why and inform the individual of their right to complain.

 

Right to Erasure

This right applies in the following circumstances, all of which may be relevant to us at some time in the normal provision of our services:

  • the personal data is no longer necessary for the purpose for which it was originally processed;
  • the individual withdraws consent;
  • the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  • the personal data was unlawfully processed (i.e. in breach of GDPR);
  • the personal data must be erased in order to comply with a legal obligation;
  • the personal data is processed in relation to the offer of information society services to a child.

Where we erase personal data we will tell other recipients (if relevant) unless to do so would be disproportionately burdensome for us.

 

Right to Restrict Processing

We are aware that we must restrict processing of data in the following circumstances:

  • the individual contests the accuracy of the data – processing must be restricted until the accuracy is verified;
  • where an individual objects to the processing for legitimate interests purposes, whilst we are considering whether the legitimate interests override those of the individual;
  • when processing is unlawful and the individual requests restriction rather than erasure;
  • where we no longer need the data but the individual needs it in connection with a legal claim.

If we have disclosed the data to others we will inform them of restrictions, unless to do so would be disproportionately burdensome for us. We will also inform individuals when restrictions are lifted.

 

Right to Object

If an individual objects to our processing their data on the grounds of our legitimate interests (other than for direct marketing purposes) we will stop processing the data unless:

  • we can demonstrate compelling legitimate grounds for the processing which override the interests and freedoms of the individual; or
  • the processing is in connection with legal claims.

If we receive an objection in connection with direct marketing, there are no exemptions or grounds to refuse, and we will immediately cease processing the data.

 

Confidentiality

Our privacy statement sets out the circumstances where personal data is shared with third parties. These notes concern matters of general confidentiality and the care taken to ensure that client confidentiality is not inadvertently breached.

All staff are trained to maintain utmost confidentiality of any information acquired by members of the firm regarding clients, potential clients, or records kept. Such confidentiality also applies to any other dealings or processes within the firm.

Information may only be given out to a third party who is acting for the client if written authority is obtained from the client.

When giving information to a client, particularly by telephone, it is most important that the client’s identity is verified. If in doubt, questions should be asked of the client, to which only he/she is likely to know the answers. We will not give information to other parties even if related. For example: we will not give details of a wife’s insurance or investment contracts to the husband, without the express permission of the client (the wife).

 

Recording of Data

Records will be kept in such a way that we are happy for the client to inspect them. It should also be borne in mind that at some time in the future the data may be inspected by the Ombudsman, the courts or some legal official. It should therefore be correct, unbiased, unambiguous and clearly decipherable / readable.

 

Keeping Data Updated

Out-of-date information will be discarded if no longer relevant, or a line put through it if out of date but needed to support other evidence. Fact finds will be updated at each meeting with the client and reference made on both the new information sheet and previous one. Information will only be kept as long as needed, and the retention periods for many of our records are prescribed by the FCA’s rules and Money Laundering Regulations.

 

Subject Access Requests

Subject access requests are referred to the Information Security Officer to be dealt with in accordance with GDPR Right of Access provisions outlined above.

 

Suppression List

A list will be kept of clients who have not given consent for us to make unsolicited contact in the future.

 

Security of Data

All papers are locked in cabinets / desk drawers when not in use.

The use of computer passwords is a requirement of the firm to avoid unauthorised access, and each staff member maintains a separate, password-protected account for access to secure data. The Information Security Officer is responsible for controlling and monitoring the appropriate allocation and removal of data access rights, e.g., for new members of staff and when staff leave. Staff members have access to customer data where required for that individual to fulfil their role/perform their tasks. The sharing of passwords between staff members is strictly forbidden.

Our computers are fully protected by up-to-date anti-virus and anti-malware software. Media from outside sources may only be used with the prior consent of the Information Security Officer.

When working away from the office, as far as is possible, client information will be accessed from the Company server via password-protected computers. If information is, exceptionally, briefly, held on a laptop/computer this will only be whilst it is being used and will be deleted from the laptop/computer as soon as possible.

Where it is necessary to take physical client information out of the office, we understand that the security risk increases dramatically. To manage this, the member of staff will keep the information under close personal control and in such a way that unauthorised access is avoided. Where possible, laptops should be encrypted when away from the office.

Data is backed up regularly using an online system / backed up in-house using discs / storage devices. Discs / storage devices are encrypted and kept in the office in our fire-proof safe.

Our due diligence on third party suppliers includes an assessment of their information security measures.

 

How to complain

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113