The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. This replaces the 1995 EU Data Protection Directive and supersedes the Data Protection Act 1998 and went into force on the 25th May 2018.
Hunters Financial Ltd must abide by these rules within the day to day running of the business. As a result, it is mandatory that all staff are familiar with this policy before dealing with any case within the business.
What is GDPR?
GDPR regiments Data Protection laws across all 28 EU Countries and imposes strict rules on the controlling and processing of personally identifiable information. As it involves all EU Countries, the regulation applies to all organisations which hold and process any EU residents personal data, regardless of geographic location.
Due to the seriousness of the regulation, fines for noncompliance are large. It can be as high as €20 million (around £17.5 million) or 4% of a company’s total global revenue, whichever is larger. These are the maximum fines that can be imposed for the most serious violations, however they are tiered depending on the seve
What client data do we hold?
We collect data from clients in order to compile an income and expenditure assessment with a view to arranging an IVA proposal through a third party fulfilment partner.
To comply with relevant Insolvency legislation, guidance, and best practice, we require evidence to assess, analyse, and demonstrate the financial position of a client before the IVA is referred to one of our fulfilment partners to propose. This may include, but is not limited to, obtaining evidence of and keeping copies of (when applicable):
- Wage slips, contracts of employments, P60s, invoices, tax returns or equivalent
- Evidence of benefit award from award notices and government documents
- Bank statements
- Mortgage, secured loan, rental statement, proof of board payments
- Hire purchase or lease agreements
- Creditor statements
- Passport, Driving license or another photographic ID
- Other documents to support your financial position
- Land Registry searches
- Credit searches
- Verbal confirmation of Household composition
- Details of client assets i.e. life insurance, shares, savings, PPI or other potentially mis-sold products
- Recordings of telephone conversations between us and the client(s)
What is the lawful basis for collecting and processing client data?
Potential clients contact Hunters Financial Limited with a view to proposing an Individual Voluntary Arrangement (IVA), a statutory form of debt relief. An IVA is legislated under the Insolvency Act 1986 (as amended), Insolvency Rules 2016, Money Laundering Regulations 2017, Bribery Act 2010, and other relevant standards such as “Statements of Insolvency Practice”, “Dear IP” and the “IVA Protocol”.
Under the above legislation we therefore have a legal obligation to collect, process, and share client data. However, to ensure our clients are both completely satisfied and comfortable with how their data is being used, we also ask clients to consent to their data being used before we formally act on their behalf.
When do Hunters Financial Ltd destroy client data?
Insolvency legislation requires that we keep client records for 6 years post their IVA closing. However, if the IVA is not approved then we will destroy the client data as below:
A client discusses their financial affairs with HF Ltd, and we:
||The client’s file will be destroyed after 12 months from the date we close the file|
|We contact their creditors, but the IVA proposal is not accepted||The file will be destroyed 6 years after the IVA is rejected, or the client tells us they no longer wish to proceed|
|The IVA is accepted by the creditors||The file will be destroyed 6 years after the IVA is closed|
Although the client data is removed from the live system within those above described timescales, they will remain on a back-up system for a period of 90 days afterwards. After this point, the data will be permanently erased.
Who do we share this data with?
In order to package an IVA case ready for the fulfilment partner, we do have to share client information with relevant 3rd party bodies. This is a variety of information for the relevant purpose which the organisation requires it for and may include government bodies. The below list is not exhaustive and information could be shared with other bodies if required:
|The Insolvency Service||Register your IVA as a requirement of insolvency legislation|
|Kingsbridge Insurance Brokers||Insolvency legislation requires that we hold an insurance bond to protect your IVA|
|HM Land Registry||Complete a property search and register an RX1 in the event you own a property|
|Creditors, and their appointed representatives||Send your IVA proposal to creditors to obtain their acceptance, and to provide ongoing statutory reports and data as required by legislation to ensure the smooth running of your case|
|My Insolvency Report||Secure online platform to share information with creditors (and yourself) for your IVA|
|Signable||Online platform used to issue documents for you to read and sign within your IVA|
|Financial Wellness Group||Primary 3rd party IVA fulfilment partner and joint Nominee
Also FCA authorised debt advisor.
|Bennet Jones Ltd||3rd party Insolvency Practitioner firm|
|Vanguard Insolvency Practitioners Ltd||3rd party Insolvency Practitioner firm|
|HubSolv||Case Management System provider|
|Connex; San IT||These organisations host our telephone and IT systems to contact you and store your data|
|Insolvency Practitioners Association (IPA)||Our regulator for insolvency services|
|Ibby (HubSolv application)||Allows us to completed credit checks on potential and existing customers|
Once the data which we gathered is no longer required, we are legally obligated to remove what we have collected. This is not only with us but also with other third party bodies who also cannot continue to hold this data.
As Hunters Financial Ltd currently specialise in preparing an IVA case before it is passed to a fulfilment partner, client files will be destroyed 6 years from the date the case is referred (regardless of whether the referral related to a potential IVA proposal or Debt Management Plan).
Hunters FInancial may also record a clients potential interest in future products during our initial conversations for marketing purposes. These products may include mis-sold financial products, insurances and personal credit.
The Principles of Data Protection
- Right to be informed
Any changes which are made to this which affects them would then need to be reissued to the client(s), however it is unlikely this will be the case unless GDPR regulation changes.
- Right of access
All our clients have the right to request all the personal data that we hold for them, which is commonly known as a Data Systems Access Request (DSAR). This can be requested verbally or in writing, and may include notes, documentation and call recordings. These need to be provided to the client within one month of their request free of charge.
- Right to Rectification
It is in the interest of both Hunters Financial Ltd and our clients to ensure that their information is correct and up to date. As Insolvency legislation states that the client must provide a full and accurate disclosure of their circumstances and have no material irregularity within their paperwork, it is vital that any information is amended quickly and accurately if it is found to contain errors/inaccuracies.
Most changes will be completed verbally, however they can also be written by email and post. If written, then we may need to complete further checks to ensure the source of the content is from the client. Once we have verified the source, then we need to ensure a copy of the request is saved within the case folder of the client.
Whilst most changes will be instant, we do have up to one month to comply with the clients request. As mentioned before, due to the nature of our work, we would want to limit the timescale for any sort of update.
- Right to Erasure
Everyone has the ‘right to be forgotten’ and therefore removed from our systems. We would automatically remove them from our systems within 6 years.
The client can request the removal or their data verbally or written and we would have one month to resolve this for them. Please bear in mind that a removal of the client data does not just include their case on HubSolv;. other third party sites such My Insolvency Report, Connex (phone calls) and Whatsapp will also need to be considered, as well as trackers and documents which reference the client and make them identifiable.
- Right to Restriction of Processing
Clients have the right to request we restrict the processing of their personal data in the following circumstances:
- The individual contests the accuracy of their personal data and we are verifying the accuracy of the data
- The data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the client opposes erasure and requests restriction instead
- We no longer need the personal data but the client needs you to keep it in order to establish, exercise or defend a legal claim; or
- The client has objected to us processing their data under Article 21(1), and we are considering whether our legitimate grounds override those of the client
In real terms, if we are not able to process the clients data then we would struggle to maintain an IVA arrangement. Whilst the above is extreme, the client still has the option to request this to happen.
- Right to Portability
Everyone has the right in order to be able to port their information from ourselves to another organisation. Their information would not only need to be transferable but also fully readable and operational.
We would have one month to comply with this request unless the data we hold for the individual is complex.
- Right to Object
Clients have the right to object to the processing of their data, however this is only in certain circumstances.
- Direct Marketing – If a client objects to this, we have no option but to adhere to their request. Under no circumstances can we reject this request from an individual. That is under Article 21 of the GDPR
- Processing based upon public task or legitimate interests, including research purposes – The client can object to us using their data for public research or tasks which we are looking to complete. These can be tasks which relate to the public interest and wider research which is carried out. Whilst the client can object to this, it is down to the specific circumstances of the case. We can continue to process if there are legitimate grounds to do so.
- Right to Automated Decision Making
There are some companies and indeed industries which rely on automated decision making as part of their day to day running.
Some examples of this include websites which make a decision whether to award a loan or recruiters using an aptitude test which uses pre-programmed algorithms and criteria to select candidates to move forward with.
Hunters Financial Ltd don’t operate any of these systems and as such all decisions are made by employees in relation to the clients circumstances.