Data Protection Policy – Customers
This document reflects the Data Protection Policy of BHP Community Ltd t/a BHP Insurance.
The EU General Data Protection Regulation 2016 is effective from 25 May 2018. The Data Protection Act 2018 transposes the GDPR into Irish law. Reference must be made to the GDPR, the Data Protection and the Statutory Instrument which gives effect to the legislation. Collectively in this document references to the above will be under the single heading of GDPR.
The GDPR replaces earlier legislation and is designed to enhance the data protection rights of individuals, known as data subjects. Data protection is concerned with personal information in relation to natural persons i.e. living individuals, and so does not relate to corporate information (unless such corporate information includes personal information of individuals).
The GDPR applies to our business relationships with our customers, but applies equally to our relationships with our staff i.e. Directors, Shareholders, Management, Staff.
It is company policy of BHP Community that all Staff, Directors, Consultants and support service providers must comply at all times with both the letter and the spirit of the GDPR and respect the customers rights to data privacy and data security at all times.
Our Data Protection Policy and Procedures will be subject to annual review.
Data Protection Principles
There are 6 fundamental principles within the GDPR, as follows:
• Data must be processed lawfully, fairly and in a transparent manner
• Data must be collected for specified, explicit and legitimate purposes
• Data must be adequate, relevant and limited to what is necessary
• Data must be accurate and where necessary, kept up to date, or where inaccurate be rectified or erased
• Data can only be retained for as long as necessary
• Data must be processed in a manner that ensures appropriate security of personal data
It is the policy of BHP Community to adhere to the above principles at all times, and to ensure that our policies, procedures, and practices reflect the principles.
It is also the stated objective of BHP Community to promote accountability and ensure that Data Protection is an inherent part of our business model at all times.
In order that we can understand our obligations under GDPR it is necessary to have a context and so the following key definitions need to be understood:
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Any information relating to an identified or identifiable natural person (‘data subject’).
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Subject Consent
Means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by the European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by the European Union or Member State law.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer
BHP Community is not required to make a formal appointment of a person to the role of Data Protection Officer. The rationale for this approach taken by BHP Community is that the core activities of BHP Community do not consist of processing operations which require regular and systematic processing of individuals data on a large scale or processing of sensitive/special categories of data or data relating to criminal convictions or offences.
Data Protection Principles
The following are the 6 key Data Protection Principles contained with the GDPR:
Principle 1 – Data to be processed lawfully, fairly and in a transparent manner.
The requirement is to ensure that we provide information to our customers in a transparent manner so that they fully understand the reasons why data is collated and for what purposes it will be used.
The specific information which must be provided to our customers at initial point of contact is set out in our Data Privacy Notice. The key information which must be included in a Data Privacy Notice, as required under GDPR is as follows:
• the identity and the contact details of the controller and, if any, of the controller’s representative;
• the contact details of the Data Protection Officer, if applicable – this is not applicable in the case of BHP Community;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• the period for which the personal data will be stored;
• the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights, such as whether the lawfulness of previous processing will be affected;
• the categories of personal data concerned;
• the recipients or categories of recipients of the personal data, where applicable;
• where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data;
• any further information necessary to guarantee fair processing.
Principle 2 – Personal data can only be collected for specific, explicit and legitimate purposes.
Data collected can only be used for the purposes for which it was provided to BHP Community. It is therefore critical to ensure that our customers understand the specific purposes for which we intend to use their data, to ensure that we have been explicit with our customers, and that the purposes are legitimate.
BHP Community provides advice to clients in the areas of financial services. Therefore, information collated can only be used for such purposes. Our Terms of Business set out the range of services which we provide and how data is used. Customers are asked to provide consent for the use of their data in the provision of such services.
Principle 3 – Personal Data must be adequate, relevant and limited to what is necessary.
Data collected must be adequate, relevant and limited bearing in mind the services and/or products required by our customers. Completion of a Knowing the Consumer exercise, based on the requirements of the Central Bank’s Consumer Protection Code, is considered to meet this requirement. Supplementary information may be necessary, however this will depend on the nature and complexity of the product and/or service to be provided, and the nature of the business relationship with the customer.
Supplementary information e.g. information from the clients Accountants or Legal Advisors, may be necessary to enable a service to be provided. Such supplementary information can only be obtained from a third party with the customers consent.
Principle 4 – Personal Data must be accurate and kept up to date with every effort to erasure or rectify without delay.
Our procedures require the completion of a Knowing the Consumer exercise. In collating data, we must engage directly with the customer and ensure that the customer fully understands the importance of providing complete and correct information. On occasion, we may have to obtain the customers consent to obtain information from a third party e.g. an insurer or professional adviser, in order to verify information provided. In our dealing with our customers we must ensure that they understand that the information obtained from a third party will form the basis of any advice we provide.
Data must be updated whenever a customer wishes to avail of further services e.g. annual review or policy renewal, and we must ensure this is done.
In the event that a customer advises that information which we hold is inaccurate or out of date, we must rectify our records to reflect this.
Principle 5 – Personal data must be kept in the form such that the data subject can be identified only as long as is necessary for processing.
Our Data Retention Policy sets out periods of time for which certain data will be held on our paper and or electronic files. Any data held in excess of the specified time periods set out must show the rationale for the extended retention of data.
Principle 6 – Processed in an appropriate manner to maintain security.
Data security is imperative to ensuring the protection of our customers data. In the event of a data breach the risks to our customers can be personal, financial, reputational, and potentially involve identity theft. In addition, there is the potential damage to our business should a breach occur, particularly in the areas of the loss of trust of our customer, business reputation, financial, and regulatory sanction. We must ensure that we adhere at all times to our Information Security Policy and procedures.
Given the potential impact, should our security systems be breached, we must be aware of company policy in relation to Information Security Policy, and in particular:
• Password protection of PC’s;
• Updating passwords on a regular basis, using passwords that are not easily identifiable;
• Automatic locking of idle terminals;
• Keeping computer terminal screens out of sight of customers and others who should not view them;
• Internet access and usage, and email usage policies;
• Our practices in relation to USB keys or other portable data devices;
• Maintaining up to date virus checking software and firewalls;
• Conducting virus checks on all IT hardware on a regular basis;
• A strict policy of updating IT systems and access when staff change e.g. new employees, people who leave the organisation, changes in roles, with access to data on a ‘need to know’ basis;
• Encryption of devices that leave the organisations premises such as laptops.
Rights of Data Subjects
Data subjects have enhanced rights under the GDPR. These are as set out below:
Right 1 – Right to information
A data controller must ensure a data subject is provided with, or has made available to him or her, the information provided set out below in relation to personal data relating to him or her within a reasonable period after the date on which the controller obtains a subject access request for personal data.
The information which must be supplied is as follows:
• The identity and contact details of the controller;
• The contact details of the data protection officer of the controller, where applicable;
• The purpose for which the personal data are intended to be processed or are being processed;
• Information detailing the right of the data subject to request from the controller access to, and the rectification or erasure of, the personal data;
• Information detailing the right of the data subject to lodge a complaint with the data protection commission and contact details of the commission;
• In individual cases where further information is necessary to enable the data subject to exercise his or her right, any such information including the legal basis for the processing of the data concerned, the period for which the data concern to be retained, or where it is not possible to determine the period at the time of the giving of the information, the criteria used to determine the said period and, where applicable, each category of recipients of the data.
We provide the above information to our customers by way of our Data Privacy Notice – Customer Summary on our website.
Right 2 – Right of Access
An individual may request BHP Community to provide him/her with any personal data that we may hold in relation to that individual. If a request is received we must provide the following in writing:
• Whether or not we hold personal data relating to him or her, and
• Where such data has been or is being processed, be provided by the controller with the following information:
A description of:
the purposes of the processing;
the categories of personal data concerned;
the recipient(s) or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine the said period;
Information detailing the right of the subject to request from the controller rectification or erasure of the personal data concerned;
Information detailing the right of the data subject to lodge a complaint with the Data Protection Commission and the contact details of the Commission;
Any available information as to the origin of the personal data concerned, unless the communication of that information is contrary to the public interest.
A controller must provide the above information to the data subject as soon as possible and in any event not later than one month after the date on which the request is made.
When making a request, the individual making the request must provide the data controller with such information as the controller may reasonably require to satisfy itself of the identity of individual and to locate any relevant personal data or information.
Where a data controller has previously complied with the request to provide information as above, the controller is not obliged to comply with subsequent identical or similar request for the same individual, unless a reasonable interval has elapsed since compliance with the last request
A data controller must take all reasonable steps to ensure that the information is provided in a concise, intelligible and easily accessible form, using clear and plain language. In communication with the data subject the information may be provided in the same form as the request was made e.g. if the request is made electronically for information a response may be provided electronically.
Right 3 – Right to rectification or integration and restriction of processing
Where a data subject is of the opinion that the controller is processing personal data relating to him or her that are inaccurate, the data subject may make a request in writing to the controller for the controller to rectify the data concerned.
Where a request to rectify data is concerned, the data must be rectified as soon as possible in any event no later than one month after the date on which the request is made.
When making a request, the individual making the request must provide the data controller with such information as the controller may reasonably require to satisfy itself of the identity of the individual and locate any personal data or information.
In certain circumstances, a data controller is not required to raise certain information on record. We must also be cognisant of our legal obligations under other regulatory obligations, e.g. Central Bank, AML/CFT, FSPO.
Right 4 – Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Right 5 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Right 6 – Right to data portability
1. The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent, and
(b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 is without prejudice to Article 17 of the GDPR. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right 7 – Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. This does not apply in the case of BHP Community.
Right 8 – Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place. It is not envisaged that this section will impact on BHP Community.
Purposes for holding information
In order that we can provide customers with our services and advice we need to collect certain personal data. We generally use the information which they initially provide to enable us to make contact with them so that we can have a more detailed discussion in relation to advice, products, and services which are appropriate to their needs.
Types of information collected
We collect and retain two types of information:
We will hold:
• data to identify the customer, including contact and general information i.e. name, address, telephone number(s), email address, gender, date of birth, occupation, PPS number, photographic identification, nationality;
• financial details/financial circumstances as necessary i.e. employment, income, assets, liabilities, bank account details (where applicable);
• marital or civil status;
• other sensitive information e.g. medical information, where necessary for the service to be provided;
• information provided by others e.g. spouse/partner, professional advisors, etc.;
• information provided which the customer has consented to us using;
• other personal information, if applicable e.g. criminal conviction data, driving penalty points;
• telephone recordings of conversations; and
• information provided when exercising a customers rights.
Like most websites, we gather statistical and other analytical information collected on an aggregate basis of all visitors to our website. This non-personal data comprises information that cannot be used to identify or contact a customer, such as demographic information regarding, for example, user IP addresses where they have been clipped or anonymised, browser types and other anonymous statistical data involving the use of our website.
Purposes for which we hold information
We will process any personal data received for the purposes of contacting a customer if required in connection with a query or to respond to any communications sent to us. We also process the data when providing the service, product, or transaction required.
We use the non-personal data gathered from visitors to our website in aggregate form to get a better understanding of where it comes from and to help better design and organise the website.
We must only use the information provided to us to provide customers with the range of insurance, investment, and other products which they request and/or which we believe may be in their best interest or to meet our regulatory obligations. We will therefore only circulate information to our staff, consultants, support service providers, or at the customers request to other parties, or as required in order to meet our legal obligations.
We may provide non-personal data to third parties, where such information is combined with similar information of other users of the website e.g. we might inform third parties regarding the number of unique users visit our website, the demographic breakdown of other community users of our website, or the activities that visitors to our website engage while on our website. The third parties to whom we may provide this information may include potential or actual advertisers, providers of advertising services (including websites tracking services), commercial partners, sponsors licensees, researchers, and other similar parties.
Please refer to our Security Policy for further information on data security measures undertaken by BHP Community Ltd.
Updating, verifying and deleting personal data
Where a customer informs us of any changes in personal data held we will update or delete the personal data accordingly.
Effective Date: 18 September 2020