The ICO (Information Commissioner's Office) regularly receives complaints about disputes between firms and individual advisers, or employees, over who can decide how information is used. The most common scenario is where a financial adviser, either employed or self-employed, leaves their position to join another firm. The adviser may consider customers to be their own clients rather than clients of the firm and may take personal information with them when they leave.
The Seventh Data Protection Principle requires firms to take appropriate technical and organisational measures to protect personal data. If a client can show that they have suffered damage as a result of the unauthorised use of their information, this could lead to a claim in the courts for compensation and could damage a firm's reputation. Furthermore, if an adviser or other employee takes personal data without permission from a firm, that individual could have committed a criminal offence.
Firms need to ensure that they are clear on what they can and cannot do with personal information, including to whom it can be disclosed. Firms may wish to include clauses in employment contracts to clarify who controls the personal information. Firms should also have a clear policy on what will happen to information if an adviser or employee leaves the firm. Firms should also be careful not to use personal information they hold in a way which is outside what the customers would reasonably expect.
Many firms may wish to send marketing material to clients in order to promote their business and the products and services they sell. If so, firms should tell individuals from the outset that they will do so, in order to give them the opportunity to object. If the individual does object, either when the firm collects the personal information or later, the firm must not send that individual direct marketing again unless the individual specifically asks for it.
If firms use personal information to give advice on financial products and services and keep this information on computer, they will need to notify the Information Commissioner about their processing of personal information.
Good Practice recommendations
When processing personal data, firms should consider the following recommendations which will help compliance with the Act.
- Make sure employees are clear about what they can and cannot do with personal information and who it can be disclosed to;
- Make sure employees are clear what use they can make of personal information in the event they leave the firm;
- Make sure customers know whose client they are, what their information will be used for and to whom it may be disclosed.
The full article and other good practice notes can be found on the ICO website.