1 Why we collect data
2 How your data is protected
3 What data is collected
4 Sources of data
5 If you choose not to provide data
6 Advice to children
7 How your data is used
8 Anti-money laundering
9 Call recording
10 Mailing software
11 Google analytics
13 Who we share your data with
14 Sending data outside of the European Economic Area (EEA)
15 Communication methods
16 Email encryption
17 Archiving data
18 Our retention periods
19 Your rights
21 How to contact us
From our first contact with you, we start collecting data, with a view to entering into a contract to provide financial planning and/or tax planning. The data that we collect is essential for us to be able to carry out the services that you require from us effectively. Without collecting your personal data, we would be unable to fulfil our contractual or regulatory obligations.
As a regulated firm, we are governed by a strict code of conduct. We also adhere to internationally recognised data and cyber security standards to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your data to those employees, agents, contractors and other third parties who have a business need to know. Your data will only be processed in accordance with a pre-determined, genuine purpose. The aforementioned are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Paradigm Norton aims to establish firm and clear goals for your future and this starts with us understanding what you are seeking to achieve. To help us do this we may ask you or other organisations to share data, which could include the following:
- Personal information
Your name, marital status, national insurance number, tax code, date of birth.
- Contact details
Your address, phone and email details and how you would prefer us to use them.
- Financial details
Your income and expenditure, savings, existing investments, goals and ambitions.
- Transactional data
Details about payments to and from you and other details of services we have provided to you.
- Family relationships
Information relating to your partner and dependents.
- Official documents
A copy of your birth certificate, marriage certificate, driver's licence, passport, wills.
- Your other advisers
Solicitors, accountants, powers of attorney, trustees, beneficiaries.
- Usage data
Details about your use of our website.
- Marketing and communications data
Details concerning your preferences in receiving marketing from us and third parties.
- Special categories of data
Some data is particularly sensitive and has special treatment in law. In order for us to provide an effective financial planning service, we will often need to collect data that falls under this category, particularly in relation to health, and we will only collect or use this type of data if you explicitly consent to us doing so.
You are our primary source for your data. This is provided when you speak, write, email, text, or use our website. For example, communications may be formally recorded in documents created specifically for collection of data, e.g. fact finds, risk profiles & application forms or they could be recorded in telephone or meeting notes. In some circumstances we will voice record our meetings with you. We will always inform you that this is happening and request your permission before recording takes place.
Sometimes, it is necessary to obtain your data from other organisations. This will be so that we can better understand your personal and financial position, for example, contacting organisations where you have pension, investment or protection arrangements either arranged by us or by a previous financial planner, HMRC, Department for Work and Pensions or a previous tax adviser/accountant, or other organisations should regulations dictate such collection. In these situations, we will always make you aware of this contact. In addition, the organisation releasing your data will require your authority before it is provided. We consider this a necessary factor in fulfilling our contractual requirements to you.
We will also receive data about you from providers of payment services and providers of client identification and money laundering verification services.
Information you provide on others
During our discussions, you may provide data on people who will not be entering into a contract with us, but their data may be relevant to us providing you with best advice. Examples could be details of your partner, dependents or professional connections. Paradigm Norton will work on the basis that you have made the individual aware that you are passing their data to us prior to discussing it with us. It is important to note that in these circumstances, we are required (where possible) to make those individuals aware of how and why we will process their data and their legal rights in respect of this data (details of which are set out in paragraph 19 Your Rights).
When we receive data from other sources
Where we obtain data from other sources, you will have the same or equivalent rights to those set out under paragraph 19 Your Rights.
We will inform you where your data originated from and whether it came from publicly accessible sources, where we are required to do so.
We shall not be obliged to notify you:
- Where you are already aware that we have this data;
- Where we are prohibited by law or professional standards;
- Where disclosure would render impossible or severely impair the achievement of the reasons for which your data is to be processed, but in such cases we will do what we can to protect your rights and freedoms with respect to our processing of your data.
We may also collect data when you voluntarily complete client surveys or provide feedback to us.
We may need to collect data from you that is required by law, or to enter into or fulfil our contractual agreement with you. If you choose not to give us this information, it may prevent us from fulfilling our legal or contractual duties. This may mean that we cannot continue to provide you with advice or continue to manage your financial or tax planning arrangements. Similarly, if we are unable to collect or use the data of any relevant individual (as referred to in Information you provide on others above), this may affect our ability to manage your financial or tax planning arrangements.
We will only use your personal data where the law allows us to in one or more of the following circumstances:
- When we have your explicit consent to do so
- Where we need to perform the contract we have entered into with you
- Where we have a legal obligation
- Where it is necessary for our legitimate interests (or those of a third party)
Generally, we will not rely on consent as a legal basis for processing your personal data.
We may need to use your data to do the following:
- To provide you with a fully comprehensive financial planning service which will typically include an annual planning meeting to review your circumstances and needs to ensure that our advice and recommendations remain suitable;
- To provide personal tax compliance and business services to comply with annual taxation and corporate regulatory requirements, to carry out detailed reviews of your tax and/or business affairs and to provide you with suitable advice;
- To comply with relevant ‘Know Your Client’ obligations and other requirements imposed by the appropriate regulatory bodies in the interests of combatting fraud, money-laundering and other criminal activities;
- To use systems that provide results based on the personal data that we enter, to assist us, for example, to create a lifetime cash flow plan for you, or measure your appetite for taking risk;
- To respond to legal requests for information from regulatory bodies or pursuant to an order of any court or tribunal having relevant jurisdiction;
- To comply with the requirements of regulatory bodies in respect of our professional business conduct, including participating in audits and reviews conducted by or on behalf of the FCA and maintaining records of transaction and customer histories;
- To carry out our own business and professional management, including maintaining adequate records so that we are able to fully respond to your queries, investigate and resolve complaints, prepare, verify and have audited our statutory accounts and complete our tax returns;
- In the event of any legal proceedings in which you or we may be involved, to investigate the basis for any claims and our or your position with respect to them, obtain legal advice, and defend, pursue or settle such legal proceedings to the best of our ability, including complying with relevant directions with respect to evidence and the production of documents;
- To provide you with information and updates.
We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We have a regulatory requirement to ensure that our services are not being used for financial crime, and where possible we will use a credit referencing agency for this purpose. We will only share the necessary data required to conduct a search, which would normally be your full name, known address(es) and date of birth. Using this service allows us to confirm your identity, prevent financial crime, comply with regulations and fulfil our contract with you. We will ensure that we have appropriate legal terms in place with the credit referencing (or other) agency for the protection of your data in accordance with paragraph 13 Who we share your data with.
All calls to and from our offices are recorded for regulatory purposes. They are required and may be used in the event of a complaint being raised and if required by law enforcement agencies. Please note that records will be available for at least five years.
We occasionally use mail software. Our communication will be of a generic nature, but the software collects information such as your email address, if the email was opened, how it was opened and what type of device was used e.g. mobile phone, tablet or PC.
You can disable and delete cookies by changing the appropriate setting within your browser’s ‘Help’, ‘Tools’ or ‘Settings’ menu. Please note that by disabling cookies you may not benefit from some of the features of our site. You can find out more about deleting or controlling cookies by visiting aboutcookies.org.
To deliver our services to you effectively, we may share your data with other organisations such as those that we engage for professional compliance, accountancy, regulatory or legal services, IT support, system and software providers, as well as product and platform providers that we use to arrange financial products for you.
Where other organisations are involved in processing your data, we will have a contract in place with them to ensure: that the nature and purpose of the processing is clear; that they respect the security of your data and treat it in accordance with the law; that they have sufficient safeguards in place; and that they will only process the data for specified purposes.
Where it is necessary for your personal data to be forwarded to another organisation, we will use appropriate security measures to protect your personal data in transit.
We will not share your information for marketing purposes with companies outside our group of companies.
The data we collect may be transferred to, and stored at, destinations outside of the European Economic Area (EEA) in the provision of services agreed to in your contract with us. If we do transfer your data outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA, by ensuring that at least one of the following safeguards is implemented:
- We will only transfer your data to countries that the European Commission has deemed to provide an adequate level of protection for personal data.
- By putting in place contracts approved by the European Commission with the recipient detailing how your data will be used and ensuring that they protect it to the same standards as if your data were being processed in the EEA.
- Where we use providers in the US, we may transfer your data to them if they are part of the Privacy Shield. This is a framework which requires them to provide similar protection to personal data as if it were being processed in the EEA.
From your initial contact with Paradigm Norton, you will be asked how you would prefer us to communicate with you, which could be by phone to your mobile, home or professional number, by text, email, post or online portal, along with giving you control over what you receive (where this is possible). This will also be confirmed within the engagement paperwork and can be changed, by you, at any time.
We may occasionally send you communications regarding significant events (e.g. volatile market movements, budget summaries, year-end tax planning articles, and changes in regulatory or legal requirements). We consider these provisions to be part of our contractual agreement with you.
We will encrypt email communication wherever possible. We enforce Transport Layer Security (TLS), an encryption protocol, for all email communications. This is used to protect data in transit between our computers and yours, providing privacy and data integrity.
Should your computer not support an encrypted connection, then the email will default to a less secure non-encrypted connection. However, most modern email services are capable of using TLS.
In addition to the reviews of data for accuracy and currency which we carry out, we will continually review data we are processing, and where in our opinion such data has ceased to be active data, we will archive it and process it only as archived data.
Access to archived data will be restricted to personnel having specific duties and training with respect to data protection law and this data will only be processed where necessary in response to legal proceedings or where a request is made by law enforcement bodies, e.g. police.
All storage of data, whether active or archived, will be conducted in accordance with good industry practice and will incorporate appropriate organisational and technological measures.
We will only keep your data for as long as it is necessary and will review it on a regular basis to ensure it is correctly recorded. At your annual planning meeting we will take the opportunity to share your most relevant information (e.g. personal, contact, family, income, expenditure and financial data) so that you can ensure our records are accurate.
The service we provide is long term financial planning, investment advice and tax planning which may include pensions, life assurance products and other tax planning structures, for example ISAs. As you would expect, we need to retain your data throughout our relationship but it is likely that we will need to retain your data when our contract ends and we are no longer providing you with financial or tax planning. The reason for retaining your data will be based on our business need or for legal or regulatory requirements. For example, we are required to hold pension transfer information indefinitely.
Data protection law provides you with the following rights, in certain circumstances, with respect to your data:
- A right of access
You may request that we confirm whether we are processing your data, tell you what that data is, and provide a copy of the information included in it.
- A right to rectification
You may request that we rectify any inaccurate and/or complete any incomplete personal data.
- A right to erasure
You may request that we erase your data, and we will delete any records that we no longer require and do not have a purpose to keep. Note, however, that we may not always be able to comply with your request for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- A right to restrict processing
You may request that we restrict processing your data, which, if applied, means that we could only resume processing your data when you provide consent to do so.
- A right to data portability
A right to have your data provided to another company in a way they can easily upload to their systems.
- A right to object
You may request that we stop processing your personal data.
- A right to withdraw consent
You may withdraw your consent if this is the legal basis upon which we have been processing your data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
- A right to prevent processing for direct marketing
You have a choice regarding whether you receive direct marketing.
Please contact us on the details set out in paragraph 21 if you wish to exercise any of the above rights.
You will generally not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You also have the right to complain, with respect to any processing of your data and any breach of the above rights, to the relevant supervisory authority, who in the case of the United Kingdom is the Information Commissioner’s Office.
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate)
In addition, you may have a right to claim compensation for damage or loss caused by a breach of the Data Protection Act 2018.
Last updated: July 2020