DATA PROTECTION POLICY

This is a statement of the data protection policy adopted by Ferret Information Systems Limited (“Ferret”). Responsibility for the updating and dissemination of the policy rests with Ferret’s Information Protection Officer. The policy is subject to regular review to reflect the changes to the services offered by Ferret. All staff are expected to apply the policy and to seek advice when required.

Ferret Information Systems needs to collect and use certain types of information about people who are evaluating their financial position in relation to tax and welfare benefits. These include the clients of Advisers working within the Financial Services Authority regulations and the clients of other Advice Agencies. We will treat all personal information received by us as private and confidential and none of this information will ever be disclosed without authorisation or in accordance with a legal requirement. In addition, Ferret may occasionally be required by law to collect and use certain types of information to comply with the requirements of government departments. This personal information must be dealt with properly however it is collected, recorded and used – whether on paper, electronically, or other means - and there are safeguards to ensure this in the Data Protection Act 1998(“the Act”).

We regard the lawful and correct treatment of personal information by Ferret as important to the achievement of our objectives and to the success of our operations, and to maintaining confidence between those with whom we deal and ourselves. We therefore need to ensure that our organisation treats personal information lawfully and correctly.

To this end, we fully endorse and adhere to the Principles of data protection, as set out in the Data Protection Act 1998.

The eight Principles require that personal information:

1) shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;

2) shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;

3) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;

4) shall be accurate and, where necessary, kept up to date;

5) shall not be kept for longer than is necessary for the specified purpose(s);

6) shall be processed in accordance with the rights of data subjects under the Act;

7) shall be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data, or the accidental loss, destruction, or damage to personal data;

8) shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

In light of these obligations, Ferret, through appropriate management and controls, will:

• observe the conditions regarding the fair collection and use of personal information;
• meet our legal obligations to specify the purpose(s) for which the personal information is to be used;
• collect and process personal information only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements;
• ensure the quality of the personal information used;
• ensure that personal information is held for no longer than necessary;
• ensure that the rights of people about whom the information is held can be exercised under the Act e.g. the right to access one's personal information, to prevent processing in certain circumstances and to correct, rectify, block or erase information where it is wrong etc.
• take appropriate technical and organisational measures to safeguard personal information;
• ensure that personal information is not transferred outside the EEA without appropriate safeguards being in place.

In order to achieve compliance with the Act and its principles, Ferret has:

• created and implemented various internal policies and procedures, available to all staff, outlining individual and organisational data protection responsibilities and providing detailed guidance on Ferret internal data protection procedures