This is a statement outlining how the Financial Services Compensation Scheme Limited ("FSCS") meets its obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").
The statement is subject to regular review to reflect, for example, changes to legislation or to the structure or policies of FSCS. The statement is made available to all FSCS staff, who are expected to apply it.
FSCS needs to collect and use certain types of information about people with whom it deals in order to operate.
These include: current and previously authorised persons; live, insolvent and departed firms including all forms of authorised firms; current, past and prospective claimants; FSCS's own employees; suppliers and others with whom FSCS conducts business.
In addition to carrying out our own statutory functions, FSCS may occasionally be required to collect and use certain types of information of this kind to comply with the requirements of other government departments or legislation.
FSCS regards the lawful and correct use of personal information as important to the achievement of our statutory objectives, to the success of our operations and to maintaining confidence between those with whom we deal and ourselves. We therefore aim to ensure that our organisation treats personal information lawfully and correctly.
To this end, we fully endorse and adhere to the principles of data protection, as set out in the GDPR.
The Data Protection Principles under GDPR are:
1. Lawfulness, fairness and transparency. Personal data must be processed fairly and lawfully and in a transparent manner.
2. Purpose. Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
3. Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which it is processed.
4. Accuracy. Personal data must be accurate and, where necessary, kept up-to-date.
5. Storage limitation. Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the specified purpose(s).
6. Integrity and confidentiality. Personal data must be processed in a manner which ensures its appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
7. Accountability. FSCS, as data controller, is responsible for and must be able to demonstrate compliance with the other data protection principles (as set out above).
In light of these obligations, FSCS, through appropriate management and controls, will:
In order to achieve compliance with the GDPR and its principles, FSCS has created and implemented various internal policies and procedures, available to all staff, outlining individual and organisational data protection responsibilities and providing detailed guidance on FSCS internal data protection procedures.