Data Protection and

Information Security
Openwork Training 2021

01 February 2021
Mark Hicks
Data Protection Officer
Introduction
• This module has been created to provide you with an overview of the issues relating to Data
Protection and Information Security that can affect your work as part of Openwork.

• It will also point you in the direction of additional supporting documentation that you may need to
refer to as you train. You’ll find links to these downloadable documents throughout the module.

• These days our personal information is more likely to fall into the wrong hands than ever before.

• Identity theft is big business for criminals. They’re constantly on the lookout for names, addresses,
dates of birth, credit card numbers, policy details, expiry dates and security codes.

• That’s precisely the kind of information about your clients that you, your firm, or the product providers
you recommend often hold. And it’s information you hold in quantity too. How many clients are on a
typical adviser’s laptop at the moment? A hundred? 200? 500? And what about within Openwork’s
systems?

2 CONFIDENTIAL – FOR INTERNAL USE ONLY


Introduction
• Just think for a minute what might happen if your laptop was lost. The average cost to the victim of
identity theft in the UK is somewhere in the region of £1000.

• And you would be liable. Appointed Representatives, Openwork and product providers are all
registered as Data Controllers – and therefore responsible for the security of the information they hold
and process.

• So you need to get this right – and this programme will help you with that.

Introduction
• These are the key areas we’ll cover:
- Information Security
- Physical Information Security
- Staff Security
- Technology Security
- Communications Security
- Data Protection – Key Definitions
- The Principles of Data Protection
- Right of access to data
- Transferring information outside the European Union
- Third Party Risk
- Privacy Impact Assessments
- Reporting
• Please try to view this module in conjunction with our module on Financial Crime. As you’ll see, the two
areas are closely linked.

Information Security
• Holding and processing sensitive information is an integral part of our jobs – so it’s no surprise that
Openwork takes this subject very seriously indeed.

• Our Policy and Procedures are intended to ensure that personal information is always hard to steal and
that only authorised people have access to it. In our standard Privacy Notice we promise clients that we
will keep their personal information confidential and use it with care.

• This means:
- Keeping it secure
- Only sharing it when we need to
- Only allowing fit and proper people to see it.
- And using it skilfully.

Information Security
• We’re required to do this by the General Data Protection Regulation (GDPR), which came into force in
May 2018, and by the Information Commissioner’s Office (ICO), which enforces it in the UK.
• The ICO has identified a clear link between the loss of personal information, identity theft and financial
crime, and expects all regulated firms to take appropriate care of client personal information.
• We also recognise that each Openwork Adviser firm is a unique business and will need to assess and tailor
the way their advisers and administrators work. To help with this, Openwork is drawing all its requirements
together into a Security Strengthening Programme to help reinforce the standards in place.
• We look at the GDPR in more detail elsewhere in this module – but for now you should be aware that one of
its guiding principles is that personal data should be processed in a manner that ensures its security,
including protection against unauthorised or unlawful processing, and accidental loss, destruction or
damage.
• Meanwhile, before we get stuck into detailed procedures, let’s not forget that Information Security is mostly
a matter of common sense. Ask yourself how you’d expect your own personal information treated, and you
won’t go far wrong.

Physical Security
• This is an area that’s very easy to take for granted.

• We’ve probably all made the mistake of leaving paper files open on our desk while we nip to the coffee
machine. Most of the time this doesn’t matter – but confidential client information can be stolen in a
matter of seconds.

• We carry out a programme of Mystery Shops. In one, an adviser left the client alone in the office with
other clients’ papers on the desk and his laptop switched on and fully accessible.

Physical Security
• Whatever the size of your business, you need to control access to client information in a number of
ways:
- Locking cabinets, rooms, and the building
- Possibly fitting a burglar alarm to the premises – and making sure it’s regularly tested and serviced.
- Using password protected screensavers, that automatically activate after ten minutes – so if you get held up
away from your desk you know no-one can glance at your screen.
- Restricting access to your building, and ensuring any reception desk is always staffed.
- And operating a clear desk policy. This means keeping desks and other surfaces clear of any client information
and records of logins and passwords. It limits the risk of client information being seen by a visitor – and it
reduces the possibility of opportunistic theft.
• Most of us are now working with mobile devices and every time you open one up, you’re opening up
your office.
• If they’re so inclined, no amount of password protection’s going to stop someone looking over your
shoulder – so think before you use your device on the train – or in any public place. This isn’t just a
theoretical issue – such matters involving our advisers have been reported to us.

Staff Security
• We all think we know the people we work with – but every firm takes on new staff from time to time –
and even if you know your people well, their circumstances can change, and sometimes lead them to
do things you wouldn’t have imagined.

• We had an application form from a prospective adviser. By checking his background we discovered he
was a mortgage fraudster before we took him on.

• From an Openwork perspective, staff in firms break down into a number of categories. Some are
subject to direct vetting by Openwork. These are:
- Enterprise Principals
- Advisers
- Shareholders in an Enterprise (20% or greater)
- Introducers (including at least one Principal)
- Openwork Employees

Staff Security
• The firm itself is responsible for vetting and keeping records on staff that aren’t vetted by Openwork.
These records should include proof of identity, using the template provided on the Information Security
page of the Portal. This is similar to the way we obtain ID on clients.

• This identification should be verified as far as possible against publicly available information
sources.

• References should also be obtained from previous employers in the last 12 months. These should not
be provided by the staff member themselves.

• If a credit check is required, or the enterprise decides to carry out a Disclosure and Barring Service
(formerly CRB) check, the staff member must give permission first.

Staff Security
• Not all staff have access to client information, so this level of vetting doesn’t apply to everybody.
However if you don’t vet somebody you need to keep a record explaining why.

• And if you haven’t vetted someone because they don’t have access to client information, make sure
you do if their role changes.

• All these vetting procedures also apply to any third party employees that might gain access to
confidential information. IT support firms are an obvious example, but cleaning and maintenance staff
and firms often have access to office areas – in and out of working hours. We’ll cover third parties in
more detail later.

• A critical time for staff security comes when a staff member leaves a firm. It’s easy for them to take
confidential information with them, whether deliberately or by accident.

Staff Security
• So saying goodbye to a colleague means more than just wishing them luck with a bottle of champagne.
You also need to make sure that:
- They’ve surrendered keys and swipe cards.
- All their computer passwords and user accounts have been cancelled.
- They’ve returned portable IT equipment that belongs to the business – and removed Openwork software and
client data from machines they own themselves.
- Any other passwords they might know have been changed.
- FIRST has been notified so that their Portal access is removed.

Staff Security
• Finally, every firm needs to provide training to ensure Practice Principals, advisers and administrators
understand the importance and relevance of information security.

• The good news is, this module fulfils that requirement!

Technology Security
• Why is it important for us all to pay attention to technology security?

• This is the big one. Devices that hold client data are a massive risk – and the more portable they
become the bigger the risk.

• An adviser lost an unencrypted data stick, and a member of the public sent it to the FCA. Despite the
adviser’s insistence that it only contained 2 or 3 files, it turned out to have 540 files, including NI
numbers, policy numbers, and addresses for 75 clients. As a result the adviser had to write to all these
clients to explain and offer them a credit monitoring facility at his expense. It became a major problem
not just for him but for every person whose details he’d stored.

• You’ve probably lost count of the number of times in recent years when a government official has got
into trouble for leaving a laptop or other device in the back of a taxi or on a train, where it ended up in
someone else’s hands.

Technology Security
• Well, it’s not just government officials – it’s anyone who holds confidential information. That means you.

• And it’s not just laptops. Data sticks are incredibly easy to lose. Tablets and smartphones can disappear in the
blink of an eye.

• The first golden rule is THINK. Don’t be casual about where you open your device. Treat portable devices like
valuable items of jewellery: they can be worth as much, if not more. You wouldn’t leave your car outside
with the engine running; this is no different.

• And the second golden rule is ENCRYPT. Openwork adviser firms are required to encrypt all PCs using AES
256 bit hardware encryption, so that a lost or stolen device does not mean lost or stolen client details.
Bear in mind that disk encryption only protects the data while the device is switched off or locked: a laptop
left unlocked, or with its passphrase written on a note in the bag, is effectively unencrypted. Openwork
Support Centre laptops are already encrypted.

• All data sticks must also be encrypted using AES 256 bit hardware encryption.

• All smartphones and tablets must be PIN protected as an absolute minimum and you should have the ability
to remotely wipe their contents in the event of loss or theft.

Technology Security
• Of course encryption is only one measure you can – and must – take. All your devices must be
equipped with anti-virus software which is kept up to date.

• Passwords should be checked and changed regularly.

• And you should maintain up to date and securely stored backups.

• Like any physical record, devices should also be securely disposed of when they come to the end of
their useful life. Always remove information before you dispose of a computer, either by physically
destroying the hard drive or storage medium or by using specialist software to erase the disks.

• Any email accounts you use should also be protected using Multi Factor Authentication (MFA).

• You can find detailed advice on all these and many other aspects of IT security on the Information and
IT Security section of Openwork’s Portal.

Communications Security
• What do we mean by communications security?
• Any way we communicate with each other! These days that usually means email but it includes verbal
communication as well.
• We terminated an adviser because of his involvement in mortgage fraud. During the investigation he
corresponded with us via email. After he had left, he accidentally copied us in to an email he sent to another
adviser, inciting him to commit mortgage fraud! As a result we were able to advise law enforcement.
• You only have to look at some of the leaked emails that come out of the government to realise that email is
never a secure means of communication.
• It’s happened to us all. Emails can be wrongly addressed, forwarded accidentally, intercepted by third parties
maliciously or otherwise, or simply viewed on the recipient’s screen.
• So the message is simple. Never communicate personal information by email unless:
- You’ve got permission from the subject – and have evidence to show it.
- Or you’ve used adequate password or encryption protection

Data Protection
• With the introduction of GDPR, Openwork’s standard leaflet on Data Protection has been replaced by a new
Privacy Notice.

• Advisers use this to explain to clients how we collect, control, and protect their personal information and
must always give a copy to the client when they first begin to collect information, usually at the first meeting.

• But what does it mean for you? What are your precise obligations – and what can go wrong?

• The short answer is ‘a lot’. Any individual has the right to sue a data Controller for financial loss, physical
harm, and distress arising out of a breach of the GDPR. Remember that Advisers and Openwork are data
Controllers.

• But it’s not just the potential financial cost that should concern you. Failing to look after a client’s personal
information is a breach of trust, and fails to meet our standards of treating a customer fairly. You or
Openwork might survive a fine – but think about the reputational damage that would occur. Would our
clients trust us with their information in future?

Data Protection
• What sort of punishment can Openwork or advisers expect if they breach the GDPR?

• Sanctions range from a written warning in cases of first and non-intentional breaches, through regular
periodic data protection audits, to fines of up to 20 million Euros or 4% of worldwide annual turnover,
whichever is higher. The regulator can also take enforcement action against companies that lose personal
information because of the links to financial crime.

• How often does this happen?

• Every case is different, but just to give you an idea, in 2020/21 the Information Commissioner’s Office
recorded that 2,594 breaches had been reported by organisations. 28% were due to cyber crime, 7%
due to the loss/theft of information, and 26% due to information being sent/emailed to the wrong
person.

• So – you need to do more than hand out the Privacy Notice and get it signed. You need to understand it
– and that’s what we’ll look at in the next two sections.

Data Protection – The Key Definitions
• A Data Controller is any person or organisation who determines the purposes and means of the processing of
personal information. The term applies to firms, sole traders, or self-employed Advisers and Openwork itself
– basically anyone who handles personal information and is registered with the ICO (paying the data
protection fee). As a Controller, you are responsible and liable to prosecution if things go wrong.

• A Data Processor is any person or organisation who processes information on behalf of a Controller. The
Processor is responsible for keeping personal data secure from unauthorised access, loss or destruction.
However, if you are a Controller, you are not relieved of your obligations where a processor is involved – the
GDPR places obligations on you to ensure your contracts with processors comply with the GDPR.

• The Data Subject is the person whose personal information is being used.

• The GDPR exists to regulate and control the processing of personal information. It gives everyone the right to
know what information is held about them, and sets out rules to make sure this information is handled
properly.

• But what exactly does it mean by personal information?

Data Protection – The Key Definitions
• The GDPR has expanded the criteria of what constitutes personal information, and information is now
considered personal as soon as it consists of something that allows a living person to be directly or indirectly
identified from it. For example, a client’s address on its own is now personal information.

• The GDPR continues to draw a distinction between basic personal information and sensitive personal
information (which the ICO calls “special category data”), though the scope of what constitutes sensitive
information has been extended and now encompasses information on a living individual’s racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or
sexual orientation, and genetic and biometric data.

• In order to hold and process this information, you must formally explain to your client why you are doing so,
provide details about the information you hold and correct any errors. You should then notify your client how
the data will be processed and to whom it may be disclosed…

• And ensure they’ve given their explicit permission for this to happen by signing a Privacy Notice. This must be
uploaded to OWS before business is submitted.

• For more information, go to the Data Protection page of the Portal.

Data Protection – The Principles
• The GDPR sets out the principles with which you need to comply. These are reflected in broad, client-
friendly terms in the new Privacy Notice. Get these principles right and you won’t have any problems.

1. Processing must be lawful, fair and transparent

• Only share information with the client’s consent, and in the ways that are explained in the Privacy
Notice. This means:
- Checking if clients have opted out of mailings and publicity campaigns.
- Checking clients against Openwork’s list of Persons Insisting on No Contact (the PINC list).
- Checking clients against the Telephone or Mailing Preference Services.
- Making sure that any lists you buy have also been checked

• If you use a third party partner business promoted by Openwork, you can be sure they’ve been subject
to Due Diligence assessment, but if you use any other business you will be responsible for completing
due diligence.

Data Protection – The Principles
2. Processing must always be for a specific, explicit and legitimate purpose and not further processed in
a manner that is incompatible with that purpose.

• This means that if you intend to use client data for any purpose that’s not covered by the Privacy
Notice, you must get the client’s agreement – and always use only relevant information. This means
that, as an adviser, if you collect Client information and then leave Openwork, you cannot use the
information in connection with your new business, because it was collected for the purpose of giving
Openwork advice.

Data Protection – The Principles
3. Data must be adequate, relevant and limited to what is necessary for the purpose of the processing

4. Data must be accurate and kept up to date.

• Every reasonable step must be taken to ensure that data is accurate, and that inaccurate information is
erased or rectified without delay. That doesn’t mean you have to go back to every client every month
and make sure nothing has changed, but whenever you contact an existing client you should take the
opportunity to make sure the data you hold for them is accurate. If you have an annual review meeting
that would be the perfect opportunity to do so. Keying dummy phone numbers and email addresses for
clients on submission systems doesn’t meet the requirements of the rules.

• If we hold inaccurate or out of date information on clients, it can be very detrimental. Even simple
things like not keeping names and addresses and marketing preferences up to date can lead to clients
being unfairly refused credit or a mortgage, or being charged the wrong amount for life insurance. A
record of a sale is the position at that time and is unlikely to change, but if you want to make contact or
carry out any marketing in the future you’ll need to keep the client’s information up to date.

Data Protection – The Principles
5. Data must be kept for no longer than is necessary for the purpose for which it is processed.

• But how long is that? Openwork’s Retention Policy breaks it down as follows:

• Full details of the Retention Policy are available on the GDPR Portal page.

Data Protection – The Principles
• The GDPR includes a right to erasure, also known as ‘the right to be forgotten’, but that right is
overridden where we have regulatory requirements to retain the records. Where a client asks for their
information to be destroyed, that should only occur once it falls outside the timeframe set out in the
record keeping guidelines.

6. Information must be processed in a manner that ensures appropriate security of the information,
including protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage.

• We looked closely at how to keep information secure earlier in this module. Here are a few more
practical pointers:

• A lot of advisers have the sort of relationship with clients where they can recognise their voices easily
over the phone. But if you’re in any doubt, you must always ask for name, address, and date of birth,
and back this up with one additional question - something only the caller can know about their policy or
situation. Name, address and date of birth are exactly the details a fraudster collects first, so it is the
additional question that does the real work.

Data Protection – The Principles
• You know you need to password protect your devices – but do you know how to choose a strong
password? Here’s a typical weak password - “Chelsea” no matter what you think of the team... It’s short,
it’s a dictionary word, and it appears in every password-guessing list.

• And here’s a strong one – “Dcgh90b!3m” a mixture of upper case and lower case letters, numbers and
symbols. (Of course, now that it has been printed in this module it is no longer a secret, so don’t use this
exact one.)
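As an added example (not part of the original module and not Openwork’s own tooling), the following Go program applies the three checks that separate “Chelsea” from “Dcgh90b!3m”: length, number of character classes, and whether the password is built on a common word even after the usual disguises such as 3 for e or 0 for o. The word list is a tiny constructed stand-in for a real breached-password list, and the thresholds (10 characters, three classes) are assumptions for the example rather than Openwork policy.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Verdict records the estimated entropy of a password and every reason it
// fails the policy; an empty Reasons slice means the password is acceptable.
type Verdict struct {
	EntropyBits float64
	Reasons     []string
}

// Policy thresholds: assumptions for this example, not Openwork policy.
const (
	minLength  = 10
	minClasses = 3
)

// commonWords is a constructed stand-in for a real breached-password list
// (in practice you would check against hundreds of millions of entries).
var commonWords = []string{
	"password", "chelsea", "arsenal", "liverpool", "qwerty", "letmein", "welcome",
}

// deleet undoes the substitutions people use to disguise a dictionary word,
// so "Ch3ls3a" is still recognised as "chelsea".
var deleet = strings.NewReplacer(
	"0", "o", "1", "i", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s", "!", "i",
)

// AssessPassword applies the length, character-class and dictionary checks and
// estimates entropy as if the password were drawn uniformly from the character
// classes it uses. That estimate is an upper bound: a dictionary word with a
// few substitutions scores high on it, which is exactly why the word check exists.
func AssessPassword(pw string) Verdict {
	var v Verdict
	var lower, upper, digit, symbol bool
	for _, c := range pw {
		switch {
		case unicode.IsLower(c):
			lower = true
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsDigit(c):
			digit = true
		default:
			symbol = true
		}
	}
	pool, classes := 0, 0
	for _, cls := range []struct {
		used bool
		size int
	}{{lower, 26}, {upper, 26}, {digit, 10}, {symbol, 33}} {
		if cls.used {
			pool += cls.size
			classes++
		}
	}
	length := len([]rune(pw))
	if pool > 0 {
		v.EntropyBits = float64(length) * math.Log2(float64(pool))
	}
	if length < minLength {
		v.Reasons = append(v.Reasons, fmt.Sprintf("only %d characters (minimum %d)", length, minLength))
	}
	if classes < minClasses {
		v.Reasons = append(v.Reasons, fmt.Sprintf("only %d character classes (minimum %d)", classes, minClasses))
	}
	base := deleet.Replace(strings.ToLower(pw))
	for _, w := range commonWords {
		if strings.Contains(base, w) {
			v.Reasons = append(v.Reasons, fmt.Sprintf("built on the common word %q", w))
			break
		}
	}
	return v
}

func main() {
	for _, pw := range []string{"Chelsea", "Ch3ls3a2021!", "Dcgh90b!3m"} {
		v := AssessPassword(pw)
		fmt.Printf("%-14s %5.1f bits  %v\n", pw, v.EntropyBits, v.Reasons)
	}
}
```

The middle case, “Ch3ls3a2021!”, is the instructive one: it satisfies the length and character-class rules and scores nearly 80 bits on the naive entropy estimate, yet it is still “chelsea” to any cracking tool, and the dictionary check is what catches it.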

• It’s not just about having a good password – it’s keeping that safe as well. Never send a password by
email – even between Openwork email addresses.

• If you do need to send personal information to a non-Openwork address, never include it in the body of
the mail itself. Always create a password protected attachment and send the password via another
medium such as a text message. Use a format whose password protection actually encrypts the content
(a current Office document or PDF, or an AES-encrypted archive) rather than the legacy ZIP password
option, which is easily broken.
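The advice above (an encrypted attachment, with the password travelling by a different route) in working form, as an added example that is not part of the original module or Openwork’s tooling. The Go program derives an AES-256 key from the shared password with PBKDF2-HMAC-SHA256 (written out from RFC 8018 so it needs no third-party package), encrypts with AES-256-GCM so that a wrong password or a tampered file is rejected rather than decrypted to garbage, and stores the salt and nonce alongside the ciphertext. The sample content and password are constructed for the example; the 600,000 iteration count follows current OWASP guidance and is an assumption, not an Openwork setting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // random per-file salt, stored with the ciphertext
	keyLen    = 32      // 32 bytes = AES-256
	kdfRounds = 600_000 // PBKDF2 iterations (OWASP 2023 figure; an assumption here)
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 as specified in RFC 8018.
func pbkdf2SHA256(password, salt []byte, rounds, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		// U1 = PRF(password, salt || INT(block))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U2..Uc = PRF(password, U_{i-1}); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// aeadFor derives the AES-256-GCM cipher for a password and salt.
func aeadFor(password string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(password), salt, kdfRounds, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a key derived from password.
// Output layout: salt (16) || nonce (12) || AES-256-GCM ciphertext and tag.
// The salt is also bound as GCM additional data so it cannot be swapped.
func Seal(plaintext []byte, password string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// Open reverses Seal. A wrong password or any modification of the blob fails
// authentication, so the caller never receives silently corrupted output.
func Open(blob []byte, password string) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := aeadFor(password, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[saltLen:saltLen+ns], blob[saltLen+ns:]
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("decryption failed: wrong password or file tampered with")
	}
	return pt, nil
}

func main() {
	// Constructed sample attachment; the password would go by text message, not in the email.
	attachment := []byte("Constructed sample: client valuation summary")
	password := "sent-by-SMS-not-email-7Qp"
	blob, err := Seal(attachment, password)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted attachment is %d bytes\n", len(blob))
	if _, err := Open(blob, "guess"); err != nil {
		fmt.Println("wrong password:", err)
	}
	pt, _ := Open(blob, password)
	fmt.Printf("recovered: %s\n", pt)
}
```

Two design points matter for the slide’s scenario. The slow key derivation is what makes an intercepted attachment resist password guessing, so the password should still be one the recipient cannot trivially guess from the email itself. And because GCM authenticates the whole blob, the recipient learns immediately whether they typed the password wrong or the file was altered in transit, instead of opening a corrupted document.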

• If information was lost or stolen, would you actually know what was missing? It’s vital you keep a secure,
up to date backup of what each device holds, so if something goes wrong you can evaluate the risks and only
need to contact those clients who are directly affected.

Right of access to data
• Any individual has the right to access their personal data and any supplementary information held.

• If a client asks for their information, they can make a Subject Access Request to an adviser or
Openwork. The GDPR has changed the conditions for such requests, and we must now provide the
information free of charge, and within one month of receiving the request (extendable by a further two
months only for complex or numerous requests, and only if the client is told within the first month).

• The one situation in which a client’s information may be released without going through the client is a
request from the police. If they need it to prevent or detect a crime, or to catch or prosecute a suspect, you
should release it – but only when you receive a Production or Court Order. And you must be satisfied that it
would prejudice the police’s work if the information was not released.

Transferring information outside the European Union
• The GDPR imposes restrictions on the transfer of personal data outside of the European Union, to third
countries or international organisations. These restrictions are in place to ensure that the level of
protection of individuals afforded by the GDPR is not undermined.

• Information can be transferred between countries within the European Economic Area (EEA) because
they provide an equivalent level of protection. If you have any doubts about this or any other aspect of
the Data Protection Principles, don’t hesitate to contact Openwork’s Data Protection Officer.

• One of the key things to consider is when you want to transfer any client information in a Cloud based
service. Bear in mind that the data will actually be stored on a server somewhere, and this might be
outside the EEA. The USA does not meet our requirements so check this out BEFORE you upload any
information.

• Please note that, as at the date of this module, Brexit has not changed these requirements.

Third Party Risk
• Earlier we covered the need to carry out due diligence on third parties. Any third party that you engage with
to carry out any task on your or Openwork’s behalf may have access to your client data. This might range
from your whole client bank in the case of an IT provider or to whatever you’ve left out on your desk in the
case of a cleaner.
• Remember that you and Openwork are the Data Controllers for the purposes of GDPR. This means that if your
third party supplier / provider has access to your data and loses / misuses it, it’s still YOUR responsibility.
Here’s some of the things you should consider:
- Understand exactly what data they will have access to, and limit it wherever possible.
- How will you send data to them? Think about encryption.
- How / where will they store that data? Again, encryption should be considered, and remember that we
shouldn’t be transferring data outside the EEA.
- When they’ve finished processing it, how will they return / destroy it?
- What vetting processes do they have in place for staff and how do they make sure they are trained?
- What are their processes for letting you know if something goes wrong?
- Make sure you have a formal contract with them that covers the above.

Privacy Impact Assessments
• If you engage a new provider to process your client data or engage in a major new project that involves using
client data, the GDPR requires you to assess whether you need to undertake a Data Protection Impact
Assessment (DPIA).
• You must carry out a DPIA for processing that is likely to result in a high risk to individuals but it is also good
practice to do a DPIA for any other major project which requires the processing of personal data.
• Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.

• To assess the level of risk, you must consider both the likelihood and the severity of any impact on
individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious
harm.
• You should consult Openwork’s Data Protection Officer if you think you need to carry out a DPIA. A template
is available to help you assess whether one is needed and to carry it out if you do.


Reporting
• So what happens if it all goes wrong – and despite your best efforts data goes missing or is given to the
wrong person?

• The important thing is to act immediately, by telling the Data Protection Officer at Openwork. Where a
breach has to be notified to the ICO, the GDPR requires that within 72 hours of becoming aware of it, so
the clock starts as soon as you know.

• Don’t keep quiet. If we know there’s been a potential breach, we can take the correct course of action
to mitigate the risks.

• We can contact clients – and the police – if necessary.

• We can also learn lessons and improve procedures.

• And if you’re in any doubt, or concerned about something that might have happened, get in touch.

• Remember, being able to demonstrate that we took reasonable precautions helps protect against the
consequences we talked about earlier.

Thank you!

• Good luck with your exam.
