IF1 Module 10 Flashcards
What is the UK General Data Protection Regulation (UK GDPR) and to whom does it apply?
The UK GDPR applies to data controllers and data processors.
Processors are required to maintain records of personal data and processing activities. Controllers must ensure their contracts with processors comply with the UK GDPR.
Consent under UK GDPR must be freely given by a form of positive opt-in.
Post-Brexit, the UK GDPR applies to organisations established in the UK, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. UK firms that operate in the EEA, or that offer goods or services to individuals there, remain directly subject to the EU GDPR as well.
What is the Data Protection Act (DPA) 2018?
The main elements of the Data Protection Act 2018 include:
- ensuring that sensitive health, social care and education data can continue to be processed, to ensure confidentiality in health and safeguarding situations;
- restricting the rights to access and delete data where there are legitimate grounds for doing so (e.g. for national security purposes);
- setting the age from which parental consent is not needed to process data online (13 in the UK); and
- providing the Information Commissioner’s Office (ICO) with enhanced powers to regulate and enforce data protection laws.
What are the Powers of the Information Commissioner’s Office (ICO)?
For the most serious data breaches, the ICO can levy fines of up to £17.5 million or 4% of annual global turnover, whichever is higher.
It can also bring criminal proceedings against a data controller or processor if they have altered records following a Subject Access Request (SAR) with the intent to prevent disclosure.
What are the six data protection principles that UK GDPR requires data users to abide by?
These principles require that personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
All businesses handling personal data must register with?
The Public Register of Data Controllers (maintained by the ICO)
Firms must also provide information about the type and purpose of the data they process and identify who has access to it.
The UK GDPR introduces a duty on all organisations to report certain types of breach to the relevant supervisory authority (the ICO in the UK), and in some cases to the individual.
What rights does the UK GDPR give to individuals in respect of information held about them by others?
The UK GDPR provides the following rights to individuals:
The right to be informed.
The right of access.
The right to rectification.
The right to erasure.
The right to restrict processing.
The right to data portability.
The right to object.
Rights in relation to automated decision making and profiling.
The Chartered Insurance Institute (CII) is the professional development body for insurance professionals in the UK. It has developed a Code of Ethics for all members to follow, what are the five principles in the code of ethics?
Integrity
Compliance
Fairness
Client’s interest
Service
Training and competence rules apply to anyone who gives advice on general insurance contracts to consumers. The main requirements for firms with employees are?
- Assess and maintain competence
Assessing an employee as competent must follow clear criteria and procedures.
Once competent, the maintenance of competence must take account of technical knowledge and its application, skills and expertise and changes in the market, products, legislation and regulation.
The Insurance Distribution Directive requires those selling insurance to do at least 15 hours of professional training or development per year.
- Ensure adequate supervision
It is necessary to supervise employees until such time as they demonstrate the necessary competence to carry on an activity.
Subsequently, supervision is expected to be less intense.
- Keep appropriate records to demonstrate compliance with rules
Firms must have a detailed written manual indicating how they deal with the assessment of competence and how it is maintained.
A firm must make appropriate records to demonstrate compliance and keep them for three years after an employee who works in general insurance stops carrying on the activity.
What is the FCA definition of a complaint?
Any oral or written expression of dissatisfaction, whether justified or not, from, or on behalf of, a person about the provision of, or failure to provide, a financial service, which alleges that the complainant has suffered (or may suffer) financial loss, material distress or material inconvenience.
A firm must appoint a senior individual (such as a director, chief executive or partner) to oversee the firm’s compliance with the FCA’s complaint handling rules and the overall complaints handling function within the firm.
Complaints must be recorded, investigated and a decision made that is appropriate, timely and fair by someone independent of the original complaint. Records of complaints must be kept for three years from the date of the complaint.
What classes as an eligible complaint?
Any complaints from consumers; micro-enterprises; charities with an annual income of less than £6.5m; a trustee of a trust which has a net asset value of less than £5m; a consumer buy-to-let (CBTL) consumer; a small business at the time the complainant refers the complaint to the respondent; or a guarantor.
Eligible complainants are subject to the FCA complaint handling rules and have a right of access to the Financial Ombudsman Service (FOS) if not satisfied with a firm’s response.
How long do complaints have to be retained by firms?
All complaints files must be retained for at least three years from the date the complaint was received, and a record must be kept of measures taken for its resolution.
Most firms will have a complaints form that must be completed and kept on file or a master complaints log – this will be used to track the progress of the complaint.
Within what time period do the FCA expect that almost all complaints will have been addressed and either a ‘final’ or ‘written’ response sent out to the complainant?
The FCA expects firms to have provided either a final or written response within eight weeks.
A written response differs from a final response insofar as it is a holding note advising the complainant why they have not received a final response and informing them of their right to refer the complaint to the FOS if they so wish.
Complainants unhappy with a final response have six months to refer it to the FOS.
What is the Financial Ombudsman Service?
The FOS is an independent mechanism for dealing with disputes from eligible complainants.
Internal complaints procedures within the authorised firm need to be exhausted before a complaint can be referred to the FOS.
The maximum award the FOS can make is £375,000 for complaints referred on or after 1 April 2022 about acts or omissions by firms on or after 1 April 2019. It can recommend a higher figure if appropriate, but it will not be binding on the insurer. Lower limits apply for complaints referred in earlier years.
If the insured accepts the FOS’s decision, the insurer must pay out up to the £375,000 ceiling.
If the insured rejects the decision, they will need to issue legal proceedings to take their complaint any further.
What does the Financial Services Compensation Scheme (FSCS) do?
The FSCS protects private individuals and small commercial customers of authorised insurance and investment firms and deposit-taking firms where the firm is either unable, or likely to be unable, to meet its liabilities (e.g. because the firm has gone out of business or has been declared insolvent).
It also protects policyholders of compulsory insurance policies no matter the size of the business.
The scheme covers policies issued in the UK and in some cases the European Economic Area, the Channel Islands and the Isle of Man.