On 25 May 2018, the European Commission will enforce the General Data Protection Regulation (GDPR), affecting the way personal data is stored and managed. We are committed to ensuring we do the right thing for all of our clients.
What are we doing about it?
Phoenix Healthcare (UK) Ltd is, and always has been, committed to protecting the privacy of our clients; we have always ensured full compliance with the existing Data Protection Act 1998 and maintained the highest level of cyber security. In light of the forthcoming changes in Regulation, we initiated a review of our services, suppliers and the data we hold to ensure our compliance prior to the implementation of the GDPR by 25 May 2018.
Our plan has been designed to ensure that our business processes, procedures, systems, suppliers and providers are regularly reviewed, documented and staff are trained on the requirements of the GDPR. This also forms part of our wider compliance structure.
The primary elements include:
- We have undertaken a data mapping exercise to identify all information assets, so we know what data we have, where it’s held, how we access it, how it is classified and what data we share, with flow charts showing how it moves between systems.
- A review of technical security measures, encryption, access restrictions, physical access, breach notification procedures and regular testing of our security.
- We undertake extensive due diligence of all our third-party suppliers and providers, including information on their compliance with the GDPR and their breach notification policy.
- Our policies and procedures have been updated to address privacy, data protection and information security to address changes in regulation.
- We have modified our training and increased awareness amongst our team members, so they are fully aware of and compliant with our updated processes and procedures in relation to GDPR, information security and compliance.
- We are in the process of updating our contracts with third party suppliers in light of the changes in regulation.
- Our data privacy incident and breach management plan, which we review on an ongoing basis, has been updated to incorporate the breach notification requirements that form part of the GDPR.
- We always aim to achieve the highest standards of compliance and client satisfaction, so cyber security and data protection form part of our overall compliance programme.
- We conduct ongoing internal compliance audits across all aspects of our business to make sure we’re doing the right thing and to identify areas for continuous improvement.
We are not able to commit to bespoke security obligations for each client. We are prepared to review and accommodate any reasonable security requirements, where these do not conflict with our existing security arrangements.
When liaising with providers/suppliers that will process personal data, we take steps to ensure that the security and protection of an individual’s personal data is maintained. The processing of data or information received is not outsourced to any third party.
Where is our client data stored?
All data is externally hosted using secure encrypted cloud services hosted in the EEA.
Save where required by law, or specifically instructed otherwise by Client in writing, we shall retain the Client data until the one-year anniversary of the date on which Phoenix Healthcare (UK) Ltd. ceases to provide services to Client.
Who has access to client data?
We are committed to keeping personal information secure and have put in place procedures intended to safeguard and secure the information provided to us. All members of staff have a legal duty to respect the confidentiality of this information, and access to this information is restricted to those with assigned security access.
Data subject access requests (DSAR)
Data subjects have the right to request a copy of the information we hold on them, and the following high-level information:
- Purpose of the processing
- Categories of data processed
- Recipients or categories of recipients to whom the data have been disclosed
- Period for which the data will be stored (or criteria used to determine the period)
- Existence of the right to rectification, erasure or restriction of processing, and also the right to object to processing.
- Where data are not collected from the subject, information as to their source, such as an employer or previous insurer.
- Right to complain to supervisory authority.
We understand that our clients want to work with a Company that will safeguard their personal data and interests, respecting their individual privacy rights.
We do not undertake any electronic marketing, and do not share information with any person/organisation other than the intended Data Controller.
What is the difference between a Data Controller and a Data Processor?
The Data Controller is a person/organisation who determines the purpose for which, and the manner in which, any personal data are, or are to be, processed. The Data Controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.
A Data Processor is a person/organisation who processes the data on behalf of the Data Controller. The Data Processors are those who hold personal data and process it under the instructions of someone else.
Want to know more about the GDPR?
To read more about the changes you can visit the ICO website: ico.org.uk
Information About Us
Phoenix Healthcare (UK) Ltd. is an independent insurance intermediary, trading at The Stables, 17 Church Street, Oadby, Leicester, LE2 5DB. Registered office: Cawley House, 149-155 Canal Street, Nottingham, NG1 7HR. Company number 04264245.
Phoenix Healthcare (UK) Ltd is authorised and regulated by the Financial Conduct Authority (“FCA”), the independent watchdog that regulates financial services. Our FCA Register number is 622572. Our permitted business includes insurance advising and arranging. You can check this by visiting the FCA’s website www.fca.gov.uk/register or by contacting the FCA on 0800 111 6768.