This Privacy Statement relates to The Ancient Order of Foresters Friendly Society Court No. 8143 “Pride of Sarnia” (“Foresters”).
Foresters is a Guernsey-based Court of a Friendly Society established in the United Kingdom and is registered with the Office of the Data Protection Authority as a data controller. The clients / policyholders dealt with by Foresters are resident in the Bailiwick of Guernsey. Foresters has appointed Orion Insurance Management Limited as a data processor.
Foresters has to comply with applicable legislation in respect of data protection, being the Data Protection (Bailiwick of Guernsey) Law, 2017 and any other data protection laws or regulations having effect in the Bailiwick of Guernsey.
Additionally, Foresters has contractual confidentiality obligations which are owed to clients, prospective clients, Service Providers and potentially others.
In the ordinary course of business, Foresters comes into possession of personal and / or confidential information (“Data”) in respect of individuals (“Individuals”), such as:
- Clients/policyholders (who may also be categorised as members) & prospective clients/policyholders (who may also be categorised as prospective members)
- Complainants, correspondents and enquirers
- Advisers, consultants and professional experts and their directors, officers, employees, agents and representatives
- Directors and employees (including temporary and casual workers) of Foresters
Foresters will process personal data for the following purposes:
- Accounting, bookkeeping and related services
- Advertising, marketing and public relations
- Customer & client administration
- Insurance administration
- Membership administration
For the purposes of this privacy statement, Data may include personal information, contracts and related documents between Foresters and other parties (whether or not Individuals) including the service providers to Foresters (“Service Providers”), and includes any information that relates to an identified or identifiable living Individual from which that Individual can be identified (whether from that information alone, or in conjunction with other information which Foresters has or is likely to obtain) (“Personal Data”).
Personal data is defined in the relevant legislation. The data classes that Foresters may process include:
- Personal details
- Employment details
- Financial details
- Goods or services provided
Foresters may also process special categories of data or sensitive data, including:
- Physical or mental health or condition
- Trade union membership
In obtaining and using Personal Data in connection with shareholders or prospective investors, Service Providers and others (as may be applicable), Foresters will act as a data controller.
The Data may be held electronically, processed via automated processes, or held in general files, and where processed on Foresters’ behalf by Service Providers, will be subject to written contracts governing that processing and setting out the security and confidentiality measures which the Service Providers have committed to implement.
This document sets out Foresters’ policies and guidelines with regard to the obtaining, storing, processing, use, disclosure, transfer and safeguarding of Data as data controller.
For the avoidance of doubt and notwithstanding anything to the contrary in this privacy statement, nothing in this privacy statement shall prevent Foresters from complying with any legal or regulatory obligation to disclose data in accordance with applicable law or regulation.
Obtaining and Using Personal and Confidential Data
Personal Data may only be processed if the data subject has given his / her consent, or if the processing is necessary for the performance of a contract to which the data subject is party, for the taking of other pre-contractual measures at his / her request, where processing is otherwise necessary for compliance with legal obligations, to protect the vital interests of the data subject; or is otherwise necessary for legitimate interests or on public interest grounds.
As a Data Controller, Foresters is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles:
- Data must be processed fairly, lawfully and in a transparent manner
- Data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner which is incompatible with those purposes
- Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected
- Data must be accurate and, where necessary, kept up to date, and reasonable steps must be taken to ensure that Personal Data that is inaccurate is erased or corrected without delay
In addition, Foresters imposes confidentiality obligations on its Service Providers and is subject to confidentiality obligations regarding shareholders (and prospective investors) and Service Providers.
- Only Data, which is strictly necessary for the purpose of a share subscription and / or the contract between Foresters and a shareholder or prospective investor or a Service Provider, should be requested or obtained from the relevant party
- Through the application forms, privacy statement(s) and prospectus, Foresters makes shareholders, prospective investors, Service Providers and relevant Individuals aware of:
- the identity of Foresters;
- the purposes for which the Data relating to that relevant Individual will be stored and used;
- the legal basis for that processing
- where that legal basis is a legitimate interest of Foresters or a third party, a description of those legitimate interests and the right to object to the processing; and
- where the legal basis is consent, the right to withdraw consent;
- the recipients or categories of recipients (if any) of the Data;
- where applicable, details of international data transfers;
- details of storage and retention periods;
- details of any automated decision-making, including any profiling;
- the right of Individuals to get access to their Personal Data, to rectify any such Personal Data, and their other rights applicable to data protection laws;
- the right to lodge a complaint with the Office of the Data Protection Authority (“ODPA”), which can be contacted at email@example.com or by telephone on +44 (0) 1481 742074.
- Foresters will not use Data other than for the purposes which have been brought to the attention of the relevant Individual and, if consent is required, to which the relevant Individual has consented.
- Where Service Providers process Data for Foresters pursuant to contracts between Foresters and the Service Providers, the Service Providers act as data processors of Foresters. Foresters will ensure that:
- appropriate due diligence is undertaken on such Service Providers to confirm that the Service Providers provide sufficient guarantees to implement appropriate technical and organisational security measures so as to meet the requirements of applicable law and to ensure the protection of the rights of the Individuals with regard to their Personal Data; and
- any contracts with such Service Providers impose obligations on the Service Providers which are required under applicable law and which assist Foresters in complying with its own obligations under applicable law.
- Where Service Providers are dealing with existing shareholders, the Service Providers have confirmed that they have procedures in place to verify on behalf of Foresters that all existing Data held relating to those existing shareholders is accurate and up to date.
Recipients of Data held by Foresters may include:
- Employees and agents of Foresters
- Another organisation acting on behalf of Foresters (a data processor)
- Debt collection, tracing & private investigation agencies
- Ombudsman & Regulatory Authorities
- Government Departments
- The individual or customer themselves
- Relatives, Guardians or Other Persons Associated with the Customer or Individual
- Current, Past or Prospective Employers of the Individual
- Suppliers, Providers of Goods or Services
- Healthcare, Social & Welfare Advisers or Practitioners
- Trade, Employer Associations & Professional Bodies
Storage and Security of Data
Each of Foresters and the Service Providers is obliged to implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access. This applies particularly where such Personal Data will be transmitted over a network. Similar security measures should also apply to the other Data.
Generally, Foresters shall, and where it appoints the Service Providers, shall ensure that the Service Providers shall:
- considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Individuals, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include, as appropriate:
- pseudonymisation and encryption;
- the ability to ensure ongoing confidentiality, integrity, availability and resilience;
- the ability to restore availability and access in a timely manner in the event of a technical incident;
- a process for regular testing, assessing and evaluating the effectiveness of those measures;
- take all reasonable steps to ensure that employees and other agents are aware of and comply with the security measures which have been implemented, including training of their respective relevant employees and agents;
- ensure that technical security controls are implemented to limit access to the Data on a “need to know” basis;
- ensure that all hard copies of Data are securely stored and are only accessed on a “need to know” basis.
Foresters is obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate business purposes.
It is obliged by law to retain customer-related identification and transaction records for five years from the end of the relevant investor relationship or the date of the transaction respectively. Other information, including personal data of the directors and business contact information, will be retained for no longer than is necessary for the purpose for which it was obtained by Foresters or as required or permitted for legal, regulatory, fraud prevention and legitimate business purposes. In general, Foresters (or its service providers on its behalf) will hold this information for a period of seven years from the termination of the relevant business relationship, unless it is obliged to hold it for a longer period under law or applicable regulations. Certain director information may be held indefinitely where it forms part of the statutory books and records of Foresters.
Foresters (or its service providers on its behalf) will also retain records of telephone calls and any electronic communications for a period of five years from the date of such call or communication.
In accordance with applicable data protection laws, Foresters will be obliged to notify the ODPA of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data (each a “personal data breach”) within 72 hours of becoming aware of same, unless the personal data breach is unlikely to result in risks to Individuals. Furthermore, Foresters will need to notify any impacted Individuals without undue delay where a personal data breach is likely to result in a high risk to those Individuals.
In the event of a personal data breach:
- Foresters shall consider the likely risks arising from the Personal Data breach, taking into account the nature and scope of the personal data in question, the extent of the breach, the period of the breach, and any security measures which may militate against risk, such as encryption. In doing so, the potential consequences for the affected Individuals will be considered;
- any incident in which Personal Data has been put at risk will be reported to the ODPA within 72 hours of Foresters becoming aware of the incident. Where a report is made to the ODPA, Foresters will provide such information and detail as is required under applicable data protection laws or as the ODPA may request, which shall include:
- a description of the nature of the personal data breach, including where possible, the categories and approximate numbers of impacted Individuals, and the categories and approximate number of personal data records concerned;
- a description of the likely impact of the personal data breach;
- a description of measures to mitigate possible adverse effects;
- reporting to the ODPA may be conducted in phases where the full extent of the personal data breach is not known within 72 hours of Foresters becoming aware of same. Any such phased reporting will be conducted in consultation with the ODPA;
- any incidents which are likely to result in high risk to Individuals will be notified to the impacted Individuals without undue delay unless this would involve disproportionate effort. In this latter case, a public communication or similar equally effective notification measure shall be implemented by Foresters;
- Where, having considered the matter, Foresters comes to a determination that no notification need or will be made to the ODPA and / or the affected data subjects, Foresters shall in any event keep a summary record of each incident which has given rise to the risk of unauthorised disclosure, loss or alteration of personal data, which will include an explanation as to why Foresters did not consider it necessary to inform the ODPA.
- Records of security incidents will be made available to the ODPA on request.
Foresters shall ensure that the Service Providers notify Foresters without delay of any security incident and provide all reasonable assistance to Foresters to enable it to comply with its obligations under data protection law.
Privacy Impact Assessments
Foresters may be required to undertake privacy impact assessments in relation to the processing of Personal Data in certain circumstances and will undertake an impact assessment where the processing in question, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to Individuals.
Without limitation, the following may be indicative of high risk processing:
- a significant change to the processing operations relating to the Personal Data, including where implemented by one of the Service Providers;
- processing involving evaluation, scoring, monitoring or profiling of Individuals;
- Combining of two or more data sets arising from separate processing operations conducted for different purposes;
- Innovative use of technologies or of organisational measures to protect Personal Data;
- Data transfers across borders outside the European Economic Area (the “EEA”) or equivalent jurisdictions (including Guernsey).
Any privacy impact assessment shall include:
- a systematic description of the envisaged processing operations and the purposes of the processing, including where applicable the legitimate purposes pursued by Foresters;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to Individuals; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure protection of personal data and to demonstrate compliance with applicable data protection laws taking into account the rights and legitimate interests of Individuals.
Foresters shall consult with the ODPA where necessary in accordance with applicable data protection laws, and where appropriate shall seek the views of Individuals or their representatives.
Foresters shall ensure that the Service Providers notify Foresters without delay of any new processing or change in processing arrangements (including implementation of any new technology) to facilitate Foresters in determining whether the processing is likely to result in high risk to Individuals and shall provide all reasonable assistance to Foresters to enable it to comply with its obligations under applicable data protection laws with regard to undertaking a privacy impact assessment.
Transfers of Data from the EU or equivalent jurisdictions
The transfer and distribution of Personal Data, whether to a Service Provider or a third party, is restricted, and is only permitted in limited circumstances. Particular restrictions and limitations apply to the transfer of Personal Data to countries outside of the EEA or those that do not have equivalent levels of data protection.
No transfer of data outside of the EEA or equivalent countries will be permitted unless the board of Foresters has approved both the transfer and the measures implemented at the recipient company.
Subject Access Requests
Where an Individual makes a subject access request in writing, there is an obligation on the data controller to provide certain information to the data subject.
Accordingly, on receipt of any data subject access request, Foresters shall within 30 days:
- inform the Individual as to whether the data processed by or on behalf of Foresters includes Personal Data relating to the Individual, and where it does, to provide a description of:
- the categories of the Personal Data;
- the Personal Data constituting the data;
- the purposes for which they are being or are to be processed;
- the recipients or categories of recipients to whom they are or may be disclosed;
- information as to source, where not obtained directly from the Individual;
- where possible, the envisaged storage period, or alternatively the criteria used to determine that period;
- the right to lodge a complaint to the Office of the Data Protection Authority;
- details of any automated decision making or profiling;
- the appropriate safeguards with regard to international data transfers.
- provide the Individual with a copy of the Personal Data of the Individual;
- provide the relevant information to the Individual free of charge, in an easily visible, intelligible and clearly legible manner within one month of a proper request from the data subject, unless an exception applies under applicable data protection laws.
If Foresters does not intend taking action at the request of the data subject, Foresters shall inform the Individual without delay, together with the reasons for not taking action and the right of the Individual to complain to the ODPA.
Foresters shall ensure that the Service Providers notify Foresters without delay of any data subject access request and provide all reasonable assistance to Foresters to enable it to comply with its obligations under applicable data protection laws in relation to any data subject access requests.
Other Data Subject Rights
Individuals have the following rights, in certain circumstances:
- the right to rectify Personal Data
- the right to restrict processing
- the right to object to processing
- the right to be forgotten
- the right to data portability.
Foresters shall comply with applicable data protection laws in honouring Individual rights as set out above. However, if Foresters does not intend taking action at the request of the data subject, Foresters shall inform the Individual without delay, together with the reasons for not taking action and the right of the Individual to complain to the ODPA.
Foresters shall ensure that the Service Providers notify Foresters without delay of any data subject requests to enforce the above rights and provide all reasonable assistance to Foresters to enable it to comply with its obligations under applicable data protection laws in relation to any such data subject requests.
Foresters can be contacted at its registered office:
29 Glategny Esplanade
St Peter Port,
Foresters has nominated David Le Poidevin as the individual responsible for data protection, who can be contacted at David@Foresters-insurance.co.uk or on 728864.
Updates to this Privacy Statement
Any changes Foresters makes to its Data protection and Privacy Statement in the future will be posted on its website. Please check back frequently to see any updates or changes.