Privacy and data at Wealth Wizards

Regulation and compliance

We are fully regulated by the FCA and take responsibility for our advice

Wealth Wizards Benefits Limited is authorised and regulated by the Financial Conduct Authority and is entered on the Financial Services Register under reference 596641. Registered Address: Wizards House, 8 Athena Court, Tachbrook Park, Leamington Spa, CV34 6RT.

Our registered address is:

Wealth Wizards Benefits Limited
Wizards House
8 Athena Court
Tachbrook Park
Leamington Spa
CV34 6RT

Complaints

If you’re unhappy with the experience you have with Wealth Wizards Benefits Limited we’d like to put it right for you. Please let us know if you want to make a complaint by writing to us or dropping us an email.

If you’re still unhappy with the outcome of your complaint, you have the right to contact the Financial Ombudsman Service (FOS). The FOS is a statutory body established to provide consumers with a free, independent service for resolving disputes with financial firms. Their decisions are binding on us. You can visit the FOS website for further information.

Compensation

You may be entitled to compensation from the Financial Services Compensation Scheme if we cannot meet our obligations. This depends on the type of business and the circumstances of the claim. Further information is available from the FSCS.

‍

Terms of use

This website is provided by Wealth Wizards Benefits Limited which is authorised and regulated by the Financial Conduct Authority and is entered on the Financial Services Register under reference 596641, and registered in England & Wales Company No 06030782. Wealth Wizards® is registered as a trading style of Wealth Wizards Benefits Limited with the Financial Conduct Authority.

These terms should be read carefully. Access to this website is on the basis that you agree to these terms.

Our services are intended for customers in the United Kingdom. Services featured on the website do not amount to an invitation to customers outside the United Kingdom.

The website and these terms are governed by the law of England and Wales.

We try to ensure that our website is available for access 24 hours a day, 7 days a week. However it may, on occasions be necessary to close or suspend provision of any of the services on the website for the purposes of repair, maintenance or development. Access to the website or operation of any of the services may be interrupted by circumstances beyond our control.

Wealth Wizards Benefits Limited takes care to ensure that the contents of this website are as clear, accurate and as easy to use as possible, but cannot accept responsibility (to the extent permitted by law) for any interruption or delay in access to the website or for any inaccuracies, incompleteness of information, errors or omissions in respect of information on our website or on any to which our website may be linked. The information is subject to change at any time without notice and Wealth Wizards Benefits Limited does not warrant that any of the services mentioned on the website are available. No warranty is given as to the freedom of this website from errors, defects or viruses.

If you request one of our email services you acknowledge that email is not completely secure or confidential and agree to that risk. We do not routinely encrypt emails. We do adhere to a rigorous Privacy Policy and we make all reasonable endeavours to keep your information confidential.

Parts of our website are provided by third parties. We try to ensure that our sources of information are reputable and that they take due care in preparing the information. However, we do not verify the information ourselves, and we do not guarantee that it is correct. We are also not responsible for any information on this site or any site linked to this site which is being marketed by a third party.

Wealth Wizards Benefits Limited cannot be held responsible for the accuracy of the contents or information contained within any linked sites accessible from this site.

This site and the material and brands on it are the intellectual property of Wealth Wizards Limited and Wealth Wizards Benefits Limited, and all resulting rights are reserved; no right or license is granted to use such intellectual property, save for the purposes of reviewing the website. Wealth Wizards®, Pension Wizard ®, Retirement Wizard ® and the wizard hat logo are registered trademarks; the trademarks, trade names, and logos on this website, and the copyright and pending patent applications are used by Wealth Wizards Benefits Limited under licence from Wealth Wizards Limited. Pension Tidy-up, Pension Predictor, Money Wizard, Advisor Wizard, Mortgage Wizard, Protection Wizard, Investor Wizard, Investment Wizard, Insurance Wizard, and ISA Wizard are trademarks and logos of Wealth Wizards Limited. © 2016 Wealth Wizards Limited. Wealth Wizards Benefits Limited is a wholly owned subsidiary of Wealth Wizards Limited.

This page was last updated on 1st January 2019

Privacy policy

Wealth Wizards takes the privacy of your data seriously. We’re committed to safeguarding your privacy while providing a personalised and valuable service. This Privacy Policy statement explains the data processing practices of the Wealth Wizards Group businesses. If you have any personal information requests or any queries about these practices please contact our Governance and Information Security Officer by e-mail : governance@wealthwizards.com.

Personal information is collected by the Wealth Wizards Group of companies listed below. Each of these Wealth Wizards companies are registered with the UK’s Information Commission as Data Controllers in accordance with the General Data Protection Regulation. References in this privacy policy to “WW”, “we”, “us”, “our” or similar refer to the Wealth Wizards Group of companies:

Wealth Wizards Benefits Limited

Registered Office: Wizards House, 8 Athena Court, Tachbrook Park, Leamington Spa, CV34 6RT, Company No: 6030782, Data Protection Registration No: ZA163085, FCA No: 596641

Information collected

We collect personally identifiable information about you (your “data”) through:

the use of enquiry and registration forms
your use of any our products or services
the provision of your details to us either online or offline
the provision of your details supplied to us by your employer

The elements of your data that we collect may include:

Name
Job title
Company name
Company address, phone and fax number
Home address and phone number
Mobile telephone number
E-mail address
Date of birth
NI Number
Salary
Pension contribution details
Educational history, work experience and other information from your CV if you provide this to us

We also collect information that we request from you when you use our service or that we collect automatically when you visit our sites. Please see our Cookie Policy for more details.

Use and disclosure of personal information

We collect information from you and, with your permission, from your investment providers. We use this information about you to manage the relationship with you, manage our advice to you and offer you our products and services. Where you consent to provide us with this information we will take appropriate measures to protect your sensitive personal data.

We may need to disclose your details to our trusted partners and service providers for these purposes. Please note we require these third parties to maintain the same level of security and confidentiality of your personal information.

We use your data for purposes which include:

providing our users with a personalised service
processing registrations and enquiries
providing you with information about products and services we offer (if you agree to receive such information)
sharing your data with trusted partners and service providers who provide information relating to financial advice given
contacting you about specific recruitment opportunities if you register search criteria information on our recruitment sites
monitoring compliance with our Terms and Conditions
improving our products and services – your data will be treated with the same level of privacy of all data and wherever possible anonymised

We are regulated by the Financial Conduct Authority. They may wish to audit sample transactions from time-to-time including our customer records to assess our compliance with their rules. Strict confidentiality conditions are always in place should this occur.

We also may extract certain information from your data for the purpose of generating statistics but it is not possible to identify you from these statistics.

If you wish to receive information about the Wealth Wizards Group products or services, please indicate your preferences using the consent boxes when providing us with your data.

In order to deliver our services to you effectively we may send your details to third parties such as those that we engage for professional compliance, accountancy or legal services as well as product and platform providers and quote engines, that we use to arrange financial products for you. We also use Client Relationship Management systems, HR and payroll companies. Where third parties are involved in processing your data we’ll have a contract in place with them to ensure that the nature and purpose of the processing is clear, that they are subject to a duty of confidence in processing your data and that they’ll only act in accordance with our written instructions.

We may also disclose your information to business partners and to third party suppliers we engage to provide services which involve processing data on our behalf, successors in title to our business or in accordance with a properly executed court order or as otherwise required to do so by law. We reserve the right to fully co-operate with any law enforcement authorities or court order requiring or requesting us to disclose the identity or other usage details of any user of our site.

We use tracking on some of the pages of our website, which record user movements, including page scrolling, mouse clicks and text entered. The data we collect in this way helps us to identify usability issues, to improve the assistance and technical support we can provide to users and is also used for aggregated and statistical reporting purposes.

Automated decision making and profiling

If you use MyEva, your personal data will be gathered through the information that you give us. Your data is collected in order for us to carry out our service to you. If you’re unsure about the outcome of the automated process you can contact us to discuss or to challenge the outcome.

We take measures to ensure the security of your data (Industry best-practice is followed at all stages of the data-lifecycle and we are always working to improve on the methods employed to secure your data. e.g. data is encrypted when in transit across public internet links. Data is also stored in an encrypted format in our systems along with the backups of those systems). We don’t use any special category data (such as data about your health) in the automated process unless it’s strictly necessary to deliver our service and we have obtained your explicit consent to do so.

We regularly check our systems for accuracy and bias and feed any changes back into the design process.

Use of cookies and other tracking devices

As is common practice with almost all professional websites, this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience. This page describes what information they gather, how we use it and why we sometimes need to store these cookies. We will also share how you can prevent these cookies from being stored however this may downgrade or ‘break’ certain elements of the sites functionality. You can read our full cookie information here.

Telephone calls

As part of our commitment to provide the highest quality of service, we may record or monitor telephone conversations in order to improve our service standards and for staff training purposes.

Security policy

The Wealth Wizards Group has appropriate measures in place to ensure that our users’ data is protected against unauthorised access or use, alteration, unlawful or accidental destruction and accidental loss. User data may be transferred outside the Wealth Wizards Group to data processors but they will act only on our instructions to provide the services required.

Storage of your personal data

We follow strict security procedures in the storage and disclosure of personal information which you have provided via this website, to prevent unauthorised access. The security of personal information about you is our priority. We protect this information by maintaining physical, electronic, and procedural safeguards that meet applicable law.

We train our employees in the proper handling of personal information. When we use other companies to provide services for us, we require them to protect the confidentiality of personal information they receive.

User access and control of data

If you wish to amend any of the data which we hold about you, or update your marketing preferences, please contact governance@wealthwizards.com or visit the “Contact Us” section of our website.

If you’re a user of other Wealth Wizards Group products and you wish to amend any of the data that we hold about you, or update your marketing preferences, you can call, email or write to us on the numbers or address below. Please note that calls made to these numbers may be recorded for training and quality control purposes.

Telephone: 01926 671469

Email: Governance@wealthwizards.com

Address: Governance and Information Security Manager, Wizards House, 8 Athena Court, Tachbrook Park, Leamington Spa, CV34 6RT

All users

In accordance with the General Data Protection Regulation (GDPR), you may request a copy of the personal information we hold about you by contacting the Governance and Information Security Manager by e-mail at governance@wealthwizards.com or writing to:

Governance and Information Security Manager, Wizards House, 8 Athena Court, Tachbrook Park, Leamington Spa, CV34 6RT

Your rights and choices:

You may opt out of receiving marketing materials.

You may request we correct inaccurate information.

Using public areas of our website

We won’t collect any personally identifiable information about you when you use public areas of the website (i.e. where you don’t have to enter your security details) unless your use follows a visit to the secure area, at which point web logs will monitor your use.

The details you give us when you use tools in the public areas, such as calculators, will not be stored unless you specifically ask us to save it, in which case we will ask you to register.

Personal information provided when entering competitions or prize draws, or completing questionnaires will be used in accordance with the instructions and rules provided.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Children under 13

We do not allow anyone under 18 to use our products. In the collection of information during the fact find process we may note the number of children you have along with ages, but no other information is recorded.

What can you do if you're unhappy with how your personal data is processed?

You also have a right to lodge a complaint with the supervisory authority for data protection. In the UK this is:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, 0303 123 1113 (local rate).

Changes to this policy

We keep our privacy policy under regular review and from time to time we may make changes to this privacy policy statement to reflect any changes in accordance with changes to legislation, best practice or website enhancements. We will place any updates on this web page to inform you of any changes when they occur. This policy is effective from 14 June 2018.

This page was last updated on 7th November 2019

‍

Cookie policy

What are cookies?

As is common practice with almost all professional websites this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience. This page describes what information they gather, how we use it and why we sometimes need to store these cookies. We will also share how you can prevent these cookies from being stored however this may downgrade or ‘break’ certain elements of the sites functionality.

How we use cookies

We use cookies for a variety of reasons detailed below. Unfortunately in most cases there are no industry standard options for disabling cookies without completely disabling the functionality and features they add to this site. It is recommended that you leave on all cookies if you are not sure whether you need them or not in case they are used to provide a service that you use.

Disabling cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of the site. Therefore, it is recommended that you do not disable cookies.

The cookies we set

If you create an account with us then we will use cookies for the management of the signup process and general administration. These cookies will usually be deleted when you log out however in some cases they may remain afterwards to remember your site preferences when logged out.

We use cookies when you are logged in so that we can remember this fact. This prevents you from having to log in every single time you visit a new page. These cookies are typically removed or cleared when you log out to ensure that you can only access restricted features and areas when logged in.

This site offers newsletter or email subscription services and cookies may be used to remember if you are already registered and whether to show certain notifications which might only be valid to subscribed/unsubscribed users.

From time to time we offer user surveys and questionnaires to provide you with interesting insights, helpful tools, or to understand our user base more accurately. These surveys may use cookies to remember who has already taken part in a survey or to provide you with accurate results after you change pages.

When you submit data to through a form such as those found on contact pages or comment forms cookies may be set to remember your user details for future correspondence.

Third party cookies

In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.

This site uses Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content.

For more information on Google Analytics cookies, see the official Google Analytics page.

Third party analytics are used to track and measure usage of this site so that we can continue to produce engaging content. These cookies may track things such as how long you spend on the site or pages you visit which helps us to understand how we can improve the site for you.

As we sell products it’s important for us to understand statistics about how many of the visitors to our site actually make a purchase and as such this is the kind of data that these cookies will track. This is important to you as it means that we can accurately make business predictions that allow us to monitor our advertising and product costs to ensure the best possible price.

We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work the following social media sites including; Twitter, will set cookies through our site which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.

More information

Hopefully that has clarified things for you and as was previously mentioned if there is something that you aren’t sure whether you need or not it’s usually safer to leave cookies enabled in case it does interact with one of the features you use on our site. However, if you are still looking for more information then you can contact us through one of our preferred contact methods.

By continuing to browse and use the site, you are agreeing to our use of cookies.

Security

We take security seriously here at Wealth Wizards.

We are a regulated business, comply with all relevant data protection standards, and employ cutting edge cybersecurity to keep our customers safe.

We have a company wide, ISO 27001 certified quality management system called Remus.

We are independently ISO/IEC 27001 certified: Click here to download our Certification
We are regulated by the Financial Conduct Authority: Registration number 596436
We are compliant with the EU Data Protection Directive, To learn more, please read our Data Protection Policy (link in the tab above)

‍

Our Security Approach

Wealth Wizards takes security seriously. We follow three key principles:

Shared – We treat Information Security as a shared responsibility.
Systematic – Managing Information Security is a systematic, continuous activity.
Safe – Ultimately our approach is about keeping our customers and ourselves safe.

‍

Our Management System

We have a comprehensive and innovative Management System – Remus. Remus holds all our policy, risk and control information, and raises and tracks tasks to ensure these are continuously reviewed and improved.

Our Organisation

We employ a Three Lines of Defense model:

First line – Operational and business teams – Remus ensures that controls are in place and are monitored to treat the risks which we and our customers face. Our Platform team implements and monitors security controls on our end user and platform infrastructure.
Second line – We have dedicated risk, compliance and platform teams which monitor the performance of Remus, and provide subject matter expertise for its improvement.
Third line – We run an internal audit programme, and employ external auditors to monitor the performance of our Remus and first and second line teams.

Information Security is a standing agenda item for all of our key committees, up to and including our main board.

Our Policies

We have a comprehensive set of controlled policies covering Information Security. Each is owned by a specific individual in the second line of our defense, with a defined review cadence and approval process.

Our relevant policies include:

Business Continuity Management Plan
Continuous Improvement
Data Handling Policy
Data Protection
Data Protection Impact Assessments (DPIA)
Data Protection Policy
Data Retention Policy
Data Retention Schedules
Group Security Policy
Information Security Consolidated Communication Plan
Information Security Incident Handling Procedure
Information Security Policy
Information Security Roles & Responsibilities
Internal Audit Process
Personal Data Breach Notification
Platform Security
Privacy Policy
Risk Management Policy
Risk Treatment Process
Security in the Software Delivery Life Cycle
Third Party Purchase Procedure

‍

ISO 27001

ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes the requirements for an ISMS (information security management system). It is supported by its code of practice for information security management, ISO/IEC 27002:2013.

Wealth Wizards holds accredited certification to ISO 27001. This provides independent, expert assessment that our information security is managed in line with international best practice and business objectives. We have extended the approach to manage risks across our entire business.‍

‍

Our approach to risk management

We have a unified approach to Risk Management. It’s based on internationally recognised best practice (specifically ISO27001, IS1 and CISSP), and has been designed to be engaging and understandable across our organisation.

The approach covers the assessment and treatment of risk against our agreed risk appetite, and includes consideration of the confidentiality, integrity and availability aspects of each risk.

Risk assessments are triggered;

when any new system is implemented;
when there is a significant change to our risk appetite;
when there is a significant change to our security requirements;
at a cadence appropriate to the area of risk (at least annually);
ad hoc when raised as a concern via our incident management system; or
on a specific event such as a near miss incident.

Risk assessments cover all aspects of our business including:

Our physical assets & security
Our people
Our processes (in particular those relating to data security and handling)
Our suppliers
Our systems
Our platform

Whilst our impact and probability assessment scales are consistent to allow us to compare risks across all domains, our methods are tailored according to best practice in that area.

Security domains

Information cuts across all aspects of our business.

People

We undertake the following checks on all our people:

Verification of name and address
Verification of identity
Verification of previous two years employment history
Disclosure and Barring Service (DBS) check

In addition we perform the background checks required by the Financial Conduct Authority (FCA) for our Financial Advisors.

Security responsibilities are included in all job descriptions, and people receive security awareness training (and undertake qualifications) appropriate to their role. Individual awareness, training and qualifications are reviewed as part of our mastery framework.

Asset management

End user devices

We maintain a complete, real-time inventory of all our End User devices. Our workstations and laptops have anti-virus software included as part of the standard build we deploy across all devices:

We don’t store any data locally on laptops, and we do not allow the use of detachable, portable media (e.g. memory sticks)
We encrypt all local disc storage (to protect cached information)
We use Mobile Device Management allows us to monitor laptop usage, and to remotely wipe/lock down devices
Internet access and network connectivity is routed through our network, with access to services locked to our office locations

Data

We ensure that all data has an appropriate level of protection, and unauthorised access or deletion is prevented:

All data we hold is classified and processed in accordance with our data handling policy
We have procedures in place to ensure that all data is deleted in accordance with the retention period applicable to its classification
We have procedures in place to ensure that any data transferred between us and our customers is secure
Data is encrypted at rest, and in transit across public internet, in accordance with industry best practice
PII Data is further encrypted at column level in datastores.

Access management

Access to our systems is strictly limited to those who are authorised to do so:

User responsibilities are documented, and users held accountable for safeguarding the data they have access to
We employ multi-factor authentication, and password complexity requirements in line with the National Cyber Security Centre guidelines
Access is managed by designated administrators of each given system, and processes are in place to manage access and removal from all systems
Customer and user requests are administered via our Service Desk
Access is segregated where required to ensure that it is controlled and appropriate to the system content
Processes are in place to ensure that access rights are removed in a timely fashion

Cryptography

We operate an encryption policy to protect confidentiality and integrity of information:

PII data is encrypted at column level in data-stores.
All data is encrypted at rest.
Real time application data is transmitted over encrypted TLS connections
We use unique encryption keys for each customer and secrets management and rotation to protect API keys and other access related information

Physical security

We use third parties and our own controls to prevent unauthorised access to our locations:

We use Amazon Web Services (AWS) to host our applications. Details of their approach to physical security can be found here: https://aws.amazon.com/compliance/data-center/controls/
We operate a paper free environment, scanning and shredding all paper documents
All our office locations are protected by key and fob access and appropriate alarm systems
Additional physical devices (such as screen protectors) as used where necessary

Operations security

Although we use third parties to host our information processing infrastructure, we use their Infrastructure as a Service (IaaS). This means we put in place the controls needed to secure our account and platform configuration (the shared responsibility model).

Our controls ensure that our infrastructure is secure, and protected against malware and data loss:

We define our infrastructure as code in version controlled repositories
All our live servers are torn down and replaced by the up to date image on a frequent basis
Pattern updates to anti-malware software are checked at least once a day, with virus scans conducted in real time where possible (and daily where not)
All data is backed up in an encrypted format to encrypted AWS S3 buckets.
We use a third party service to continually scan our infrastructure for vulnerabilities and suspicious activity
We hold immutable logs on system and network activity, and store these centrally
We have a system of alerts which are triggered if any suspicious activity is detected
All applications and services are managed through reviewed, version controlled configuration stores with fully automated deployment systems.
We frequently benchmark our systems against the appropriate Centre for Internet Security (CIS) benchmarks, which represent Industry best practice

Communications security

We employ a variety of processes and technologies to ensure that our communications are protected within our network, and in transit to/from our customers:

We use WPA2 and Active Directory authentication to protect our Wifi network
We use encrypted VPNs for all remote connections to our internal systems
We use a third party, managed, Host Intrusion Detection System (HIDS)
We employ a separate third party to conduct penetration testing on our Infrastructure and applications
We segment our networks by security value
We separate our proving and production environments (and never store user data in non-production environments)
We have procedures in place to ensure that any transfer of information to and from customers is protected by TLS

System acquisition, development and maintenance

Security is an integral part of our entire Software Development Life Cycle:

We train all our people in the relevant technologies for their job role
Our developers undertake OWASP training and refresher sessions
Our code review process covers OWASP vulnerabilities, adherence to secrets policy and the security of our endpoints
We make extensive use of automated testing – this is executed as part of our build process, and also overnight for all our test environments
We maintain a balanced pyramid of tests, automating unit, contract, system and performance tests
All tests are executed as part of our automated build pipeline
We do not make use of any client data for testing purposes
All code is held in configuration managed repositories

We have processes in place to ensure that the third party software and libraries we us are safe:

We automatically check our code libraries for known vulnerabilities
All third party products are risk assessed and reviewed for GDPR compliance:
When we are considering using a new product
When an existing product undergoes a major upgrade
When we change the way we are using an existing product

Release Management

We have controls in place which ensure the software we release is code reviewed, tested and configuration managed:

We use an automated build pipeline to ensure changes are:
reviewed
tested
committed to our configuration managed repositories
scanned for code vulnerabilities
We employ additional governance around the release process where changes can affect the advice which our products give – this requires:
adviser approval
compliance approval

Supplier Relationships

In order to protect the data we hold, we employ a number of controls to manage our interaction with suppliers:

We have a supplier risk assessment tool (Dora) which covers the suppliers financial and security obligations
Our contractual terms cover all aspects of Data Protection compliance, including notification requirements
We regularly review supplier service delivery in line with the agreements we have in place

Incident Management

We have controls in place which ensure a consistent and effective approach to the management of security incidents:

We have a dedicated Service Desk which allows customers and our own people to raise incidents quickly and easily
We have established an open culture which encourages the raising of incidents
We have dedicated roles and responsibilities which cover all aspects of incident management:
Identification
Triage
Containment
Resolution
Communication
We retrospectively analyse all incidents to allow trends to be analysed, and improvements to be put in place

Business Continuity Management

Information security is an integral part of our Business Continuity Plan (BCP):

We maintain a central BCP, with processes for the containment and communication of any continuity event
We rehearse our BCP at least annually
By storing all aspects of the configuration of our systems in code, we are able to rapidly rebuild and redeploy them to other geographical locations in the event of a disaster
We train all our people in remote working safely
We maintain very little of our own infrastructure meaning we are largely unaffected by non-availability of any of our office locations

Compliance

We are a regulated business, and maintain a range of controls to ensure we comply with legal, statutory, regulatory and contractual obligations:

We conform to all the requirements placed upon us by the FCA, Information Commissioner and our certification auditors
We maintain registers for all compliance related events in our management system, Remus
We maintain a registry of relevant legislation, and its impact on the organisation of Security
We run an internal audit programme which verifies our adherence to our obligations
We have an exception process to respond to non-conformances
We employ third party experts to validate our technical approach, and to ensure we are up to date with expert community best practice

This page was last updated on 1st May 2019

‍

Data protection policy

This is the policy of the ‘Wealth Wizards Group’, which is Wealth Wizards Limited and its subsidiaries from time to time including Wealth Wizards Benefits Limited.

The Legislation

Data Protection Act 2018 (DPA 2018)

Data protection obligations are currently set out in the Data Protection Act 2018 (DPA 2018). The DPA 2018 sets out when personal data can lawfully be processed and how it should be processed. It governs processing by data controllers of personal data relating to data subjects.

Reform of the law at EU level: GDPR

In April 2016, the European Parliament approved a general data protection reform package, thereby bringing to a close nearly four years of work overhauling the EU’s data protection rules.

Data Protection Bill (DPB)

In June 2017, the government announced that the DPA 1998 would be replaced by a new Data Protection Bill (DPB). It is intended that the DPB, supplemented by the GDPR, will modernise data protection law in the UK given the demands of an increasingly digital economy and society. When the UK leaves the EU, the GDPR will be incorporated into UK domestic law under the European Union (Withdrawal) Bill currently before Parliament.

The four main areas covered by the DPB are:

General data processing (which will be relevant to an employer’s day-to-day dealings with its workforce).
Law enforcement data processing (the DPB will implement the DPLED).
Data processing for national security purposes (including processing by the intelligence services).
Regulatory oversight and enforcement by the Information Commissioner’s Office (ICO).

Wealth Wizards Limited is a data processor. Wealth Wizards Benefits Limited is a data controller and is registered with the Information Commissioner’s Office.

The Information Commissioner’s Office (ICO)

The Information Commissioner’s Office (ICO) is an independent public body responsible for upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The GDPR requires every member state to provide one or more independent public authorities to be responsible, as a “supervisory authority”, for monitoring its application, in order to protect the fundamental rights of individuals in relation to processing and to facilitate the free flow of personal data within the EU (Article 51(1)). The DPB confirms that the ICO will continue and will be the supervisory authority in the UK (clauses 112(1) and 113(1)).

Data controllers, and (where applicable) their representatives must co-operate on request with the ICO in the performance of its tasks (Article 31, GDPR).

The GDPR and DPB: concepts and definitions

The GDPR and DPB together create a new regime which will govern the processing by data controllers of personal data relating to data subjects. As it is put in recital 11 to the GDPR:

”Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.”

Under the new regime, the definition of personal data is more detailed and reflects changes in technology and the means organisations use to collect information about people. Data controllers will still be required to comply with a set of principles for processing personal data. The new principle of accountability requires data controllers to show how they have complied with the principles. For example, data controllers will not only need to have policies which demonstrate that they comply with the principles, but they will also need to be able to show how the policies have been implemented.

Definitions

Data Subject – the identified or identifiable living individual to whom personal data relates.

Personal data – data held or likely to be held about a living individual who can be identified from the data, including any expression of opinion about the individual. Personal data includes;

CCTV footage if it could be used to match an image to a photo, description or physical image of an individual.
An identifier such as a name, an identification number, location data or an online identifier.
One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Web based tracking technology used with the intention of linking the web user to a name and address would also be considered personal data.

The GDPR does not apply to the personal data of the deceased.

Special categories of personal data (currently sensitive personal data) – Under the DPB, read with the GDPR, there are slight changes to the categories of sensitive personal data currently identified by the DPA 1998 and which are now identified as “special categories of personal data” (Article 9(1), GDPR). This includes information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health, sex life and sexual orientation.

Processing of the special categories of personal data is prohibited unless an exception applies (Article 9(2), GDPR).

The commission or alleged commission of any offence and criminal proceedings are no longer included in the special categories of personal data. They are dealt with separately under the new regime, Criminal convictions and offences.

Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or member state law, the controller or the specific criteria for its nomination may be provided for by EU law or member state law (clause 5(1), DPB and Article 4(7), GDPR).

Data Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8), GDPR).

Pseudonymisation – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (Article 4(5), GDPR).

Recital 28 of the GDPR recognises that applying pseudonymisation to personal data can reduce the risks to the data subjects concerned and enable data controllers to meet their obligations. Pseudonymised personal data can still be covered by the GDPR if, with additional information, the personal data can be attributed to a particular person.

It should be possible for a controller to use pseudonymisation in internal processes, as long as care is taken to identify those authorised to process the data and as long as the additional information needed to attribute the personal data to a specific data subject is kept separate (recital 29, GDPR).

Anonymisation – there is a distinction between information that has been pseudonymised and information that is anonymous. The GDPR does not apply to anonymous information, namely information which does not relate to an identified or identifiable person, or to personal data which has been anonymised so that the data subject is not, or is no longer, identifiable (recital 26, GDPR). This means that the processing of anonymous information for statistical or research purposes is not covered by the GDPR.

The ICO produced Anonymisation: managing data protection risk code of practice, which provides guidance on the way in which data can be rendered anonymous and retained in a form in which identification of the data subject is no longer possible.

Processing personal data – The processing of personal data means an operation (or set of operations) which is performed on personal data (or on sets of personal data), such as:

Collection, recording, organisation, structuring or storage.
Adaption or alteration.
Retrieval, consultation or use.
Disclosure by transmission, dissemination or otherwise making available.
Alignment or combination.
Restriction, destruction or erasure.

Processing of personal data must be carried out in accordance with the data protection principles.

Automated decision-making (including profiling) – Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal, or similarly significant, effects. Recital 71 of the GDPR gives e-recruiting practices which have no human intervention as an example of automated processing. There are limited exceptions to this right which are considered below.

The circumstances in which data subjects can be subject to a decision based solely on automated decision-making, including profiling, are those in which the decision is:

Necessary for entering into, or performance of, a contract between the data subject and a controller.
Based on the data subject’s explicit consent.
Authorised by EU law or member state law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.

In the first two of the exceptions, the data controller must implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, being at least the right to:

Obtain human intervention.
Express their point of view.
Contest the decision.

Decisions may not be based on the special categories of personal data unless either the data subject has given explicit consent or the processing is necessary for reasons of substantial public interest and, in either case, suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests have been put in place.

Profiling – Profiling is any automated processing of personal data which evaluates an individual in order to analyse or predict such things as their performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

Recital 71 of the GDPR suggests that in order to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data is processed, the controller should:

Use appropriate mathematical or statistical procedures for the profiling.
Implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised.
Secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect.

Processing personal data in the context of employment – Under the GDPR, it is open to member states to provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for:

The purposes of recruitment.
The performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements.
The management, planning and organisation of work.
Equality and diversity in the workplace.
Health and safety at work.
Protection of the employer’s or customers’ property.
For the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment.
For the purpose of the termination of the employment relationship.

Any such rules must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to:

The transparency of processing.
The transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

The DPB makes specific provision for the processing of special categories of personal data when it is necessary for the carrying out of rights or obligations under employment law.

Data protection principles

The GDPR sets out a number of principles with which data controllers must comply when processing personal data (Article 5).

Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

‍Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purpose.

‍Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

‍Accuracy: Personal data shall be accurate and, where necessary, kept up to date.

‍Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

‍Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

‍Accountability: The controller shall be responsible for, and be able to demonstrate compliance with the GDPR.

Conditions for lawful processing under Article 6(1)

Processing personal data will be lawful only if, and to the extent that, at least one of the conditions in Article 6 of the GDPR is met. Those conditions (which are similar those under the DPA 1998) are that:

The data subject has given consent to the processing of their personal data for one or more specific purposes
The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract
The processing is necessary to comply with a legal obligation to which the controller is subject
The processing is necessary to protect the vital interests of the data subject or another person
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests and fundamental rights and freedoms of the data subject which require protection of personal data, especially were the data subject is a child.

Criminal Offence Data

The GDPR rules for sensitive (special category) data do not apply to information about criminal allegations, proceedings or convictions. Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10.

Article 10 also specifies that you can only keep a comprehensive register of criminal convictions if you are doing so under the control of official authority. Article 10 says:

“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”

This means you must either be processing the data in an official capacity, or have specific legal authorisation – which in the UK, is likely to mean a condition under the Data Protection Bill and compliance with the additional safeguards set out in the Bill. We will publish more detailed guidance on the conditions in the Bill once these provisions are finalised.

Even if you have a condition for processing offence data, you can only keep a comprehensive register of criminal convictions if you are doing so in an official capacity.

Data Controller Requirements and Duties

Notifying the Information Commissioner

The Data Protection Act 1998 requires data controllers to give details about their processing of personal information to the Information Commissioner for inclusion in a public register, unless they are exempt.

The registration must be renewed annually.

The Data Protection registration number for Wealth Wizards Benefits Limited is: ZA163085.

Notification process

The details to be notified are:

name and address of the data controller or their representative
description of the information being processed
purpose of processing the information
those to whom the information will be or may be disclosed
countries outside the European Economic Area (the EU plus Norway, Iceland and Liechtenstein) where data may be transferred
certain details on information security measures

Notification can be initiated by calling the Information Commissioner Notification Line on Telephone: 01625 545 740.

The period of notification is one year. Notifications must be renewed annually. There is an annual fee of £35. Changes to a notification entry must be notified as soon as possible and are made free of charge.

Wealth Wizards Benefits Limited is the Data controller and responsible for all the data held on their clients. The DPC for Wealth Wizards Benefits Limited is the Governance & Information Security Manager.

‍