4. Data protection and sensitive personal data
Certain information that a client gives an adviser is defined as ‘sensitive personal data’ by the Data Protection Act 2018 (DPA 2018). Before you can record this type of information, you need to obtain the ‘explicit consent’ of the client to do so. To meet your responsibilities under the DPA 2018, you must ensure that the client has received an explanation of how their information will be processed and that they have given explicit consent for this to happen. This explanation must include why their data is being collected, how it will be recorded, used, shared, stored and deleted, and when this will take place. You must also explain to the client that they can withdraw their explicit consent at any time and the process for doing so.
If an adviser or agency breaches the DPA 2018, they can both be sanctioned by the Information Commissioner’s Office. This can include a hefty fine for serious continual breaches.