Data Protection Act 2018
Advisers must recognise their legal duties under the Data Protection Act 2018 (DPA 2018) to ensure they can correctly collect, respond to and store information about their clients. The DPA 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
The key elements are as follows.
•Collect relevant information: advisers should record relevant details about a client’s situation; this can be used to identify vulnerability. Explain to the client why the information is being collected, to improve trust and rapport.
•Adviser’s legal duty: the adviser’s organisation must have a policy on what information needs to be collected and how it will be used, stored and disposed of under the DPA 2018.
•Explicit consent: information on a client’s vulnerability is ‘special category data’ (sensitive data). The client must give their explicit consent for this data to be recorded. Explain why this information is being collected, how it will be used and who it will be shared with. The client can withdraw their consent at any time.
•Data processing: information held about the client must be adequate, relevant and not excessive. It must be up to date and not kept longer than needed. The adviser must review the information with the client, especially if their situation changes, and update case notes accordingly.