Should I expect a financial adviser to keep my finances confidential?
-
I am partly playing devil's advocate,
It's been an interesting thread nonetheless.
I know - and agree, it is what these forums are about.
.... here is a real world scenario for you. I work for a large financial institution and was involved in the implementation for GDPR.
Couple with joint mortgage. Mr can't work as is ill - mortgage goes into arrears - bank call home line and Mrs answers - she passes identity verification - we are not allowed to refer to Mr's health and employment situation without his express authority to disclose, even though Mrs is jointly liable for the full debt. Crazy world!
-
I too have had to organise data protection as part of a responsible organisation that takes its responsibilities seriously in terms of security including data protection. The original DP act had requirements and associated good practice. GDPR made a lot of the good practice mandatory i.e. a legal requirement.
To support those who seem to know about GDPR rather than those who seem to perhaps be considering 'how a FA does his job'.......
I can well understand how sharing of financial data (assets, income, aims, whatever) between associated people (such as but not limited to spouses) makes for best financial advice and the lack of share makes giving good or correct advice rather difficult, if not impossible.
However under GDPR the data controller (here the FA) cannot make the presumption that sharing of data from associated persons is implied.
From the ICO web pages on GDPR:
[QUOTE]Article 5(1)(f) of the GDPR concerns the 'integrity and confidentiality' of personal data. It says that personal data shall be: 'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'[/QUOTE]
The protection against 'unauthorised' processing includes confidentiality and applies to both processing within an organisation and release to third parties where not authorised (there are a few exceptions but they do not apply here). It is also required that a risk assessment is conducted and authorisation needs to be sought by the Data Controller (here it is assumed that it is the FA or another person in the organisation).
It is not sufficient to assume there is consent owing to custom and practice, to perform the service or that financial data sharing between spouses is common and usually accepted.
Unauthorised disclosure is a breach of GDPR.
Well that is my understanding. Perhaps those (respected) financial posters can point to where those general comments I make do not apply in the financial world and the legal justification to support that? (Yes there are a few circumstances where disclosure is required by law but I cannot see any that might apply in the OP's circumstances.)
Now whether the OP's FA disclosed personal data in an unauthorised manner and was GDPR breached (on one or more counts) cannot be answered here. It is for the Information Commissioner to rule on that given all the evidence.
-
....and yes danm's example does seem crazy......
.....but, under GDPR, there ought to have been a risk assessment up front (or when GDPR came in) that identifies that joint accounts can have those type of problems and authorisation sought prior to that risk materialising?
A lot of work......YES
-
Heedtheadvice wrote: »I too have had to organise data protection as part of a responsible organisation that takes its responsibilities seriously in terms of security including data protection.
Hence my interest in the subject - and the fact the past three years of my life has been in this area
As you say the most important thing to remember is explicit consent
You cannot assume anymore that consent is given just because the couple is married
-
Heedtheadvice wrote: »
Unauthorised disclosure is a breach of GDPR.
Well that is my understanding. Perhaps those (respected) financial posters can point to where those general comments I make do not apply in the financial world and the legal justification to support that? (Yes there are a few circumstances where disclosure is required by law but I cannot see any that might apply in the OP's circumstances.)
Now whether the OP's FA disclosed personal data in an unauthorised manner and was GDPR breached (on one or more counts) cannot be answered here. It is for the Information Commissioner to rule on that given all the evidence.
GDPR revolves around personal data which can be used to identify someone - things like a name, email address, NI number.
It's really bad practice but I'm not convinced there is a breach of /personal/ data here, because the spouse is already known to the OP and financial details don't constitute identifiable data.
-
MaxiRobriguez wrote: »GDPR revolves around personal data which can be used to identify someone - things like a name, email address, NI number.
It's really bad practice but I'm not convinced there is a breach of /personal/ data here, because the spouse is already known to the OP and financial details don't constitute identifiable data.
There is no requirement for the data to be used to identify someone for it to be a breach, and so disclosing financial data belonging to an identifiable individual without their explicit consent is clearly a breach, even if such disclosure is to someone who already knows the subject.
-
MaxiRobriguez wrote: »GDPR revolves around personal data which can be used to identify someone - things like a name, email address, NI number.
It's really bad practice but I'm not convinced there is a breach of /personal/ data here, because the spouse is already known to the OP and financial details don't constitute identifiable data.
The IFA produced a report which contained information about an individual's financial assets/ activities and presumably included personal data which can be used to identify them, e.g. their name - either right next to the data, or in the title of the report.
They sent the report to a second person. The report sent to the second person included the financial information of both the individuals. As a consequence, the second person has obtained the financial information of the first person together with the identifying information (e.g. name) of the first person.
Whereas, under the UK data protection regulations, the second person should not have been able to obtain financial information (portfolio, transactions, balances etc) together with identifying information showing that the portfolio, transactions, balances etc related to the first person.
-
Could the financial adviser attempt to rely on the exemptions in Regulation 6(1)(b) and (c) of the GDPR, which permit processing of personal data as follows?
"processing is necessary for the performance of a contract to which the data subject is party"
"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party"
As others have pointed out, knowledge of each spouse's financial situation is necessary to provide complete/proper financial advice.
Even if there is a GDPR breach here, it is very minor and in understandable circumstances. The chances of the IFA being fined or punished are close to zero.
-
Personally I don't believe that the above exemptions would permit the IFA to disclose one person's data to another without consent - if the IFA (understandably) felt that the quality of advice would be better if a holistic approach was adopted then they'd be quite entitled to suggest this to both parties so as to gain their consent, but IMHO it in no way gives the adviser carte blanche to share data without such consent....
-
There is absolutely zero chance of the IFA getting fined, or any kind of investigation for this, even if reported. In fact even if he had accidentally sent it to the wrong address and a complete stranger opened it, I doubt there would be any chance of a fine.
The ICO publish a list of all fines levied and you will not find a single example of any organisation/individual being fined for anything this small.
This discussion has been closed.