Data Protection and Client Confidentiality
Confidential Information
Confidential information is information which is not public and which is imparted or (in the case of information belonging to Messels) developed in circumstances which would reasonably be understood to indicate it should be kept confidential. The law makes a general assumption that unpublished information communicated in a business context is confidential. It is not possible to provide a comprehensive list of Confidential Information, but it includes non-public client information.
In the normal course of business, Employees may come into possession of Confidential Information. This could relate to clients or to Messels itself. Messels’ duty of confidentiality, the insider dealing legislation, the Market Abuse Regulation and, where applicable, the requirements of data protection legislation will all apply to the treatment of this information. Messels must ensure that all Confidential Information is handled carefully and properly.
Confidential Information should only be disclosed on a ‘need to know’ basis. Any disclosure should take into consideration legal, regulatory and contractual restrictions for use and distribution of such information. Confidential Information must not be disclosed or used for either the personal gain of the recipient or the benefit of any person who has not been properly authorised to receive the information.
Data Privacy
Data privacy (of clients and personnel) has become a major political and legal issue in many jurisdictions. A variety of laws in each of those jurisdictions governs the collection, storage, dissemination and use of personal information and patient health information. These laws can work to limit transfers of such data across borders.
Messels will comply with all provisions of these laws including the privacy, security and electronic transmission of financial, health and other personal information. Messels must keep all data confidential in accordance with the Compliance Manual. Note also the General Organisational Requirements in Chapter 4.
Observing Strict Confidentiality on Client Positions and Information
We owe a clear duty of confidentiality to all our clients. We undertake in writing in our standard Terms of Business to keep all information we receive in connection with any business done with the client under those Terms of Business private and confidential, confirming that it will not be disclosed to any other person except if:
a) the client gives their prior consent;
b) we are required to disclose information to a regulator having jurisdiction over us; or
c) we need to disclose information in order to carry out our obligations under the Terms of Business.
As a consequence, Employees may never discuss any aspect of any client’s business, even in the most general terms, with any other person except:
a) the client themselves; and
b) with the full prior knowledge and involvement of the Compliance Oversight Officer, any relevant regulators.
The General Data Protection Regulation (GDPR)
The GDPR sets out seven key principles:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability
Article 5 of the GDPR sets out these seven key principles, which lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 5(2) adds that:
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
The principles lie at the heart of the GDPR. They are set out right at the start of the legislation and inform everything that follows. They do not give hard and fast rules, but rather embody the spirit of the general data protection regime, and as such there are very limited exceptions.
Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to Messels’ compliance with the detailed provisions of the GDPR.
In addition to potential harm to the interests of clients and reputational damage to Messels, failure to comply with the principles may leave Messels open to substantial fines.
Messels’ Policy
Messels’ policy governing the use of personal data is set out in the Data Protection Policy, available on the website.