Privacy Policy

Date of last update: April 2023

 

Introduction
The website www.SJSAdmin.co.uk (the “website”) is owned by SJS Admin (“we/us”).

If you are reading this you have found our website.  We try to get you to read our website by creating information that is useful for you.

This policy sets out the basis on which any personal information we collect from you, or that you provide to us, through this website will be processed by us.  We are committed to ensuring that your privacy is protected.  Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.   If you don’t contact us and give us your details, we don’t have your details.

If you have any questions about how we handle other data (which we hold, but which was not collected through this website), please read our Privacy Policy below.

 

By providing us with your data, you warrant to us that you are over 13 years of age.

SJS Admin is the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice).

We are committed to protecting the privacy of visitors to our Website and complying with all applicable laws in the use of the information we collect about you.   Please read the following policy carefully to understand our views and practices regarding your personal information and how we will treat it, including what type of information is collected and tracked on the website, how the information is used, and with whom the information is shared.

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We should be grateful if you would contact us first if you do have a complaint so that we can try to resolve it for you.

 

Who is holding your information?

Our registered office is 30 Beverley Close, Wylde Green, Sutton Coldfield, B72 1YF. Jane Perry and Sarah Wilde are the two Partners, and between us we are SJS Admin.

 

Changes to our Privacy Policy

We may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes.  This policy was last updated 1st April 2023.

 

Data sharing

We do not sell, exchange or share the data we hold with organisations who may want to sell you something or use your data for research or other purposes. Nor are we planning to do so.  If at any point we decided to exchange lists with another organisation, we would ask you to ‘opt-in’ to such a system. Our continuing silence means we are not doing so.

 

Who has access to your data?

We restrict who can access data that is held, and this is limited to the Partners and employees/colleagues of SJS Admin only, and also a number of individuals who are authorised to back up our data.

What data do we collect, and how do we use that data?

We might collect data from you, from any one of three places, within our Website:

Our enquiry form on our Contact Us page

If you complete the enquiry form on our Contact Us page, this might include:

• Name

• Email address

• How you heard about us

• The nature of your enquiry

Your personal information will be treated as confidential by us and held in accordance with current Data Protection Legislation. By submitting an enquiry form via our website, you consent to being contacted by SJS Admin Limited without prior notice or arrangement by using the contact details provided on the form, and as such we will contact you in relation to our services. 

We require this information to understand your needs, to deal with your enquiry, and also to potentially provide you with a service, should you become a customer.  Your details will never be shared with anyone else.  Furthermore your details will never be used for direct marketing purposes. 

 

Sensitive data

We do not collect any Sensitive Data about you through our website. Sensitive data refers to data that includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offences.

 

Where is your data located?

In common with most small businesses, we do not have any tailor-made software – we use mainstream packages for everything we do.  All of our data is held on our secure server, and all data remains in the UK. Access to our secure server is encrypted and password protected.  Access is restricted based on security groups and permissions using Dual Form Factor authentication, and secured direct point-to-point connections provide further security.  There are no paper records held.

 

Data security
We are committed to ensuring that your information is secure. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

 

Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

 

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:

– Request access to your personal data

– Request correction of your personal data

– Request erasure of your personal data

– Object to processing of your personal data

– Request restriction of processing your personal data

– Request transfer of your personal data

– Right to withdraw consent

 

If you wish to exercise any of the rights set out above, please contact us at: info@SJSAdmin.co.uk

   

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.  We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

  

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

 

Queries about privacy

If you have any questions/comments or requests about privacy, please feel free to contact us at:  info@SJSAdmin.co.uk

Data Protection 

 

SJS Admin is not regulated by the FCA.  However, we directly support firms who are, and who rely on our service.  

The responsibility for any outsourced business activities, and compliance with the FCA rules, remains with you, as the regulated firm.  That’s why it’s so important that we are able to provide you with reassurance, in terms of how we’ll handle your client data.

 

GDPR

The General Data Protection Regulation (GDPR) was implemented in May 2018, replacing the Data Protection Act.  It’s a complex piece of legislation, and firms now need to demonstrate greater responsibility in terms of how they handle client data.  This was the most important change in data privacy legislation in 20 years, and all businesses in the UK have had to comply. 

Under the GDPR rules, data controllers (financial advisers) have a responsibility to ensure that they are only working with firms that can demonstrate compliance with GDPR.  When you outsource, the firm that you outsource to is effectively your data processor.  Before engaging with a third party, you should carry out due diligence on that firm to ensure that they can comply with the requirements.

 

Where Does SJS Admin Hold Data?

We access and use data owned by regulated firms with their permission, during the period of engagement.

As intermediaries, financial advisers are classed as ‘data controllers’ and when we use their data (with their permission), we have a duty of care in terms of how we handle that data, and to ensure that security and confidentiality are maintained.  We are effectively the “data processors”.

The regulated firm may grant us permission to access their data through various different mediums.  For example:

– Back-office system

– Cloud-based filing

– Third-party investment platform

– Product provider online services

– Within an email account at their domain

– Within their own server or hosted desktop

The regulated firm retains ownership of the data, and control in terms of access rights to all third-party mediums. The regulated firm dictates to us where their data sits, and remains responsible for the assessment of whether these different platforms are secure, and compliant with current data protection legislation. If data goes outside of the EEA, the regulated firm is responsible for informing the data subject, or for seeking consent, wherever it may be appropriate to do so.

Within the course of business, data may be received into an SJS Admin email account which sits within a secure hosted platform.  Data for each regulated firm is entirely segregated, and access rights are restricted based on security groups and permissions within the firm.  Access is password controlled, and all data remains within the UK.

Furthermore, if a regulated firm has asked to share data with us through Dropbox, data may also be held within our Dropbox account. (This is only if requested by the regulated firm).  The regulated firm retains control over the access rights to their data within Dropbox, and access can be withdrawn at any time.

Should a regulated firm disengage from our service, all data held by SJS Admin that is owned by the regulated firm will be deleted from our server within 2 weeks.  (We will ask the regulated firm if they require copies before we delete the data).

 

Who Does SJS Admin Share Data With?

In terms of client data owned by the regulated firm, we do not share this data with anyone (unless instructed to do so by the regulated firm in providing an administrative service).   In terms of data held about the regulated firm, and our contact with them, again, we do not share this data with anyone.

 

Secure Transmission of Data

We use Office 365, OneDrive, Dropbox and the ESET Endpoint Encryption Secure Messaging Service when sending confidential data from our SJS Admin email accounts. The Secure Messaging Service is a user-friendly, cloud-based secure channel for sending and receiving sensitive information via email.  Sensitive information never leaves the Secure Messaging portal, but is facilitated by email. In addition to this protection, all devices are encrypted, with ESET security in place.

Please note, however, that regulated firms are responsible for providing a method for the secure transmission of their data, whether that is by email encryption, or through a secure communication portal.  When using an email account at a regulated firm’s domain, the regulated firm owns the email account, and is responsible for the server on which the email account sits.  We access a regulated firm’s email account during the period of engagement, but the regulated firm remains responsible for the purchase, installation and maintenance of encryption software on the email accounts that they own.

We strongly recommend that you have appropriate technology in place, enabling the secure transmission of your data, in line with the expectations of current data protection legislation.  If you do not have appropriate technology in place, we can discuss implementing a procedure for you whereby we password protect PDF documents attached to your emails.  Please feel free to ask for further details.

 

Internal Policies
We work to extremely strict guidelines when handling client data, and we adhere to the following internal policies:

– Data Protection

– Privacy

– Cyber Security

– Email Usage Policy

– Colleague Confidentiality

– Colleague Code of Conduct

Our Data Protection and Security Policy covers various areas, including:

– Remote Working

– Authentication of caller

– Authentication of emails

– Secure Desk Policy

– User ID and Password Policy

– Confidential waste

– Personal computers, laptops and mobile phones

Colleagues are required to confirm their understanding of, and adherence to, the firm’s policies and procedures annually.  

 

 

Colleague Training

Every colleague undertakes annual training and testing on:

– Anti-Money Laundering & Financial Crime

– Data Protection

 

Operational Procedures

We have documented procedures and best practice guidelines in place for our colleagues.  When supporting you, we will also adhere to your company procedures, whilst taking account of our own best practice guidelines.  For example, if you don’t have a method of capturing a clear and documented audit trail, we’ll still ensure that an audit trail is maintained at all times.

 

Business Continuity

We have a robust business continuity plan in place, which is reviewed and updated regularly. 

 

Data Protection Registration

SJS Admin is registered with the Information Commissioner’s Office for data protection.  ICO reference: ZA783874

 

Non-Disclosure

As you would expect, confidentiality forms part of our Service Agreement and our contract with you. However, if you would also like us to sign your own non-disclosure agreement, we’ll be happy to do so. 
