25 thMay 2018
About this policy
Robertson & Co operates as both a data controller and a data processor. During the course of our legitimate business activities Robertson & Co process various types and categories of personal data, and do so in a fair and lawful basis.
Who we are and how to get in touch with us
Robertson & Co (Investigations) Ltd are a claims validation and investigation company who operate within the public and private sectors on behalf of insurance companies, their legal suppliers and other legitimate third parties. We therefore process personal information for the purposes of providing lawful and ethical investigation and claims validation services.
Our contact details are as follows:
Address: Unit 21, Fyfield Business & Research Park, Ongar, Essex, CM5 0GN
Tel: 01277 366 900
How we collect your personal information
During the course of our legitimate business activities we will collect personal information about you. Information that is derived from a number of sources.
Sometimes information is obtained directly from you such as when you contact us via our online enquiry form, send us an email, write to us or contact us by telephone. Such personal data may include information such as your name, email address and telephone number for instance. At times we may also process sensitive personal information that you have directly provided to us during the course of our interactions (such as during a witness or employment interview).
When there is a lawful basis for doing so, we may also collect information about you from selected third parties such as our insurer, legal or corporate clients and other applicable regulatory organisations.
This information will typically include your name and contact information as well as any other additional information that they provide us at the time of engagement. This information may consist of sensitive personal information that you have provided to our client (such as details of convictions, medical conditions or ethnic background), but only when it is relevant and necessary to our involvement and enquiries.
Information may also be collected from publicly available sources such as online directories, the electoral register, social media and other open websites.
Robertson & Co use ‘Cookies’ and Google Analytics to help us monitor how many people view each page of our website and how they found our site in the first instance. These cookies do not allow us to see who you are or any of your personal information other than your IP address.
Cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any other information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may however prevent you from taking full advantage of the website.
The ways in which we use your personal information
In the event that we collect and process your personal information, we will only use it for the purpose in which it was collected for in the first instance and when we have a necessary and lawful basis for doing so. These are made up of a number of Robertson & Co’s legitimate interests which include:
- Communicating directly with you following an initial enquiry that you prompted.
- Communicating information via direct marketing regarding products and services similar to those that were originally of interest to you. You can opt out of such communications at any time by emailing email@example.com.
- Conducting pre-employment reference and financial probity checks, if you have approached us relating to a vacancy.
- Undertaking and provision of our legitimate business interests of claims validation and investigation services.
- Preventing and detecting unlawful acts and offences such as fraud.
- Protecting the public against dishonesty.
Under no circumstances will Robertson & Co sell personal data to any third parties.
Who your personal information is shared with
As we are typically appointed to assist in the validation or investigation of an insurance claim or similar dispute, we are contractually obliged to share your information with our client/your insurer. If you are a customer of our client, and you fail or refuse to provide necessary information to us then this may impact their ability to process or progress your claim.
Robertson & Co may on occasions provide personal information to a select and approved number of third parties who have a relevant and necessary role to play in our processing activities. Such parties may include law enforcement agencies (if a police report is being sought in relation to an incident), the DVLA and translation service providers.
Robertson & Co also retain the right under law to provide information to law enforcement agencies and other industry regulating organisations in the interests of preventing or detecting criminal offences.
Your personal information is not transferred outside of the European Economic Area during the course of our normal processing activities. If a need to do so arises (such as the transfer is necessary for legal proceedings) then appropriate assurances and safeguards will be sought to ensure that your rights are not at risk.
How we securely store your personal information and how long for
Robertson & Co use appropriately secure physical and electronic safeguards in order to protect your personal information from any unauthorised access or unlawful processing.
Any physical documentation containing personal information is stored in locked filing cabinets which are kept in a secure environment which is subject to restricted access.
Any personal information held or transferred electronically on computers and computer systems is:
- Held on ISO 27001 standard networks with appropriate technical safeguards in place.
- Subject to our Encryption Policy. Any documentation containing personal data is encrypted with a password before it is sent electronically.
- Subject to strict ‘Access Controls’ so that only relevant personnel have authorised access to stored personal data, necessary for the undertaking of their role.
Robertson & Co will only keep your personal information for as long as is necessary and where there exists a genuine business need. This duration may be determined by a number of factors, including:
- The original purposes for which we processed the information in the first instance and whether it is necessary for meeting our legitimate interests.
- Whether or not we have a lawful basis to continue to process the information.
Due to the typical lifecycle of an investigation, claim and subsequent legal proceedings, Robertson & Co will retain data related to our core business activities for a period of 7 years where there remains a legitimate business need.
A shorter retention period of 3 months is set for the personal data of those individuals who make enquiries via our website and also candidates who have been involved in a recruitment process but ultimately not offered a position of employment.
After this time, your personal information will be securely destroyed or deleted where appropriate.
Your legal rights and requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. Before we can provide this, in order to protect your personal information we will need to verify your identity. Where the information we hold is insufficient for this purpose, it may be necessary for us to request further information and assurances in the form of original documentation.
To make a request for your personal information, please contact:
Sean Littlejohn, Data Protection Officer,
c/o Robertson & Co, P O Box 5026, Ongar, Essex, CM5 0RS
You also have the right to:
- Object to our processing of your personal data in certain circumstances
- Object to decisions being taken by automated means and request human intervention
- Object to your personal information being used for the purposes of direct marketing
- Have inaccurate personal data rectified, blocked, erased or destroyed, in certain circumstances
- Request that processing of your personal data is restricted when you perceive that processing to be unlawful, the information is inaccurate or you disagree with our processing of your information under our legitimate interests
- Request the information you have provided to us to be transferred to another data controller, free of charge and in a common and accessible format
- Withdraw your consent at any time, where our processing of your personal information relies upon your agreement
On occasions where we collect your personal information from other sources other than directly from you, we may not be required to provide you with this information if:
- A necessary and lawful exemption from doing so exists
- Doing so would prejudice an ongoing legal dispute
- We are obligated to maintain confidentiality as part of our professional services and agreements with clients, and are legally entitled to do so under EU and UK law
For further information and guidance on your personal information rights under current data protection regulations, please visit the following page of the Information Commissioner’s website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance.
If, at the conclusion of our complaints procedure you do not feel that we have adequately dealt with your concern you may make a complaint directly to:
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow Cheshire, SK9 5AF
- Tel: 0303 123 1113
- Or alternatively go online at https://ico.org.uk/concerns/
From time to time, Robertson & Co may make changes to this Privacy Notice as required. However, in the event that we decide to use your personal information for a different purpose to which it was originally obtained, we will provide further information about its usage before commencing the processing. We will also seek your consent beforehand if appropriate.