Data Protection Policy
International General Insurance Group (IGI)
Authors
Author / Department / Role: Moore Stephens

Ownership
Document Name:

Contributors
Contributor / Department / Role:
Rawan AlSulieman, Legal Department, Chief Legal Officer - Company Secretary
Reem Naouri, Compliance Department, Senior Compliance Officer

Reviewers
Reviewer / Department / Role:

Sign-off Authorities
Date or reference of the meeting / Role: Risk and Audit Committee

Classification
Data Classification: Confidential / Public

Version Tracking
Version / Date / Requester of Change / Author / Change Description - Comments:
1.0, 24/5/2018, GDPR requirements, Moore Stephens

Distribution List
Version / Date / International General Insurance / Other (Name & Company):
1.0, 24/5/2018
Change Mechanism
Any requirement for change must be addressed to the authors.
For documents with draft status, the authors may make changes at will.
For documents with controlled status, changes must be approved by the Head of Department Owner.
Any question, remarks or suggestions related to the present document should be addressed to Group Compliance at the following
email address: [email protected]
Contents
1.1 Policy Principles  4
2.0 Accountability and governance  4
2.1 Roles and responsibilities  4
2.2 Documentation  5
2.3 Data protection by design and default  5
2.4 Lawful basis for processing  5
2.5 Security  6
2.6 Contracts  6
2.7 International transfers  6
2.8 Data breaches  7
2.9 Compliance and reporting  7
2.10 Training and awareness  7
3.0 Individual rights  7
3.1 Right to be informed  8
3.2 Right of access  8
3.3 Right to rectification  8
3.4 Right to erasure  8
3.5 Right to restrict processing  9
3.6 Right to data portability  9
3.7 Right to object  9
Appendix I - Data Audit  11
Appendix II - Privacy Notice  20
Appendix III - Data Protection Impact Assessment  20
Appendix IV - IGI - Data Breach Procedure  25
Appendix V - Subject Access Request  27
1.0 Introduction and background
The purpose of this Policy is to outline how IGI has established measures to maintain compliance with the EU General Data Protection
Regulation (hereinafter referred to as the “GDPR”).
The Policy contains two components:
Section 2.0: measures to reinforce accountability and governance.
Section 3.0: measures to demonstrate the protection of the information rights of data subjects.
1.1 Policy Principles
Article 5 of the GDPR requires that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those
purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal
data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving
purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the
appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of
individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, there is a requirement that:
The controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
2.0 Accountability and governance
This Policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with the General
Data Protection Regulation. These measures have been designed to minimise the risk of breaches and uphold the protection of personal data.
This section on accountability and governance considers:
Roles and responsibilities: the responsibilities of the Board, Data Compliance Officers, information owners and general employees.
Documentation: IGI’s requirements in respect of documenting processing.
Data protection by design and default: IGI’s requirements for Data Protection Impact Assessments.
Lawful basis for processing: IGI’s Policy on determining the basis for processing.
Security: Security Policy measures designed to protect information confidentiality, integrity and availability.
Contracts: the measures that should be in place to ensure contractual relationships maintain GDPR compliance.
International transfers: oversight measures for international transfer of data.
Data breaches: principles for detecting and responding to data breaches.
2.1 Roles and responsibilities
Background:
While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR's
emphasis elevates their significance. IGI is expected to put into place comprehensive but proportionate governance measures.
Policy requirements:
1. IGI has defined Michael Farah as the ‘Data Compliance Officer’.
2. The DCO’s responsibilities include:
o Informing and advising IGI and its employees about their obligations to comply with the GDPR and other data protection
laws.
o Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection
activities, advising on data protection impact assessments, training staff and conducting internal audits.
o Acting as the first point of contact for supervisory authorities and for individuals whose data is processed (employees,
customers etc).
3. The DCO reports to the Board of Directors of the relevant entity on a quarterly basis.
4. The Board’s responsibility is to provide effective governance over IGI’s affairs for the benefit of the shareholders and to balance the
interests of its diverse stakeholders, including its customers, employees, international suppliers and communities.
5. The Head of IT will report to the Enterprise Risk Management Committee (ERMC) any data breach escalated to them.
6. Employees are obligated to report any breach to the DCO of the company as soon as they are aware of it.
2.2 Documentation
Background:
The GDPR contains explicit provisions about documenting IGI’s processing activities. IGI must maintain records on several things such as
processing purposes, data sharing and retention. IGI may be required to make the records available to the Information Commissioner’s Office
(the “ICO”) on request.
Policy requirements:
7. Where IGI is a controller for personal data, IGI maintains documentation in a manner consistent with Article 30(1) of the GDPR.
8. Where IGI is processor for personal data, IGI maintains documentation in a manner consistent with Article 30(2) of the GDPR.
9. If IGI processes special category or criminal conviction and offence data, IGI documents:
o the condition for processing under the Data Protection Bill;
o the lawful basis for processing; and
o whether the personal data is erased and retained in accordance with IGI Policy.
10. IGI conducts regular reviews of the personal data processed and updates documentation accordingly.
2.3 Data protection by design and default
Background:
Under the GDPR, IGI has a general obligation to implement technical and organisational measures to show that IGI has considered and
integrated data protection into processing activities.
Policy requirements:
11. IGI carries out a Data Protection Impact Assessment (‘DPIA’) (Appendix III) when:
o using new technologies; and
o the processing is likely to result in a high risk to the rights and freedoms of individuals.
12. Processing that is likely to result in a high risk includes (but is not limited to):
o systematic and extensive processing activities, including profiling, where decisions have legal effects or similarly
significant effects on individuals.
o large scale processing of special categories of data or personal data relating to criminal convictions or offences. This
includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large
number of individuals; and involves a high risk to rights and freedoms e.g. based on the sensitivity of the processing
activity.
13. The decision of whether to conduct a DPIA is supported by a documented risk assessment and is endorsed by the DCO.
2.4 Lawful basis for processing
Background:
Under the GDPR, there are six available lawful bases for processing. IGI has documented the relevant lawful basis for processing and the
purpose of that processing in its Information Asset Register.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever IGI processes personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps
before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function
has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a
good reason to protect the individual’s personal data which overrides those legitimate interests.
Policy requirements:
14. The lawful basis for processing must be considered and documented in line with the ‘Data Audit’ as detailed in Appendix I of this
Policy.
15. With new systems or processes, IGI must determine the lawful basis and purpose of processing before beginning processing (usually
as a part of the DPIA).
16. The IGI public privacy notice includes the lawful basis for processing as well as the purposes of the processing.
17. If IGI is processing special category or criminal offence data, both a lawful basis for processing and a special category condition for
processing must be documented in the Data Audit document and DPIA. IGI should document both the lawful basis for processing and
the special category condition to demonstrate compliance and accountability.
18. IGI obtains the consent of prospective candidates to process their employment applications submitted through the website.
2.5 Security
Background
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are
used.
Policy requirements:
19. IGI has defined and implemented an IT Security Policy and supporting management system to maintain effective and proportionate
security.
2.6 Contracts
Background:
The GDPR requires diligence and clarity in entering into third party relationships. Whether IGI is a processor or controller, there are
mandatory requirements relating to the contracts that are in place.
Policy requirements:
20. Whenever IGI acts as a controller a written contract must be in place with the processors. Standards to be applied to the contracts
have been defined by the Information Commissioner’s Office.
21. Whenever IGI acts as a processor, IGI must only act on the documented instructions of a controller (as specified in a valid written
contract). Standards to be applied to the contracts have been defined and are documented by the Information Commissioner’s
Office.
22. On an annual basis, the DCO will review third party relationships to determine the risk posed by processing. This will be documented
as a part of a DPIA.
23. Based on this assessment, the DCO will determine the most appropriate means to validate that contractual obligations in relation to
data processing are being adhered to.
24. The DCO will present this assessment, and the results of compliance visits, to the Board at least annually.
2.7 International transfers
Background:
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.
These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
IGI may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must
be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided for
by:
a legally binding agreement between public authorities or bodies;
binding corporate rules (agreements governing transfers made between organisations within a corporate group);
standard data protection clauses in the form of template transfer clauses adopted by the Commission;
standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the
Commission;
compliance with an approved code of conduct approved by a supervisory authority;
certification under an approved certification mechanism as provided for in the GDPR;
contractual clauses authorised by the competent supervisory authority; or
provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory
authority.
Policy requirements:
25. Requests for international transfer of data must be submitted to the DCO once for each function and type of document.
26. The DCO must record requests for international transfer received.
27. The DCO will consider the DPIA in relation to this transfer and the appropriate means of adopting safeguards.
2.8 Data breaches
Background
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data. This means that a breach is more than just losing personal data.
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority. In some cases,
organisations will also have to report certain types of data breach to the individuals affected.
Policy requirements:
28. The DCO must be notified of all breaches to this Policy as soon as possible.
29. The DCO must record breaches and work with the information owner to consider the likely impact of the breach.
30. Where a breach is considered notifiable to the Information Commissioner, the DCO must immediately inform the Board.
31. A notifiable breach has to be reported by the DCO to the relevant supervisory authority within 72 hours of IGI becoming aware of it.
The notification must contain:
o The nature of the personal data breach including, where possible:
o the categories and approximate number of individuals concerned; and
o the categories and approximate number of personal data records concerned.
o The name and contact details of the data protection or other contact point for more information.
o A description of the likely consequences of the personal data breach.
o A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where
appropriate, of the measures taken to mitigate any possible adverse effects.
32. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, IGI will notify those concerned directly.
33. The DCO must present an analysis of breaches and near misses to the board at least annually.
34. All employees must be trained to recognise, and escalate breaches.
35. A detailed Data Breach Policy is found in Appendix IV.
2.9 Compliance and reporting
Background
Monitoring compliance with the GDPR is a key role of the Data Compliance Officer (‘DCO’). The DCO must also report compliance to the
Board.
Policy requirements:
36. The DCO is responsible for developing a compliance monitoring plan for this Policy.
37. The compliance monitoring plan should be submitted to the Board for approval at least annually.
38. Progress to deliver the plan, exceptions noted, breaches and near misses and updates on progress to address material deviations
from compliance with the Policy must be reported by the DCO to the Board at least quarterly.
2.10 Training and awareness
Background
Employee awareness of the GDPR, and their role to protect the privacy of data subjects, is core to IGI’s compliance programme.
Policy requirements:
39. Employees must be trained on the requirements of this Policy at least annually through the annual Compliance Training and the
induction training for new joiners.
3.0 Individual rights
The GDPR provides the following rights for individuals:
o The right to be informed
o The right of access
o The right to rectification
o The right to erasure
o The right to restrict processing
o The right to data portability
o The right to object
o Rights in relation to automated decision making and profiling
3.1 Right to be informed
Background
The right to be informed encompasses IGI’s obligation to provide ‘fair processing information’, typically through a privacy notice.
Policy requirements:
40. IGI maintains a privacy notice and publishes this publicly (Appendix II).
3.2 Right of access
Background
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of
and verify the lawfulness of the processing.
Under the GDPR, individuals will have the right to obtain:
confirmation that their data is being processed;
access to their personal data; and
other supplementary information; this largely corresponds to the information that should be provided in a privacy notice.
Policy requirements:
41. All requests from subjects for access to their data should be submitted immediately to the DCO using the form under Appendix V.
The DCO must log the request and will:
o Consider whether the request is manifestly unfounded or excessive;
o Request copies of information held from information owners within IGI
o Review the information to ensure it does not impair the privacy of another data subject;
o Consider whether the request warrants a fee (if it requires a significant amount of data) and
o Respond to the original request.
42. A response to the request must be provided without delay and at the latest within one month of receipt. In the event the request is
particularly complex or numerous, the period of compliance can be extended by a further two months. If this is the case, the DCO
must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
43. Performance against the response target of one month must be reported to the Board by the DCO at least annually.
3.3 Right to rectification
Background
The GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
Policy requirements:
44. Requests for rectification must be treated in the same way as requests for access. The following, additional, measures will apply:
o If IGI has disclosed the personal data in question to third parties, the DCO must inform them of the rectification where
possible.
o The DCO must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
o The information owner will be responsible for ensuring that requests for rectification are actioned on the information they
are responsible for.
o The DCO will be responsible for validating whether requests for rectification have been properly addressed.
3.4 Right to erasure
Background
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to
request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent
processing in specific circumstances. These include:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
When the individual withdraws consent.
When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
The personal data has to be erased in order to comply with a legal obligation.
The personal data is processed in relation to the offer of information society services to a child.
Policy requirements:
45. IGI can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
o to exercise the right of freedom of expression and information;
o to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
o for public health purposes in the public interest;
o archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
o the exercise or defence of legal claims.
46. Requests for erasure of data should be submitted immediately to the DCO and will follow the same principles as for right to access
and right to rectification.
47. If IGI has disclosed the personal data in question to third parties, the DCO must inform them about the erasure of the personal data,
unless it is impossible or involves disproportionate effort to do so.
3.5 Right to restrict processing
Background
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, IGI is permitted to store the personal
data, but not further process it.
IGI is required to restrict the processing of personal data in the following circumstances:
Where an individual contests the accuracy of the personal data, IGI should restrict the processing until IGI has verified the accuracy of
the personal data.
Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of
legitimate interests), while IGI considers whether its legitimate grounds override those of the individual.
When processing is unlawful and the individual opposes erasure and requests restriction instead.
If IGI no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Policy requirements:
48. Requests to restrict processing will be submitted to the DCO and will follow the same principles as for right to access and right to
rectification, with the following additional requirements:
o The DCO must inform individuals when IGI decides to lift a restriction on processing.
3.6 Right to data portability
Background
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows
them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to
usability.
The right to data portability applies:
to personal data an individual has provided to a controller;
where the processing is based on the individual’s consent or for the performance of a contract; and
when processing is carried out by automated means.
Policy requirements:
49. Requests for data under the right to data portability must be submitted to the DCO.
50. The DCO is responsible for recording these and requesting the information from the information owner(s).
51. The DCO will also review the data to ensure the privacy of other data subjects is not adversely impacted.
52. The DCO will provide the personal data in a structured, commonly used and machine readable form, submitted using a secure
transfer mechanism.
53. The information will be provided within one month of the original request.
54. Performance against this timescale must be reported by the DCO to the Board at least annually.
3.7 Right to object
Background
Individuals have the right to object to:
processing for purposes of scientific/historical research and statistics.
Policy requirements:
55. Requests that object to processing must be submitted to the DCO.
56. The DCO is responsible for recording and assessing these.
57. Where instructed by the DCO, IGI must immediately stop processing the personal data unless:
o There are demonstrable and compelling legitimate grounds for the processing, which override the interests, rights and
freedoms of the individual; or
o The processing is for the establishment, exercise or defence of legal claims.
58. IGI must inform individuals of their right to object “at the point of first communication” and in its privacy notice (Appendix II).
Appendix I - Data Audit
Columns recorded for each processing activity:
Department
What personal data is being processed? (for each reason please fill all columns)
o Type (personal data, financial details, health information, IP address, KYC documents, passports or national identification, biometrics, criminal offences, education, employment documents)
o Source (individual, third party, both, other such as due diligence companies, internet, private investigators, criminal record checks, government agencies)
o Legal Basis (contract, legitimate interest, legal obligation, performance, consent)
Why is personal data being processed? (staff administration, client administration, legal obligations like tax or due diligence or work permits, provision of goods and services like online or f2f, monitoring like security, marketing, revenue calculation, profiling)
Whose personal data is being processed? (staff, clients, relatives of staff, business contacts, correspondents, enquirers, complainants, children, suppliers)
When is this personal data being processed?
o Originally when was it obtained (appointment, pre-appointment, annual, at request)
o Updated (as required, regularly, no)
Disclosure (to whom or in what circumstances)
Retention period (# of years, not required)
Determined by (law, regulation, Code of Conduct, business practice, other)
Where is the data kept?
o Location (cloud service, external host, in-house systems, third party system, electronic records, manual records)
o Country (location of data stored)

Department: Compliance
Type: KYC Documents (KYC questionnaire that includes BOD info, company info, and shareholders info, address, phone number, contact email and name), financial statements, registration certificates, licenses, organisational chart.
Source: Broker (third party) / internet
Legal basis: legal obligation
Why: legal obligations (due diligence, AML requirements)
Whose: Clients
Originally obtained: Pre-binding the business, during the process.
Updated: depending on the risk: high - every year; medium - every 2 years; low - every 3 years.
Disclosure: NA
Retention period: Not determined (by law possibly 6 years)
Determined by: Law
Location: Company Servers
Country: Jordan

Department: Compliance
Type: personal information
Source: Legal department / individuals
Legal basis: legal obligation
Why: legal obligation
Whose: Board of Directors
Originally obtained: as needed
Updated: as required
Disclosure: NA
Retention period: NA
Determined by: NA
Location: Company Servers
Country: Jordan

Department: Compliance
Type: Employee CVs, criminal records, passport copies, employment history
Source: HR department / Employee
Legal basis: legal obligation - submission of information to the PRA
Why: legal obligation - submission of information to the PRA
Whose: Employees
Originally obtained: as needed
Updated: as required
Disclosure: PRA
Retention period: NA
Determined by: NA
Location: Company Servers and physical files
Country: Jordan

Department: Compliance
Type: Employee screening results (due diligence)
Source: third party (Vero screening)
Legal basis: legal obligation - submission of information to the PRA
Why: legal obligation - submission of information to the PRA
Whose: Employees
Originally obtained: as needed
Updated: as required
Disclosure: PRA
Retention period: NA
Determined by: NA
Location: Company Servers and physical files
Country: Jordan

Department: Underwriting
Type: Part of our process is saving all emails in the shared folder, which might include CVs for pilots, doctors and engineers containing education and employment records and other personal info like address, etc. Teams are CC'd on KYC emails; the content and feedback on how sensitive this is should be confirmed by the compliance department. Details of law cases, claims records for doctors.
Source: 3rd party, being assureds, brokers, insurers and reinsurers. Internet.
Legal basis: legitimate interest
Why: Part of our process is saving all emails in the shared folder, which might include such data, and for future reference. Provision of services.
Whose: Clients, being assureds, brokers, insurers and reinsurers.
Originally obtained: Originally when slips are reviewed, and at request if reinsurance is required.
Updated: As required
Disclosure: IGI staff, reinsurers. In case of FAC, it could be shared with other brokers. If slip leader, information could be sent to third parties such as lawyers, loss adjusters, engineers…
Retention period: As per Archiving policy; we are not aware of details.
Determined by: Business practice, local law
Location: Electronic records / emails and shared folders. IGI offices and Info-fort (3rd party storage locations).
Country: IGI offices in Amman, Dubai, London, Casablanca, Malaysia. Info-fort in Amman (we are not aware of such a 3rd party facility or whether the same applies to IGI London).

Department: HR IGI UK
Type: Personal data, passport copies, CVs - education and employment records, references from former employers, pay data
Source: Employee Files
Legal basis: Contractual
Why: Legal obligations and duty of care
Whose: Employees
Originally obtained: pre and post appointment
Updated: yes
Disclosure: Employees allowed access to own files upon request whilst the employee is employed and post employment.
Retention period: Currently no process in place to remove leaver files after a certain period of time.
Determined by: Law and best practice
Location: Hard copy employee files in secure cabinets
Country: UK

Department: HR IGI UK
Type: Employee personal data - name, address, date of birth and pay information
Source: Payroll supplier - MoorePay; Childcare Voucher Scheme; Benefits Broker - SecondSight - passed on to BUPA, UNUM and Aviva for employee insurances and pension purposes
Legal basis: Pay & Benefits - consensual
Why: To enable employee benefits to be processed
Whose: Employees
Originally obtained: pre and post appointment
Updated: yes, as necessary
Retention period: Only for duration of employment
Location: Third party systems
Country: UK

Department: HR IGI UK
Type: Employee personal data - no pay data
Source: Vero Screening - pre-employment checks, third party
Legal basis: Legal requirement (to check right to
work) and
best
practice
For pre
employment
checks and
FCA checks
where
required
Employees
pre joining
pre-
appoin
tment
no
requir
ed
complet
ed
referenc
es held
on
employ
ee file
Law and
best
practice
Third party
systems
UK
HR IGI
Group
Personal details name,
address, email,
telephone, date of birth,
Employee
s
Legal
obligation
Staff
Administratio
n
Current
Staff
pre
appoin
tement
Regula
ry,
when
chang
Dept.
heads
third
parties
retentio
n period
shall
remain
Law,
regulation
s,code of
conduct,
inhouse
systems,
thrid party,
electronic
headoffic
es and
branches
15
emergency contacts,
CV's etc.
es
occurs
for
current
employ
ees as
long as
they are
still
employ
ed & old
emp.
business
practice
records,
hardcopies
Financial details
company
&
employee
Legal
obligation
Legal
obligation /
staff admin
Current
Staff
pre-
appoin
tment
when
chang
es
occurs
legal
entities,
banks
Finance
Dept.
Insuranc
provider
(third
parties)
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
ed & old
emp.
law and
business
practice
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
Medical and Life
insurance information
Employee
s
Legal
obligation /
staff admin
Staff
Administratio
n
Current
Staff
appoin
tment
as
requir
ed
medical
and life
insuranc
e
provider
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
business
practice
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
16
ed & old
emp.
Employee Photos
Employee
staff admin
Staff
Administratio
n
Current
Staff
pre
appoin
tement
no
updat
e
medical
and life
insuranc
e
provider
and
IT Dept.
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
ed & old
emp.
business
practice,
Law
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
Employee Passports
Employee
s
Legal
obligation /
staff admin
Legal
obligation /
staff admin
Current
Staff
pre
appoin
tement
When
expire
d
residency
or work
permits,
visa
applicati
ons
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
ed & old
emp.
business
practice,
Law
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
National idendifications
Employee
s
Legal
obligation /
staff admin
Legal
obligation /
staff admin
Current
Staff
pre
appoin
tement
When
expire
d
insuranc
e
provider
Social
Security
dept. and
retentio
n period
shall
remain
for
current
business
practice,
Law
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
17
third
parties
employ
ees as
long as
they are
still
employ
ed & old
emp.
Education and training
info
Employee
s
staff admin
staff admin
Current
Staff
pre
appoin
tement
as
requir
ed
thrird
party -
ministry
of labor
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
ed & old
emp.
business
practice,
Law
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
Social security number
Third
parties or
employee
Legal
obligation
Legal
obligation
Current
Staff
pre
appoin
tement
no
updat
e
third
parties
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
ed & old
emp.
business
practice,
Law
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
18
Employement details
Employee
s
Legal
obligation /
staff admin
legal
obligation
Current
Staff
pre
appoin
tement
as
requir
ed
third
party -
ministry
of
labor,soc
ial sec.
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
ed & old
emp.
business
practice,
Law
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
Work permits and
residency cards
third party
Legal
obligation /
staff admin
Legal
obligation /
staff admin
Current
Staff
Upon
appoin
tment
annual
renew
al
third
party -
ministry
of labor
retentio
n period
shall
remain
for
current
employ
ees as
long as
they are
still
employ
ed
business
practice,
Law
inhouse
systems,
thrid party,
electronic
records,
hardcopies
headoffic
es and
branches
Admin
Passport
individual
employee
legitimate
interest
Staff
admnistration
employees
at
reques
t
as
requir
ed
hotels &
travel
agent
not
required
business
practice
electronic
records
Jordan
Legal
Passports
individual
legtimate
interest
legal
obligations
Directors/
staff
pre
appoin
tment
as
requir
ed
banks at
request,
internal
use
not
required
business
paractice
electronic
records
Jordan
19
Personal Data
individual
legtimate
interest
legal
obligations
Shareholde
rs/
Directors
pre
appoin
tment
and at
reques
t
as
requir
ed
internal
use
not
required
business
paractice
electronic
records
Jordan
Financial Details
individual
legtimate
interest
adminstration
Shareholde
rs/
Directors
At
reques
t
as
requir
ed
internal
use
not
required
business
paractice
electronic
records
Jordan
Claims
Personal Data of clients
and experts i.e.
qualifiactions/education/
phone
numbers/emails/address
es
Third
party
companys
legitimate
interest
provisions of
goods and
services
third party
experts for
business
contract/su
ppliers
at
reques
t
no
no
N/A
N/A
in house
systems/ele
ctronic
Amman/L
ondon
Personal information of
medical history
clients/su
ppliers/thi
rd party
experts
legitimate
interest
Due
diligence/pro
vision of
goods and
services/clien
t
administratio
n
Clients/bus
iness
contacts
at
reques
t
no
no
N/A
N/A
in house
systems/ele
ctronic
Amman/L
ondon
20
Appendix II - Privacy Notice
International General Insurance Holdings Limited's Privacy Notice
Introduction and background
The purpose of this Notice is to outline how IGI has established measures to protect your privacy and information rights. To view the full detailed
Data Protection Policy, please follow the link.
Your rights
We recognise that you have rights as a ‘data subject’, and that we have an obligation to uphold these.
This Privacy Notice aims to outline how we maintain these rights. In particular, it outlines:
How we collect and process your information
Why we do this
How you can exercise your rights;
Who to contact in the event you’re unhappy with our performance.
Your information rights
Right
Explanation
Right to be informed
This encompasses the obligation for us to be transparent in how we collect and use your personal
data.
Right of access
You have the right to access your personal data and supplementary information.
Right to rectification
If the information we hold on you is inaccurate or incomplete, you can request we correct this.
Right to erasure
You can request we delete or remove personal data where there is no compelling reason for us to
continue processing it.
Right to restrict processing
You have the right to request we cease processing your data, if:
You consider it inaccurate or incomplete;
Where you object to processing and we are considering whether we still have a legitimate
interest to process it.
Where we don’t need the data for the original reason we collected it, but may need it to
support a legal claim
Right to data portability
Where you have consented to our processing your data, or where the processing is necessary
for us to deliver a contract, you can request a copy of that data be provided to a third party in
electronic form.
Right to object
You have the right to object to our processing under certain circumstances.
This Privacy Notice should outline how we are transparent in our processing. Please get in touch with us through the ‘contact details’ section to
find out more or to exercise your information rights.
Information we collect
Please see Appendix I of the Data Protection Policy at the following link.
Transfer of data
We may pass your personal data on to third-party service providers contracted to IGI in the course of dealing with you. Any third parties that we
may share your data with are obliged to keep your details securely, and to use them only for the legitimate reasons they were obtained for
originally. When they no longer need your data, they will dispose of the details in line with IGI’s procedures as set out in the contracts signed
with them. If we wish to pass your sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we
are legally required to do otherwise.
Data transfers out of the EEA: the data we receive may be sent to countries outside the European Economic Area (‘EEA’). When it is, there
will be a contract in place to make sure the recipient protects the data to the same standard as in the EEA. This may include following international
frameworks for making data sharing secure.
Retention of data
IGI retains information in accordance with our data retention requirements. We may keep such information for up to 7 years in accordance
with regulatory requirements. If you object to this retention, please contact us using the details provided in the ‘Contact’ section.
Securing your information
International General Insurance Group places great importance on the security of all personally identifiable information associated with our
customers. We have security measures in place to attempt to protect against the loss, misuse and alteration of customer data under our control.
While we cannot ensure or guarantee that loss, misuse or alteration of data will not occur, we use our best efforts to prevent this through
implementing the following:
IGI has achieved the Cyber Essentials accreditation.
IT Security Policy and Procedures.
IT Risk and Control Register.
Active Directory group policy with access control, password complexity/history controls, patching, Windows updates and auditing
policies.
Physical protection of IGI Data Center and workplace.
Data center monitoring and notification system
Cisco firewalls with limited and controlled access, VPN site-to-site connections between offices and the use of Cisco AnyConnect VPN
client for end users, DMZ network for internet facing services like website and email traffic.
Kaspersky Total Security license (endpoint protection, server protection, email protection and anti-spam, SharePoint protection,
web filtering) in addition to vulnerability scanning and fixing.
File server access controls.
Individual file protection with windows RMS.
Removable storage blocking for user PCs.
Hardware and software Vendor SLAs, signed NDA when required.
Security penetration testing and vulnerability assessment by a third party.
Backup data encryption.
Non-personal information
We may collect non-personal information about you such as the type of internet browsers you use or the Website from which you linked to our
Website. You cannot be identified from this information and it is only used to assist us in providing an effective service on this Website. We may
disclose aggregate statistics about our Website users to prospective partners, advertisers and other reputable third parties, but these statistics
will include no personally identifying information.
Use of Cookies
Cookies are pieces of information that a Website transfers to your internet browsing device to store and sometimes track information about
you. Most web browsers automatically accept cookies, but if you prefer, you can change your browser to prevent that. However, you may not
be able to take full advantage of a website if you do so. Cookies are specific to the server that created them and cannot legally be accessed by
other servers, which means they cannot be used to track your movements around the web. We use cookies to estimate our audience size and
patterns; control how often visitors see similar ads; and track preferences and to improve and update our Website. Please see our cookies section
on the cookies we use and how we use cookies.
Below is a full list of the cookies used by IGI along with a description of what they are used for. Where a cookie is a third party cookie, visit the
providers’ website for more information.
Cookie Name | Cookie Description
_ga | Google Analytics - Uses cookies to:
- Determine which domain to measure
- Distinguish unique users
- Remember the number and time of previous visits
- Remember traffic source information
- Determine the start and end of a session
- Remember the value of visitor-level custom variables
__atuvc | This cookie is associated with the AddThis social sharing widget, which is commonly embedded in websites to enable
visitors to share content with a range of networking and sharing platforms. It stores an updated page share count.
_gid | Google Analytics - Uses cookies to:
- Determine which domain to measure
- Distinguish unique users
- Remember the number and time of previous visits
- Remember traffic source information
- Determine the start and end of a session
- Remember the value of visitor-level custom variables
__RequestVerificationToken | Used as an antiforgery token to protect form data
_gat | Google Analytics - Uses cookies to:
- Determine which domain to measure
- Distinguish unique users
- Remember the number and time of previous visits
- Remember traffic source information
- Determine the start and end of a session
- Remember the value of visitor-level custom variables
Personal Data Breach
With regard to Personal Data Breach caused by IGI, IGI shall:
In accordance with GDPR Articles 33 and 34, (i) notify you without undue delay in the event of any Personal Data Breach involving
Personal Data and (ii) provide reasonable assistance to you when you are required to communicate a Personal Data Breach to a Data
Subject.
Use reasonable efforts to identify the cause of such Personal Data Breach and take those steps as IGI deems reasonably practicable in
order to remediate the cause of such Personal Data Breach.
Provide reasonable assistance and cooperation as requested in the furtherance of any correction or remediation of any Personal Data
Breach.
Complaints
In the event that you wish to make a complaint about how your personal data is being processed by IGI (or third parties as described in our Data
Protection Policy), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and
IGI’s Data Compliance Officer (DCO) at [email protected] or [email protected].
Contact details
We recognise that you may have questions on how we process and/or store your data, or may want to change either the data we hold on you
or how we communicate with you in the future.
If you have given consent for processing, you are free to withdraw that consent. To do so, please contact the DCO at
If you have any questions in respect of this Notice, or would like to exercise your rights as a data subject (for example, to correct data or to
exercise your right to access) please contact the DCO at [email protected]
If you are not satisfied that we have responded to your query adequately, or if you have a further complaint, the Information Commissioner’s Office
can be contacted on 0303 123 1113 (local rate calls to this number cost the same as calls to 01 or 02 numbers). If you're calling from outside
the UK, you may not be able to use the 03 number, so please call +44 1625 545 700.
Other Websites
This Website contains links to other Websites and you may have linked to this Website from another Website. We are not responsible for the
Privacy Notice or the content of such Websites. Other associated Websites to International General Insurance Holdings Ltd may contain a Privacy
Notice that is different from this Privacy Notice. This Privacy Notice relates to this Website only. When visiting other associated Websites please
make sure that you read their Privacy Notices so that you can understand what personal information will be collected through or in relation to
that Website and for what purposes.
Appendix III Data Protection Impact Assessment
Data Protection Impact Assessment - Template
Project Name:
Description of project:
Completed by:
Date:
Section 1 Do I need a DPIA / High Level Risk Assessment
Question
Yes?
No?
Will the project involve the collection of
new information about individuals?
Will the project compel individuals to
provide information about themselves?
Will information about individuals be
disclosed to organisations or people who
have not previously had routine access
to the information?
Are you using information about
individuals for a purpose it is not
currently used for, or in a way it is not
currently used?
Does the project involve you using new
technology that might be perceived as
being privacy intrusive? For example, the
use of biometrics or facial recognition.
Will the project result in you making
decisions or taking action against
individuals in ways that can have a
significant impact on them?
Is the information about individuals of a
kind particularly likely to raise privacy
concerns or expectations? For example,
health records, criminal records or other
information that people would consider
to be private.
Will the project require you to contact
individuals in ways that they may find
intrusive?
Section 2 - Describe the information flows
provide an overview of how information will be processed and provide the basis for updating the information asset register.
Section 3 - Risk assessment and consultation requirements
Completed with: <<name business owner(s)>>
Question
Description of changes and risks to privacy
Will the project involve the collection of
new information about individuals?
Will the project compel individuals to
provide information about themselves?
Will information about individuals be
disclosed to organisations or people who
have not previously had routine access
to the information?
Are you using information about
individuals for a purpose it is not
currently used for, or in a way it is not
currently used?
Does the project involve you using new
technology that might be perceived as
being privacy intrusive? For example, the
use of biometrics or facial recognition.
Will the project result in you making
decisions or taking action against
individuals in ways that can have a
significant impact on them?
Is the information about individuals of a
kind particularly likely to raise privacy
concerns or expectations? For example,
health records, criminal records or other
information that people would consider
to be private.
Will the project require you to contact
individuals in ways that they may find
intrusive?
Step 4 - Identify treatment options
determine mitigating actions and document these as standards to support compliance monitoring.
Risk
Actions taken to address risk
Description of risks
Control (e.g. encryption)
Tolerate
Terminate
Transfer
Step 5 - Sign off the DPO and business owner (ideally the Board) should approve the outcome of the DPIA.
I am happy that (a) the documentation / IAR is up to date (b) the risks have been properly identified and (c) the risks
are properly managed / controlled
_____________________________ _________________________________
DPO Business owner
Appendix IV - IGI - Data Breach Procedure
This procedure applies to employees, temporary staff and contractors across <<Organisation>>. This procedure
applies to all types of personal data held in hard copy, electronic files, and IT systems.
A data breach means:
the loss of personal information (e.g. leaving documents containing personal information on a train);
access to personal information by an unauthorised individual;
unauthorised disclosure of personal information.
The General Data Protection Regulation (GDPR) introduces a duty on all organisations to report certain types of
personal data breach to the relevant supervisory authority (ICO) within 72 hours of becoming aware of the breach.
Failure to comply could result in <<Organisation>> incurring significant financial penalties.
If you become aware of a data breach you must act immediately!
Immediately after you discover a data breach, please follow these steps:
1. Notify your line manager, and
2. Notify the Data Compliance Officer, via insert email address, or insert extension, and
3. Complete the Data Breach Form overleaf, as fully as possible and email to the DCO via the details above.
The DCO will make an assessment on the severity of the data breach, based on the information provided.
If the DCO deems that there has been significant risk to the data rights of individuals, the DCO will:
1. Notify the relevant supervisory authority (ICO) and outline next steps to remedy the breach and mitigate
the risk of the breach reoccurring.
2. Notify the data subjects and outline next steps to remedy the breach and mitigate the risk of the breach
reoccurring.
3. Log the data breach on the <<Organisation>> Data Breach Log.
This will ensure all the relevant details of the incident are recorded consistently and communicated on a need-to-
know basis to relevant staff so that prompt and appropriate action can be taken to resolve the incident.
Data Breach Report Form
Assessment of Breach Risk - Please complete
Summary
Description of the breach:
Date:
Your name:
Detail
Reference | Question | Response
1. How many data subjects (individuals) are impacted by the breach?
2. Has 'special category' data been breached? (i.e. race, ethnic origin, religion, trade union membership, health, sexual orientation)
3. Has personal data been compromised?
4. Have other policies been breached? (if relevant)
5. What is the impact on the individual? (Is the breach likely to cause detriment to the data subject?)
Outcome To be completed by the DCO
Based on the assessment of the responses to
questions outlined above, there is a significant
risk to the information rights of individuals.
Yes/No
DCO Signature:
Date:
Appendix V Subject Access Request
1. DATA SUBJECT DETAILS
Title
Mr
Mrs
Miss
Ms
Other:
Surname
First name(s)
Current address
Telephone number:
Home
Work
Mobile
Email address
Date of birth
Details of identification
provided to confirm
name of data subject:
Details of data requested:
2. DETAILS OF PERSON REQUESTING THE INFORMATION (if not the data subject):
Are you acting on behalf of the data subject with
their [written] or other legal authority?
Yes
No
If ‘Yes’ please state your relationship with the
data subject (e.g. parent, legal guardian or
solicitor)
Please enclose proof that you are legally authorised to obtain this information.
Title
Mr
Mrs
Miss
Ms
Other:
Surname
First name(s)
Current address
Telephone number:
Home
Work
Mobile
Email address
DECLARATION
I, ………………………………………………………, the undersigned and the person identified in (1) above, hereby request that
IGI provide me with the data about me identified above.
Signature: Date:
SAR form completed by (employee name):
I, ………………………………………………………, the undersigned and the person identified in (2) above, hereby request that
IGI provide me with the data about the data subject identified in (1) above.
Signature: Date:
SAR form completed by (employee name):
This form must immediately be forwarded to IGI’s Data Protection Officer / GDPR Owner.