Data protection policy

OAC PLC takes its obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) and Data Protection Act 2018 very seriously and strives for the highest standards. OAC’s lead data protection supervisory authority is the Information Commissioner’s Office (ICO) in the United Kingdom.


  • Consent: Consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
  • Data controller: The organisation or individual that determines the purpose and means of data processing.
  • Data processor: An organisation or individual that processes data on behalf of a data controller.
  • Data subject: An identified or identifiable natural (living) person.
  • Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Personal data: Any data relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: Any operation/set of operations which performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and ‘process’ and ‘processed’ shall be construed accordingly.

General Data Protection Regulation

On 25 May 2018, the Data Protection Act 1998 was replaced by the European Union’s General Data Protection Regulation (GDPR). The GDPR forms part of the data protection regime in the United Kingdom, together with the new Data Protection Act 2018 (DPA 2018).

OAC is responsible for complying with the GDPR and its Data Protection Principles, along with the other provisions in the DPA 2018.

The GDPR includes the following rights for individuals:

  • The right to be informed (which is the right to be provided with clear, transparent and easily understandable information about how OAC uses your information and your rights relating to the information)
  • The right of access to the personal data which is processed and information about how it is being used.
  • The right to rectification if personal data is inaccurate or incomplete.
  • The right to erasure in certain circumstances where there is no reason for OAC to continue to process the data.
  • The right to restrict further processing of personal data.
  • The right to data portability of personal data between different service providers.
  • The right to object to certain types of processing, such as direct marketing.
  • The right not to be subject to decisions based solely on automated decision-making, including profiling.

There are six lawful bases for the processing of personal data. At least one of the following must apply whenever OAC processes personal data:

  • Consent: the individual has given clear consent to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract with the individual, or because they have asked for specific steps before entering into a contract.
  • Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

OAC principles

OAC focuses pro-actively on compliance with data protection regulations and in addition, adheres to its own principles:

  • OAC staff are kept up-to-date and trained on data protection regulations and best practices for the safe handling of personal data.
  • OAC only deals with reputable organisations, and where there might be any grounds for suspicion it is alert to avoid being involved in what might be the improper use of personal data.
  • OAC adopts best practice in the administration and security of its computer systems and keeps up-to-date with technical developments and emerging risks to network integrity.
  • OAC monitors its computers systems and the personal data that they hold, which includes the access to and use of that data by its staff in order to ensure that only relevant data is accessible for the roles of individual staff, there is no misuse and that data is not put at risk.
  • OAC has a continuous data protection programme to ensure compliance and safeguards within all operations, which include activities such as privacy impact assessments, regular audits, policy reviews and updates, and training.

Personal data

Personal data covers both facts and opinions about an individual where that data identifies an individual. The personal data held by OAC falls into three categories:

  • Staff and associates of OAC, as well as possible recruits and past staff.
  • Individuals with whom OAC has a business relationship, such as clients, trade bodies, professional advisers, regulatory organisations and suppliers.
  • Individuals who hold investments, and other individuals whose investment and insurance needs are analysed by OAC in the course of its business as a professional firm.

Processing of personal data

OAC will only process personal data when a legal basis has been clearly identified.

Staff, associates, potential recruits: OAC processes employment details and other employment-related data for potential recruits, and current and former staff. OAC carries out this processing in order to prepare for and carry out employment contracts and to comply with legal obligations as an employer. Further details are available to employees in the Staff Handbook.

Individuals with whom OAC has a business relationship: OAC processes contact details of these individuals, such as names, addresses, email addresses and professional interests. If the individual has specifically opted-in, OAC uses this information to send out communications related to OAC’s business. Other business contact information is used by OAC for its legitimate business interests. This involves contacting specific people in connection with current business or future business issues. The information may be passed to third parties that provide services to OAC to enable OAC to carry out the purposes referred to above.

Individuals who hold investments/insurance: When OAC provides a service to an individual who holds financial investments, or to an individual whose financial investment and insurance needs are analysed by OAC as part of a service contract with an organisation, the only data OAC obtains is that required to provide the service. The data will be obtained from the individual directly or from elsewhere at the specific request of the individual via the relevant data controller. Upon the evaluation of data obtained for the performance of contracts, if OAC becomes exposed to information that is in addition to the information required to performing the required service, OAC will only use the information that is required to provide the service and will take measures, where possible, to limit such exposure. OAC has written contracts with the clients for whom OAC processes this information and OAC complies with their written instructions for how the information may be used.

Sensitive personal data

OAC may hold sensitive data about its staff which will have been provided to facilitate employment duties and information which would be relevant to their employment and relationships with other members of staff. Information relating to OAC’s use of personal information relating to staff is set out in the Staff Handbook.

Due to the nature of the services which OAC provides, OAC can hold sensitive personal data about individuals. This data may contain a variety of information including financial details (including historic), family details and health information. The situation arises because OAC provides services to independent financial advisers, insurance companies, regulators, solicitors, courts of law and others who in the course of their business need to consider the holdings of investments and investment and insurance needs of individuals, sometimes on the instructions of the individual but sometimes in an adversarial, monitoring or other capacity. OAC processes this information to comply with the service contracts that relate to the individuals.


OAC will only accept consent as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

For further information about how OAC collects, looks after and uses personal data for its marketing, please read our Privacy Policy. Consent for these type of communications can be changed and withdrawn at any time through options available within these communications.

Retention of data

OAC will not retain personal data for longer than it is needed for its authorised purpose. Where OAC processes data on the basis of an individual’s consent, once consent has been withdrawn, our systems will be updated immediately and the personal data will be removed from use (as defined within the request for the withdrawal of consent) and will be deleted. For the performance of contracts, a defined period for the retention of data will be agreed with the data controller.

OAC periodically reviews the data held about individuals with whom OAC maintains a business relationship to ensure that it is still relevant to OAC’s business needs.

Subject access requests

OAC will provide access to personal data which it holds, upon request, subject to checking that the personal data may legally be provided and with agreement from the data controller (either OAC or client; whichever is the data controller).

There will be no charge for providing this information unless they are manifestly unfounded or excessive. OAC will ensure that the information is made available within 30 days. OAC may require further time (up to a maximum of 2 further months) if the request for information is complex – in this case, we will inform the data subject accordingly.

If OAC refuses a request for personal data, it will inform the individual of the reasons why and that they have the right to complain to the supervisory authority and to a judicial remedy.

To make a formal request to access personal data that we hold about you, please contact us.

OAC’s marketing communications will contain links to access and update the data subject’s core contact details and mailing and subscription preferences.

Data security

OAC provides highly secure computer systems, applications and devices for its staff. It also hosts a range of computer applications and services to organisations as part of a contract. Large volumes of data pass over this network of computers, applications and devices which contain adequate controls for the separation and management of data. OAC monitors the data and traffic in the capacity of a network administrator as well as in the capacity of the operator of its own business and as an employer. OAC makes it clear to all those individuals and organisations affected what roles it carries out in the operation of the network.

OAC staff will only have access to personal data that is relevant to fulfil their roles and for the performance of contracts.

OAC has strict policies and procedures for its staff around the use of computer systems, applications and devices to minimise the risks to personal data, which includes the use of personal data within external communications and systems outside the control and monitoring of OAC.

OAC policies and procedures extend to all other methods for containing personal data, which includes printed documents and all paper files.

Personal data breaches

OAC has procedures to effectively detect, report and investigate a personal data breach. If a personal data breach has been verified, then OAC will take immediate action by informing the data controller (if not OAC), and where appropriate informing affected data subjects (in liaison with the data controller), and the supervisory authority.

Further information

For all data protection matters, please contact us.