Data Protection and Privacy
NAM UK staff are subject to the procedures and policies contained within the Employee Handbook (the latest copy of the Employee Handbook is available on the Nomura Now intranet).
The Employee Handbook contains a Data Protection Policy (“Employee Handbook EMEA Personal Data Protection Policy”) which focusses on the collection and processing of your personal data, not the obligations for NAM UK and its staff to protect personal data on our clients.
NAM UK has prepared this Data Protection Policy (“Policy”) as an extension to the Employee Handbook DPP. You are required to read and follow the Employee Handbook DPP and this Policy.
Failure to comply with either policy could lead to disciplinary action.
(1) POLICY OBJECTIVES
The objective of this policy is to ensure that:
- proper procedures are in place for the processing and management of personal data
- individuals are assured that their personal data is processed in accordance with the data protection principles, that their data is secure at all times and safe from unauthorised access, alteration, use or loss
- all staff understand their responsibilities when processing personal data, and that methods of handling that information are clearly understood
- there is someone within the organisation who has specific responsibility and knowledge about data protection compliance
- data subject access requests are dealt with promptly
The General Data Protection Regulation 2018 (GDPR) sets six principals which govern how personal data is collected, held and processed by organisations. The GDPR has two aims:
1) to regulate the use by those (known as data controllers) who obtain, hold and process personal data on living individuals; and
2) to provide certain rights (for example, of accessing personal data) to those living individuals whose data is held.
Failure to comply with the GDPR can lead to a fine up to 4% of the group’s annual turnover, or EUR 20m, whichever is higher, for serious breaches. TalkTalk was fined £400,000 in October 2015 for security failings that allowed a cyber attacker to access customer data “with ease”.
NAM UK will process personal data in the normal course of our business activities and will therefore be a Data Controller. For example, during our staff members’ employment and for individuals we deal with through our business activities (e.g. individuals working for or connected to our clients’ accounts, colleagues, business suppliers, etc.).
Data controllers are required to appoint a Data Protection Officer (DPO) who is responsible for the administration of a data protection policy and providing guidance on data protection issues. All personnel must comply with any directions that the DPO may give to them and any guidelines issued from time-to-time regarding the processing of personal data.
In summary, the 6 Data Protection Principles are:
- Personal data shall be processed fairly, lawfully and in a transparent manner.
- Personal data shall be collected only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose(s) shall not be kept for longer than is necessary.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, personal data.
The GDPR applies to data held on computers and hard-copy data, such as paper files, which are structured either by reference to individuals or to criteria relating to individuals where that personal data is readily accessible.
4.2 Personal Data
Personal data means any information that can identify a living individual (”data subject”) and includes:
- phone number
- national insurance number, etc.
4.3 Sensitive Personal Data
All references to personal data shall include sensitive personal data which is a sub-set of personal data and consists of the following information:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- membership of a trade union
- physical or mental health
- sexual life
- the commission, or alleged commission of, any offence
- any proceedings for any offence committed or alleged to have been committed and the outcome of such proceedings
Sensitive personal data does not include financial records or other information that individuals may regard as private or confidential.
(5) PURPOSES FOR WHICH PERSONAL DATA MAY BE PROCESSED
NAM UK collects personal data for two main purposes:
5.1 Personal Data about You
Personal data will be collected about you that is required for your employment with NAM UK, but only to the extent required by law.
NAM UK outsources its Human Resources function to NIp. The Employee Handbook DPP describes NIp’s policy for collecting, handling and processing employees’ personal data.
5.2 Personal Data Collected About Other Parties
You will liaise with many different parties for which you will gather personal data. For example, personal data on individuals i) working for our clients, brokers and custodians, ii) colleagues, iii) business suppliers, etc.
Personal data should be processed fairly and lawfully for the intended purpose for which it is collected.
(6) DISCLOSURE, SECURITY AND RETENTION OF PERSONAL DATA
6.1 Disclosure of Personal Data
Personal data may be transferred to NAM UK’s group companies, regulators, law enforcement agencies, benefit and pension providers, healthcare providers and other companies engaged in contractual or legal activities on NAM UK’s behalf.
NAM UK will not share personal data of its employees unless there is a lawful reason or obligation for doing so.
6.2 International Data Transfers
NAM UK conducts its business activities on a global basis. Personal data will only be transferred outside of the EEA where the Company is satisfied that the third party receiving the information has sufficient security measures in place to collect, handle and process the personal data securely.
NAM UK will only transfer data internationally where it has an agreement in place with the other party that states that they protect personal data in accordance with the GDPR.
6.3 Security of Personal Data
NAM UK takes appropriate technical and organisational measures to ensure the security of personal data that it processes. Only authorised and trained individuals are permitted to access personal data.
Access to certain personal data will only be granted to specified data users within NAM UK for specific and legitimate purposes.
6.4 Retention of Data
NAM UK will not keep personal data for longer than necessary to achieve the purposes for which the information was collected and will dispose of such data safely and securely.
(7) DATA SUBJECT ACCESS REQUESTS
A data subject has the right under the GDPR to request access to the records held by a Company about them. Requests must be made in writing and sent to the DPO. Under the GDPR, a Company cannot charge for the provision of such information. The Company has up to 30 days to provide the personal information.
If you receive a data subject access request, a complaint from a data subject or an official communication regarding Nomura’s data processing you should inform the DPO immediately.
All personal data processed within NAM UK is confidential. Furthermore, all NAM UK staff are required to comply with NAM UK’s Confidentiality Policy and Procedures.
NAM UK staff must not, except where authorised by the DPO, obtain or disclose personal data, or procure its disclosure to anyone else, without the consent of the person or body having legal responsibility for such data. If in doubt ask the DPO for guidance.
When creating or dealing with information about other individuals (including when writing about someone in an email or other documents) all personnel should bear in mind that the employee(s), as well as clients and others, may have the right to access data relating to themselves that the Company holds. Personal data should not be collected and/or processed if the subsequent release of that information may give rise to embarrassment and/or liability on the part of the Company or any personnel, or may bring the Company’s name or that of any personnel into disrepute.
(9) USE OF THIS POLICY
This policy will be reviewed by the Company from time-to-time to ensure that it follows the proper practice in relation to the protection of personal data.
All staff have a general duty to respect the obligations of the Company in relation to the protection of personal data. Personnel are expected to comply with all applicable laws with regard to the use of data and network resources at all times, whether or not expressly set out in this policy.
Date Policy approved by NAM UK Executive Committee, 28 August 2018
Privacy Framework 2020
What is General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the law on data protection and privacy for all individuals within the European Union. It was brought in to create a consistent set of rules throughout Europe and to update the law to protect your personal data in our modern technology driven world.
The GDPR only allows businesses to process personal data if there is a valid lawful basis. Data processing means collecting, using, disclosing, retaining, or disposing of personal data. Personal data is any data that can be used to identify a person. Sensitive personal data includes information on things like health; racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; certain biometric data; and a person’s sex life and/or sexual orientation. Lawful reasons include collecting information that is needed to perform a contract for services or to meet a legal requirement or when an individual gives consent.
Who are we?
Nomura Asset Management is a leading global asset manager founded in 1959 in Tokyo, Japan and has investment offices throughout the world including London, Singapore, Malaysia, Hong Kong, Shanghai, Frankfurt and New York, with our global headquarters in Tokyo. The Nomura Asset Management Group (the “NAM Group”) had assets under management of $494 billion as at 31st December 2019. Alongside world class client service, the NAM Group provides its clients with a wide range of innovative strategies including global fixed income strategies, regional and single country Asian equity products, global emerging markets products, multi asset, and fundamental indexation solutions.
https://nomura-asset-management.co.uk / data-protection-and-privacy-statement/
We are a ‘data controller’ of the personal information we process. This means that we decide why and how personal information is used.
Within this privacy notice “NAM UK” refers to Nomura Asset Management U. K. Ltd.
What personal information we hold about you
We may collect and process different types of information depending on how we classify you and the type of relationship we have with you. When we collect your information, we will explain what is mandatory and what is optional. We are always happy to explain why we need your information.
• Additional data requested for AML / KYC purposes.
• Government identifiers – for example identification document information (driving licence, passport).
• third party information – where relevant we will have information such as the executor or power of attorney connected to your investment.
• Information about you – for example name, age, gender, title, date of birth and nationality. We need this information to help us identify you, but also to allow us to contact you, for example, for regulatory or service reporting reasons.
• Contact information – for example email, address, job title and phone number.
• Contractual information – for example details about your investments with us.
• Email exchanges – all emails sent and received by our corporate systems are stored for ten years to satisfy the regulatory regimes that we operate under.
• Audio or video recordings – for example voice recordings, all phone extensions in our office are recorded at all times for regulatory purposes. CCTV footage from the building security systems.
How do we get information about you?
Most of the information we receive is provided by you. We may also get personal information about you from other sources, such as:-
• Your employer – when an institution becomes our client, they may have provided your details as the person we contact.
• Risk & compliance portals – we use information from third-party portals to conduct regulatory checks.
• Events list – we also get names through lists of events that we sponsor. In this case, we ask the organiser to only share the contacts that agreed to be contacted.
• Platforms – some of the Platforms selling our funds send us the breakdown of the flows including names.
• Business intelligence portals – sometimes we get contact details of employees of institutions from portals that we subscribe to.
What are the legal grounds for the use of your information?
• Your freely given consent.
• The performance of a contract.
• Compliance with a legal obligation.
• Where we have a legitimate interest.
– Evolving our product / brand.
– Other parts of the NAM Group.
Who do we share with?
Our employees. We work on the basis that staff have only the minimum of access permissions required to perform their role and no more. We review system access on a regular basis.
It is sometimes necessary to share your data with third parties:-
• Transfer agents.
• Legal advisors and auditors.
• Identity authentication and fraud prevention agencies.
• HM Revenue & Customs, regulators such as the FCA and other regulatory organisations .
• Relevant overseas tax authorities.
• Companies you ask us to share your information with.
• Companies involved in the support of our IT systems: IT companies, offsite storage companies, confidential waste disposal.
• Other parts of the NAM group.
• We sometimes use third parties located in other countries to provide support services. As a result, your personal information may be processed in countries outside the European Economic Area (EEA).
• These services will be carried out by reputable entities on terms compliant with the European data protection requirements. Some countries have been assessed by the EU as being ‘adequate’, which means their legal system offers a level of protection for personal information which is equal to the EU’s protection. If a country has not been assessed as adequate, we would use additional contractual clauses.
• The European Commission has recognised ‘standard contractual clauses’ as offering adequate safeguards to protect your rights and we will use these where required, ensuring adequate protection for your information.
• For example we use those to provide the following services:-
– IT support and technology development with operations based in India.
We always ensure all personal information is provided with adequate protection and all transfers of personal information outside the EEA are done lawfully.
Once we receive your information, we use strict procedures and security features to protect your information from unauthorised access.
How long will we keep your information?
We keep your personal information for as long as it is considered necessary, for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This will involve keeping your information for a reasonable period of time after your relationship with us has ended.
In the absence of specific legal, regulatory or contractual requirements, your personal information is kept in line with our data retention policy of ten years after your investment has ended.
Under data protection law you have a number of rights (set out below). Please note that these rights are not without limitation, and in some instances may not be available. Where applicable, you have the right to:-
• Access your personal information.
• Correct or update your personal information.
• Move, copy or transfer your personal information digitally.
• Object to the processing of your personal information for a legitimate reason.
• Withdraw approval for direct marketing.
• Restrict the use of your personal information.
• Obtain information about how we process your personal information.
• Request the deletion of your personal information.
Right to complain
If you have any questions please contact NAM-UK using the contact details provided. You have the right to complain to the UK Information Commissioner’s Office.
Information Commissioner’s Office
Telephone: 0303 123 1113
Fax: 01625 524510
Use of data for a new purpose
If we would like to use your personal information for purposes other than those that you have agreed to, we will contact you and seek you permission.
Changes to this notice
We reserve the right to update this privacy notice at any time, and we will notify you when we make any substantial updates.
This privacy notice was last updated on 9th March 2020.
You can contact NAM-UK if you have any questions about this privacy notice or information we hold about you.
Write to us at :
Data Protection Officer
Nomura Asset Management U.K. Ltd.
1 Angel Lane
London, EC4R 3AB, UK
In Dubai, you can refer your concerns directly to the DIFC Commissioner for Data Protection, the body that regulates the handling of personal data in the Dubai International Financial Centre (DIFC). The DIFC Commissioner for Data Protection can be contacted using the following details:
Phone: +971 4 362 2222
Mail: DIFC Commissioner of Data Protection, The Gate, Level 14, PO Box 74777 DIFC, Dubai, UAE