Privacy Statement

Introduction

This Privacy Statement relates to Orion Insurance Management Limited (“Orion”).

Orion is incorporated in the Bailiwick of Guernsey and is registered with the Office of the Data Protection Authority as a data controller. The clients / policyholders dealt with by Orion are resident in the Bailiwick of Guernsey and Bailiwick of Jersey. Orion is also a data processor for The Ancient Order of Foresters Friendly Society Court No. 8143 “Pride of Sarnia”, La Fraternelle Mutual Fire Insurance Society and La Fraternelle Holdings Limited.

Orion has to comply with applicable legislation in respect of data protection, being the Data Protection (Bailiwick of Guernsey) Law, 2017, the Data Protection (Jersey) Law, 2018 and any other data protection laws or regulations having effect in the Bailiwick of Guernsey or Bailiwick of Jersey.

Additionally, Orion has contractual confidentiality obligations which are owed to clients, prospective clients, Service Providers and potentially others. 

In the ordinary course of business, Orion comes into possession of personal and / or confidential information (“Data”) in respect of individuals (“Individuals”), such as:

  • Clients/policyholders (who may also be categorised as members) & prospective clients/policyholders (who may also be categorised as prospective members)
  • Complainants, correspondents and enquirers
  • Relatives, Guardians and Associates of the Data Subject
  • Shareholders of Orion and their officers
  • Advisers, consultants and professional experts and their directors, officers, employees, agents and representatives
  • Suppliers and their directors, officers, employees, agents and representatives
  • Directors and employees (including temporary and casual workers) of Orion

Orion will process personal data for the following purposes:

  • Accounting, bookkeeping and related services
  • Advertising, marketing and public relations
  • Customer and client administration
  • Insurance administration
  • Membership administration
  • Personnel, Employee and Payroll Administration

For the purposes of this privacy statement, Data may include personal information, contracts and related documents between Orion and other parties (whether or not Individuals) including the service providers to Orion (“Service Providers”), and includes any information that relates to an identified or identifiable living Individual from which that Individual can be identified (whether from that information alone, or in conjunction with other information which Orion has or is likely to obtain) (“Personal Data”).

Personal data is defined in the relevant legislation; the data classes that Orion may process include:

  • Personal details
  • Family, lifestyle and social circumstances
  • Employment details
  • Education & training details
  • Financial details
  • Goods or services provided

Orion may also process special categories of data or sensitive data, including:

  • Physical or mental health or condition
  • Trade union membership
  • Offences (including alleged offences)

In obtaining and using Personal Data in connection with shareholders or prospective investors, Service Providers and others (as may be applicable), Orion will act as a data controller or a data processor as appropriate.

The Data may be held electronically, processed via automated processes, or held in general files, and where processed on Orion’s behalf by Service Providers, will be subject to written contracts governing that processing and setting out the security and confidentiality measures which the Service Providers have committed to implement. 

This document sets out Orion’s policies and guidelines with regard to the obtaining, storing, processing, use, disclosure, transfer and safeguarding of Data as data controller.

For the avoidance of doubt and notwithstanding anything to the contrary in this privacy statement, nothing in this privacy statement shall prevent Orion from complying with any legal or regulatory obligation to disclose data in accordance with applicable law or regulation.

Obtaining and Using Personal and Confidential Data

Personal Data may only be processed if the data subject has given his / her consent; if the processing is necessary for the performance of a contract to which the data subject is party, or for the taking of other pre-contractual measures at his / her request; where processing is otherwise necessary for compliance with legal obligations or to protect the vital interests of the data subject; or where it is otherwise necessary for legitimate interests or on public interest grounds.

As a Data Controller, Orion is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles:

  • Data must be processed fairly, lawfully and in a transparent manner
  • Data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner which is incompatible with those purposes
  • Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected
  • Data must be accurate and, where necessary, kept up to date, and reasonable steps must be taken to ensure that Personal Data that is inaccurate is erased or corrected without delay

In addition, Orion imposes confidentiality obligations on its Service Providers and is subject to confidentiality obligations regarding shareholders (and prospective investors) and Service Providers.

Accordingly:

  • Only Data which is strictly necessary for the purpose of a share subscription and / or the contract between Orion and a shareholder or prospective investor or a Service Provider should be requested or obtained from the relevant party
  • Orion, through the application forms, privacy statement(s) and prospectus, makes shareholders, prospective investors, Service Providers and relevant Individuals aware of:
    • the identity of Orion;
    • the purposes for which the Data relating to that relevant Individual will be stored and used;
    • the legal basis for that processing, and
      • where that legal basis is a legitimate interest of Orion or a third party, a description of those legitimate interests and the right to object to the processing; and
      • where the legal basis is consent, the right to withdraw consent;
    • the recipients or categories of recipients (if any) of the Data;
    • where applicable, details of international data transfers;
    • details of storage and retention periods;
    • details of any automated decision-making, including any profiling;
    • the right of Individuals to get access to their Personal Data, to rectify any such Personal Data, and their other rights under applicable data protection laws;
    • the right to lodge a complaint with the appropriate body:
      • Bailiwick of Guernsey Residents:
        Office of the Data Protection Authority,
        Block A, Lefebvre Court,
        Lefebvre Street,
        St Peter Port,
        Guernsey,
        GY1 2JP.
        Email: info@odpa.gg
        Phone: +44 1481 742074.
      • Bailiwick of Jersey Residents:
        Jersey Office of the Information Commissioner,
        2nd Floor, 5 Castle Street,
        St Helier,
        Jersey,
        JE2 3BT.
        Email: enquiries@jerseyoic.org
        Phone: +44 1534 716530.
  • Orion will not use Data other than for the purposes which have been brought to the attention of the relevant Individual and, if consent is required, to which the relevant Individual has consented. 
  • Where Service Providers process Data for Orion pursuant to contracts between Orion and the Service Providers, the Service Providers act as data processors of Orion.  Orion will ensure that:
    • appropriate due diligence is undertaken on such Service Providers to confirm that the Service Providers provide sufficient guarantees to implement appropriate technical and organisational security measures so as to meet the requirements of applicable law and to ensure the protection of the rights of the Individuals with regard to their Personal Data; and
    • any contracts with such Service Providers impose obligations on the Service Providers which are required under applicable law and which assist Orion in complying with its own obligations under applicable law.
  • Where Service Providers are dealing with existing shareholders, the Service Providers have confirmed that they have procedures in place to verify on behalf of Orion that all existing Data held relating to those existing shareholders is accurate and up to date.

Where Orion is acting as Data Processor, it will only process data in accordance with its contract with the relevant data controller.

Recipients of Data held by Orion may include:

  • Employees and agents of Orion
  • Other Companies in the same group as Orion
  • Another organisation acting on behalf of Orion (a data processor)
  • Debt collection, tracing & private investigation agencies
  • Ombudsman & Regulatory Authorities
  • Government Departments
  • Police Forces
  • Healthcare, social & Welfare Advisers or Practitioners
  • The individual or customer themselves
  • Relatives, Guardians or other Persons associated with the Customer or Individual
  • Business Associates & Other Professional Advisers
  • Current, past or prospective employers of the individual
  • Financial Organisations & Advisers
  • Suppliers, Providers of Goods or Services
  • Trade, Employer Associations & Professional Bodies

Storage and Security of Data

Each of Orion and the Service Providers is obliged to implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access.  This applies particularly where such Personal Data will be transmitted over a network.  Similar security measures should also apply to the other Data.

Generally, Orion shall, and where it appoints Service Providers shall ensure that those Service Providers shall:

  • considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Individuals, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which shall include, as appropriate:
    • pseudonymisation and encryption;
    • the ability to ensure ongoing confidentiality, integrity, availability and resilience;
    • the ability to restore availability and access in a timely manner in the event of a technical incident;
    • a process for regular testing, assessing and evaluating the effectiveness of those measures;
  • take all reasonable steps to ensure that employees and other agents are aware of and comply with the security measures which have been implemented, including training of their respective relevant employees and agents;
  • ensure that technical security controls are implemented to limit access to the Data on a “need to know” basis; 
  • ensure that all hard copies of Data are securely stored and are only accessed on a “need to know” basis.

Retention Periods

Orion is obliged to retain certain information to ensure accuracy, to help maintain quality of service and for legal, regulatory, fraud prevention and legitimate business purposes. 

It is obliged by law to retain customer-related identification and transaction records for five years from the end of the relevant investor relationship or the date of the transaction respectively.  Other information, including personal data of the directors and business contact information, will be retained for no longer than is necessary for the purpose for which it was obtained by Orion or as required or permitted for legal, regulatory, fraud prevention and legitimate business purposes.  In general, Orion (or its service providers on its behalf) will hold this information for a period of seven years from the termination of the relevant business relationship, unless it is obliged to hold it for a longer period under law or applicable regulations.  Certain director information may be held indefinitely where it forms part of the statutory books and records of Orion. 

Orion (or its service providers on its behalf) will also retain records of telephone calls and any electronic communications for a period of five years from the date of such call or communication.

Breach Notifications

In accordance with applicable data protection laws, Orion will be obliged to notify the relevant authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data (each a “personal data breach”) within 72 hours of becoming aware of same, unless the personal data breach is unlikely to result in risks to Individuals.  Furthermore, Orion will need to notify any impacted Individuals without undue delay where a personal data breach is likely to result in a high risk to those Individuals.

In the event of a personal data breach:

  • Orion shall consider the likely risks arising from the Personal Data breach, taking into account the nature and scope of the personal data in question, the extent of the breach, the period of the breach, and any security measures which may militate against risk, such as encryption.  In doing so, the potential consequences for the affected Individuals will be considered;
  • any personal data breach, other than one unlikely to result in a risk to Individuals, will be reported to the relevant authority within 72 hours of Orion becoming aware of it.  Where a report is made, Orion will provide such information and detail as is required under applicable data protection laws or as the authority may request, which shall include:
    • a description of the nature of the personal data breach, including where possible, the categories and approximate numbers of impacted Individuals, and the categories and approximate number of personal data records concerned;
    • a description of the likely impact of the personal data breach;
    • a description of measures to mitigate possible adverse effects;
  • reporting to the relevant authority may be conducted in phases where the full extent of the personal data breach is not known within 72 hours of Orion becoming aware of same.  Any such phased reporting will be conducted in consultation with the relevant authority.
  • any incidents which are likely to result in high risk to Individuals will be notified to the impacted Individuals without undue delay unless this would involve disproportionate effort.  In this latter case, a public communication or similar equally effective notification measure shall be implemented by Orion;
  • Where, having considered the matter, Orion comes to a determination that no notification need or will be made to the relevant authority and / or the affected data subjects, Orion shall in any event keep a summary record of each incident which has given rise to the risk of unauthorised disclosure, loss or alteration of personal data, which will include an explanation as to why Orion did not consider it necessary to inform the authority.
  • Records of security incidents will be made available to a relevant authority on request.

Orion shall ensure that the Service Providers notify Orion without delay of any security incident and provide all reasonable assistance to Orion to enable it to comply with its obligations under data protection law.

Privacy Impact Assessments

Orion may be required to undertake privacy impact assessments in relation to the processing of Personal Data in certain circumstances and will undertake an impact assessment where the processing in question, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to Individuals. 

Without limitation, the following may be indicative of high risk processing:

  • a significant change to the processing operations relating to the Personal Data, including where implemented by one of the Service Providers;
  • processing involving evaluation, scoring, monitoring or profiling of Individuals;
  • combining of two or more data sets arising from separate processing operations conducted for different purposes;
  • innovative use of technologies or of organisational measures to protect Personal Data;
  • data transfers across borders outside the European Economic Area (the “EEA”) or equivalent jurisdictions (including Guernsey).

Any privacy impact assessment shall include:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including where applicable the legitimate purposes pursued by Orion;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to Individuals; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure protection of personal data and to demonstrate compliance with applicable data protection laws taking into account the rights and legitimate interests of Individuals.

Orion shall consult with the relevant authority where necessary in accordance with applicable data protection laws, and where appropriate shall seek the views of Individuals or their representatives.

Orion shall ensure that the Service Providers notify Orion without delay of any new processing or change in processing arrangements (including implementation of any new technology) to facilitate Orion in determining whether the processing is likely to result in high risk to Individuals and shall provide all reasonable assistance to Orion to enable it to comply with its obligations under applicable data protection laws with regard to undertaking a privacy impact assessment.

Transfers of Data from the EU or equivalent jurisdictions

The transfer and distribution of Personal Data, whether to a Service Provider or a third party, is restricted, and is only permitted in limited circumstances.  Particular restrictions and limitations apply to the transfer of Personal Data to countries outside of the EEA or those that do not have equivalent levels of data protection.

No transfer of data outside of the EEA or equivalent countries will be permitted unless the board of Orion has approved both the transfer and the measures implemented at the recipient company.

Subject Access Requests

Where an Individual makes a subject access request in writing, there is an obligation on the data controller to provide certain information to the data subject.

Accordingly, on receipt of any data subject access request, Orion shall within one month:

  • inform the Individual as to whether the data processed by or on behalf of Orion includes Personal Data relating to the Individual, and where it does, provide a description of:
    • the categories of the Personal Data;
    • the Personal Data constituting the data;
    • the purposes for which they are being or are to be processed;
    • the recipients or categories of recipients to whom they are or may be disclosed;
    • information as to source, where not obtained directly from the Individual;
    • where possible, the envisaged storage period, or alternatively the criteria used to determine that period;
    • the right to lodge a complaint with the Office of the Data Protection Authority (the “ODPA”, in respect of residents of the Bailiwick of Guernsey) or the Jersey Office of the Information Commissioner (the “JOIC”, in respect of residents of the Bailiwick of Jersey);
    • details of any automated decision making or profiling;
    • the appropriate safeguards with regard to international data transfers.
  • provide the Individual with a copy of the Personal Data of the Individual;
  • provide the relevant information to the Individual free of charge, in an easily visible, intelligible and clearly legible manner within one month of a proper request from the data subject, unless an exception applies under applicable data protection laws.

If Orion does not intend to take action at the request of the data subject, Orion shall inform the Individual without delay of the reasons for not taking action, as well as the right of the Individual to complain to the ODPA or JOIC.

Orion shall ensure that the Service Providers notify Orion without delay of any data subject access request and provide all reasonable assistance to Orion to enable it to comply with its obligations under applicable data protection laws in relation to any data subject access requests.

Other Data Subject Rights

Individuals have the following rights, in certain circumstances:

  • the right to rectify Personal Data
  • the right to restrict processing
  • the right to object to processing
  • the right to be forgotten
  • the right to data portability.

Orion shall comply with applicable data protection laws in honouring Individual rights as set out above.  However, if Orion does not intend to take action at the request of the data subject, Orion shall inform the Individual without delay of the reasons for not taking action, as well as the right of the Individual to complain to the ODPA or JOIC.

Orion shall ensure that the Service Providers notify Orion without delay of any data subject requests to enforce the above rights and provide all reasonable assistance to Orion to enable it to comply with its obligations under applicable data protection laws in relation to any such data subject requests.

Contacting Orion

Orion can be contacted at its registered office:   

Esplanade House,
29 Glategny Esplanade
St Peter Port,
Guernsey
GY1 1WR

Orion has nominated David Le Poidevin as the individual responsible for data protection, who can be contacted at David@orion-insurance.co.uk or on +44 1481 728864.

Updates to this Privacy Statement

Any changes Orion makes to its data protection and Privacy Statement in the future will be posted on its website. Please check back frequently to see any updates or changes.