The Senior Managers and Certification Regime (SM&CR) will apply to solo-regulated firms from 9 December 2019. In order to implement SM&CR and comply with it on an ongoing basis, such firms will have to process a significant amount of personal data about their staff.
We recommend SM&CR project leads and data protection officers ensure that data protection issues are addressed in your SM&CR project plan, including conducting a data privacy impact assessment and a review of fair processing notices as well as updating record retention policies and procedures.
SM&CR-related data processing
Many of the steps in a typical SM&CR project plan require firms to process personal data about their staff. This plan is likely to involve:
- Identifying in-scope functions.
- Documenting responsibilities.
- Notifying conduct rule breaches.
- Conducting fitness and propriety assessments.
To comply with the General Data Protection Regulation ((EU) 2016/679) (GDPR), firms must:
- Have a lawful basis for the processing.
- Inform staff about the processing (the “transparency” principle).
- Ensure that they can demonstrate compliance with the GDPR (the “accountability” principle).
For most SM&CR-related steps, this will be straightforward. Most processing will be of ordinary personal data and can be justified on the basis of the firm’s “compliance with a legal obligation” (since the regulatory requirements of SM&CR have a statutory underpin).
The SM&CR step that requires more thought from a GDPR perspective is the requirement on firms to assess the fitness and propriety of Senior Managers, Non-Senior Manager NEDs and Certification Employees on recruitment and at least annually.
The key issues are:
- Firstly justifying the processing of criminal offence and health data for fitness and propriety purposes.
- Secondly the impact on record retention policies, in particular as a result of the regulatory reference regime.
This blog focuses on the first of these issues.
Justifying processing special category data
In order to process criminal offence data and health data, one of the GDPR Article 6 processing conditions must apply. The most relevant for these purposes are:
- That the processing is necessary to comply with a legal obligation to which the controller is subject (“legal obligation condition”).
- That it is necessary for the purposes of the legitimate interests pursued by the controller or a third party (“legitimate interests condition”).
In addition, the processing must also satisfy one of the conditions from Schedule 1 to the Data Protection Act 2018 (DPA). The most relevant of these are:
- That the processing is necessary for the purposes of rights or obligations imposed or conferred by law on the data controller or the employee in connection with employment (the “employment condition”).
- That it is necessary for the purpose of complying with, or assisting other persons to comply with, a regulatory requirement which involves taking steps to establish whether another person has committed an unlawful act or been involved in dishonesty or other improper conduct (the “regulatory requirement condition”).
Firms will be able to rely on the legal obligation condition under Article 6 of the GDPR and either the regulatory requirements condition or the employment condition under Schedule 1 to the DPA to conduct criminal records checks on Senior Managers and Non-Senior Manager NEDs, as the FCA requires SM&CR firms to conduct criminal records checks on candidates for those roles. While the FCA does not require firms to undertake such checks on candidates for Certification Functions, it does require firms to be satisfied that their Certification Employees are fit and proper. Therefore, if the firm reasonably concludes that it needs to conduct such checks to ensure that candidates for Certification Functions are fit and proper, it ought to be able to rely on the same processing conditions.
For candidates in other roles, the position is more nuanced. It might be a stretch to argue that the firm needs to conduct criminal records checks on more junior staff to meet its general regulatory requirement to ensure it has an appropriate culture. The safer option therefore would be to rely on the legitimate interests condition under Article 6 of the GDPR and the employment condition under Schedule 1 to the DPA.
Impact assessments and fair processing notices
Notwithstanding the above, given the intrusive nature of a standard or basic criminal record check, it is a good idea to undertake a data privacy impact assessment (DPIA) in relation to this processing. This would help the firm comply with the accountability principle and demonstrate how it ensured the processing is proportionate and that appropriate steps have been taken to mitigate the effects of the processing (for example, regarding how the data is stored and who it is shared with).
However, carrying out a DPIA on its own is not enough. Staff must also be notified about the processing of their personal data in order to comply with the transparency principle. Firms (and group service companies, where applicable) should therefore review their employee and candidate fair processing notices (FPNs) to ensure that all the processing proposed to be undertaken for SM&CR purposes is captured. The FPNs will need to explain what personal data is being processed, who will be doing that processing, who the data will be shared with and for how long it will be stored.
The initialism inspired takeaway from this? SM&CR + GDPR = DPIA + FPN!
The SM&CR introduces new record keeping requirements, so firms should update their record retention policy. An up-to-date record retention policy is important as it helps demonstrate compliance with the transparency principle and the storage limitation principle (that is, the requirement that information is not processed for longer than necessary). In particular, firms will have to decide whether to retain all of the underlying materials which led to a relevant disciplinary or fitness and proprietary decision being made (or just to retain the decision record itself).
About DAC Beachcroft
DAC Beachcroft has a specialist SMCR team, comprising employment, regulatory, governance and data protection experts. If you would like to discuss any aspect of SMCR or GDPR please contact your usual DACB contact or David Sims (firstname.lastname@example.org) who leads our SMCR practice.