Main Portfolio Policies

1. Introduction

Main Portfolio LTD (“we,” “our,” “us”) is committed to protecting and respecting your privacy. This Privacy and Cookies Policy explains how we collect, use, disclose, and protect your personal data when you visit our website at https://mainportfolio.co.uk/ (“Website”). It also explains how we use cookies and similar technologies on our Website. Please read this policy carefully to understand our views and practices regarding your personal data and how we will treat it.

By using our Website, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect different types of information in order to provide and improve our services to you. The types of information we collect include:

2.1 Personal Data

Personal data refers to information that identifies you as an individual, such as:

  • Name
  • Contact details (email address, phone number, address)
  • Payment information (if applicable)
  • Account login credentials (username, password)
  • Your interactions with our Website (e.g., IP address, browser type, and device information)

2.2 Non-Personal Data

Non-personal data refers to information that does not identify you directly, such as:

  • Browser type and version
  • Device type and operating system
  • Pages you visited on our Website
  • Time and date of your visit
  • Referring website

3. How We Collect Information

We collect personal data in the following ways:

  • Directly from you: When you fill out forms on our Website (such as when registering for an account, making a purchase, or contacting us), we collect the information you provide.
  • Automatically: We automatically collect certain information when you visit our Website through the use of cookies and similar technologies (as explained in the Cookies section below).
  • Third parties: We may receive personal data from third parties such as social media platforms, advertising networks, or business partners if you interact with us via those channels.

4. How We Use Your Information

We use your personal data for the following purposes:

  • To provide, maintain, and improve our Website and services.
  • To process your transactions and deliver products and services you request.
  • To communicate with you, including sending you important updates, newsletters, or marketing communications (with your consent, where required).
  • To personalise your experience on our Website.
  • To comply with legal obligations and resolve disputes.
  • To protect our rights, property, and safety, and that of others.

5. Legal Basis for Processing Your Personal Data

We process your personal data based on the following legal grounds:

  • Consent: When you provide your personal data voluntarily (e.g., when you subscribe to newsletters or make a purchase).
  • Contractual necessity: To perform a contract with you or take steps prior to entering into a contract (e.g., processing your orders or providing customer support).
  • Legitimate interests: For our legitimate business interests, such as improving our Website or marketing our products/services, provided this does not override your rights and freedoms.
  • Legal obligations: When necessary to comply with a legal obligation.

6. Sharing Your Information

We may share your personal data with third parties in the following circumstances:

  • Service providers: We may share your personal data with third-party service providers who assist with operations such as payment processing, hosting, marketing, and analytics.
  • Legal requirements: We may disclose your personal data when required by law or to protect our rights, property, and safety.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner.

We ensure that any third parties we share your personal data with are compliant with applicable data protection laws and regulations.

7. Security of Your Data

We are committed to ensuring that your personal data is secure. We use appropriate technical and organisational measures to protect your data from unauthorised access, alteration, disclosure, or destruction. However, no method of transmission over the internet is entirely secure, and we cannot guarantee the security of your data.

8. Your Rights

Under the UK Data Protection Act 2018 and GDPR, you have certain rights regarding your personal data, including:

  • Right to access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request that we correct any inaccuracies in your personal data.
  • Right to erasure: You can request that we delete your personal data, subject to certain exceptions.
  • Right to restriction: You can request that we restrict the processing of your personal data under certain circumstances.
  • Right to object: You can object to our processing of your personal data for direct marketing purposes or on the basis of legitimate interests.
  • Right to data portability: You can request a copy of your personal data in a machine-readable format to transfer to another provider.

To exercise any of these rights, please contact us using the details in the Contact Us section.

9. Cookies and Tracking Technologies

9.1 What are Cookies?

Cookies are small text files placed on your device when you visit our Website. They help us improve the Website’s functionality, enhance your experience, and gather information for analysis.

9.2 Types of Cookies We Use

  • Strictly Necessary Cookies: These are essential for the functioning of the Website (e.g., for login and security purposes).
  • Performance Cookies: These cookies collect data about how visitors use the Website, such as the pages viewed and time spent on the site, to improve the Website’s performance.
  • Functionality Cookies: These cookies remember your preferences and settings (e.g., language preferences) to improve your experience.
  • Targeting/Advertising Cookies: These cookies track your browsing habits and allow us to deliver tailored advertising based on your interests.

9.3 How to Manage Cookies

Most web browsers automatically accept cookies, but you can modify your browser settings to reject cookies or alert you when cookies are being sent. However, please note that disabling cookies may affect your ability to use some features of our Website.

10. International Transfers of Personal Data

If you are located outside the UK, your personal data may be transferred to, and processed in, countries outside of the UK. If we transfer your personal data to a country that does not have adequate data protection laws, we will ensure that appropriate safeguards are in place to protect your information, such as using standard contractual clauses.

11. Changes to This Policy

We may update this Privacy and Cookies Policy from time to time. Any changes will be posted on this page, and the “Effective Date” will be updated accordingly. We encourage you to review this policy regularly to stay informed about how we are protecting your personal data.

12. Contact Us

If you have any questions or concerns about this Privacy and Cookies Policy or our data practices, please contact us at info@mainportfolio.co.uk.

Last Updated: January 2025

Website Terms and Conditions

1. Introduction

These terms and conditions (“Terms”) govern the use of the website https://mainportfolio.co.uk/ (“Website”) operated by Main Portfolio LTD, a company registered in England and Wales under company number 14832483 with its registered office at K2 Tower 60 Bond Street, Silvester St Entrance, Hull, England, HU1 3EN (“we,” “our,” or “us”). By accessing or using the Website, you agree to be bound by these Terms, as well as any other applicable laws and regulations. If you do not agree to these Terms, please do not use the Website.

2. Definitions

  • “User” refers to any individual, whether a registered user or a guest, accessing or using the Website.
  • “Services” refers to the products, services, and features provided through the Website.
  • “Content” refers to all text, graphics, images, videos, logos, and other materials published on the Website.

3. Acceptance of Terms

By using this Website, you confirm that you have read, understood, and agree to be bound by these Terms. We may update these Terms from time to time, and such updates will be posted on the Website. You are advised to review these Terms regularly. Any changes to these Terms will take effect when posted, unless stated otherwise.

4. Use of the Website

  • You agree to use the Website for lawful purposes only and in a manner that does not infringe on the rights of, restrict or inhibit the use of this Website by any third party.
  • You must not:
    • Engage in any unlawful or fraudulent activity via the Website.
    • Use the Website to transmit harmful content, including viruses or malware.
    • Attempt to gain unauthorised access to any part of the Website, server, or database connected to the Website.
    • Reproduce, duplicate, copy, sell, or resell any part of the Website without our express written permission.

5. Account Registration

  • If any part of the Website requires registration, you agree to provide accurate, current, and complete information. You are responsible for maintaining the confidentiality of your account information and for all activities that occur under your account.
  • You must notify us immediately of any unauthorised use of your account.

6. User-Generated Content

  • You may be able to submit or upload content (such as reviews, comments, or feedback) to the Website. By submitting content, you grant us a non-exclusive, royalty-free, transferable license to use, reproduce, distribute, and display that content in connection with the Website and our business operations.
  • You must ensure that any content you submit does not infringe on the intellectual property rights of third parties or violate any laws.
  • We reserve the right to remove or modify any content that we consider inappropriate, offensive, or in violation of these Terms.

7. Intellectual Property Rights

  • All Content on the Website, including text, graphics, images, logos, trademarks, and software, is the property of Main Portfolio LTD or its licensors and is protected by copyright, trademark, and other intellectual property laws.
  • You may not use any part of the Website’s Content for commercial purposes without our express written consent.
  • We grant you a limited, non-exclusive, non-transferable license to access and use the Website for personal, non-commercial use, subject to these Terms.

8. Privacy and Data Protection

  • Your use of the Website is also governed by our Privacy Policy, which outlines how we collect, use, and protect your personal information.
  • By using the Website, you consent to the collection and use of your data as described in our Privacy Policy.

9. Products and Services

  • The Website may offer products or services for sale. All products and services are subject to availability, and we reserve the right to withdraw or modify any product or service at any time without notice.
  • Prices for products or services are listed on the Website and may be subject to change without notice.
  • All purchases made via the Website are governed by our Terms of Sale (if applicable), which provide details on payment, delivery, and returns.

10. Limitation of Liability

  • The Website is provided “as is” and we do not make any representations or warranties regarding its availability, functionality, or accuracy.
  • To the extent permitted by law, we exclude all liability for any loss or damage arising from the use of the Website or reliance on its Content, including but not limited to indirect, consequential, special, or punitive damages.
  • Nothing in these Terms excludes or limits our liability for death or personal injury caused by our negligence or for fraud.

11. Indemnity

You agree to indemnify and hold harmless Main Portfolio LTD, its employees, directors, agents, and affiliates from any claim, liability, damage, loss, or expense arising from your use of the Website, your violation of these Terms, or your violation of any third-party rights.

12. Third-Party Websites

  • The Website may contain links to third-party websites or resources. We do not control or endorse these websites and are not responsible for the content, privacy practices, or terms of use of any linked websites.
  • Access to third-party websites is at your own risk, and we encourage you to review the terms and privacy policies of any third-party sites you visit.

13. Termination

  • We may suspend or terminate your access to the Website at any time, without notice, if we believe that you have violated these Terms or engaged in illegal or harmful activity.
  • Upon termination, all provisions of these Terms which by their nature should survive termination will remain in effect, including intellectual property rights, indemnity, and limitations of liability.

14. Governing Law and Dispute Resolution

  • These Terms are governed by and construed in accordance with the laws of England and Wales.
  • Any dispute or claim arising from or related to these Terms will be subject to the exclusive jurisdiction of the courts of England and Wales.

15. Force Majeure

We will not be liable for any failure or delay in performance of our obligations under these Terms if such failure or delay is caused by events beyond our reasonable control, including but not limited to acts of God, war, natural disasters, or government actions.

16. Entire Agreement

These Terms constitute the entire agreement between you and Main Portfolio LTD regarding the use of the Website and supersede all prior agreements or understandings, whether written or oral, relating to such use.

17. Contact Information

If you have any questions or concerns about these Terms, please contact us at info@mainportfolio.co.uk.

Last Updated: January 2025

1. Introduction

1.1. Background to the UK-General Data Protection Regulation (‘UK-GDPR’)

  • This Policy is based on the UK-GDPR and the ICO’s guidance on the UK-GDPR, and also complies with the Data Protection Act 2018, which sets out the law on processing data about identifiable living people; most of it does not apply to domestic use. Anyone holding personal data for other purposes is legally liable to comply with this Act, with a few notable exceptions.
  • This Policy applies to all personal information processed by, or on behalf of our Company.
  • All personal data must be handled and dealt with appropriately however it is collected, recorded and used, and whether it is on paper, in electronic records or recorded in other formats, on other media, or by any other means. It includes information held on computers (including email), paper files, photographs, audio recordings and CCTV images.
  • The purpose of this Policy is to help you understand what personal data our Company collects, why we collect it and what we do with it. It will also help you to identify what your rights are and who you can contact for more information, to exercise your rights or to make a complaint.

1.2. Definitions according to Article 4 of the UK-GDPR

  • Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • Data processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • Consent of the data subject – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • Child – the UK-GDPR defines a child as anyone under the age of 13 years old. The processing of personal data of a child shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
  • Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • Filing system – means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  • Third country – means a country or territory outside the United Kingdom.

2. Data Protection Policy Statement

2.1. Main Portfolio LTD is committed to compliance with all relevant domestic laws in respect of personal data, and to the protection of the “rights and freedoms” of individuals whose information we collect and process in accordance with the UK-GDPR.

2.2. Compliance with the UK-GDPR is described by this Policy and other relevant policies such as the Information Security & Risk Management Policy along with connected processes and procedures.

2.3. The UK-GDPR and this Policy shall apply to all of our Company’s data processing functions, including those performed on customers’, clients’, employees’, suppliers’, and partners’ personal data, and any other personal data the organisation processes from any source.

2.4. Our Company has established objectives for data protection and privacy, which are in the Personal Information Management System (PIMS).

2.5. Main Portfolio LTD shall be responsible for reviewing the register of data processing annually in the light of any changes to the Company activities and to any additional requirements identified by means of Data Protection Impact Assessment (DPIA).

2.6. This Policy applies to all Employees/Staff/Contractors/Clients/Partners and third-party providers of our Company. Any breach of the UK-GDPR will be dealt with as described under our Data Breach Notification Procedure and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

2.7. Partners and any third parties working with or for our Company, and who have or may have access to personal data, will be expected to have read, understood and to comply with this Policy. No third party may access personal data held by our Company without having first entered into a Data Confidentiality Agreement, which imposes on the third-party obligations no less onerous than those to which our Company is committed, and which gives us the right to audit compliance with the agreement.

3. Personal Information Management System & Information Security & Risk Management Policy

3.1. To support compliance with the UK-GDPR, our Board has approved and supported the development, implementation, maintenance and continual improvement of a documented PIMS, which is integrated within the Information Security & Risk Management Policy, for our Company.

3.2. All our Employees/Staff and third-party providers identified in the inventory are expected to comply with this Policy and with the PIMS/ Information Security & Risk Management Policy that implements this Policy. All Employees/Staff will receive appropriate training.

3.3. Scope:

The scope of the PIMS will cover all of the PII (Personally Identifiable Information) that the organisation holds including PII that is shared with external organisations such as suppliers, cloud providers, etc.

3.4. In determining its scope for compliance with the UK-GDPR, we consider:

  • any external and internal issues that are relevant to our purpose and that affect our ability to achieve the intended outcomes of our PIMS/ Information Security & Risk Management Policy;
  • specific needs and expectations of interested parties that are relevant to the implementation of the PIMS/ Information Security & Risk Management Policy;
  • organisational objectives and obligations;
  • the organisation’s acceptable level of risk; and
  • any applicable statutory, regulatory, or contractual obligations.

3.5. The PIMS is documented within the Information Security & Risk Management Policy system, maintained on our Intranet. Our Company’s objectives for compliance with the UK-GDPR are consistent with this Policy, are measurable, take into account UK-GDPR privacy requirements and the results of risk assessments and risk treatments, and are monitored, communicated and updated as appropriate.

4. Responsibilities & Roles under the General Data Protection Regulation

4.1. We are a data controller for staff and marketing data and a data processor for client data under the UK-GDPR.

4.2. All those in managerial or supervisory roles throughout our Organisation are responsible for developing and encouraging good information handling practices within our Company.

4.3. Main Portfolio LTD and our Board of Directors are responsible for the management of personal data within our Company and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes development and implementation of the UK-GDPR as required by this Policy, and security and risk management in relation to compliance with the Policy.

4.4. The Legal Compliance Department has been appointed to take responsibility for our Company’s compliance with this Policy on a day-to-day basis and has direct responsibility for ensuring that our Company complies with the UK-GDPR.

4.5. The Legal Compliance Department shall have specific responsibilities in respect of procedures such as the Subject Access Request Procedure and is the first point of call for Employees/Staff seeking clarification on any aspect of data protection compliance.

4.6. Compliance with data protection legislation is a responsibility of and obligation for all our Employees/Staff who process personal data.

4.7. Our Company’s Training Policy sets out specific UK-GDPR training and awareness requirements in relation to specific roles of our Employees/Staff generally.

4.8. Our Employees/Staff are responsible for ensuring that any personal data about them and supplied by them to our Company is accurate and up-to-date.

5. Data Protection Principles

5.1. All processing of personal data must be conducted in accordance with the data protection principles as set out in Articles 5 and 6 of the UK-GDPR. Our policies and procedures are designed to ensure compliance with the principles.

5.2. Personal data must be processed lawfully, fairly & transparently

  • Lawfully – you must identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing”, for example, consent.
  • Fairly – in order for processing to be fair, the data controller has to make sure that personal data are handled in ways that the data subject would reasonably expect and not used in ways that have unjustified adverse effects on them.
  • Transparently – Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data. We ensure that we tell individuals about our processing in a way that is easily accessible and easy to understand. You must use clear and plain language.

5.3. The specific information that must be provided to the data subject must, as a minimum, include:

  • the identity and the contact details of the controller and, if any, of the controller’s representative;
  • the contact details of the DPO (if a DPO is appointed) or the contact details of the relevant Department appointed by the Organisation to be responsible for establishing GDPR compliance;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the period for which the personal data will be stored;
  • the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights, such as whether the lawfulness of previous processing will be affected;
  • the categories of personal data concerned;
  • any further information necessary to guarantee fair processing.

5.4. Personal data can only be collected for specific, explicit and legitimate purposes

  • Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • The Privacy Procedure sets out the relevant procedures.

5.5. Personal data must be adequate, relevant and limited to what is necessary for processing

  • The Legal Compliance Department is responsible for ensuring that we do not collect information that is not strictly necessary for the purpose for which it is obtained.
  • All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a fair processing statement or a link to the privacy statement, and must be approved by the Legal Compliance Department.
  • The Legal Compliance Department will ensure that, on an annual basis all data collection methods are reviewed by internal audit to ensure that collected data continues to be adequate, relevant and not excessive.

5.6. Personal data must be accurate and kept up to date with every effort to erase or rectify without delay

  • Data that is stored by the data controller must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate. The Legal Compliance Department is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.
  • Employees/Staff/clients/contractors and third-party providers should be required to notify the Company of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the Company to ensure that any notification regarding change of circumstances is recorded and acted upon.
  • The Legal Compliance Department is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
  • On at least an annual basis, the Legal Compliance Department will review the retention dates of all the personal data processed by our Company, by reference to the data inventory, and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed.
  • The Legal Compliance Department is responsible for responding to requests for rectification from data subjects within one month. This can be extended to a further two months for complex requests. If our Company decides not to comply with the request, the Legal Compliance Department must respond to the data subject to explain its reasoning and inform them of their right to complain to the supervisory authority and seek judicial remedy.

5.7. Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.

  • Where personal data is retained beyond the processing date, it will be minimised/ encrypted/ pseudonymised in order to protect the identity of the data subject in the event of a data breach. Personal data will be retained in line with the Information Security & Risk Management Policy and, once its retention date is passed, it must be securely destroyed as set out in this procedure.
  • The Legal Compliance Department must specifically approve any data retention that exceeds the retention periods defined in the Information Security & Risk Management Policy and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.

5.8. Personal data must be processed in a manner that ensures the appropriate security

  • The Legal Compliance Department will carry out a Data Protection Impact Assessment (DPIA) taking into account all the circumstances of our Company’s controlling or processing operations.
  • In determining appropriateness, the Legal Compliance Department should also consider the extent of possible damage or loss that might be caused to individuals (e.g., staff or customers) if a security breach occurs, the effect of any security breach on the Company itself, and any likely reputational damage including the possible loss of customer trust.

5.9. When assessing appropriate technical measures, the Legal Compliance Department shall consider the following:

  • Password protection;
  • Automatic locking of idle terminals;
  • Removal of access rights for USB and other memory media;
  • Virus checking software and firewalls;
  • Role-based access rights including those assigned to temporary staff;
  • Encryption of devices that leave the organisation’s premises, such as laptops;
  • Security of local and wide area networks;
  • Privacy enhancing technologies such as pseudonymisation and anonymisation;
  • Identifying appropriate international security standards relevant to the Company’s procedures.

5.10. When assessing appropriate organisational measures, the Legal Compliance Department shall consider the following:

  • The appropriate training levels throughout our Company;
  • Measures that consider the reliability of employees (such as references etc.);
  • The inclusion of a data protection clause in employment contracts;
  • Identification of disciplinary action measures for data breaches;
  • Monitoring of staff for compliance with relevant security standards;
  • Physical access controls to electronic and paper-based records;
  • Adoption of a Clear Desk Policy;
  • Storing of paper-based data in lockable fire-proof cabinets;
  • Restricting the use of portable electronic devices outside of the workplace;
  • Restricting employees’ use of their own personal devices in the workplace;
  • Adopting clear rules about passwords;
  • Making regular backups of personal data and storing the media off-site.

5.11. These controls have been selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed. Our Company’s compliance with this principle is contained in its PIMS, which has been developed in line with the Information Security & Risk Management Policy.

5.12. The controller must be able to demonstrate compliance with the UK-GDPR’s other principles (accountability)

  • The UK-GDPR includes provisions that promote accountability and governance. These complement the UK-GDPR’s transparency requirements. The accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
  • Our Company will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, as well as adopting techniques such as data protection by design, DPIAs, breach notification procedures and incident response plans.

6. Personal Data Individuals’ Rights

6.1. Each individual shall have the following rights regarding data processing, and the data that is recorded about them:

  • To make access requests regarding the nature of information held and to whom it has been disclosed.
  • To prevent processing likely to cause damage or distress.
  • To prevent processing for purposes of direct marketing.
  • To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
  • To not have significant decisions that will affect them taken solely by automated process.
  • To sue for compensation if they suffer damage by any contravention of the UK-GDPR.
  • To take action to rectify, block, erase or destroy inaccurate data.
  • To request the supervisory authority to assess whether any provision of the UK-GDPR has been contravened.
  • To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
  • To object to any automated profiling that is occurring without consent.

6.2. Our Company ensures that individuals may exercise these rights by making data access requests as described in the Acceptable Use Agreement, which shall include the Subject Access Request Procedure. This procedure also describes how our Company will ensure that its response to the data access request complies with the requirements of the UK-GDPR.

6.3. Individuals shall also have the right to complain to the Company related to the processing of their personal data, handling of a request from a data subject and appeals from a data subject on how complaints have been handled in line with the Complaints Procedure.

7. Consent

7.1. Our Company understands “consent” to mean a freely and explicitly given, specific, informed and unambiguous indication of the data subject’s wishes by which, by statement or by a clear affirmative action, he or she signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.

7.2. Our Company understands “consent” to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.

7.3. There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication. The Controller must be able to demonstrate that consent was obtained for the processing operation.

7.4. For sensitive data, explicit written consent of individuals must be obtained unless an alternative legitimate basis for processing exists.

7.5. In most instances, consent to process personal and sensitive data is obtained routinely by the Company using standard consent documents e.g., when a new client signs a contract, or during induction for participants on programmes.

7.6. Where our Company provides online services to children, parental or custodial authorisation must be obtained. This requirement applies to children under the age of 13. Our Company does not routinely process data in this category.

8. Security of Data

8.1. All Employees/Staff are responsible for ensuring that any personal data that our Company holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by our Company to receive that information and has entered into a confidentiality agreement.

8.2. All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Company’s Policies.

8.3. Care must be taken to ensure that PC screens and terminals are not visible except to authorised Employees/Staff of the Company. All Employees/Staff are required to enter into an Acceptable Use Agreement before they are given access to organisational information of any sort, which details rules on screen time-outs.

8.4. Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation. As soon as manual records are no longer required for day-to-day client support, they must be moved to secure archiving.

8.5. Personal data may only be deleted or disposed of in line with the Information Retention procedure. Manual records that have reached their retention date are to be shredded and disposed of as “confidential waste”. Hard drives of redundant PCs are to be removed and immediately destroyed.

9. Disclosure of Data

9.1. The Company must ensure that personal data is not disclosed to unauthorised third parties, which include family members, friends, government bodies and, in certain circumstances, the Police. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party.

9.2. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for the conduct of our Company’s business.

10. Retention & Disposal of Data

10.1. The Company shall not keep personal data in a form that permits identification of data subjects for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected.

10.2. The Company may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

10.3. The retention period for each category of personal data will be set out in the Information Retention procedure along with the criteria used to determine this period including any statutory obligations the Company has to retain the data.

10.4. The Company’s information retention and information disposal procedures apply in all cases.

10.5. Personal data must be disposed of securely in accordance with the sixth principle of the UK-GDPR. Any disposal of data will be done in accordance with the secure disposal procedure.

11. Data Transfers

11.1. On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. This means that most data can continue to flow from the EU and the EEA without the need for additional safeguards.

11.2. All exports of data from the UK and the European Economic Area (EEA) to non-European Economic Area countries (referred to in the UK-GDPR as “third countries”) are unlawful unless there is an appropriate “level of protection for the fundamental rights of the data subjects”.

11.3. The broader area of the EEA is granted “adequacy” on the basis that all such countries are signatories to the GDPR. The non-EU EEA member countries (Liechtenstein, Norway and Iceland) apply EU regulations through a Joint Committee Decision.

11.4. Binding Corporate Rules:

The Company may adopt approved binding corporate rules for the transfer of data outside the EU. This requires submission to the relevant supervisory authority for approval of the rules that the Company is seeking to rely upon.

11.5. Model Contract Clauses:

The Company may adopt approved model contract clauses for the transfer of data outside of the UK and the EEA. If the Company adopts the model contract clauses approved by the relevant supervisory authority there is an automatic recognition of adequacy.

11.6. Exceptions:

In the absence of an adequacy decision, Privacy Shield membership, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:

  • the individual has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the individual and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

12. Data Inventory

12.1. The Company has established a Data Inventory and Data Flow process as part of its approach to address risks and opportunities throughout its UK-GDPR compliance project. The Company’s Data Inventory and Data Flow determines:

  • business processes that use personal data;
  • source of personal data;
  • volume of data subjects;
  • description of each item of personal data;
  • processing activity;
  • the inventory of data categories of personal data processed;
  • the purpose(s) for which each category of personal data is used;
  • recipients, and potential recipients, of the personal data;
  • the role of the Company throughout the data flow;
  • key systems and repositories;
  • any data transfers; and
  • all retention and disposal requirements.

12.2. Our Company is aware of any risks associated with the processing of particular types of personal data:

  • The Company assesses the level of risk to individuals associated with the processing of their personal data. Data Protection Impact Assessments (DPIAs) are carried out in relation to the processing of personal data by the Company, and in relation to processing undertaken by other organisations on behalf of the Company.
  • The Company shall manage any risks identified by the risk assessment in order to reduce the likelihood of a non-conformance with this Policy.
  • Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons, our Company shall, prior to the processing, carry out a DPIA of the impact of the envisaged processing operations on the protection of personal data. A single DPIA may address a set of similar processing operations that present similar high risks.
  • Where, as a result of a DPIA, it is clear that the Company is about to commence processing of personal data that could cause damage to the Company and/or distress to the data subjects, the decision as to whether or not the Company may proceed must be escalated for review to the Legal Compliance Department.
  • The Legal Compliance Department shall, if there are significant concerns, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority.
  • Appropriate controls will be selected and applied to reduce the level of risk associated with processing individual data to an acceptable level, by reference to the Company’s documented risk acceptance criteria and the requirements of the UK-GDPR.

Last Updated: January 2025

1. Purpose

1.1. The purpose of this Policy is to detail procedures for the retention and disposal of information and personal data. This Policy refers to both hard and soft copy documents, unless specifically stated otherwise.

2. Scope

2.1. This Policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including photographs, video and audio recordings) and data that is collected and held as hard copy or paper files.

2.2. The need to retain certain information may be mandated by federal or local law, federal regulations and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).

3. Reasons for Data Retention

3.1. The Company retains only that data that is necessary to effectively conduct its program activities, fulfil its mission and comply with applicable laws and regulations. Reasons for data retention include:

  • Providing an ongoing service to the data subject (e.g. sending a newsletter, publication or ongoing program update to an individual, ongoing training or participation in the Company’s programs, processing of employee payroll and other benefits).
  • Compliance with applicable laws and regulations associated with financial and programmatic reporting by the Company to its funding agencies and other donors.
  • Compliance with applicable labour, tax and immigration laws.
  • Other regulatory requirements.
  • Security incident or other investigation.
  • Intellectual property preservation.
  • Litigation.

4. Review

4.1. Each department processing personal data must go through its ‘closed records’ at least every 6 months to determine whether the records should be destroyed, retained for a further period or transferred to an archive for permanent preservation.

5. Retention Period for Paper Records

5.1. Records should only be kept for as long as they are needed to meet the operational needs of the business, and to fulfil legal and regulatory requirements.

  • If one or more of the questions below applies, the length of time for which the records should be kept must be determined; otherwise the records must be destroyed in line with this Policy.

  • Is it necessary as a source of information for operations at Main Portfolio LTD?
  • Is it necessary as evidence of business activities and decisions?
  • Is it necessary because of legal or regulatory retention requirements?

6. Destruction of Records

6.1. No destruction of a record should take place without assurance that:

  • The record is no longer required by any part of the business;
  • No work is outstanding by any part of the business;
  • No litigation or investigation is current or pending which affects the record;
  • There are no current or pending Subject Access Requests which affect the record.

Records should be destroyed in the following ways:

Non-sensitive information

Information/records that are clearly in the ‘public domain’ can be placed in a normal recycling bin.

Confidential information

Must be cross-cut shredded and placed in paper rubbish sacks for collection by an approved disposal firm.

Electronic devices containing information (must be overseen by the Head of IT)

  • Option 1 – ‘Factory’ system restore;
  • Option 2 – destroy all information using specialised software programs.

Main Portfolio LTD may work with approved contractors to recycle redundant IT equipment and must securely sanitise all hard drives. A certificate confirming the complete destruction of records must be provided by the contractors.

Equipment must be kept in a secure location until collected.

Managers of each department must ensure locally stored confidential information is removed as appropriate before a device is reassigned to another person in their team.

7. Audit Trail

7.1. There is no requirement to document the disposal of records which have been listed on the records retention schedule.

7.2. If records are disposed of earlier or kept for longer than listed on the records retention schedule, then they must be recorded for audit purposes.

7.3. This will provide an audit trail for any inspections conducted by the Information Commissioner’s Office and will aid in addressing Subject Access Requests where we no longer hold the material.

Disposal Schedule

(Should you become aware of any records missing from the schedule, please notify the Company so that they may be added at the next opportunity).

Each entry below gives the record description, its retention period and, where applicable, the legislation that sets it.

Payroll

  • Employee pay records – for the period of employment plus six (6) years after the employee leaves the organisation.
  • Salary records – for the period of employment plus six (6) years after the employee leaves the organisation.
  • Copy of payroll sheets – for the period of employment plus six (6) years after the employee leaves the organisation.

Employee Files

  • Paper and hardcopy employee files – for the period of employment plus six (6) years after the employee leaves the organisation (Limitation Act 1980).

Income Tax Records and Wages

  • Income Tax and NI returns, income tax records and correspondence with the Inland Revenue – at least 3 years after the end of the financial year to which they relate (The Income Tax (Employments) Regulations 1993).
  • Wages/salary records (including overtime, bonuses, expenses) – for the period of employment plus six (6) years after the employee leaves the organisation (Taxes Management Act 1970).
  • National minimum wage records – 3 years after the end of the pay reference period following the one that the records cover (National Minimum Wage Act 1998).

Pensions and Retirement

  • Auto-enrolment member and scheme details – for the period of employment plus six (6) years after the employee leaves the organisation (auto-enrolment regulations).

Sickness records

  • Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence – 3 years after the end of the tax year in which the maternity period ends (The Statutory Maternity Pay (General) Regulations 1986).
  • Statutory Sick Pay records, calculations, certificates, self-certificates – 3 years after the end of the tax year to which they relate (The Statutory Sick Pay (General) Regulations 1982).

Employee Files – General Exceptions

  • Records relating to working time – 2 years from the date on which they were made (The Working Time Regulations 1998).
  • Accident books, accident records/reports – 3 years after the date of the last entry (The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995).

WHERE TO GO FOR ADVICE AND QUESTIONS

Questions, comments, complaints and requests regarding this Policy are welcomed and should be addressed to our office address, K2 Tower 60 Bond Street, Silvester St Entrance, Hull, England, HU1 3EN or to our Legal Compliance Department at legal@mainportfolio.co.uk.

In addition, please do not hesitate to contact us if you suspect any privacy or security breaches.

OTHER RELEVANT POLICIES

This Policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our:

  • Data Protection Policy;
  • Data Breach Management Policy;
  • Information Security & Risk Management Policy;
  • IT data related policies, which are available on the Portal; and
  • Code of Professional Ethics.

Last Updated: January 2025

All users need to read, understand, and comply with this Policy

1. Introduction

1.1. The Company collects, holds, processes and shares large amounts of personal data and has an obligation to ensure that it is kept secure and appropriately protected.

1.2. Information is a key Company asset and as such ensuring the continued confidentiality, integrity and availability is essential to support the Company operations. The Company is also required to operate within the law, specifically the expectations set out in the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (UK-GDPR).

1.3. Data security breaches are increasingly common occurrences, whether caused through human or technical error or via malicious intent. As technology trends change and the volume of data and information created grows, there are more emerging ways by which data can be breached. The Company needs to have in place a robust and systematic process for responding to any reported potential data security breach, to ensure it can act responsibly and protect individuals’ data, Company information assets and reputation as far as possible.

1.4. Data security breaches will vary in impact and risk depending on the content and quantity of data involved, the circumstances of the loss and the speed of response to the incident. By managing all perceived data security breaches in a timely manner, it may be possible to contain and recover the data before an actual breach occurs, reducing the risks and impact to both individuals and the Company. Breaches can result in fines for loss of personal information and significant reputational damage, and may require substantial time and resources to rectify. As of May 2018, the GDPR replaced the DPA, with fine limits increasing up to €20 million for a breach. Breach reporting within 72 hours of identifying a breach is mandatory under the GDPR, with fines of up to €10 million for failing to report a breach.

2. Purpose

2.1. The purpose of this procedure is to ensure that:

  • personal data breaches are detected, reported, categorised and monitored consistently;
  • incidents are assessed and responded to appropriately without undue delay;
  • decisive action is taken to reduce the impact of a breach;
  • improvements are implemented and communicated to prevent recurrence or future incidents;
  • certain personal data breaches are reported to the Information Commissioner’s Office (ICO) within 72 hours, where required.

2.2. This document sets out the procedure to be followed to ensure a consistent and effective approach in managing personal data security breaches across the Company.

3. Scope

3.1. This procedure applies to all staff, partner organisations and partner staff, suppliers, contractors, consultants, representatives and agents that work for or process, access, use or manage personal data on behalf of the Company.

3.2. This procedure relates to all personal and special category (‘sensitive’) information handled, stored, processed or shared by the Company whether organised and stored in physical or IT based record systems.

4. Definition

4.1. What is a data security breach?

  • A personal data security breach means “a breach of security leading to the loss, unauthorised destruction, alteration or disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
  • A data security breach is considered to be any loss of, or unauthorised access to, Company data, normally involving Personal or Confidential information including intellectual property.
  • Data security breaches include the loss, modification, or theft of data or equipment on which data is stored, inappropriate access controls allowing unauthorised use, human error (e.g. information sent to the incorrect recipient), hacking attacks and ‘blagging’ where information is obtained by deception.
  • A personal data breach in the context of this procedure is an event or action that has affected the confidentiality, integrity or availability of personal data, either accidentally or deliberately, that results in its security being compromised, and has caused or has the potential to cause damage to the Company and/or the individuals to whom the information relates.

4.2. What is a data security incident?

  • A data security incident is where there is the risk of a breach but a loss or unauthorised access has not actually occurred.
  • It is not always clear if an incident has resulted in a breach; by reporting all perceived data breaches quickly, steps can be taken to investigate, secure the information and prevent the incident becoming an actual breach (e.g. by reporting an email IT can remove the email before it has been read and therefore the data has been contained and not been seen by the incorrect recipient).
  • For the purposes of this policy, data security breaches include both confirmed and suspected incidents and breaches.

4.3. A data breach incident includes, but is not limited to:

  • Devices containing personal data being lost or stolen (e.g. laptop, USB stick, iPad/tablet device or paper record);
  • Access by an unauthorised third party or unlawful disclosure of personal data to a third party;
  • Deliberate or accidental action (or inaction) by a data controller or processor;
  • Sending personal data to an incorrect recipient;
  • Alteration of personal data without permission;
  • Loss of availability of personal data;
  • Data input error / human error;
  • Non-secure disposal of hardware or paperwork containing personal data;
  • Inappropriate access/sharing allowing unauthorised use of, access to or modification of data or information systems;
  • ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it.

5. Reporting an Incident

5.1. The Company adopts a culture in which data protection breaches are reported. Any staff, contractor, partnership organisation, partner staff or individual that processes, accesses, uses or manages personal data on behalf of the Company is responsible for reporting information security incidents and data breaches immediately or within 24 hours of being aware of a breach to their supervisor or to the Legal Compliance Department at legal@mainportfolio.co.uk, who will investigate the potential breach.

5.2. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.

5.3. A Data Breach Report Form (see Appendix 1) should be completed as part of the reporting process and emailed to the reporter’s supervisor or to the Legal Compliance Department at legal@mainportfolio.co.uk. The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, the nature of the information and how many individuals are involved.

6. Containment & Recovery

6.1. The Legal Compliance Department in liaison with the respective supervisor and/or Information Security Officer, will determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.

6.2. An initial assessment will be made to establish the severity of the breach, who will take the lead as designated Investigating Officer to investigate the breach (this will depend on the nature of the breach) and determine the suitable course of action to be taken to ensure a resolution to the incident.

6.3. The Investigating Officer will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.

6.4. The Investigating Officer will establish who may need to be notified as part of the initial containment.

6.5. Advice from experts across the Company such as IT, HR and legal and in some cases contact with external third parties may be sought in resolving the incident promptly.

7. Investigation & Assessing the Risks

7.1. An investigation will be undertaken by the Investigating Officer immediately and wherever possible within 24 hours of the breach being discovered/reported.

7.2. The Investigating Officer will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how likely they are to happen and how serious or substantial they are.

7.3. The level of risk associated with a breach can vary depending on the type of data and its sensitivity.

7.4. The investigation will need to consider the following:

  • What type of data is involved?
  • How sensitive is the data?
  • Where data has been lost or stolen are there any protections in place such as encryption?
  • What has happened to the data? Has it been lost or stolen?
  • Could the data be put to any illegal or inappropriate use?
  • Could it be used for purposes which are harmful to the individuals to whom the data relates?
  • How many individuals’ personal data has been affected by the breach? Who are the individuals whose data has been breached?
  • What harm can come to those individuals?
  • Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?
  • Are there wider consequences to consider?

8. Notification of Breaches

8.1. The Investigating Officer in consultation with the Legal Compliance Department and/or the Information Security Officer, will determine who needs to be notified of the breach.

8.2. Any notification must be agreed by the management.

8.3. Every incident will be assessed on a case-by-case basis.

8.4. Not every incident merits notification, and over-notification may cause disproportionate enquiries and work.

8.5. The following will need to be considered:

  • Are there any legal/contractual notification requirements?
  • Can notification help the individual? Could they take steps to act on the information to protect themselves?
  • Would notification help prevent the unauthorised or unlawful use of personal data?
  • Can notification help the Company meet its obligations under the data protection principles?
  • Is there a large number of people that are affected? Are there serious consequences?
  • Should the ICO be notified of the personal data breach? The ICO must be notified where there is likely to be a risk to people’s rights and freedoms.
  • If so, notification shall be within 72 hours with details of:
    1. a description of the nature of the personal data breach including, where possible:
      • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned.
    2. the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. a description of the likely consequences of the personal data breach;
    4. details of the security measures and procedures in place at the time the breach occurred; and
    5. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

8.6. If a breach is likely to result in a high risk to the rights and freedoms of individuals, notification to the individuals whose personal data has been affected by the incident must be without undue delay describing:

  • the nature of the personal data breach;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects including what action the individual(s) can take to protect themselves.

Factors to consider when deciding whether to notify individuals include:

  • Sensitivity of information;
  • Volume of information;
  • Likelihood of unauthorised use;
  • Impact on individual(s);
  • Feasibility of contacting individuals.

8.7. If the Company decides not to notify the individuals affected, it will still need to notify the ICO unless it can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.

8.8. The Investigating Officer and/or Legal Compliance Department must consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can help reduce the risk of financial loss to individuals. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.

8.9. The Investigating Officer and/or Legal Compliance Department will consider whether the Marketing and Communications Team should be informed, so that it can prepare a press release and be ready to handle any incoming press enquiries.

8.10. All personal data breaches and actions will be recorded by the Legal Compliance Department regardless of whether or not they need to be reported to the ICO.

9. Evaluation & Response

9.1. Data protection breach management is a process of continual review. Once the initial incident is contained, the Investigating Officer will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.

9.2. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.

9.3. The review will consider:

  • Where and how personal data is held/stored;
  • Where the biggest risks lie, identifying any further potential weak points within the existing security measures;
  • Whether methods of transmission are secure;
  • Sharing the minimum amount of data necessary;
  • Staff awareness.

9.4. Regardless of the type and severity of incident, there will always be recommendations to be made even if it is only to reinforce existing procedures.

9.5. All recommendations will be assigned an owner and a timescale by which they should be implemented. This has a dual purpose. The first is to ensure that the Company puts in place whatever measures have been identified and that there is an individual who can report back to the Investigating Officer on progress. The second is that, where incidents are reported to the ICO, the Company can demonstrate that the measures have either been put in place or that there is a documented plan to do so.

9.6. Identifying recommendations is more than just damage control. The knowledge of what has happened together with the impact is a fundamental part of learning and continual improvement which can then be disseminated throughout the Company.

Last Updated: January 2025

1. Purpose

Main Portfolio LTD (“we”, “us”, “our” or the “Company”) is committed to safeguarding its information assets and ensuring compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy integrates our Information Security Management System (ISMS) and Personal Information Management System (PIMS) to protect the confidentiality, integrity, and availability of all information, including personal and sensitive data, processed by the organisation.

2. Scope

This policy applies to all employees, contractors, consultants, and third parties who access or handle Main Portfolio LTD’s information systems, data, or infrastructure. It includes all digital and physical information assets, focusing specifically on personal data processed under PIMS. This high-level Information Security & Risk Management Policy sits alongside the “Data Protection Policy” and provides a high-level outline of, and justification for, the Company’s risk-based information security controls.

3. Objectives

  • Information Security: Ensure the protection of information assets from unauthorised access, disclosure, alteration, or destruction.
  • Privacy Management: Safeguard personal and sensitive data in compliance with data protection laws.
  • Risk Management: Identify, assess, and mitigate risks to minimise operational, financial, and reputational harm.
  • Compliance: Maintain adherence to legal, regulatory, and contractual obligations.

4. Key Principles

4.1 Confidentiality: Restrict access to information based on roles and business needs.

4.2 Integrity: Ensure all data is accurate, complete, and protected from unauthorised modifications.

4.3 Availability: Ensure information and systems are accessible to authorised users when required.

4.4 Accountability: Establish clear roles and responsibilities for information security and data privacy.

5. Roles and Responsibilities

  • Senior Management: Provide leadership, resources, and strategic oversight for ISMS and PIMS implementation.
  • Information Security Officer (ISO): Manage the ISMS, oversee risk assessments, and lead incident responses.
  • Legal Compliance Department: Ensure compliance with PIMS and act as the main point of contact for data protection matters.
  • Employees: Adhere to security protocols and report risks or incidents promptly.
  • Third Parties: Comply with Main Portfolio LTD’s security and privacy standards when handling information.

6. Risk Management

6.1 Risk Assessments: Conduct regular assessments to identify, evaluate, and prioritise risks.

6.2 Mitigation Strategies: Implement controls to address identified risks, such as encryption, firewalls, and multi-factor authentication.

6.3 Monitoring: Continuously monitor systems and processes to detect and address vulnerabilities.

6.4 Incident Response: Establish and maintain procedures to respond to security incidents promptly.

7. Personal Information Management System (PIMS)

7.1 Data Classification: Identify and classify personal data processed by the organisation based on sensitivity and risk.

7.2 Data Minimisation: Collect only the personal data necessary for specific, lawful purposes.

7.3 Lawful Processing: Ensure all personal data processing has a valid legal basis under UK GDPR.

7.4 Individual Rights: Respect data subjects’ rights, including access, rectification, erasure, and objection.

7.5 Third-Party Processing: Conduct due diligence on processors handling personal data and establish contracts that align with PIMS requirements.

7.6 Retention and Disposal: Retain personal data only as long as necessary and securely dispose of it when no longer required.

8. Information Security Controls

  • Access Control: Grant access based on the principle of least privilege.
  • Encryption: Use encryption to protect sensitive data in transit and at rest.
  • System Monitoring: Monitor systems to detect unauthorised activities or breaches.
  • Physical Security: Secure physical premises to prevent unauthorised access to information assets.
  • Training: Provide regular training on security and privacy best practices, including phishing awareness and data protection.

9. Breach Management

9.1 Reporting: All employees must report suspected data breaches to the ISO or DPO immediately.

9.2 Investigation: The ISO or the Legal Compliance Department will investigate and assess the severity and impact of the breach.

9.3 Notification: If necessary, notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach and inform affected data subjects promptly.

9.4 Mitigation: Take corrective actions to prevent recurrence and minimise impact.

10. Compliance and Legal Obligations

Main Portfolio LTD complies with:

  • UK GDPR and the Data Protection Act 2018.
  • The Computer Misuse Act 1990.
  • The Privacy and Electronic Communications Regulations (PECR).
  • Relevant contractual and regulatory obligations.

11. Monitoring and Review

This policy is reviewed annually, or more frequently if required by changes in law, regulation, or business operations. Regular audits are conducted to ensure compliance with ISMS and PIMS standards.

12. Consequences of Non-Compliance

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment, and could have legal implications for individuals and the organisation.

Contact Information

If you have any inquiries, requests or concerns about this policy, please contact the Legal Compliance Department at: legal@mainportfolio.co.uk.

Last Updated: January 2025

Main Portfolio LTD (“we”, “us”, “our” or “the Company”) is a UK Company whose primary aim is to simplify complex workplace challenges with services designed to enhance employee engagement, promote wellbeing, and secure future success. With a professional yet human approach, we partner with businesses to deliver results that align with their vision for the future of work. This Code of Professional Ethics reflects the principles that guide our business activities, professional interactions, and operational standards. By embracing these commitments, we cultivate a culture rooted in trust, accountability, and innovation, while striving to make a positive impact on society and the environment.

1. Integrity and Honesty

Integrity is the foundation of our business. We are dedicated to clear communication, ethical decision-making, and transparency in every interaction. Misrepresentation, fraud, or deceit have no place in our company, as we aim to uphold the trust of our clients, employees, and partners.

2. Compliance with Laws and Regulations

We strictly adhere to UK laws, including the Companies Act 2006, Equality Act 2010, Bribery Act 2010, and Data Protection Act 2018 (GDPR), among others. Compliance is a fundamental expectation for all employees, who are required to understand and apply the legal frameworks relevant to their roles.

3. Respect for Diversity and Inclusion

We embrace diversity and inclusion as core principles of our workplace and partnerships. Every individual, regardless of background, identity, or ability, is treated equitably and respectfully. We actively address and challenge discrimination, fostering an environment free of harassment and bias.

4. Confidentiality and Data Protection

Protecting privacy and safeguarding information are priorities. In alignment with GDPR, Data Protection Act 2018, and all relevant laws and regulations as amended and in force, we ensure that personal and sensitive data are handled with care, security, and integrity. Confidentiality extends to proprietary information, which we safeguard with robust protocols.

5. Professional Competence and Responsibility

Our team is committed to delivering excellence through skill, diligence, and accountability. We prioritise continuous learning and professional development, enabling employees to remain at the forefront of industry standards and adapt to evolving challenges.

6. Anti-Bribery and Corruption

Aligned with the UK Bribery Act 2010, we enforce a strict zero-tolerance policy on bribery and corruption. Employees must disclose potential conflicts of interest and abstain from any activities that could compromise impartiality or the company’s ethical standards.

7. Fair Competition

We engage in fair and transparent competition, adhering to UK Competition Law. Practices such as collusion, price-fixing, or abuse of market power are prohibited. We believe in building success through innovation, quality, and integrity.

8. Environmental Responsibility

Our operations reflect a commitment to sustainability. Guided by the UK Climate Change Act 2008, we actively reduce our environmental footprint by cutting emissions, conserving resources, and fostering recycling and waste reduction across our supply chain.

9. Workplace Health and Safety

We prioritise the health and safety of everyone in our workplace. Complying with the Health and Safety at Work Act 1974, we maintain a secure, hazard-free environment and encourage employees to report risks and support a culture of shared responsibility.

10. Respect for Human Rights

Human rights are fundamental to our business. In compliance with the Modern Slavery Act 2015, we ensure that our practices and supply chains are free from forced labour, exploitation, or child labour. We collaborate only with partners who uphold these principles.

11. Accountability

Accountability is a shared value throughout the organisation. From leadership to employees, we encourage responsibility, open communication, and constructive feedback to uphold our standards and continually improve.

12. Whistleblowing and Reporting

We foster a safe environment for reporting unethical behavior or violations. Our whistleblowing policy, in accordance with the Public Interest Disclosure Act 1998, ensures confidentiality and protection against retaliation for individuals who raise concerns.

13. Excellence in Client Relations

Clients are the core of our operations. We are dedicated to providing exceptional services and products with professionalism and respect. Customer feedback drives our improvements, and complaints are handled promptly and fairly.

14. Ethical Sourcing and Supply Chain Management

We are committed to ethical sourcing and working with suppliers who share our values. We conduct due diligence to ensure our supply chains are free from exploitation and focused on sustainability and social responsibility.

15. Innovation and Continuous Improvement

Innovation is at the heart of our growth. We encourage creativity, adaptability, and the continuous improvement of our processes, products, and services to remain competitive, impactful, and relevant in a dynamic world.

1. Introduction

Main Portfolio LTD (“the Company”) is committed to preventing money laundering and terrorist financing by complying with all relevant UK laws, regulations, and guidance. This Anti-Money Laundering (AML) and Know Your Customer (KYC) Policy outlines the measures the Company will take to prevent, detect, and report suspicious activities, ensuring adherence to the legal and regulatory framework in place in the UK.

The policy applies to all employees, directors, and officers of the Company.

2. Legal Framework

This policy is designed to ensure compliance with:

  • The Proceeds of Crime Act 2002 (POCA)
  • The Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017
  • The Terrorism Act 2000
  • The Financial Services and Markets Act 2000
  • Guidance issued by the Financial Conduct Authority (FCA), the National Crime Agency (NCA), and the Joint Money Laundering Steering Group (JMLSG)

3. Purpose of the Policy

The purpose of this policy is to:

  • Prevent the Company from being used for money laundering or terrorist financing.
  • Outline procedures to identify, assess, and manage risks associated with money laundering and terrorism financing.
  • Ensure compliance with legal and regulatory obligations for customer due diligence (CDD), record-keeping, and reporting suspicious activities.
  • Establish a KYC process to ensure the legitimacy of customers and transactions.

4. Anti-Money Laundering (AML) Procedures

4.1 Customer Due Diligence (CDD)

The Company will carry out appropriate Customer Due Diligence (CDD) before entering into a business relationship with any customer. The level of CDD applied will be determined based on a risk-based approach, considering the type of customer, the nature of the business, and the geographical location. This includes:

  • Basic Information: Name, address, date of birth (individuals) or registration details (businesses).
  • Verification of Identity: Government-issued ID documents, proof of address, and any additional documentation as required.

4.2 Enhanced Due Diligence (EDD)

For high-risk customers or transactions (e.g., politically exposed persons, clients from high-risk jurisdictions), the Company will apply Enhanced Due Diligence (EDD). This may include:

  • Additional identity verification measures.
  • Investigating the source of funds.
  • Ongoing monitoring of the relationship.

4.3 Ongoing Monitoring

The Company will monitor transactions continuously to ensure that they are consistent with the Company’s knowledge of the customer, their business, and their risk profile. Any suspicious activity will be reported to the Legal Compliance Department.

4.4 Suspicious Activity Reporting (SAR)

The Company will report any Suspicious Activity to the National Crime Agency (NCA) by filing a Suspicious Activity Report (SAR) if there are reasonable grounds to suspect that a transaction may involve money laundering or terrorist financing.

The process for reporting suspicious activities is as follows:

  • Employees must report any suspicious activity to the Legal Compliance Department.
  • The Legal Compliance Department will assess the activity and, if appropriate, submit a SAR to the NCA.
  • No further action will be taken on the transaction until the NCA provides consent.

4.5 Record Keeping

The Company will maintain records of all CDD information, transactions, and reports for at least five years after the completion of the transaction or the termination of the business relationship. This will include:

  • The identity of customers and beneficial owners.
  • Copies of identification documents and any supporting evidence.
  • Details of the transaction and the associated risk assessments.

4.6 Training and Awareness

The Company will ensure that all employees receive regular training on:

  • Recognizing and understanding money laundering and terrorist financing risks.
  • The process for reporting suspicious activities.
  • Understanding the regulatory obligations and consequences of non-compliance.

Training will be updated annually, and refresher courses will be provided whenever necessary.

5. Know Your Customer (KYC) Procedures

5.1 Purpose of KYC

The purpose of the Know Your Customer (KYC) process is to establish and verify the identity of the customer before and during the course of a business relationship. KYC is an essential component of the Company’s broader AML efforts and helps mitigate the risk of being involved in money laundering or terrorism financing activities.

5.2 Customer Identification and Verification

Before entering into a business relationship, the Company will verify the identity of its customers using reliable and independent sources. This includes, but is not limited to:

  • For individuals: A government-issued passport, driving license, or national identity card, as well as proof of address (e.g., utility bill, bank statement).
  • For businesses: Company registration details, ownership structure, and beneficial ownership identification. Additional documentation may be requested for complex corporate structures.

5.3 Risk-Based KYC Approach

The KYC process will vary depending on the risk profile of the customer. The Company will assess each customer based on:

  • Risk Level: High, medium, or low-risk profiles based on jurisdiction, type of business, and transaction volume.
  • Ongoing KYC Monitoring: KYC information will be reviewed periodically and updated when necessary to ensure it remains accurate and consistent with the customer’s activities.

5.4 Politically Exposed Persons (PEPs)

The Company will identify and apply Enhanced Due Diligence (EDD) for Politically Exposed Persons (PEPs), their family members, and close associates. Additional checks will be conducted to assess the source of funds and to evaluate the risks associated with doing business with PEPs.

5.5 Beneficial Ownership

The Company will ensure that the identity of beneficial owners (i.e., the individuals who ultimately own or control the customer) is established, especially when dealing with corporate customers. If the beneficial owner cannot be identified, the Company will not proceed with the relationship.

7. Consequences of Non-Compliance

Failure to comply with the AML and KYC policies may result in:

  • Legal penalties for the Company and individuals involved.
  • Disciplinary action, including termination of employment.
  • Damage to the Company’s reputation and business operations.

8. Review and Updates

This policy will be reviewed and updated regularly to ensure that it complies with the latest legal and regulatory requirements. The Company will ensure that all employees are informed of any updates or changes to the policy.

Last Updated: January 2025

Purpose

Main Portfolio LTD is committed to conducting all aspects of its business with the highest levels of integrity and transparency. We have a zero-tolerance approach to bribery and corruption and are dedicated to complying with all applicable anti-bribery laws, including the UK Bribery Act 2010.

Scope

This policy applies to all employees, contractors, consultants, partners, agents, and any third party acting on behalf of Main Portfolio LTD, regardless of location.

Policy Statement

  1. Prohibition of Bribery and Corruption
    • Main Portfolio LTD strictly prohibits offering, giving, soliciting, or accepting any bribe or corrupt payment in any form, whether directly or indirectly.
    • Bribery includes offering or receiving money, gifts, favours, or anything of value to influence a decision, secure a business advantage, or gain improper benefits.
  2. Compliance with Laws
    • All employees and representatives must comply with applicable anti-bribery and corruption laws in the jurisdictions in which Main Portfolio LTD operates.
    • Breaches of such laws could result in severe penalties, including criminal charges for individuals and significant fines for the company.
  3. Facilitation Payments
    • Facilitation payments (small payments to expedite routine government actions) are prohibited unless there is a genuine concern for personal safety or security. Any such payment must be reported immediately to management.
  4. Third-Party Relationships
    • All third-party relationships, including agents, suppliers, and partners, must undergo due diligence to ensure they adhere to the same anti-bribery standards as Main Portfolio LTD.
    • Agreements with third parties must include anti-bribery clauses to safeguard against improper conduct.
  5. Political Contributions
    • Main Portfolio LTD does not make political donations or contributions of any kind.
    • Employees must refrain from using company funds or resources for political activities.
  6. Charitable Contributions
    • Charitable donations made on behalf of Main Portfolio LTD must be transparent, documented, and aligned with the company’s values. They must not be used as a subterfuge for bribery.

Responsibilities

  1. Employees
    • Ensure personal compliance with this policy and promptly report any suspicions of bribery or corruption.
    • Avoid any activities that could bring Main Portfolio LTD into disrepute.
  2. Management
    • Foster a culture of integrity and oversee adherence to this policy.
    • Ensure adequate training is provided to all employees regarding anti-bribery and corruption practices.
  3. Compliance Officer
    • Monitor and review the implementation of this policy and report any issues to senior management.
    • Maintain records of reported incidents and outcomes for accountability.

Reporting Concerns

  • Employees and third parties are encouraged to report any suspected bribery or corruption through Main Portfolio LTD’s confidential whistleblowing mechanism at legal@mainportfolio.co.uk.
  • All reports will be treated with the utmost confidentiality and investigated promptly.

Consequences of Non-Compliance

  • Employees or third parties found to have engaged in bribery or corruption will face disciplinary actions, up to and including termination of employment or contracts.
  • Main Portfolio LTD reserves the right to report unlawful activities to relevant authorities.

Monitoring and Review

  • This policy will be reviewed annually to ensure it remains effective and aligned with current laws and business practices.

Last Updated: January 2025

1. Introduction

Main Portfolio LTD (“the Company”) is committed to providing high-quality services and ensuring a positive experience for our customers. However, we recognise that from time to time, customers may have concerns or complaints. This Complaints and Dispute Resolution Policy outlines the procedures by which the Company will handle complaints and resolve disputes efficiently, fairly, and in compliance with relevant UK laws, including the Consumer Rights Act 2015, Financial Services and Markets Act 2000, and other applicable regulations.

2. Purpose of the Policy

The purpose of this policy is to:

  • Provide clear and transparent procedures for customers to raise complaints.
  • Ensure complaints are dealt with fairly, consistently, and promptly.
  • Resolve disputes in a way that meets legal requirements and customer expectations.
  • Improve our services based on feedback from customers.

3. Scope

This policy applies to all customers, clients, and service users of Main Portfolio LTD. It covers all complaints regarding the Company’s products, services, staff, or conduct, and outlines how complaints will be handled in accordance with UK law.

4. Definition of a Complaint

A complaint is defined as any expression of dissatisfaction made by a customer, either verbally or in writing, regarding the Company’s products, services, or conduct. This can include issues such as:

  • Poor service or product quality.
  • Delays or failures in service delivery.
  • Unresolved issues regarding fees or charges.
  • Dissatisfaction with how a transaction or interaction was handled.

A dispute arises when a complaint cannot be resolved through normal processes and requires a formal review or legal action.

5. Complaints Handling Procedure

The Company aims to resolve complaints quickly and efficiently. The following steps outline the complaints handling process:

Step 1: Acknowledging the Complaint

  • Customers can make a complaint by phone, email, or in writing. The Company will acknowledge receipt of a complaint within 3 business days of receiving it.
  • The Company will provide a clear timeline for resolving the complaint and offer an initial response as soon as possible.

Step 2: Investigation of the Complaint

  • The Company will review the details of the complaint, including gathering all relevant information, documents, and accounts related to the issue.
  • A senior staff member or manager will be assigned to investigate the complaint, ensuring an unbiased and thorough approach.
  • The Company aims to complete the investigation within 15 business days. If this is not possible, the customer will be informed of the reasons for the delay and provided with a new expected resolution date.

Step 3: Resolution and Response

  • Once the investigation is complete, the Company will provide a formal written response to the customer detailing the outcome of the investigation and any actions taken to resolve the issue.
  • If the complaint is upheld, the Company will offer an appropriate remedy or compensation in line with the issue.
  • If the complaint is not upheld, the customer will be provided with a clear explanation of the reasons why the complaint was not supported.

Step 4: Escalation

  • If the customer is not satisfied with the resolution, they can request that the complaint be escalated to a higher level within the Company.
  • The Company will appoint a senior manager or director to review the complaint, ensuring that an impartial second opinion is given. The review process should be completed within 10 business days.

6. Dispute Resolution

If a dispute arises and cannot be resolved within the Company’s internal complaints handling procedure, the Company will encourage the customer to use alternative dispute resolution (ADR) or external bodies such as:

  • Ombudsman Services: For certain regulated sectors, the customer may be entitled to refer their complaint to an ombudsman. The relevant ombudsman (e.g., Financial Ombudsman Service for financial services) will provide an independent, impartial review.
  • Mediation or Arbitration: The Company may suggest or offer mediation or arbitration services as an alternative to litigation to resolve disputes amicably.
  • The Company will provide the customer with details of the ADR options available.


7. Time Limits for Making a Complaint

Customers are encouraged to raise complaints as soon as possible after the incident occurs. In general, complaints should be submitted within 6 months of the issue arising, although this period may vary depending on the specific industry or service. The Company will review each complaint on a case-by-case basis.

8. Remedies and Compensation

If the complaint is upheld, the Company may provide the following remedies, depending on the nature of the complaint:

  • A formal apology for the inconvenience caused.
  • A full or partial refund, depending on the circumstances.
  • A replacement or repair of faulty goods or services.
  • A goodwill gesture or compensation for distress or inconvenience caused.

9. Record-Keeping and Monitoring

The Company will maintain a record of all complaints, including the details of the complaint, investigation, actions taken, and the outcome. These records will be kept confidential and in compliance with data protection laws.

The Company will regularly monitor complaints to identify trends and areas for improvement. The data will be used to inform improvements in products, services, and customer interactions.

10. Customer Rights

Customers have the right to:

  • Be treated fairly and respectfully during the complaint process.
  • Have their complaint reviewed impartially and thoroughly.
  • Receive a clear explanation of any decisions or outcomes.
  • Be informed about external dispute resolution mechanisms if the complaint cannot be resolved internally.

11. Contact Details for Making a Complaint

Customers can submit complaints using the following methods:

  • Email: info@mainportfolio.co.uk
  • Postal Address: K2 Tower 60 Bond Street, Silvester St Entrance, Hull, England, HU1 3EN

12. Review of the Policy

This Complaints and Dispute Resolution Policy will be reviewed regularly, and updated where necessary, to ensure it remains compliant with relevant laws and provides the best possible service to customers. Any significant changes will be communicated to customers.

Last Updated: January 2025

1. Introduction

Main Portfolio LTD (“the Company”) is committed to conducting its operations in an environmentally responsible manner, in compliance with all applicable environmental legislation and regulations. We recognize the importance of environmental sustainability and the need to minimize our environmental impact. This Environmental Policy Statement outlines our commitment to reducing waste, conserving resources, and ensuring that environmental considerations are integrated into our business practices.

2. Purpose of the Policy

The purpose of this policy is to:

  • Demonstrate the Company’s commitment to environmental sustainability.
  • Establish clear objectives for reducing the environmental impact of our activities.
  • Ensure compliance with relevant environmental legislation and best practices.
  • Promote environmental awareness and responsibility among employees, customers, and stakeholders.

3. Scope

This policy applies to all employees, contractors, and operations of Main Portfolio LTD, including:

  • Operations: The management of facilities, manufacturing processes, and service delivery.
  • Resource usage: The efficient use of energy, water, raw materials, and other resources.
  • Waste management: Waste reduction, recycling, and disposal practices.
  • Transportation: Minimizing emissions related to transportation and logistics.

4. Environmental Commitment

Main Portfolio LTD is committed to:

  • Compliance: Complying with all applicable environmental laws, regulations, and standards, including the Environmental Protection Act 1990, Climate Change Act 2008, and Waste and Resources Action Programme (WRAP) guidelines.
  • Sustainability: Continuously improving the sustainability of our operations by adopting practices that conserve resources, reduce emissions, and minimize environmental harm.
  • Waste Reduction: Reducing waste generation through efficient resource management, recycling, and reusing materials wherever possible.
  • Energy Efficiency: Promoting energy-efficient practices within the organization, including reducing energy consumption and exploring renewable energy sources.
  • Pollution Prevention: Minimizing pollution of air, water, and soil by adopting cleaner production processes and reducing the use of hazardous materials.

5. Key Objectives

The Company will work towards achieving the following environmental objectives:

  • Resource Efficiency: Reduce the consumption of energy, water, and raw materials in our operations, striving for more sustainable alternatives.
  • Waste Management: Minimize waste generation and increase recycling rates, aiming for zero waste to landfill wherever possible.
  • Carbon Footprint Reduction: Lower our carbon footprint by optimizing energy use and reducing greenhouse gas emissions, both in our direct operations and through our supply chain.
  • Sustainable Procurement: Source products and materials from suppliers who demonstrate environmental responsibility and use sustainable practices.
  • Compliance and Reporting: Regularly monitor, measure, and report on our environmental performance, ensuring we meet or exceed legal and regulatory requirements.

6. Roles and Responsibilities

To implement this policy effectively, the following responsibilities are assigned:

  • Senior Management: Responsible for setting the overall environmental strategy, providing resources, and ensuring that environmental objectives are integrated into business decision-making.
  • Employees: Every employee has a role to play in minimising the Company’s environmental impact by following best practices and complying with the Company’s environmental procedures.
  • Contractors and Suppliers: The Company will work with contractors and suppliers to encourage sustainable practices, promote environmental standards, and reduce their environmental impact.

7. Environmental Action Plan

The Company will take the following actions to achieve its environmental objectives:

  • Energy Management: Monitor and reduce energy consumption, implement energy-saving technologies, and consider renewable energy options for our facilities.
  • Waste Reduction: Implement recycling programs and encourage the reuse of materials. We will also aim to reduce packaging and adopt a circular economy approach where feasible.
  • Water Conservation: Adopt measures to reduce water usage in operations, including leak detection, efficient equipment, and water-saving technologies.
  • Sustainable Transport: Encourage the use of environmentally friendly transportation options, reduce emissions from company vehicles, and promote remote working and digital communication where possible.
  • Employee Engagement: Provide regular environmental awareness training for employees and encourage them to actively participate in sustainability initiatives.

8. Performance Monitoring and Review

The Company will:

  • Regularly monitor and evaluate the effectiveness of its environmental practices through audits and assessments.
  • Set measurable targets for energy use, waste reduction, and carbon footprint, and track progress towards these goals.
  • Review the policy and action plan on an annual basis to ensure they remain effective, relevant, and aligned with current regulations, and make adjustments as necessary.

9. Continuous Improvement

The Company is committed to continuous improvement in its environmental practices. We will review our environmental performance regularly, encourage feedback from employees and stakeholders, and incorporate new technologies and practices to enhance our sustainability efforts.

10. Communication and Awareness

We will communicate this policy to all employees, contractors, and stakeholders, ensuring that everyone is aware of their role in contributing to the Company’s environmental goals. This policy will be made available to the public and any interested parties.

11. Conclusion

Main Portfolio LTD recognises that environmental sustainability is crucial for the long-term success of our business and the well-being of the planet. We are committed to minimising our environmental impact and continuously improving our environmental performance. By working together with employees, customers, and suppliers, we aim to make a positive contribution to a sustainable future.

Last Updated: January 2025

Purpose

Main Portfolio LTD is committed to maintaining a workplace that encourages integrity, transparency, and accountability. This Whistleblower Policy provides employees, contractors, consultants, and other stakeholders with a safe and confidential way to report concerns about unethical, illegal, or improper conduct without fear of retaliation.

Scope

This policy applies to all employees, contractors, consultants, vendors, and other stakeholders of Main Portfolio LTD. It covers reports related to:

  • Fraud or financial irregularities
  • Bribery and corruption
  • Breaches of legal or regulatory requirements
  • Discrimination, harassment, or other workplace misconduct
  • Health and safety violations
  • Environmental damage
  • Any other unethical or improper conduct

Reporting a Concern

1. Confidentiality

  • All reports will be treated with the utmost confidentiality.
  • The identity of the whistleblower will only be disclosed on a need-to-know basis or if required by law.

2. How to Report

Concerns can be reported through the following channels:

  1. Direct Manager: Employees are encouraged to report concerns to their immediate manager.
  2. Human Resources (HR): Reports can also be made directly to the HR department.
  3. Legal Compliance Department: legal@mainportfolio.co.uk.
  4. Anonymous Reporting: Reports can be made anonymously via info@mainportfolio.co.uk.

Investigation Process

  1. Acknowledgment: Upon receiving a report, the whistleblower will be acknowledged (if not anonymous) within five (5) business days.
  2. Assessment: The report will be reviewed to determine the scope and nature of the alleged issue.
  3. Investigation: An impartial investigation will be conducted by the Whistleblower Officer or an appointed team.
  4. Outcome: Appropriate action will be taken based on the findings, and the whistleblower will be informed of the outcome (if identity is known).

Protection Against Retaliation

Main Portfolio LTD strictly prohibits retaliation against whistleblowers who report concerns in good faith. Retaliation includes, but is not limited to:

  • Termination or suspension
  • Harassment or discrimination
  • Negative performance evaluations
  • Any other adverse action

False Allegations

Employees who knowingly make false or malicious allegations may be subject to disciplinary action. However, employees who report concerns in good faith, even if the concerns turn out to be unfounded, will not face any consequences.

Responsibilities

1. Legal Compliance Department

  • Ensures reports are investigated promptly, fairly, and confidentially.
  • Provides guidance and support to whistleblowers.

2. Managers

  • Encourage open communication and a culture of transparency.
  • Support employees who report concerns and prevent retaliation.

3. Employees

  • Report any concerns promptly and in good faith.
  • Cooperate fully with investigations.

Policy Review

This Whistleblower Policy will be reviewed annually to ensure compliance with applicable laws and regulations and to maintain best practices.

Last Updated: January 2025

Purpose

At Main Portfolio LTD, we are committed to fostering a workplace culture that prioritises the physical, mental, and emotional wellbeing of our employees. This policy outlines the measures we take to ensure the health and happiness of our workforce while promoting a positive and productive working environment. This policy applies to all employees, contractors, and consultants working for Main Portfolio LTD, regardless of location or role.

Policy Objectives

  1. Promote Health and Wellbeing
    • Encourage healthy lifestyle choices, physical activity, and mental health awareness.
    • Provide resources and support for employees to manage stress, health conditions, and work-life balance effectively.
  2. Create a Positive Work Environment
    • Foster a culture of respect, inclusivity, and collaboration.
    • Address workplace challenges such as stress, workload management, and interpersonal conflicts.
  3. Support Preventative Healthcare
    • Offer initiatives that help employees proactively manage their physical and mental health.

Wellness Initiatives

  1. Work-Life Balance
    • Flexible Working Arrangements: Enable hybrid and flexible schedules to support work-life integration.
    • Paid Leave: Encourage employees to utilise annual leave entitlements for rest and rejuvenation.
    • Childcare Support: Assistance with childcare arrangements or access to dependent care resources.
  2. Financial Wellbeing
    • Pension and Retirement Planning: Provide education and tools to help employees secure their financial future.
    • Lifestyle Benefits: Discounts on essential services and products, including groceries, electronics, and travel.
    • Debt Management Support: Access to resources for financial planning and debt reduction.

Employee Responsibilities

  • Participation: Employees are encouraged to take an active role in wellness programs and initiatives.
  • Communication: Employees should communicate any workplace challenges or personal health concerns to their manager or HR.

Employer Responsibilities

  • Supportive Environment: Managers and HR will provide resources and accommodations to support employee wellbeing.
  • Confidentiality: Ensure all health-related information is treated with strict confidentiality.
  • Regular Feedback: Collect employee feedback on wellness initiatives to assess effectiveness and make improvements.

Monitoring and Evaluation

  • The wellness policy will be reviewed annually to ensure it remains relevant and effective.
  • Employee feedback and participation rates will be used to measure the success of wellness initiatives.

Last Updated: January 2025