What is this policy for?
We take issues relating to your personal data really seriously. This policy is to explain more to you about how we handle your or your employees’ personal data.
What do various terms mean?
“Personal data” means recorded information we hold about you (if you are an individual) or your staff (if you are an organisation) from which you or another person can be identified. It may include contact details, other personal information, photographs, expressions of opinion or indications as to our or your intentions towards a person.
“Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
“Sensitive Personal Data” or “special categories of data” includes
• information about a person’s physical or mental health or condition;
• racial or ethnic origin or religious or similar information;
• information about a person’s sexual life;
• information about a person’s criminal record or criminal proceedings;
• whether you are a trade union member or not;
• biometric information.
Generally, we do not need any such Sensitive Personal Data to perform our services for you and we will not seek such information from you.
What purposes do you use personal data for?
We only process data for the purposes we have agreed with you or where it relates to:
• carrying out the terms of our retainer with you/the organisation you work for (as applicable) – where we need to consider the data when advising, in order to give the best advice
• complying with legal requirements (such as our professional obligations to our regulator)
• pursuing our legitimate interests (such as being able to communicate with you and update you regarding our services)
• something necessary for the protection of a person’s vital interests (this is likely to be exceptional)
• something you have consented to or where the data has been made public by you
What safeguards are in place?
We will comply with the eight data protection principles in the DPA, which say that personal data must be:
(a) Processed fairly and lawfully.
(b) Processed for limited purposes and in an appropriate way.
(c) Adequate, relevant and not excessive for the purpose.
(d) Accurate.
(e) Not kept longer than necessary for the purpose.
(f) Processed in line with individuals’ rights.
(g) Secure.
(h) Not transferred to people or organisations situated in countries without adequate protection. (We don’t transfer any client data outside of the UK).
Your personal data will only be processed to the extent that it is necessary for the specific purposes notified to you.
We will keep the personal data we store about you accurate and up to date. Data that is inaccurate will be amended when we are made aware that it is out of date. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.
We will not keep your personal data for longer than is necessary for the purpose of carrying out our retainer. This means that data will be destroyed or erased from our systems when it is no longer required. For regulatory purposes we are required to keep our files for a six year period, after which they are securely destroyed.
We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data. For example, we take the following steps to protect data:
• Staff are trained in relation to the importance of privacy and data security.
• Laptops and phones are encrypted.
• We don’t give advice via social media or text message.
• Electronic files can only be accessed via password logins.
• No visible labels on physical files or documents, e.g. when visiting your premises.
We will only pass your data to third parties where you have asked us to. For example, you might ask us to refer your contact details to other professionals such as tax experts or lawyers. We only make referrals of this kind when consent has been expressly given by you. We do not sell any data or pass any data to other organisations.
What rights do I have?
You have the following rights:
(a) Request access to any personal data we hold about you. If you wish to make a subject access request, just tell us in writing, specifying as far as possible which data you are interested in.
(b) Ask to have inaccurate data held about you amended or deleted.
(c) Prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else.
(d) Raise a complaint with us under our Complaints Policy if you have any concerns about the handling of your data, or ask the Information Commissioner’s Office for support in relation to a data protection issue.
(e) Be notified in respect of high risk breaches of the law.
What about third parties?
We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal data to a third party, we will have regard to the eight data protection principles. We will only transfer personal data to a third party if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
What if we process data for you (organisations)?
From time to time we are asked to process data on your behalf. This part of this policy sets out more information about when we do this.
In this part of this policy:
• Controller, Data Subject, Personal Data, Processor and processing shall have the respective meanings given to them in applicable Data Protection Laws from time to time (and related expressions, including process, processed, processing, and processes shall be construed accordingly) and international organisation and Personal Data Breach shall have the respective meanings given to them in the GDPR;
• Data Protection Laws means, as binding on either party or the Services:
  • the Directive 95/46/EC (Data Protection Directive) and/or Data Protection Act 1998 or the GDPR;
  • any laws which implement any such laws; and
  • any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
• GDPR means the General Data Protection Regulation (EU) 2016/679;
• Protected Data means Personal Data received from or on behalf of the Customer in connection with the performance of our obligations under this Policy; and
• Sub-Processor means any agent, subcontractor or other third party (excluding our employees) engaged by us for carrying out any processing activities on behalf of the Customer in respect of the Protected Data.
In engaging us you agree that you are a Controller and that we are a Processor for the purposes of processing Protected Data pursuant to this Agreement. You shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. You shall ensure all instructions given by you to us in respect of Protected Data (including the terms of this Policy) shall at all times be in accordance with Data Protection Laws.
We shall process Protected Data in compliance with the obligations placed on us under Data Protection Laws and the terms of this Policy.
We shall:
• only process (and shall ensure our personnel only process) the Protected Data in accordance with this Policy (and not otherwise unless alternative processing instructions are agreed between the parties in writing) except where otherwise required by applicable law (and shall inform you of that legal requirement before processing, unless applicable law prevents us doing so on important grounds of public interest);
• if we believe that any instruction received by us from you is likely to infringe the Data Protection Laws, promptly inform you and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing;
• taking into account the state of technical development and the nature of processing, implement and maintain the technical and organisational measures agreed with you from time to time to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access;
• not permit any processing of Protected Data by any agent, subcontractor or other third party (except our own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without your written authorisation;
and (at your cost):
• assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws), taking into account the nature of the processing and the information available to us; and
• taking into account the nature of the processing, assist you (by appropriate technical and organisational measures), insofar as this is possible, in the fulfilment of your obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
We shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the UK or to any international organisation without your prior written consent.
We shall, in accordance with Data Protection Laws, make available to you such information that is in our possession or control as is necessary to demonstrate our compliance with the obligations placed on us under this policy and to demonstrate compliance with the obligations imposed by Article 28 of the GDPR (and any provisions of other Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by you (or another auditor mandated by you) for this purpose (subject to a maximum of a single audit request in any 12 month period).
We shall notify you without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
At the end of the provision of the Services relating to the processing of Protected Data, at your cost and at your option, we shall either return all of the Protected Data to you or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it), except to the extent that any applicable law requires us to store such Protected Data. This obligation shall survive the termination of our provision of Services to you.