Small Business Accountants Limited

Data Protection Policy
From 25 May 2018


Introduction
The firm, Small Business Accountants Limited, has appointed Paul Cooper as the Data Manager.
We have adopted a risk-based approach to data protection, whereby our policies and procedures only cover those areas which apply to our use of personal data. For example, as we currently do not use automated decision making or profiling, we do not have a policy on meeting the rights of data subjects with regard to automated decision making or profiling.


Background
We are bound by our professional body’s (AAT) relevant professional codes and regulations, including client confidentiality and the protection of client data.


Personal data
Personal data includes any information related to a person that can be used to directly or indirectly identify the person. Such data includes, but is not limited to:
• Name
• Image
• Email address
• Financial account details
• Social network posts
• Medical information
• IP address
• Passport number
• NI number


Individuals' rights
Individuals, also referred to as ‘data subjects’, have the right:
• to be informed;
• of access;
• to rectification and correction;
• to erasure, sometimes referred to as the ‘right to be forgotten’;
• to restrict processing;
• to data portability;
• to object; and
• not to be subject to automated decision-making including profiling.


Our obligations
Our obligations in respect of personal data include:
• knowing what data we hold and process, where it is located, how it is secured and used, and what it comprises;
• identifying whether it is personal, prohibited, client-related or employee-related;
• knowing how it was captured and the lawful basis for processing it, i.e. whether processing is permitted by law (‘lawful processing’) or consented to by the client;
• being able to provide information on how the data is used and on the rights of individuals regarding their data;
• ensuring that we manage personal data in a manner compliant with the regulations;
• complying with the right to be forgotten;
• providing data in a format that allows portability to other data processors;
• a duty to inform relevant parties if there is a breach.


Our use of data
We process two different types of personal data:
• ‘Client data’ is personal data received from clients in relation to professional engagements and practice.
• ‘Firm data’ is personal data held by the firm in relation to its own management, employees and affairs generally, including marketing databases.

When starting a new processing activity, we can only process personal data for the purpose for which it was provided. Where there is an on-going service, the firm will update the information as part of the review process and make relevant notes in our records.

When a client seeks advice or other services from the firm, we will gather certain information. This may be obtained verbally, in writing, or by other suitable means. Withholding relevant information could result in the firm being unable to continue providing some or all of its services.


Training
All principals and staff receive:
• training (appropriate to their role) to ensure they understand these policies and procedures;
• details of any changes to the firm’s data protection policies and practices;
• updated training and reporting to refresh their understanding of these policies.

An explanation of the firm’s policies and procedures is included in our induction procedures for new employees.


Relationships with others
Suppliers
When entering contracts with suppliers who process or store our data, we ensure that the supplier is fully compliant with the current data protection regime, and the contract addresses the requirements concerning the sharing of data.

The extent of the impact on our firm will depend on whether our firm is acting as a controller or processor. 

A data controller is an organisation that determines the purpose and methods for processing personal data. A data processor is an organisation that processes personal data on behalf of a data controller.

We determine what information to obtain and process in order to do our work, so we may act as “controllers in common” or “joint controllers” with our clients. 

Clients
Our client terms and conditions reflect the firm’s data policies and practices.

When we act as the data processor, we must obtain documented instructions from any data controller on whose behalf we process data.

When we act as a joint controller, we must ensure the other joint controller complies with the regulations and that our contract in respect of the sharing of data is in compliance with the regulations.


Data retention policies 
What client data should we hold?
The general principle is that we hold the minimum amount of data necessary.

The data we hold must be adequate, relevant and limited to what is necessary in relation to the purpose for which the data is processed. This applies to both automated personal data and manual filing systems where data is accessible.

The data we hold should be up to date and accurate.

How long do we retain personal data?
In general, data should not be retained any longer than necessary for the task performed, or than is necessary to comply with the relevant laws and regulations. 

We keep records and working papers for five years from the end of the submission deadline to which they relate, three years for payroll, or as dictated by statutory requirements or official bodies.

Under the anti-money laundering rules, we must keep records for five years after the relationship ends, and must delete any personal information obtained for the purposes of the anti-money laundering regulations after five years from the end of a business relationship unless:
• We are required to retain it under statutory obligation, or
• We are required to retain it for legal proceedings, or
• The data subject has consented to the retention.
Any decision to retain personal data beyond the policy noted above should be documented and approved by the Data Manager. A decision to retain personal data beyond the policy above should consider:
• The current and future value of the information,
• The costs, risks and liabilities associated with retaining it; and
• The ease or difficulty of making sure it remains accurate and up to date.


Privacy policies 
We aim to ensure our privacy policies are clear, use plain language, are transparent and easily accessible.

Our privacy notices include:
• what we are going to do with the client information; and
• with whom it will be shared.

Our privacy notices also explain the lawful basis for processing, our data retention policies and the fact that individuals have a right to complain to the ICO if they think there is a problem with the way we are handling their data.

We will use your information to:
• Act as the basis for any advice we provide;
• To carry out our obligations arising from any contracts entered into by you and us;
• Provide our ongoing service to you;
• Meet our regulatory obligations in the services we provide to you.

In addition, if we intend to use client data in a way that is likely to be unexpected or specialised, we will explain why we need it and obtain your consent before collecting the data.


Consent 
Consent must be specific, informed, unambiguous, and freely given. Consent may be given in various manners, including, but not restricted to, verbal or written arrangements.

We may record how and when customer consent was lawfully gained, including:
• who consented;
• when they consented;
• what they consented to and any restrictions indicated;
• how they consented e.g. for written consent a copy of the relevant document;
• whether they have subsequently withdrawn consent, and if so when.

We recognise that consent is likely to degrade over time, and therefore may need to refresh the consent in accordance with the context, the scope of the original consent and the individual’s expectations.

When consent is withdrawn, we should notify other known holders of the data that consent has been withdrawn and that data should be restricted.

We may pass your information to our third party service providers, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.


Employment issues
Employment contracts provide the lawful basis for processing personal data. 

Our employment contracts include employees’ rights as data subjects. These include the right to be informed:
• they can make a complaint to the ICO (or relevant supervisory authority) if they believe their personal data is not being used appropriately or held securely;
• of the nature and reason for any monitoring by the firm of its employees; for example, by checking for excessive private use of telephones or e-mails, or inappropriate use of the internet;
• of their right to access information that the firm may hold on them. This includes information regarding any grievances or disciplinary action, or information obtained through monitoring processes. The firm must respond to such requests within one month.

However, information can be withheld if releasing it would make it more difficult to detect crime or the information is about national security.

The firm may require specific written consent from employees for one-off circumstances such as bank requests to confirm income for a mortgage application. 

If the firm seeks to collect information regarding an employee's health, the employee’s consent will be sought. This information once collected will be held securely, with access limited to the appropriate principals. 


Breaches
A personal data breach is an accidental or unlawful act that has affected the confidentiality, integrity or availability of personal data. A personal data breach occurs whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.

Anyone who suspects they are the first person in the firm to identify a personal data breach must inform the Data Manager, or in their absence, another responsible manager.

Unless instructed to do so by the Data Manager, or their appointed deputy, no one should attempt to resolve the problem themselves.


Reporting personal data breaches
Any breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office within 72 hours of the firm becoming aware of it.

If the firm is acting as a data processor, we must inform the data controller as soon as feasibly possible and without undue delay.

Where we act as data controllers we must inform the individuals (data subjects) if there is a high risk that they will be impacted adversely by the breach. This must be as soon as feasibly possible and without undue delay.


Subject Access Requests 
Data subjects have the right to be informed, which includes the right to request the information held by the firm.

When the firm receives a Subject Access Request, it should be passed to the Data Manager who will allocate responsibility for responding to the request to a relevant individual. 

Unless the information requested would make it more difficult to detect crime or is a matter of national security, the firm must respond to any request within one month of receipt of the request. If we decide to refuse a request, we must tell the individual why and that they have the right to complain to the ICO and to seek a judicial remedy. Any refusal must be given without undue delay and at the latest, within one month of receiving the original request.

We will not make a charge for responding to a Subject Access Request, unless the request is manifestly unfounded or excessive.


Monitoring
The Data Manager ensures that a regular critical review of the firm’s compliance with its data protection policies and practices, as well as the effectiveness of those data protection policies and practices is carried out.

After completion, the Data Manager will provide a summary of the evidence of the compliance review to the next directors’ meeting, together with details of any changes proposed to the firm’s data protection policies and practices.

(25 May 2018, reviewed 12 August 2022)
Small Business Accountants Limited
trading as SBA

A company limited by shares, company number 4122543, registered in England and Wales.

Registered Office: Self Assessment House, 85 – 87 Saltergate, Chesterfield, Derbyshire S40 1JS. United Kingdom