In accordance with General Data Protection Regulations, we are setting out below our policy concerning personal data for your information:
PRIVACY POLICY
All client data is kept strictly private and confidential and will not be shared with any third parties without your consent. When the Law requires us to submit documents on your behalf to the authorities such as H M Revenue and Customs and Companies House, which will include personal data, then we will of course do so in order to assist you to fulfil your legal obligations. If we think it appropriate to obtain a second opinion on any matter that may affect your personal affairs, or refer to a specialist for advice on technical issues or matters outside our normal experience, then we will obtain your consent before so doing.
TERMS AND CONDITIONS FOR HOLDING CLIENT DATA
Client data is currently held on paper correspondence and working paper files. We intend shortly to go over to electronic filing of data and cloud storage. In the case of physical files, they are kept at our office which is locked and alarmed when we are not on the premises, and in the case of electronic storage we will satisfy ourselves that the storage medium concerned is completely GDPR compliant before using it. Our arrangements for cleaning the office and disposal of waste paper are that the cleaner comes to clean the office during working hours when the Principal and staff are present. Waste paper containing personal data is put into sealed sacks and taken away to be securely shredded by a licensed business who issue a Certificate of Secure Destruction of all papers collected from our premises. Correspondence files are not kept at anybody’s home overnight.
RIGHT TO FORGET
On request, we will be happy to remove from the system all personal data that we have on any former client, having regard to the Law and to H M Revenue and Customs guidance that normally requires all papers to be kept for six years. The six year time period begins from the year in which the documents concerned form the basis of an entry on a tax return. That is not necessarily the same as the date at which the documents are actually generated.
DATA RETENTION
Data is backed up securely and kept as long as we are still acting for you and for up to six years after we cease to act for any reason.
SOURCES OF DATA AND USES TO WHICH IT IS PUT
We will collect personal data from you that, in our experience, is relevant to our work on advising you concerning the impact of Government Legislation, mainly taxes but also other issues such as benefits. It is used for our normal professional purposes of preparing accounts, payrolls, VAT Returns, and other such documents that may be required either by you or by other business contacts (e.g. banks and other providers of finance) or the authorities.
Under some circumstances the data might come from other sources such as H M Revenue and Customs or your previous Advisors. In any case we will advise you to whom we are writing for personal data, and for what purpose.
DATA LOSS
If personal data is lost for any reason (for example, correspondence going astray in the post) we undertake to advise you that it has been lost and state exactly what was lost.
MAILSHOTS
We will, at appropriate intervals, prepare mailshots to clients who may be affected by certain changes in Government Legislation or other events of importance to the business community, so as to keep you up to date with changes in the business environment in a timely basis.
ACTION POINTS
• The above is a statement of our own policy which we believe is appropriate to ourselves as accountants. It may need to be changed as time goes on. It should not be taken as a template for use by yourselves, as your circumstances are different from ours.
• Please bear in mind that you should formulate your own data protection and privacy policy for your own business by 25 May 2018. Contact data on your clients, suppliers, and other business contacts counts as personal data.
• We are not data protection specialists and cannot give detailed advice on this point. We are aware that all limited companies should, if they have not already done so, register with the Information Commissioner’s office by 25 May 2018 and pay a fee, normally £35. Failure to do so may render you liable to a fine.
• If you would like specialist data protection advice, we have a helpful contact and can put you in touch with him on request.
– By Stephen Handley, FCCA