Version 1.0 | Dated: 21 May 2018
This policy applies to the following businesses:
You Need A PA – You Need A PA, 119a High Street, Blakeney, Holt, NR25 7NU
What are the GDPR / DPA?
You Need A PA, as a Data Controller & Processor, is bound by the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR). Previously we were bound by, and adhered to, the Data Protection Act (DPA) 1998, as we will be by its successor, due to be ratified into law in 2018 (the UK Data Protection Act will supplement the GDPR, implementing the EU Law Enforcement Directive, as well as extending data protection to areas which are not covered by the GDPR).
Both the GDPR & DPA have been implemented by the EU & UK into law as measures to ensure that Personal Data for citizens is being protected by the organisations that hold it, and to give the individual more rights to ownership of their personal data.
What is Personal Data, or Personally Identifiable Information?
Personal data is any information relating to an identifiable person, or data subject, who can be directly or indirectly identified by reference. This definition provides for a wide range of personal identifiers, from name and contact information to National Insurance or employer payroll numbers.
What is sensitive personal data?
Sensitive personal data refers to the above, but includes wider data such as:
- Medical conditions
- Religious or philosophical beliefs and political opinions
- Racial or ethnic origin
- Biometric data (e.g. photo in an electronic passport)
What is a Data Controller?
For GDPR purposes, the “data controller” is a person or organisation who decides the purposes for which any personal data is processed, and how it is subsequently used.
What is a Data Processor?
A “data processor” is an organisation or person that processes personal data on behalf of the controller.
What/Who is the Data Protection Officer?
A Data Protection Officer (DPO) is a role required by GDPR, responsible for overseeing data protection strategy and implementation to ensure compliance.
You Need A PA has opted to voluntarily appoint this position. The DPO at time of publication is Polly Hadden-Paton who can be contacted at the above address, by calling 07786 416916, or via firstname.lastname@example.org
What is Data Processing?
Data processing is any operation performed upon personal data, or sets of it. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.
What do we mean by Business to Business?
PLCs, LTDs, LLPs, incorporated partnerships, sole traders, unincorporated partnerships, trusts and foundations, local authorities and government institutions.
What do we mean by Business to Consumer?
Private clients, sole traders, unincorporated partnerships, trusts, and foundations.
What information do we collect, and why?
As Data Controller we will obtain, use and process information provided to us for the purposes of enabling us to discharge the services as defined in our Letter of Engagement and supporting schedule. This will come from sources such as, but not limited to:
- The Data Subject & relatives
- Data Subject employers
- Payroll companies
- HMRC and related governmental bodies
- Companies House
- Credit reference agencies
- Anti-money laundering agencies
- Website visit / usage (i.e. Cookies)
- Practice App registration / usage
We will only collect, store, and utilise information relevant to the services provided and to the requirements of bodies such as HMRC and Companies House. This will include, but is not limited to, the following.
- Names & contact information (e.g. names or online identifiers, email addresses, telephone numbers, and location identifiers such as addresses)
- Date of birth
- National Insurance (NI) number
- Unique Tax Payer Reference (UTR) number
- PAYE References
- Passport number
- Payroll information (inc. pension information)
- Employer / employee information
- Accounts, payroll & dividend information
- Bank account number
- Bank & card statements
- Credit history
We may also use the information we gather/hold for purposes related to, but not strictly part of, fulfilling our services, such as:
- Updating and enhancing internal client records
- Analysis for management purposes
- Legal and regulatory compliance
- Crime prevention
- Practice news and updates
You Need A PA may, under certain circumstances, have a requirement to share information with certain other professional organisations or companies to fulfil the services requested. Examples might be HMRC or Companies House. In these circumstances, information will only be shared upon obtaining prior permission from you as a client.
In using our website / practice app we may also use the following:
Cookies are files put on your computer when you visit a website that collects log information and visitor behaviour. This information can be used to track visitor use of the website and to create statistical reports on website activity. Browsers can be set not to accept cookies, and the following websites provide information and guidance on their use and on how to remove cookies from your browser. For more information visit www.aboutcookies.org or www.allaboutcookies.org.
We or our third-party marketing team might use software such as Google Analytics to report on how visitors use our website so that we may make improvements and give visitors a better user experience. This can store information such as your IP address (locational information).
An IP or Internet Protocol Address is a unique numerical address assigned to a computer as it logs on to the internet. You Need A PA does not have access to any personally identifiable information contained therein, and we would never seek this information. Your IP address is logged when visiting our site, but our analytics software only uses this information to track how many visitors we have from particular regions.
Internet Based Advertising
We may use advertising services such as LinkedIn, Facebook and Twitter, and as such there might be tracking codes installed on our website to report on the effectiveness of campaigns. We do not store any personal data within this type of tracking.
Lawful Basis of Data Collection & Processing
You Need A PA takes the issue of personal data, and your privacy, extremely seriously and will only use personal information provided to us for the services requested from us. We will only use this information subject to instruction, data protection law, and our duty of confidentiality.
For Business to Business clients and contacts – personal data will be held/processed under the lawful basis of “Contract” & “Legitimate interest”. Under this basis we can process personal information for a genuine and legitimate reason, such as our contractual obligation, so long as we are not harming any of your rights and interests.
For Business to Consumer clients and contacts – personal data is held/processed under the lawful basis of “Contract” & “Legitimate interest”. Under this basis we can process personal information for a genuine and legitimate reason, such as our contractual obligation, so long as we are not harming any of your rights and interests.
For both Consumer and Business clients and contacts we will hold/process personal data under the basis of “Legal Obligation”. This is to enable us to fulfil our regulatory obligations. Data held/processed under “Legal Obligation” includes, but is not limited to, that required for preventing money laundering and terrorist financing as provided by the Money Laundering Regulations 2017 and the Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
Marketing / News
For both Consumer and Business clients and contacts we may process some data held as noted above for the purposes of marketing under the basis of “Consent”. We may occasionally wish to contact you regarding wider services or news from You Need A PA outside of the scope of agreed services. We will limit this usage, and never share this information with outside organisations; however, we recognise that this data will only be used with client consent, which can be revoked at any time.
You have a right at any time to stop us from contacting you for marketing purposes. To opt out at any time please email email@example.com
Security precautions in place regarding storage and use of data collected
We have audited our data flow processes, where we store data, and how we use data to ensure that we are compliant with GDPR and DPA. We are committed to ensuring personal data is treated securely, and to making our best effort to ensure its security on our systems, and on those third-party programs we use. We will be training all current and future staff, and as an ongoing process will regularly review our processes, data flow, security and training to ensure that any evolution of the company and our use of software / data is reflected in our compliance.
Please note that personal information details sent over the Internet to us without appropriate security (e.g. in an open email) can never be guaranteed to be 100% secure. We cannot guarantee the security of any information you transmit to us, and you do so at your own risk; however, we have means such as our document transfer portal in place in order to assist you in passing the relevant personal information to us.
Transferring your information outside of Europe
In order to fulfil some elements of our work, such as using some cloud-based services, some of the information you give to us may be transferred to or processed in countries outside the European Union (e.g. when using cloud-based software). Where this is the case we will take steps to make sure that the right security measures are taken so that your privacy rights continue to be protected as outlined in this policy. Where third-party software suppliers house servers outside of the EU we will do all we can to ensure locales are covered by the ICO, and that their services fall under the “Privacy Shield” agreements, or similar, whereby participating companies are deemed to have adequate protection and can therefore facilitate the transfer of information from the EU.
If you use our services while you are outside the EU, your information may potentially be transferred outside the EU in communicating with you to give you those services agreed; however, all efforts will be made to ensure secure processes are used, such as our documents portal.
Deletion of Data – How long will we hold your data for?
As part of GDPR, individuals have the right to have their data forgotten. We destroy any files and data relating to clients 8 years from the initial point of contact, on a quarterly basis.
Access to your information, correction, portability and deletion
What is a Subject Access Request?
GDPR requires that individuals have the right to request a copy of the information held about them from any organisation. If you would like a copy of some or all of your personal information, please email or write to the Data Protection Officer, Polly, or firstname.lastname@example.org. We will respond to your request within one month of receipt of the request.
To update or correct any information we hold that may be inaccurate, please email or write to You Need A PA, 119a High Street, Blakeney, Holt, NR25 7NU; or email@example.com
In accordance with the right to have data forgotten, we will assess any request to delete information, and remove this, or notify you otherwise, on a case-by-case basis. In some circumstances, we are bound to hold information for regulatory purposes. The only reason we would deny your request is if we can show compelling legitimate grounds for the processing or holding, which might override your interests, rights and freedoms.
We have an obligation to notify the individual and the UK’s supervisory authority (the Information Commissioner’s Office) of any breach in security that may have resulted in personal data being accessed by outside parties, or where data may have been incorrectly handled. We will adhere to the required reporting standards, and notify all the relevant affected parties, but should there be any cause for concern or complaint, these can be lodged as per guidance from the Information Commissioner’s Office.
How to contact us
- Email: firstname.lastname@example.org
- Call: 07786 416916
- Write: Data Protection Officer, You Need A PA, 119a High Street, Blakeney, Holt, NR25 7NU