Client data privacy notice
The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose legal obligations in connection with the processing of personal data.
All Paul is a data controller within the meaning of the GDPR and we process personal data.
We may amend this privacy notice from time to time for best practice. The last date is shown at the end of this notice. We do not expect major changes in its application. We would however suggest that clients check our website for any updates.
Client privacy and trust are important to us. Here at All Paul Limited, we take client privacy seriously.
This privacy notice explains when and why we collect personal information about individual clients and corporate information about our business clients, how we use it, the conditions under which we keep it and how we keep it secure.
Personal information means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the identity of that person.
Throughout this privacy notice, when we refer to client or clients, this also refers to a former client or former clients of the firm.
What information is collected?
For individuals, we collect the client’s full name and title, marital status, gender, home address, date of birth, National Insurance number, Unique Taxpayers Reference, email address(es), mobile and home telephone numbers.
For businesses, incorporated or otherwise, which may also include individuals, we collect the business name and address, business and mobile telephone numbers, email address, Government Gateway username and passwords and, at times, HMRC shared secrets , VAT registration number and quarter dates, PAYE reference and PAYE accounts office reference, and the business accounts year end.
We collect for each individual and business client their main banker and related account number and sort code.
For incorporated businesses, we also collect their Registered Office address, date of incorporation, Companies House number and Companies House authentication code.
We collect details of each client’s banker and associated account number and sort code so that we can direct repayments due to them from HMRC or any other party that clients ask us to. We may use bank details on paper or online forms to register for services e.g. with HMRC.
At times we may use client bank details to set up Direct Debits through the HMRC Gateway to pay agreed tax liabilities on behalf of clients. We will never use client bank details to try to take any money from their account. The only exception to this is if clients give us express permission and also provide any logon details to their bank.
Clients may object to us collecting certain data about them. The consequence of such objections of not providing information is that we may not be able to undertake the services that we have contracted to provide to these clients.
We collect other information about our clients e.g. the source of the introduction, the date they became a client and the date of our engagement letter.
Who is collecting the data?
Client data is collected by All Paul Limited, Chartered Certified Accountants, which is a company registered in England and Wales with company number of 08367537. For the purposes of the General Data Protection Regulations (GDPR), the data controller is All Paul Limited.
How is client data collected?
Clients provide most of their data directly to us when they become a client. This can be in paper or electronic format e.g. emailing your personal data to us. Please be aware that the transmission of information via the internet is rarely completely secure.
Not all of the personal information All Paul Limited holds about clients will always come directly from clients. Some data is provided to us about clients from third parties e.g. HMRC, Companies House or other accountants e.g. when they provide professional clearance and transfer of information on change of appointment. Some data is available and collected from publicly accessible sources e.g. Companies House, though this is normally also provided directly by clients.
We will also collect, use, disclose and store personal data about the employees of some of our clients’ businesses e.g. if we run a payroll for that client. In this case, for example, personal data about employees will generally be provided by the employer to us.
As accountants and registered tax agents, HMRC provide us with client tax references either when clients join us or when clients are registered for new taxes.
Why is client data collected?
We collect, use, disclose and store personal and business data about our clients in order to operate our business, manage client accounts, invoice for our services and to provide our services to clients. We do this for any client that has requested services from us and where we have agreed to provide such services in our engagement letters, quotes, correspondence or verbal agreements. We only collect data about our clients that we actually need and only for the above purposes.
For contractual reasons, clients must provide us with certain personal data that we request. If they do not provide it we may not be able to provide our professional services. If this is the case, we will not be able to commence acting or will need to cease to act for a client.
How will client data be used?
Client data is only used for the intended use for which it was collected. Client data is processed lawfully as a means to provide our services to our clients and any individual or businesses that we have previously agreed to provide our services to.
Where we wish to use client data other than for the purpose that it was collected for, we will ask for client consent. In most cases, we do not need to ask for specific consent from clients to use their data. This is because we aim to be transparent as to why we have collected and how we will use their data.
We rely on the lawful basis as to why we obtain and process client data and specific consent is therefore generally not required. Our lawful basis is that processing of data is necessary for the performance of a contract with a client or to take steps to enter into a contract or that processing is necessary for compliance with a legal obligation. e.g. Money Laundering Regulations.
We also process personal data to comply with professional obligations to which we are subject as a member of the Chartered Association of Certified Accountants (ACCA) and to use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings.
Sensitive personal information is a subset of personal information and is generally defined as any information related to racial/ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, other medical information including biometric and genetic data, or sexual life or preferences. Whilst our client data is mostly private and confidential, we do not consider that the data we collect, hold and process is deemed sufficiently sensitive information to require specific consent under the GDPR.
We do not undertake general direct marketing to our clients. However, it is our policy to send periodic updates to clients by email on accounting and taxation matters etc that we feel are relevant to clients of the firm to provide a better service to them, for example by explaining changes in legislation. We will use a client email address for this purpose.
We may offer clients certain additional services that we feel may be of specific benefit to them e.g. HMRC Fee Insurance to protect them from the potential costs of a tax enquiry or investigation. Clients can always choose whether they wish to receive such emails in the future.
We use client data to communicate with our clients. We use the client email address as the primary means of communicating with our clients.
Who will client data be shared with?
We do not share client data with third parties for marketing purposes.
We do not share or pass client details to another organisations unless this is required as part of our contractual services. The main organisations that we will provide such details to are H M Revenue & Customs (HMRC) and Companies House. Any information passed to them is provided solely in order to provide our agreed client services e.g. completion of Financial Statements, Tax Returns, payrolls etc.
Any information that we do share with another organisation will be in a way that clients would expect of us and where we have client authority, either expressly given or implied through the context of the data shared e.g. provision of financial data about the client to a potential loan provider to the client.
We may need to share or pass client data to an alternate appointed by us in the event of serious illness, permanent incapacity or death of the sole proprietor.
We may also share or pass client data to tax insurance providers, professional indemnity insurers, our professional body at ACCA, the Office of Professional Body Anti-Money Laundering Supervisors in relation to practice assurance and/or the requirements of Money Laundering Regulations or any similar legislation.
Data about clients is only given to law enforcement agencies, e.g. the police, courts and tribunals and the Information Commissioner’s Office (ICO), when we are legally required to do so.
We will never sell client data and we promise to keep such details safe and secure to the best of our ability. At times, third parties e.g. loan providers or property rental businesses, or their appointed agents, may request details about clients. We will only provide information to these types of organisations if we have client authority to do so.
Client data is never passed to advertisers or other organisations to promote their own services to our clients.
How long will we hold client data?
We retain personal information for as long as we reasonably require it for legal or business purposes. In determining data retention periods, All Paul Limited takes into consideration laws, contractual obligations, and the expectations and requirements of our clients. When we no longer need personal information, we securely delete or destroy it.
In accordance with recognised good practice within the tax and accountancy sector, we retain client data and accounting and tax workings and similar records arising from our contractual services for seven years after our business relationship ends. For clients where we have a continuing relationship we normally retain accounting and taxation records for seven years after the end of the accounting or taxation period. We retain data for this time period as we consider this period to be sufficient to deal with subsequent legal matters and client based queries, either from the client, their agents or H M Revenue & Customs.
Where we have a continuing client relationship, data which is needed for more than one year’s accounting or tax compliance is retained throughout the period of the relationship and is then deleted seven years after our business relationship ends.
What will be the effect of us collecting and holding client data?
Clients should see no negative consequences of us holding and using their data as we only use it for the legal basis that it was lawfully collected.
We do not use automated decision-making in relation to client data.
Individuals’ objections and complaints
Any questions regarding this privacy notice and our privacy practices should be sent by e-mail or in writing to the address shown in this section. If clients wish to change any of the consents that they have given to us in respect of their data, then they should email or write to us at our Registered Office address of 17 Longwood Crescent, Shadwell, Leeds LS17 8SR.
Clients have the right to complain to the ICO if they think there is a problem with the way their data is being handled by us.
How can clients ascertain and access the information that we hold about them?
Clients have a right to request access to, and correction of any inaccurate regarding, their personal data that we hold. We respect our clients’ right to access and control their data, and we will respond to requests for information and, where applicable, will correct, amend, or delete such personal information. Clients may have the right to request deletion of their personal data. However, this is not always possible due to legal requirements and other obligations and factors.
If clients request access to their personal data, we will gladly comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. We may charge a fee for providing a copy of client data, except where this is not permitted under the law.
If we hold any information about clients which is incorrect, or if any changes to the details held are required, then clients should let us know so that we can keep our records accurate and up to date.
In certain circumstances clients have the right to be provided with the personal data that we hold about them in a machine-readable format, e.g. so that the data can easily be provided to a new professional adviser.
Clients should write to us at our Registered Office address regarding the data that we hold about them.
Where do we store client data?
Once client personal information has been received by us, all electronic client data is stored on our secure company server within the UK. We take all reasonable measures to keep it secure and prevent unauthorised access to it. We also use additional physical back-up devices and cloud based storage systems. Personal information may be stored outside of the UK or European Economic Area on cloud based storage systems.
Our premises are protected by physical security mechanisms and an alarm system. Our computer systems are secured by password and our databases are protected by passwords. We use appropriate physical measures to store and transfer data securely.
We use Microsoft for our off-site cloud based storage and backup systems. We have assurance from Microsoft that our cloud based storage systems comply with GDPR. Microsoft provides GDPR related assurances in their contractual commitments that they are committed to GDPR compliance across their cloud services.
We maintain and store limited paper based client data within our office. Key paper documents are kept safe and secure in our office.
Data Protection Officer
Due to the size of our organisation we are not required to appoint a formal Data Protection Officer. We have appointed Paul Clifton to be the person responsible for data protection within the firm. Clients should contact him in writing at the firm.
Transfers of data outside of the European Union
Personal information in the European Union (EU) is protected by data protection laws but other countries do not necessarily protect clients’ personal information in the same way.
Some of our client contact and topical news services may be hosted in the United States or otherwise outside of the EU. This means that we may transfer client names, business names and email addresses to the United States or to other territories outside of the EU.
We take steps to ensure that appropriate measures and controls are in place to protect any data that is transferred outside of the EU in accordance with applicable data protection laws and regulations.
By using our services, clients consent to the transfer of their data outside of the EU in the circumstances set out in this privacy notice. If clients do not want their data to be transferred outside of the EU, then they are unfortunately not able to use our services.
Last updated 9 May 2018.