DATA PROTECTION POLICY
This policy is for Eyre-Walker (Holdings) Limited (“EWHL”), Howsons (Audit & Assurance) Limited (“HAAL”) and Howsons (Stoke) Limited (“HSL”), collectively trading as Howsons.
The Data Protection Officer is James Eyre-Walker.
We are registered with the Information Commissioner’s Office under registration numbers ZA175940 (EWHL), ZA175943 (HSL) and ZA175941 (HAAL). You can access our notified use of personal data on the Information Commissioner’s Office website (www.ico.org.uk).
EIGHT DATA PRINCIPLES
We acknowledge, and always seek to comply with, the 8 data principles established by the Data Protection Act 1998. These are:
1. All data should be processed fairly and lawfully, and the data subject should know how and why data is being collected.
2. All data should be used only for the purposes for which it was collected.
3. All data should be only sufficient for the purpose for which it was collected.
4. All data should be accurate and up-to-date.
5. All data should be archived or securely deleted when it is no longer required.
6. All data should be able to be accessed by the data subject.
7. All data should be properly secured, reflecting its sensitivity.
8. All data should be retained within the EEA.
WHOSE DATA DO WE HOLD?
We hold personal data in respect of the following:
• Former clients
• Client employees
• Our employees
• Our former employees
• Suppliers/Service Providers
• Work Experience Students
• Prospective employees
WHAT DATA DO WE HOLD?
Clients and former clients:
• Date of birth
• National Insurance number
• Unique Tax Reference
• Telephone number(s) – landline and/or mobile
• Email address(es)
• Marital status
• Critical dates – death, marriage, divorce etc.
• Dependants – name and date of birth
• Advisers – names, addresses and telephone numbers
• Bankers and other financial institutions – names, addresses, account numbers, agreements etc.
• Client Due Diligence – photographic and address identification
• Legal documentation – partnership agreements, shareholder agreements etc.
• Investments – shareholdings, bank/building society accounts etc.
• Clients’ own accounting records
Employees, former employees:
• Name *
• Address *
• Date of birth *
• National Insurance number
• Tax code
• Telephone number(s) *
• Email address *
• Gender *
• Marital status *
• Bank details
• Pension provider details
• Next of kin
• Emergency contact details
• Employment contract
• Training records
• Education and prior employments *
*We may hold this information in respect of work experience students and prospective employees.
Other Third Parties:
• Telephone number(s)
• Email address
• Contracts, orders, invoices etc.
WHAT SENSITIVE PERSONAL DATA DO WE HOLD?
We do not systematically collect sensitive personal data, but we may on occasion be given it. This might include:
• Health details
• Sexual orientation
• Trade union membership
• Political affiliation
• Criminal activities
WHERE DO WE GET DATA FROM?
Clients, Former Clients:
• Financial institutions
• Public records (e.g. Companies House, Land Registry etc.)
• HM Revenue & Customs and other Government Agencies
• Other professionals (e.g. accountants, solicitors, insurers, banks, land agents etc.)
Employees, Former Employees, Prospective Employees, Work Experience Students:
• Third parties (e.g. reference requests)
• Training providers
• HM Revenue & Customs
• Pension providers
• Suppliers/Service providers
• Other professionals (as above)
HOW AND WHERE WE HOLD DATA
We hold personal data in a variety of ways, both manually and electronically.
Manual data (which might include printed electronic data) is held as follows:
• Client files (which include permanent information, correspondence etc.)
• Working paper files
• Signed accounts
These are held within the office at Winton House, Stoke Road, Stoke-on-Trent ST4 2RW. We maintain physical security with code locks on external entry points in office hours and five lever mortice locks at night, with a regularly maintained burglar alarm set. We do not permit clients and other third parties to access areas of the office other than the reception/interview area without legitimate cause.
Electronic data is held on our networked IT infrastructure. The majority of this data is held on our file server, which is kept in a locked room. We use passwords, user controls and access rights to limit access to data to employees with a legitimate need to access it. We back up our file server data hourly. The back-up is held off-site in a secure data centre in Dublin that conforms to ISO 27001 standards. The data is also backed up every 30 days to an external hard drive, which is held off-site in a locked facility under the direct supervision of a senior member of staff.
Our email is hosted in the cloud through Giacom and is held in highly secure data centres in the UK. It is protected by “best in class” anti-virus and anti-spam software.
Some data is held on work terminals, including laptops. This data is synchronised with data held on the file server. We maintain managed industry-standard firewalls, anti-malware (Heimdal) and anti-virus software (Bitdefender), which update constantly.
We use laptops to facilitate delivery of services outside the office. Access to the file server from outside the office is protected by SonicWall NetExtender. Our laptops are encrypted.
Our IT support provider (Prism Total IT Services, The Technology Barn, Unit 20, John Bradshaw Court, Alexandria Way, Congleton CW12 1LB) undertakes a review of our IT infrastructure every quarter, which includes consideration of the security of data.
Certain senior members of staff have access to their email on personal electronic devices, such as iPads and mobile phones. When an employee leaves the firm, we take all reasonable steps to prevent continued access to our IT infrastructure and data; we require any data held on personal devices to be removed and act to prevent future access to it.
We also hold personal data with a third party provider of information services for the provision of newsletters, both electronic and manual. This data is limited to names, addresses, email addresses and a categorisation of the related individual/entity that enables us to deliver relevant content.
Informanagement UK Limited, who manage our main newsletter service, hold names, addresses and email addresses for those clients and employees opted-in to the newsletter(s). This data is encrypted and held on secure servers at UK data centres with industry-leading infrastructures. Anyone on any distribution list is able to opt-out within the newsletters themselves.
HOW DO WE MAINTAIN THE ACCURACY OF DATA?
It is important to us that the data we hold is accurate. Staff notify changes to personal data to our administrative assistant, who updates all our main databases. Additionally, at the start of each assignment, employees check that the data we hold is still accurate.
WHAT DO WE DO WITH THE DATA WE HOLD?
Depending on the terms of our appointment, which are agreed in writing with each client in a Letter of Engagement, we process data to:
• Prepare accounts
• Prepare VAT returns
• Prepare tax returns
• Undertake audits
• Give tax planning advice
• Give business advice
• Communicate with clients and their advisers
• Operate payrolls on their behalf
• File statutory and other financial returns
• Mail relevant information (by email and/or post), if opted-in to that service
We process data within our own administration to:
• Maintain our own accounting records
• Prepare VAT and other tax returns
• Operate our payroll
• Manage benefits, including pensions, healthcare schemes, death-in-service scheme
• Administer training
• Manage work experience students
• Receive and send third party references
• Undertake compliance reporting – professional indemnity insurance, Quality Assurance Directorate returns, suspicious activity reports etc.
WHO DO WE DISCLOSE DATA TO?
We are bound by the Institute of Chartered Accountants in England and Wales’ Code of Ethics, which requires us to maintain the confidentiality of client data. We respect that principle and regularly promote it throughout the firm. However, there are circumstances in which we may disclose confidential information relating to your affairs to third parties. These circumstances include (but may not be restricted to):
• Disclosures to third parties under your written authorisation;
• Disclosures to regulatory authorities, such as the Quality Assurance Directorate of the Institute of Chartered Accountants in England and Wales, in connection with the proper conduct of their business as regulators, on the basis that they are bound by appropriate ethical standards which prevent them from using the information for any purpose other than as a regulator;
• Disclosures to official Government agents upon production of appropriate warrants, court orders etc.; and
• Disclosures under the Proceeds of Crime Act 2002 and other related enactments of Parliament where we have a legal obligation to disclose knowledge or suspicion of money laundering.
As part of our service to clients and in managing our own business affairs we will provide information to third parties such as HM Revenue & Customs, Companies House and other Governmental agencies where there is a requirement to do so within the terms of our service or managing our own affairs.
Furthermore, our IT support provider (Prism Total IT Services, The Technology Barn, Unit 20, John Bradshaw Court, Alexandria Way, Congleton CW12 1LB) is the only third party with direct access to our IT infrastructure. It has a contractual obligation not to access data, except to the extent that it is necessary for it to do so to support us.
HOW LONG DO WE HOLD DATA FOR AND WHAT DO WE DO AFTERWARDS?
The length of time for which we retain data depends on the nature of the data as follows:
• Client accounting records and tax information – these are usually returned to the client on completion of the work for which they were given to us. We maintain a log of client records received and returned, which is reviewed on a quarterly basis.
• Other manual and electronic files (including correspondence and working papers) – these are reviewed after 7 years from the end of the accounting period or tax year. Any information of a permanent nature (such as details of capital assets that are still held, copies of longer term agreements etc.) is removed. The remaining information is destroyed.
• Permanent information – where information has on-going relevance to a client’s affairs it will be retained. If a client disengages us, for whatever reason, we will normally pass the information to a successor firm. If we don’t, we will destroy it after 7 years.
• Client Due Diligence – in accordance with our obligations under Money Laundering legislation, we will retain client due diligence information for 5 years after we cease to act for the client.
• Opt-In Forms – Where clients have opted-in to receive materials from us we will retain them for the duration of the opt-in period.
We use a third party confidential waste disposal company to destroy all manual data containing personal data.
If we hold personal data relating to you, you have a right under the Data Protection Act 1998 (DPA98) to find out what information we hold that relates to you. If you wish to exercise this right, please request it in writing from the Data Protection Officer, who will make the necessary arrangements.
If you have opted-in to receive information from us, you may opt out at any time either through links in the information we send you or by contacting us by telephone, email or post. We will implement your opt-out within 3 working days.
If you become aware of any inaccuracy in any personal data that we hold, you have a right to have it rectified or removed. You should notify us by telephone, email or post and we will rectify the inaccuracy within 3 working days.