This Policy deals with the protection of your personal data, your personal information which you provide to us when using our services.
The protection of an individual’s personal data is important. How those data are used (and sometimes abused) has long been a topic of discussion. Previous legislation went back to 1998 and consensus was that the law required updating.
As a result, the General Data Protection Regulations came into force on 25th May 2018 via the Data Protection Act 2018. These Regulations build on previous legislation to protect, defend and enhance a person’s rights surrounding their personal data. This Policy, and the documentation referred to and associated with it, reflects those rights and sets out what personal data we hold and what use we make of those data.
More information concerning the GDPR can be found at the Information Commissioner’s website (the ICO website).
Cannon Moorcroft Limited (CM) takes privacy and therefore the processing and protection of the personal data provided to it, very seriously. Such data is exclusive and belongs solely to the individual concerned and can only be processed with the consent of that individual. There are in place security measures to protect that personal data and CM only holds and processes the minimum required to fulfil its Engagement Terms.
If there is anything that you wish to clarify before or indeed after providing personal data please email: firstname.lastname@example.org .
WHAT IS CM?
Cannon Moorcroft Limited is a Company limited by shares and governed by the Laws of England and Wales. The Registered Office and operational address of the Company is: 3 Manor Courtyard, Hughenden Avenue, High Wycombe, Buckinghamshire HP13 5RE. Our telephone number is (01494) 450123. The Company has been allocated the number 04523821. The Registration Number at The Information Commissioner’s Office is Z7305206.
WHAT DOES CM DO?
We are a firm of Chartered Accountants and Registered Auditors and a member firm of the Institute of Chartered Accountants of England and Wales.
HOW TO CONTACT CM’S DATA PROTECTION OFFICER
Queries about the processing of your personal data should be addressed to Doug@cannonmoorcroft.co.uk . Our Data Protection Officer is Doug Simmen.
WHAT CM REQUIRES OF ITS CLIENTS
When a Client and CM enter into an Engagement, that Client is confirming that it complies with the terms of the GDPR when those Regulations apply to that Client. Therefore any personal data disclosed to CM is done so on a lawful basis.
CHANGES TO THIS POLICY
CM keeps this Policy under review. Updates will appear on the website. CM may also notify the changes via email and/or post and/or by other media platforms (if CM has access to such), providing an individual allows CM to do so. Continued use of the services will be deemed acceptance of those changes unless CM believes that actual consent is necessary to allow those changes to occur, as they relate to personal data.
WHAT IS PERSONAL DATA?
An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location number or an online identifier. Personal Data relates to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. As examples: name, address, gender, email, IP, location, etc. collectively (and sometimes on their own) amount to personal data. This definition is very wide and includes manual filing systems. There are further provisions that relate to “Sensitive Data” such as genetic information. If any of this data is processed, then the GDPR applies to those that are undertaking that processing.
The second element to the holding of personal data is “processing”. The criteria for such are twofold. Firstly, and in very broad terms, it means the collecting, using, disclosing, retaining or disposing of personal data. Secondly, that processing must be done fairly, lawfully and in a transparent manner. The latter means in accordance with applicable legislation, including the GDPR. The former means that CM is open and clear as to how it will use those data provided, so that an informed decision can be made as to whether personal data is provided in order to take advantage of all our services. It also includes the right to opt out where an individual may have previously agreed to a certain aspect of processing.
LEGAL BASES FOR PROCESSING PERSONAL DATA
An individual cannot be forced by CM to provide personal data. However, if a choice is made not to, then we will not be able to provide many services. When personal data is provided CM will make it clear on what bases it relies to hold and process those data. Further details on these bases can be sourced at the Information Commissioner’s website (the ICO website) by following the links to the GDPR and then Lawful Processing. The details of what CM does with personal data and the legal bases can be found at the end of this Policy but, in summary, we process those data based on the following:
• Performance of a Contract
• Legitimate interest
• Legal obligation
HOW LONG DOES CM RETAIN PERSONAL DATA?
CM can only retain personal data so long as it has a legitimate reason to do so or as is required by law.
Where CM has an ongoing Retainer with a Client it will retain any personal data supplied for the duration of that Retainer. Where that Retainer involves an annual or occasional function (rather than a continuing and/or ongoing function) on behalf of a Client, for example tax returns, then the Retainer, for the purposes of the retention of personal data, will not be terminated simply by the completion of the annual or other occasional process. It will be dormant, but still in existence, until the next process occurs, even though a Client may then receive a fresh Retainer to enter into. That new Retainer will supersede the old and will confirm the accuracy of those data and that CM may continue to retain them. For the avoidance of doubt, it is the responsibility of a Client to notify CM of their desire to terminate the Retainer unless CM itself were to terminate that Retainer. Upon such termination, those data held will be dealt with in accordance with the provisions of this Policy.
Upon termination, CM believes that, in general terms, keeping personal data until the end of the CM financial year in which the termination occurred is the minimum length of time. This is subject to what is contained below in the section entitled Deleting Personal Data.
However, CM may decide, at its absolute discretion, that those data should be retained for a longer period, for example to comply with CM’s legal obligations.
When CM decides that it should delete personal data it will do so without notifying the person concerned, unless it is requested to do so in writing, sent by post to the address given above and clearly marked “Notification Upon Personal Data Deletion”.
DELETING PERSONAL DATA
At any time an individual can contact us and ask us to delete their personal data. Simply contact email@example.com . However, if this is done then it is possible that not all services would be available. As examples: CM might not be able to file accounts with HMRC because it requires certain personal data, it would not be able to conduct investigations into employees’ rights to work and could not process payroll and ensure employees receive their pay. Further, where CM has any non-commercial reason to retain your details (for example it is legally required to do so) then it will, BUT those details and data will not be processed except for the purposes for which they are retained. When there is no justifiable reason to retain your details CM will delete them completely.
If an employer or other third party requests the deletion of an individual’s personal data, CM cannot do this without that individual’s consent. This must be obtained in writing from the individual concerned and the original (not scanned or copied) authority supplied to CM. In the absence of such authority, CM can only remove those data from the company’s details and would retain in archive a record of all personal data it holds as it relates to that individual. CM would be obligated, at a cost to the employer/third party, to seek the individual’s authority to delete. Such cost would then be deemed to be included as an extra fee within the Retainer.
Where personal data is to be deleted, other than by request, this will occur at the next Data Deletion Review. Such Reviews occur every six months, currently in November and May.
OBTAINING DETAILS OF PERSONAL DATA FROM CM
This is known as a Subject Access Request (SAR). An individual can request CM to provide details of what personal data it holds and processes which directly relates to that individual.
CM may only provide personal data to the person to whom it relates. A company, for example, cannot make a SAR about an employee, even if those data were provided by the company in the first instance.
To make a SAR the individual should email the Request to firstname.lastname@example.org . CM is required to provide a response as quickly as possible, but in any event within a month. Alternatively a request may be sent by post. If this method is used the request will be deemed to have arrived two working days after the date of posting.
All SARs must be marked SUBJECT ACCESS either in the “Subject” box of the email or at the head of the letter. All that is required generally is the full name of the individual, post code and confirmation should be given that there are not two people of the same name at the property or business. Details of alternate names used by an individual should also be given, for instance, a maiden name. If an individual is an employee and is making a request in that capacity, that person should provide details of the employer’s name and address. No notice will be given to the employer of the SAR. If CM requires further information it will contact the individual concerned in sufficient time in order that we may fulfil our obligations. The time for the provision of the response to the SAR will begin to run when we have all the information we deem necessary. Where we request further information, we will nevertheless endeavour to complete the process within a month of receipt of the SAR.
A SAR is free unless the amount of data to be supplied and/or investigated is beyond what CM would reasonably expect to produce or look at or multiple requests are or have been made (multiple means more than two).
CM will undertake changes to personal data if so requested. This request can be made by email to email@example.com or by post. Any such communication should be marked “DATA CORRECTION”. CM may contact the person or entity to confirm any changes, and such will be via a medium (or media) contained in our records: email and/or telephone and/or post.
If it is discovered that personal data or indeed any data has been changed without appropriate authority, contact CM immediately at firstname.lastname@example.org putting “POTENTIAL FRAUD” in the “Subject” box.
WHAT DATA DOES CM COLLECT?
The only personal data that CM requests, holds and processes is the minimum necessary for the services that it provides. If more is provided than is necessary, CM will accept such on the basis that individuals have consented to the provision of those data. Such data will also only have been provided by an individual, either directly or through an employer, contractor or related business. These data will be provided at the time of initial instruction and thereafter, during the currency of the Retainer, through email, postal service letters, telephone, our website via a client account, other businesses or individuals which have a connection (perhaps through contract), connected social media, or data that CM can infer from the use of our services or those connected to them.
The minimum personal data that is required is dependent upon the function CM is performing and the service provided pursuant to a Retainer. As examples:
Proof of Identification
CM will require a minimum of: driving licence and/or passport and a domestic bill.
CM will require a minimum of: the individual’s name, gender, home address, National Insurance Number, start date, date of birth.
CM will require from the directors and others that may be involved a minimum of: full name, date of birth, personal address, eye colour, National Insurance Number and place of birth (Country and town/city).
If CM requests personal data then it is necessary, and an individual and/or an employer is always at liberty to ask us why such data is required.
CONSENT TO PROVIDE PERSONAL DATA
Where an employer provides the personal data of an individual, then this must be based on the consent of the individual concerned. On occasion it is necessary and required that those data are supplied pursuant to the law or that it is necessary to fulfil contractual obligations thereby avoiding a breach of contract. For example, an individual’s personal data are necessary to process tax and national insurance contributions as part of their employment.
In some cases CM has to be provided with personal data to fulfil our Retainer, and if it does not hold and process those data some fundamental and critical aspect that directly affects an individual cannot happen. One of the examples above cites the process of PAYE where, without those data and the processing of them, an individual cannot receive pay for the work performed, which would result in a breach of contract by an employer.
There are other instances where CM has to receive personal data to ensure lawful payment is made or otherwise to comply with the law. Examples of such would be: a sub-contractor (who is an individual) cannot be paid, or CM cannot confirm an individual’s right to work.
It is undoubtedly the case that it is necessary to confirm to an individual that their personal data will be passed to CM. CM does not consider that it is a duty set upon it to confirm this. Each and every business must comply with the GDPR and so must have sought the necessary consents from those individuals concerned. Further, CM is entitled to process those data where:
• those data and the processing of them are necessary to perform a function for the benefit of that individual in the context of a contract (whether employment or otherwise);
• there is no benefit to CM derived directly from the individual as a result of holding those data and processing such fairly and lawfully;
• an employer (for example) is preserving the rights of that individual in the context of their employment; and
• failure to provide those data and allow such to be processed would promote a breach of contract to the detriment of a party other than the individual concerned.
Any individual who instructs CM, provides their personal data themselves. However, they are under a duty only to pass over the personal data of others if they have permission from that person. CM will ask for confirmation of this and reserves the right to confirm such consent, especially in situations where those other data are not directly required for CM to fulfil any legal obligation.
An individual may provide personal details via Social Media. As such, the individual is responsible for what data is provided.
If we are of the opinion that the disclosure of personal data may be other than cited above, or for some other reason, we will require confirmation from the individual that they are content for us to receive, hold and process their personal data and the context for such. In such a situation CM will require that it contacts the individual directly.
HOW DOES CM USE PERSONAL DATA?
CM will use personal data to provide services under the Retainer that it has with a Client. A Client, in providing instruction under that Retainer, may necessarily disclose the personal data of individuals. The nature of the Retainer is confidential, but a term of it is that the Client complies with the GDPR, where such applies to that Client. Therefore that disclosure is lawful because the Client has taken all necessary steps before disclosing any third party personal data. Such personal data will only be processed in order that the terms of the Retainer can be fulfilled.
CM may use personal data to contact an individual whether that be the Client or otherwise. This may be by email and/or telephone and/or post to provide, for example, information or to remind that individual of an upcoming event.
An individual is free to browse the website without providing any personal data. The IP address, which by itself and in this context does not identify you, will be collected and retained by CM. Clients will be requested to provide a username and password to maintain secure access to the relevant account. Such, as a matter of course, will probably be linked to personal data provided by that Client. It is solely a Client’s responsibility to keep the username and password secure. CM is not liable for any loss, howsoever occurring, as a result of unauthorised access to any account. Further, CM may itself suffer loss or damage as a result of unauthorised access. If such were to occur, CM would seek recovery of any loss or damage (to include costs) from that Client. The username and password, if matched to personal data, would not be disclosed in a SAR.
Access to services from the Website is available through Google and the terms of such will be agreed between the individual and Google.
CM has an Advice Group available to any individual, accessed through the Website. If this facility is used then any personal data is provided voluntarily.
CM uses various social media platforms as well as blogs. We have accounts which can be accessed through our website and generally with Google, Facebook, LinkedIn and Twitter. CM will also shortly use YouTube. Any access and personal data provided to those sources which comes into CM’s possession will be provided voluntarily by the individual concerned or with that individual’s consent. Any person can read a Blog and only an IP address will be held by CM unless other data is provided voluntarily.
Communication with clients is a fundamental part of the provision of services by CM. Email is the preferred method for CM to communicate with clients. When the Retainer is signed, a Client either consents to this method of communication or indicates otherwise. However, CM is obliged to offer all individuals the right to opt out after they have indicated, either directly or through a third party that they consent to such communication under the terms of the Retainer.
As is maintained in the Retainer, but is highlighted here: if an individual chooses to opt out of communication with CM, CM may not be able to provide the services for which it has been contracted. If such occurs, CM cannot be responsible for any losses, whether those are directly or indirectly incurred, as a result of the inability to communicate with an individual or otherwise fulfil its Retainer, whether instructed by that individual or not.
Information that we are required to give you by law
We are obliged to communicate these.
Those that result from the Retainer
We are obliged to communicate these. However, an individual may elect to receive that communication by post. An individual can ask CM not to communicate at all, through any medium. If so, then the warnings that appear here and elsewhere as to the provision of services apply. To change the method of communication or to opt out of any communication please email email@example.com .
If the individual is not the Client, notice of the opt-out must be given as a breach of contract is possible. An individual can opt out by email to firstname.lastname@example.org .
Security information relating to the website
CM believes that this is always essential; however, an individual can opt out by email to email@example.com .
Technical Newsletters and Marketing messages whether from CM or our partners and affiliates
You can opt out by email to firstname.lastname@example.org .
Again, CM considers this to be important, but an individual can opt out by email to email@example.com .
Emails will only be received if an individual chooses to provide details and request the service. If it is no longer required then email firstname.lastname@example.org to unsubscribe.
We will communicate by social media if an individual wishes to subscribe to such of CM’s accounts as may operate from time to time. At any time an individual can elect to unsubscribe from such.
WHO DOES CM DISCLOSE PERSONAL DATA TO?
Any third party in the UK, to whom CM discloses such data, is bound by the GDPR. Please refer to the section entitled: Where Does CM Send Personal Data, which is below.
If CM is required by law to disclose your personal data then it must do so and it is not possible to opt out of this process. This could be, for example, to HMRC or via an order of a Court.
We also provide your personal data to our service providers. These include:
• Banks and other payment providers: we have to supply personal data to secure payment;
• Payment card industry: the personal data we supply helps to prevent fraud;
• Our communications providers: they allow us to deliver emails and other communications;
• IT and Internet Security: to protect your personal data and provide our services;
• Licensed Technical Support Providers, Hardware and Software Providers: to provide secure service provision and enable a Client to share documentation as it wishes (in accordance with the GDPR);
• If a complaint is made, those data could be supplied to the appropriate authority which is the Institute of Chartered Accountants for England and Wales;
• Analytical tools: Self assessment planner, Online filing planner, Can we help you?, Starting a new business, Profit Chaser, Business Record Checker, Tax Planning Report, Business Fitness Assessment, Personal Financial Health Check, Tax Card and Interim Review.
If a sale of CM were to be proposed in whole or in part, then disclosure of personal data may be a part of that process and, for commercial confidentiality reasons, it would not be possible to seek approval from individuals. CM would however ensure, so far as is reasonably possible, that safeguards are established to preserve the security and integrity of those data pursuant to this Policy.
In the case of an emergency, if for example life is at risk, then we reserve the right to disclose personal data.
WHERE DOES CM SEND PERSONAL DATA?
CM controls your personal data from the United Kingdom and uses Cloud Storage for the data it holds and processes. If personal data is sent to anywhere within the European Union (EU), the recipient is bound by the rules set down by the GDPR. If CM sends those data outside of the EU it has to ensure that the recipient has adequate safeguards in place to protect those data. These can be, for example, specific contract clauses or corporate rules, or agreed and stated mechanisms such as exist between the EU and the USA.
CM is unable to say what will happen after the United Kingdom leaves the EU. It is likely that, during any transition period, these safeguards will remain in place, but that is not certain. What occurs thereafter (or if there is no such period of transition), and what may happen to your personal data, is undecided. This, however, applies to all businesses based in this Country.
Wherever your personal data is sent, whether it is to, say, a bank that processes a transaction or a communications provider, CM is not responsible for how that organisation or person processes those data. The GDPR applies equally to all businesses in the EU, and all businesses who deal with the EU and hold data concerning EU nationals have to show that they have adequate measures in place to protect individuals’ personal data. Unless CM has reason to believe something to the contrary, we are entitled to believe that all obligations have been fulfilled and those data are processed lawfully and fairly.
If you have queries, then those should be addressed directly to, for example, the charity or business that concerns you. Of course, please feel free to notify us at email@example.com .
LEGAL BASES FOR PROCESSING
The GDPR requires that CM specify what the legal basis is, or bases are, to justify requesting, receiving, holding and processing personal data. There are six bases and CM must select one or more and provide notification as to those it selected. This appears above. However, further details have to be supplied as to how lawful processing will take place under each of those bases. Further information is available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
There are two bases CM does not rely on. These are: to protect a person’s vital interests, and the performance of a task carried out in the public interest or in the exercise of a data controller’s official authority. Neither of these is applicable.
The legal bases we rely on are:
• Consent. This is processing with your consent. This includes sending emails, whether they be promotional or otherwise.
• Performance of a Contract. This is activity that happens when you request that we perform certain functions for you. We cannot fulfil our obligations unless we process your personal data.
Included here are:
Confirming any and all instructions and providing information in relation to a Retainer;
Remitting documentation prepared for approval;
Creating a direct debit or other repeating payment; and
Sharing or forwarding an email.
• Legitimate Interests. These can be the interests of CM or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
Included here will be:
CM conducting general and specific internal reporting and analysis;
Sharing personal data with third party affiliates, companies and partners;
Sending individuals surveys connected with CM;
Sending individuals emails concerning the operation of CM;
Marketing to other organisations;
Sending targeted marketing by post;
Targeted marketing through advertising CM through places on other websites.
• Legal Obligation. This is where we have to hold and process personal data in accordance with the law. Included are: sending email receipts for payments made, sending payroll information (including pay advices), checking for fraud, identity checks, right to work checks, providing statutory bodies with required information, complying with an order of a competent Tribunal whether in the UK or otherwise, and complying with other statutory obligations.