
Data protection policy

This policy relates to ICAEW (Company Number RC000246) and other associated entities/companies namely, District Societies, FCA Ltd, International Offices, Fraud Advisory Panel, Natural Capital Coalition, Joint Insolvency Examination Board, CCAB Ltd and Chartered Accountants Worldwide.

We will comply with the Data Protection Legislation by following a number of important principles regarding the privacy and disclosure of information. The purpose of this policy is to ensure that ICAEW staff are aware of their obligations when handling personal information which identifies a natural living person and that individuals internally and externally are aware of their rights.

In the United Kingdom and the European Economic Area (EEA), "Data Protection Legislation" means all applicable data protection and privacy legislation or regulations including The Privacy and Electronic Communications (EC Directive) Regulations 2003 (also known as PECR) and any guidance or codes of practice issued by the European Data Protection Board or the Information Commissioner, together with:

  • prior to 25 May 2018, the UK Data Protection Act 1998; and
  • from 25 May 2018 onwards, Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "Data Protection Legislation"), as amended by the UK Data Protection Bill and/or relevant acts of parliament.

Outside of the EEA, "Data Protection Legislation" means local, territorial data protection and privacy legislation that governs the processing of Personal Data.

When does this policy apply?

The Data Protection Legislation, and therefore this policy, applies to any situation where personal data for a natural living person can be identified. The protection of personal privacy is very important to ICAEW and any personal data collected and used MUST be treated in accordance with current Data Protection Legislation.

What is covered by this policy

The capture, storage, processing, management, distribution and secure destruction of any personal data for natural living persons connected with ICAEW.

Responsibilities

The ICAEW Executive Committee is committed to ensuring that we meet our responsibilities to comply with the Data Protection Legislation throughout our organisation.

To operate efficiently, ICAEW needs to collect and use personal information relating to current, past and prospective staff, students, members, affiliates, suppliers, clients, customers and others with whom we communicate. We may also be required by law, or as part of our responsibilities as a regulator and professional body, to collect, use and share personal information with government departments, agencies and regulators, or in some cases as part of the public interest. We will process this personal information lawfully, fairly and in a transparent way.

We believe that the lawful and correct way in which we deal with personal data is critical to our success, maintaining our reputation, integrity and our members’ confidence in us as an open and professional organisation.

To enable ICAEW to meet our data protection commitments, whilst protecting our reputation, we will adopt appropriate and relevant data protection and privacy standards, guidelines and requirements for legal, regulatory or legitimate organisational purposes. When dealing with personal data ICAEW will:

  • voluntarily appoint a Data Protection Officer
  • process personal information only where this is strictly necessary in a fair and lawful way, ensuring it is relevant and adequate
  • keep the information we hold to a minimum and only while we have a purpose to retain it in line with company policy
  • where appropriate, carry out data protection impact assessments where personal data is being processed
  • have in place written contracts with organisations who process personal data on our behalf in support of delivering our business
  • ensure that special safeguards are in place when collecting information directly from children 
  • provide clear details about how personal information is used and by whom, taking particular care when dealing with high risk personal information i.e. financial or payment information, sensitive or special category data, protected characteristics information or information relating to children under the age of 13
  • maintain full records of personal information processed by ourselves including the categories and purposes for each category
  • keep accurate personal information, update as appropriate, store securely and do not hold for any longer than necessary, ensuring that we dispose of it appropriately
  • take a ‘data protection by design and default’ approach, adopting and implementing the appropriate technical and organisational security measures throughout the entire lifecycle of our processing operations, including maintaining effective data protection policies to safeguard personal information
  • adhere to relevant codes of conduct and sign up to certification schemes where appropriate and necessary
  • only transfer personal information outside the UK in circumstances where it can be adequately protected
  • provide a strategy for dealing with regulators across the EU (EEA) where services are offered to individuals who are resident in other EU (EEA) countries
  • ensure that people know about their rights to see the personal information we hold about them and that we respond appropriately, taking into account the exemptions allowed by Data Protection Legislation, should a request for access, rectification or erasure (the right to be forgotten) be received.

To effectively manage our responsibilities internally the ICAEW Executive Committee will ensure:

  • the Data Protection Officer has specific responsibility for data protection in the organisation. You can contact the Data Protection office by email at data.protection@icaew.com
  • we document our approach to managing breach activity, managing Subject Access Requests (SARs) and any associated processes for consistency and ongoing review, keeping evidence of the steps we take to comply
  • we regularly review and audit how we handle personal information
  • we clearly describe the ways in which personal information is treated with a commitment to continuous improvement and will communicate to train and support internal departments and external organisations as appropriate
  • staff handling personal information understand that they are responsible for following good practice; they will receive appropriate training and will be properly supervised. We ask all staff annually to sign up to our PCI policy and our information security policy agreements, and we regularly assess the performance of people who handle personal information
  • anybody wanting to make enquiries about handling personal information knows what to do
  • in the event of a data or privacy breach, we take swift and appropriate steps to minimise any reputational damage to ICAEW and any affected third parties and endeavour to minimise any associated business disruption
  • we have appropriate systems and procedures in place to deal with breaches occurring outside of core office hours and that these will be managed in line with the defined company approach.

Special Category

We will have an appropriate policy document in place for processing special category data, keeping a record of the purposes, retention and erasure.

We will only process special category data with the explicit consent from a data subject for one or more specified purposes, except:

  • where processing is necessary for the purposes of carrying out our legal obligations, i.e. contractual, employment, social security, legal claims, judicial or criminal activity
  • where processing is necessary to protect the vital interests of the data subject or of another natural person
  • where processing is necessary for reasons of substantial public interest or for archiving purposes in the public interest

Where we rely on one of these exceptions, this will be documented and the processing shall be proportionate to the aim pursued, with suitable and specific measures in place to safeguard the fundamental rights and interests of the data subject.

Individuals’ rights

ICAEW ensures that we are lawful, fair, compliant and transparent when we process personal information. Subject to Data Protection guidelines, individuals have the following rights:

  • To be informed as to the purpose of the processing and the lawful basis for this processing.
  • To access their personal data and to request rectification or erasure if it is inaccurate or incomplete.
  • To restrict and/or object to the processing of their data.
  • To data portability, allowing them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.
  • Where we use automated individual decision-making including profiling, we ensure this is necessary as part of a contract, is lawful and/or based on the individual’s consent.

Subject Access Requests

Everyone has the right to request a copy of the personal information we hold about them. We are required to complete any request we receive within 1 month of receipt, and therefore it is very important that these requests are recognised and dealt with effectively, promptly and in line with our documented approach. The requestor should write to ICAEW, Metropolitan House, 321 Avebury Boulevard, Milton Keynes, MK9 2FZ, UK or email data.protection@icaew.com.

Privacy breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If a data breach occurs, the Data Protection office must be informed immediately, by telephone to the appropriate helpdesk or by email to data.protection@icaew.com. We will investigate, record and take any steps required to minimise the risk of further unlawful disclosure. If necessary, we will inform the data subject as soon as practical and inform the relevant authority within 72 hours of the data breach. If we fail to notify a breach when required to, this can result in a significant fine of up to 10 million euros or 2 per cent of our global turnover.

Note: You can obtain a written copy of this policy by contacting the Data Protection office by email at data.protection@icaew.com or in writing at the address above.

What is excluded from this policy

This policy is not required to cover information held for deceased individuals. However, it should be noted that it is best practice to apply the same principles.

Failure to comply with this policy

Failure to comply with this policy may result in an increased risk to ICAEW. Data processing arrangements that are not in line with Data Protection Legislation create unnecessary risk and ICAEW would have minimal legal protection in the event of a challenge being made. Staff who do not comply with this policy may be subject to disciplinary action.

ICO details

The Information Commissioner's Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with Data Protection Legislation in the UK. You can contact them at the Information Commissioner's Office, Wycliffe House, Water Lane, Cheshire, SK9 5AF, by telephone on +44 (0)162 554 5745 or via their website at www.ico.org.uk.

Authorised by

This document has been authorised and approved by:

Vernon Soare
Chief Operating Officer

  • Updated May 2018