This policy relates to ICAEW (Company Number RC000246) and other associated entities/companies namely, District Societies, FCA Ltd, International Offices, Fraud Advisory Panel, Natural Capital Coalition, Joint Insolvency Examination Board, CCAB Ltd and Chartered Accountants Worldwide.
We will comply with the Data Protection Legislation by following a number of important principles regarding the privacy and disclosure of information. The purpose of this policy is to ensure that ICAEW staff are aware of their obligations when handling personal information which identifies a natural living person and that individuals internally and externally are aware of their rights.
In the United Kingdom and the European Economic Area (EEA), "Data Protection Legislation" means all applicable data protection and privacy legislation or regulations including The Privacy and Electronic Communications (EC Directive) Regulations 2003 (also known as PECR) and any guidance or codes of practice issued by the European Data Protection Board or the Information Commissioner, together with:
The Data Protection Legislation and therefore this policy applies to any situation where personal data for a natural living person can be identified. The protection of personal privacy is very important to ICAEW and any personal data collected and used MUST be treated in accordance with current Data Protection Legislation.
The capture, storage, processing, management, distribution and secure destruction of any personal data for natural living persons connected with ICAEW.
The ICAEW Executive Committee is committed to ensuring we take our responsibilities to comply with the Data Protection Legislation throughout our organisation.
To operate efficiently, ICAEW needs to collect and use personal information relating to current, past and prospective staff, students, members, affiliates, suppliers, clients, customers and others who we communicate with. We may also be required by law or as part of our responsibilities as a regulator and professional body to collect, use and share personal information with government departments, agencies and regulators, or in some cases as part of the public interest. We will process this personal information lawfully, fairly and in a transparent way.
We believe that the lawful and correct way in which we deal with personal data is critical to our success, maintaining our reputation, integrity and our members’ confidence in us as an open and professional organisation.
To enable ICAEW to meet our data protection commitments, whilst protecting our reputation, we will adopt appropriate and relevant data protection and privacy standards, guidelines and requirements for legal, regulatory or legitimate organisational purposes. When dealing with personal data ICAEW will:
To effectively manage our responsibilities internally the ICAEW Executive Committee will ensure:
We will have an appropriate policy document in place for processing special category data, keeping a record of the purposes, retention and erasure.
We will only process special category data with the explicit consent from a data subject for one or more specified purposes, except:
When this approach is undertaken, this will be documented, shall be proportionate to the aim pursued, providing suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
ICAEW ensures we are legal, fair, compliant and transparent when we process personal information and subject to Data Protection guidelines, individuals have the right to the following:
Everyone has the right to request a copy of the personal information we hold about them. We are required to complete any request we receive within 1 month of receipt and therefore it is very important that these requests are recognised, dealt with effectively, promptly and in line with our documented approach. The requestor should write to ICAEW, Metropolitan House, 321 Avebury Boulevard, Milton Keynes, MK9 2FZ, UK or by email to firstname.lastname@example.org.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If a data breach occurs, the Data Protection office must be informed by telephone to the appropriate helpdesk or by email to email@example.com immediately. We will investigate, record and take any steps required to minimise the risk of further unlawful disclosure. If necessary, we will inform the data subject as soon as practical and inform the relevant authority within 72 hours of the data breach. If we fail to notify a breach when required to, this can result in a significant fine of up to 10 million euros or 2 per cent of our global turnover.
Note: You can obtain a written copy of this policy by contacting the Data Protection office by email firstname.lastname@example.org or in writing at the address above.
This policy is not required to cover information held for deceased individuals. However, it should be noted that it is best practice to apply the same principles.
Failure to comply with this policy may result in an increased risk to ICAEW. Data processing arrangements that are not in line with Data Protection Legislation create unnecessary risk and ICAEW would have minimal legal protection in the event of a challenge being made. Staff who do not comply with this policy may be subject to disciplinary action.
The Information Commissioners Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with Data Protection Legislation in the UK. You can contact them at the Information Commissioner's Office, Wycliffe House, Water Lane, Cheshire, SK9 5AF, telephone number +44 (0)162 554 5745 or via their website at www.ico.org.uk.
This document has been authorised and approved by:
Chief Operating Officer