ICAEW.com works better with JavaScript enabled.

PSD privacy notice

This privacy notice covers how ICAEW will discharge its responsibilities as a regulator working in the public interest

1. What we do and why we process personal data

This notice (referred to as this privacy notice) provides information on how The Institute of Chartered Accountants in England and Wales (Company No. RC000246) (ICAEW) collects, uses, shares and retains personal data in discharging its responsibilities as a regulator and professional body working in the public interest.

Please ensure that you read this privacy notice and any other privacy notices we may provide to you from time to time when we collect or process personal data about you. The privacy notice is available at any point via our website.

How to contact ICAEW

ICAEW is the controller for the Personal Data processed in discharging its responsibilities as a regulator and professional body working in the public interest, unless this is stated otherwise. ICAEW is registered with the Information Commissioner’s Office (ICO) with registration number (Z5765897). In this notice, references to ‘we’, ‘us’ or ‘our’ mean ICAEW.

ICAEW can be contacted in a number of ways:

E: data.protection@icaew.com

P: The Data Protection Office, ICAEW, Metropolitan House, 321 Avebury Boulevard, Milton Keynes, MK9 2FZ UK

T: +44 (0)1908 248 250

The Professional Standards Department (PSD) is responsible for carrying out ICAEW’s disciplinary, regulatory, monitoring and assurance functions under ICAEW’s Royal Charter and statute. An overview of our activities is set out below:

Regulatory activities

ICAEW is a regulator under statute of audit and local audit activities, insolvency, probate and exempt investment business. We process personal data about individuals when we carry out our functions as a statutory regulator - i.e. in processing licensing applications; in monitoring compliance with regulations and in taking regulatory and/or disciplinary action.

Practice Assurance Scheme

The Practice Assurance Scheme is ICAEW’s framework for principles-based quality assurance. In carrying out reviews and monitoring compliance with ICAEW’s bye-laws, regulations and standards (including through the annual return) we process information about individuals in firms which are part of the Practice Assurance Scheme. We may also review information about individual clients of practising firms when we carry out reviews.

Licensed Practice Scheme

We license firms to carry out non-statutory audit activities under the Licensed Practice Scheme. As with statutory audit, we process information about individuals in firms we license under the Licensed Practice Handbook; we may also process information about clients of licensed firms when we carry out monitoring reviews.

Use of the Description “Chartered Accountants” Regulations

We process the personal data of individuals in firms applying for dispensation under the Use of the Description ‘Chartered Accountants’ Regulations, along with the personal data of principals applying for general affiliate status under those regulations.

Supervision under Money Laundering Regulations1

ICAEW is a supervisory authority of ICAEW Member Firms under the Money Laundering Regulations. We also supervise non-member firms under contract. We process personal data about individuals when we carry out our functions as a supervisory authority ie, in processing applications; in monitoring compliance with regulations and in taking regulatory and/or disciplinary action. We will review information about firms’ clients who are individuals in carrying out our monitoring reviews. We also process personal information about individuals in firms, in particular beneficial owners, officers, and managers (BOOMs).

Complaints investigation and discipline

We investigate complaints about members, firms and other regulated individuals and, where necessary, take disciplinary action in accordance with ICAEW’s bye-laws and regulations. As part of this work, we will gather, use, retain and share information (including Special Category and Criminal Offence data) about respondents, complainants, and other individuals (e.g., legal representatives and expert witnesses).

Fitness to Practice process and the Fitness Committee

We have in place a process to determine whether a member, student or other regulated individual is suffering from a serious physical or mental illness which is undermining their professional competence or ability to participate in disciplinary proceedings. The Fitness Committee is set up to determine whether an individual’s health is impaired and we process personal data (including Special Category Data) in carrying out this function. The committee also considers applications for readmission by former members and has a role in determining provisional member (student) applications that disclose fitness issues.

Quality Assurance Department (QAD) commercial monitoring contracts

QAD has a number of commercial contracts in place to deliver monitoring and training in best practice to other professional bodies (both in the UK and abroad). In providing services under these contracts, we process information about individuals in firms that are the subject of monitoring activities. During the course of these activities, we may also review information about individual clients of these firms (or principals, employees or persons with a controlling interest of such clients).

Regulatory Policy

PSD’s Regulatory Policy team is responsible for developing ICAEW’s regulatory policy and engagement with government bodies, oversight regulators and other professional bodies. Occasionally, we will process personal data about individuals as part of this work.

The Chartered Accountants Compensation Scheme and the Probate Compensation Scheme

ICAEW has in place schemes to compensate clients who suffer financial loss due to the activities of current and former ICAEW registered firms (and, in the case of the Chartered Accountants’ Compensation Scheme, firms authorised by the Institute of Chartered Accountants of Scotland (ICAS) and Chartered Accountants Ireland (CAI)). We process personal data in dealing with applications for compensation to these schemes.

PII and the assigned risk pool

ICAEW members in public practice and individuals / firms carrying on regulated activity are required to comply with ICAEW’s PII Regulations. We process personal data in monitoring compliance with the PII Regulations, in contracting and liaising with insurers who participate in ICAEW’s PII arrangements for firms, and in overseeing the operation of the Assigned Risks Pool (ARP) (i.e., the ‘pool of last resort’ for firms that are unable to obtain compliant, commercial cover).

ICAEW Regulatory Board and Professional Standards Committees

We process the personal data of individuals who are members of the ICAEW Regulatory Board (IRB), the Regulatory and Conduct Appointments Committee (RACAC) and Professional Standards’ Committees (e.g., their address and contact details; personal and employment history and, in exceptional cases, health and criminal offence data).

Film licensing arrangements

ICAEW has created a series of training films which are intended to highlight ethical and practice issues and raise professional standards. In licensing these films for use by accountancy firms and other bodies, we process personal information of current and prospective licensees.

[1] The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017


2. What is personal data?

Personal Data is any information which directly or indirectly identifies an individual, for example, your name, address, membership and/or student number, NI number, qualifications, date of birth, photos, videos or voice recordings.

Special categories of personal data are a set of personal data that we are required to look after even more carefully. Special categories of personal data include details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data.

We may also collect information about criminal convictions and offences which is another type of information that we need to look after very carefully.

Types of personal data
Types of personal data
Identity Data* Your name, title, marital status, date of birth and National Insurance Number, passport information, birth, marriage and change of name certificates.
Contact Data* Your address and contact details, including email address and telephone numbers.
Education Data

Details of your academic and professional qualifications including, educational establishments, dates of study, subjects studied and results, membership of other professional bodies.

Details of training courses you have attended during your employment with ICAEW. Details of continued professional development.

Career Data*

Employment history, including start and end dates with previous employers, information about your current level of remuneration, including benefit entitlements.

Details of membership of Professional Bodies.

Financial Data*

Details of your bank account

History of financial mismanagement

Fee Income

Criminal Offence Data* Information about your criminal record, if applicable, for example this is collected during the recruitment process. Suspicious activity reports.
Equal Opportunities Data Equal opportunities monitoring information, including information about your age, nationality, ethnic origin, gender, sexual orientation, health, disability and religion or belief.
Health Data* Information about your health, medical conditions or disabilities, including whether you have a disability for which we need to make reasonable adjustments.
Employment Terms and Conditions Data

Details of your standard working hours.

Information about remuneration and expenses.

Information about your benefits such as insurance.

Emergency Contact Data Information about your next of kin and emergency contacts
Family and Dependent Data* Information about your spouse or partner and your dependents, including any children.
Nationality and Immigration Data* Your nationality and entitlement to work in the UK
Attendance Data* Details of your attendance at work
Leave Data* Details of periods of leave taken by you, including holiday, sickness absence, parental leave and the reasons for the leave.
Performance Management Data Assessment of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence.
Disciplinary and Grievance Data Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence.
Image Data Photographs and CCTV
Audio Data Call and video recordings.
Geolocation Data IP address of a device location.
Browsing History Data Websites visited.
Pension Data* Details of your pension arrangements and all information included in these and necessary to implement and administer them.
Staff Survey Data Data that you input into staff surveys for example the entry and exit interview.
Shareholdings Voting rights and if the individual is on the firms management board.
Personal Data provided by third parties
Personal Data provided by third parties
Reference Data* Information supplied by former employers, education providers and recruitment agencies and personal referees. For example, information about your previous academic or employment history, including details of any conduct grievance or performance issues, appraisals, time and attendance.
Occupational Health Data
Information about your physical and mental health provided by your doctor, medical and occupational health professionals we engage and from our insurance benefit administrators.
Pension Data* Details of your pension arrangements and all information included in these and necessary to implement and administer them.
Image Data Photographs and CCTV provided by our landlord in buildings not owned by ICAEW.
Building Entry and Exit Data Information about your entry into and exit from our offices provided by our landlord in buildings not owned by ICAEW.
Court Orders and similar documents Court orders and similar documentation which require us to make deductions from your salary and benefits by law.
HMRC Data Tax codes and other information that we receive from HMRC in order to make the required deductions from your salary.
Right to Work Data* Data provided by third parties as evidence of your right to work in the UK, including relevant tax code information.
Driving Licence Data Where you have a company car or use a hire car during the course of your employment, details received from a third party that carries out DVLA checks on our behalf showing the name, consent expiry, date of birth and endorsements on your driving licence, in order to provide such details to our insurers.

3. Whose personal data we process

In carrying out these functions and responsibilities, we process information as set out in the table below. We only collect and process the minimum amount of personal information that is necessary according to each function and activity:

Whose personal data we process
Whose personal data we process
Purpose and/or activity The types of personal data we process Lawful basis for processing
Individuals or firms we license to carry out regulated activity – e.g. licensed insolvency practitioners*
  • Identity Data
  • Shareholdings
  • Education Data
  • Disciplinary Data
  • Health Data
  • Criminal Offence Data
  • Financial Data

Legal obligation: to comply with our legal obligations in relation to licencing arrangements

Clients of firms we license who are individuals (may include controlling parties and principals of clients, and employees of clients).
  • Identity Data

Legal obligation: to comply with our legal obligations in relation to licencing arrangements

Debtors and creditors in insolvency matters where the insolvency practitioner is licensed by ICAEW
  • Identity Data
  • Financial Data
  • Health Data
  • Shareholdings
Legal obligation: to comply with our legal obligations in relation to licencing arrangements
Designated alternates in the event of practitioner incapacity
  • Identity Data
Legal obligation: to comply with our legal obligations
Practice assurance, principals, employees, clients, and designated alternates of firms within scope of the Scheme
  • Identity Data
  • Shareholdings
  • Education Data
  • Health Data
  • Criminal offence data
  • Financial Data
Legitimate interest: to allow us to conduct our visiting and monitoring activities
AML supervision: Principals, clients, beneficial owners and employees of firms within the supervised firm
  • Identity data
  • Shareholdings
  • Education data
  • Disciplinary and grievance data
  • Health data
  • Criminal offence data
  • Financial data
  • Status as, or connections to, politically exposed persons

Legal obligation: to comply with our legal obligations in relation to AML

Individuals who raise an AML concern (in accordance with law, the anonymity of these individuals is maintained)
  • Identity data
  • Contact data
Legal obligation: to comply with our legal obligations in relation to AML
AML supervision: Principals, clients, beneficial owners and employees of firms within the supervised firm
  • Identity data
  • Shareholdings
  • Education data
  • Disciplinary and grievance data
  • Health data
  • Criminal offence data
  • Financial data
  • Status as, or connections to, politically exposed persons
Legal obligation: to comply with our legal obligations in relation to AML
Individuals who raise an AML concern (in accordance with law, the anonymity of these individuals is maintained)
  • Identity data
  • Contact data
Legal obligation: to comply with our legal obligations in relation to AML
Licensed practice scheme
  • Identity data
  • Contact data
Legitimate interest: for ICAEW to make that assessment to ensure that the firms are eligible and fit and proper and qualified
Individuals in firms, clients of firms and designated alternates we license under the Licensed Practice Scheme
  • Shareholdings
  • Education data
  • Disciplinary and grievance data
  • Health data
  • Criminal offence data
Legal obligation: to comply with our legal obligations in relation to AML
Individuals in firms applying for dispensation under the Use of the Description Regulations
  • Identity data
  • Contact data
  • Shareholdings
  • Disciplinary and grievance data
  • Education data
  • Financial data
Legitimate interest: ICAEW has a legitimate interest to keep a record of firms applying for dispensation
Applicants for general affiliate status
  • Identity data
  • Contact data
  • Shareholdings
  • Disciplinary and grievance data
  • Education data
  • Financial data
  • Criminal offence data
Legitimate interest: ICAEW has a legitimate interest to keep a record of applicants for affiliate status

Complaints investigation and disciplinary proceedings

Respondents (i.e. members, affiliates, provisional members or other regulated individuals)

  • Identity data
  • Contact data
  • Education data
  • Health data
  • Criminal offence data
  • Disciplinary and grievance data
  • Finance data

Legal obligation: to hold in relation to sentencing and appeal timelines

Legitimate interest: where we discharge our responsibilities that are not regulated under statute

Complainants, third parties, lawyers and representatives, Experts and witnesses
  • Identity data
  • Contact data
  • Health data
  • Education Data

Legal obligation: to hold in relation to sentencing and appeal timelines

Legitimate interest: where we discharge our responsibilities that are not regulated under statute

Respondents, medical experts and witnesses in fitness proceedings (i.e. members and other regulated individuals)
  • Identity data
  • Contact data
  • Health data
  • Education Data

Legitimate interest: to hold data subject data so that we can assess fitness to practice

Applicants for readmission / re-registration with ICAEW
  • Identity data
  • Contact data
  • Education data
  • Health data
  • Criminal offence data
  • Disciplinary and grievance data
  • Finance data

Legitimate interest to hold data subject data so that we can assess if readmission is warranted

Applicants for provisional member (student) status
  • Identity data
  • Contact data
  • Health data
  • Criminal offence data
  • Disciplinary and grievance data
  • Finance data

Legitimate interest to hold data subject data so that we can assess if provisional membership can be approved

Principals and employees of firms subject to QAD monitoring
  • Identity data
  • Contact data

Legitimate interest: ICAEW has a legitimate interest to monitor firms

Clients of firms which are subject to review who are individuals
  • Identity data
  • Contact data
  • Finance data

Legitimate interest: ICAEW has a legitimate interest to monitor those subject to review

Directors and employees of the professional bodies commissioning the reviews*
  • Identity data
  • Contact data

Legitimate interest: ICAEW has a legitimate interest to keep records on those commissioning the review

Stakeholder representatives (e.g. employees of other professional bodies, representatives of government and oversight regulators)
  • Identity data
  • Contact data

Legitimate interest: ICAEW has a legitimate interest to record stakeholder representatives for record keeping

CACA and probate compensation scheme:
Members and employees of regulated firms
  • Identity data
  • Contact data
  • Finance data
  • Criminal offence data

Legal obligation: to comply with our legal obligations

Applicants
  • Identity data
  • Contact data
  • Finance data

Legitimate interest: to hold data subject data so that we can action any probate or compensation

Compensation committee / panel members
  • Identity data
  • Contact data
  • Education data
  • Employment data
  • Financial data

Legitimate interest: to hold data subject data so that we can action any probate or compensation

Expert witnesses and legal advisers
  • Identity data
  • Contact data
  • Education data
  • Finance data

Legitimate interest: to hold data subject data so that we can action any probate or compensation

PII/ Assigned risk pool Members and employees of regulated firms
  • Identity data
  • Contact data
  • Education data
  • Criminal offence data
  • Claims history (sole practitioners)

Legal obligation: to comply with our legal and regulatory obligations

Legitimate interest: Where we discharge our PII monitoring and disciplinary functions more generally for firms which are carrying out accountancy and other activities

Underwriters and brokers
  • Identity data
  • Contact data

Legitimate interest: to enable us to carry out our role in the PII

Members of PSD boards and committees including the ICAEW Regulatory Board (IRB) and Regulatory and Conduct Appointments Committee (RACAC)
  • Identity data
  • Contact data
  • Education data
  • Employment data
  • Name and contact details of any referees
  • Health data
  • Criminal offence data
  • Finance data
  • Equal opportunities data

Legal obligation: to comply with our legal obligations

Legitimate interest: where we are required to collect data that is not covered by statute

Film licensing arrangement Customers
  • Identity data
  • Contact data
  • Finance data

Legitimate interest: ICAEW has a legitimate interest to keep a record of customers for our film licencing arrangements

Acting against those who incorrectly or fraudulently proport themselves to be a chartered accountant
  • Identity Data
  • Contact Data
  • Membership Number
  • Employment Data
  • Education Data

Public interest: to protect the public from dishonesty and misinformation

What if Data Subjects choose not to supply Personal Data?

In certain circumstances you may be obliged to provide us with personal data for a statutory requirement or to enter into a contract. Where this is the case, we have identified these instances in the tables above with an “*”. If you fail to provide the personal data when requested, we may not be able to continue your registration or perform our statutory functions.

4. The lawful bases for processing

Legal obligation – we will process personal data where this is necessary to perform a legal obligation - e.g:

  • When authorising individuals and firms to conduct activities regulated under statute (including carrying out ‘fit and proper’ checks);
  • In monitoring individuals and firms as a statutory regulator or supervisory authority;
  • In investigating complaints and taking disciplinary action against such individuals and firms as statutory regulator or supervisory authority;
  • In operating the Chartered Accountants Compensation Scheme and the Probate Compensation Scheme;
  • In maintaining the public audit and probate registers, as well as the HMRC Trust and Company Services register; and/or
  • In providing returns to oversight regulators.

Legitimate interest – as a regulator we have a duty under our Royal Charter to operate in the public interest. We have a legitimate interest in:

  • Monitoring firms that are part of the Practice Assurance Scheme;
  • Licensing and monitoring firms under the Licensed Practice Scheme;
  • Investigating complaints and taking disciplinary action against individuals/firms which are not authorised to carry out activity regulated under statute;
  • Operating the fitness to practise regime;
  • Monitoring compliance with the PII Regulations and administering the ARP;
  • Liaising with board and committee members and running our committee function;
  • Liaising with individuals in stakeholder organisations to develop regulatory policy and best practice;
  • In providing out-sourced monitoring activities under commercial contracts;
  • In carrying out film licensing activities;
  • Audit activities for governance and assurance purposes; and/or
  • Conducting data anonymisation for the purpose of reporting for service improvement and management information.

Special Category and Criminal Offence Data

We process special category data and criminal offence data when we are discharging our statutory and public interest functions.

This will be the case, in particular, where members and other regulated individuals are referred to the Fitness Committee for review or during the course of our monitoring and investigation and disciplinary activities. Where this is the case we always ensure that we are legally entitled to do so under data protection laws.

5. Who shares personal data with us

In carrying out our duties and functions, we receive personal data from (this is not an exhaustive list):

  • Applicants (both individuals and firms) applying for authorisation to carry out activity regulated under statute;
  • Applicants for ICAEW Licensed Practice status;
  • Firms and individuals, we monitor as a statutory regulator, supervisory authority, or as part of the Practice Assurance or Licensed Practice Schemes;
  • Complainants (both individuals and external organisations), respondents, witnesses, external legal advisers and representatives when investigating complaints and taking action under the Disciplinary Bye-laws;
  • Members and other individuals subject to the fitness regime, medical experts and other witnesses;
  • Oversight regulators (Financial Report Council, Insolvency Service (GB & NI), the Legal Services Board, the Financial Conduct Authority and OPBAS);
    • Other professional bodies and regulators (e.g. ACCA, CIOT, ICAS, CAI, FCA, the SRA and other legal services regulators, Legal Ombudsman, regulators in the Crown Dependencies; the Pensions Regulator)
  • Public bodies (e.g. HMRC, BEIS, Ministry of Justice, Charities Commission);
  • Our own external legal advisors;
  • Individuals applying for compensation from CACS or the Probate Compensation Scheme or firms that fall within the scope of those schemes;
  • Professional bodies which engage us to carry out monitoring activities on their behalf under commercial contract and the firms subject to review;
  • Marsh Ltd as ARP manager and firms within scope of the PII Regulations;
  • Insolvency bond providers;
  • Our suppliers, advisers and consultants (including recruitment specialists); and
  • Committee and board members

In addition, we may use publicly available information regarding a member undergoing an investigation, including information provided on social media accounts and Companies House. If this is the case we will inform you of the public source of the personal data.

6. Who we share personal data with

We share personal data with (this is not an exhaustive list):

  • Firms and individuals, we monitor as a statutory regulator, AML supervisor, as part of the Practice Assurance Scheme or Licensed Practice Schemes or under contract;
  • Complainants and respondents when investigating complaints;
  • Experts and other witnesses, legal advisers and Counsel when taking disciplinary action against firms / individuals;
  • External legal advisers and Counsel when exercising regulatory functions and powers over individuals / firms;
  • Medical experts and legal advisers in operating the fitness to practise regime;
  • Oversight regulators (FRC, Insolvency Service (GB & NI), the LSB, FCA, IAASA and OPBAS);
  • Other professional bodies and regulators (e.g., ACCA, CAI, ICAS, CIOT, FCA, the SRA and other legal services regulators, Legal Ombudsman, regulators in the Crown Dependencies)
  • Government bodies (e.g., HMRC, Treasury, BEIS, Ministry of Justice, Charities Commission)
  • Law enforcement and the National Crime Agency when discharging our responsibilities under the Money Laundering Regulations
  • Legal advisers and committee members in operating the CACS and Probate Compensation Schemes;
  • Marsh Ltd as ARP manager and ICAS and CAI in operating the ARP;
  • Insolvency bond providers;
  • Committee and board members;
  • ICAEW’s own insurers.

7. Transferring data overseas

In some cases, we may need to process Personal Data outside the United Kingdom (UK). Where this is the case we will only share the minimal amount of Personal Data necessary for the purpose of processing and, where possible, we will share the Personal Data in an anonymised form.

Whenever we transfer your Personal Data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

(a) we will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission;

(b) where we use certain processors, we may use specific contracts approved by the European Commission which gives Personal Data the same protection it has within the EEA. When we rely on this measure we will ensure that the third-party can comply with the provision of such contracts and we have confirmed that the country to which the Personal Data is transferred has adequate data protection laws in place to protect Personal Data.

Please contact us at data.protection@icaew.com if you would like further information about the specific mechanism used by us when transferring your Personal Data.

8. How we store personal data and form how long

We will only retain personal data for as long as is necessary to fulfil our statutory and public interest functions. Details of how long we may retain these records are set out below:

  • Disciplinary cases which have been referred to committee – 50 years
  • Disciplinary cases which have been closed without referral to committee – 3 years from date of file closure (a closure summary will be retained)
  • Correspondence, reports and files relating to regulated individuals and firms – 10 years after individual / firm ceases to be regulated
  • Correspondence, reports and files relating to firms within the Practice Assurance Scheme – 10 years after the firm has ceased to be within the Scheme
  • Firm annual returns – 7 years
  • Signed minutes of meetings – for the life of the committee
  • Supplier / customer contracts – 6 years following performance of contract
  • Film licensing agreements – 6 years following expiry or termination of the licence.

ICAEW maintains an online database of disciplinary records of members / firms which can be used by members of the public. Disciplinary records are held in accordance with the Disciplinary Database Policy which can be found at ICAEW Blank. The policy provides an explanation of ICAEW’s policy on the publication of disciplinary findings and regulatory penalties; the length of time they will appear on the Disciplinary and Regulatory Database and the processes by which an individual may make representations on publication.

9. Your rights

Under data protection law, you have rights including:

(a) Your right of access – You have the right to ask us for copies of your Personal Data.

(b) Your right to rectification – You have the right to ask us to rectify Personal Data you think is inaccurate. You also have the right to ask us to complete Personal Data you think is incomplete.

(c) Your right to erasure – You have the right to ask us to erase your Personal Data in certain circumstances.

(d) Your right to restriction of processing – You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.

(e) Your right to object to processing – You have the right to object to the processing of your Personal Data in certain circumstances.

(f) Your right to data portability – You have the right to ask that we transfer the Personal Data you gave us to another organisation, or to you, in certain circumstances.

(g) Rights related to automated decision making, including profiling –  You have the right not to be subjected to a decision based solely on automated processing (including profiling) which may significantly affect you. We do not make any employment decisions, solely using automated decision making technologies.

In most cases we will deal with your request as soon as possible and at the latest within one calendar month of the request. If we need to extend the time period for responding to your request, we will let you know within the one-month period. We do not charge a fee for any such requests.

If you wish to exercise any of your rights, please contact our Data Protection Office via email using data.protection@icaew.com.

10. Security

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify data subjects and any applicable regulator of a suspected data security breach where we are legally required to do so.

12. Complaints

If you have any concerns about the personal data we use about you, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, by contacting them at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please feel free to contact us in the first instance via email at data.protection@icaew.com.

Updated: [May 2022]