This helpsheet has been issued by ICAEW’s Technical Advisory Service to help ICAEW members to understand the requirements of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 in relation to the rights of an individual. Detailed guidance is available from the Information Commissioner’s Office (ICO).

Members may also wish to refer to the following related helpsheets and guidance:

• Know-how: Right to erasure
• Know-how: Transparency
• UK GDPR – Lawful basis for processing
• UK GDPR – Client files
• UK GDPR – Communicating safely with clients

The following terms are terms defined by the UK GDPR.

Personal data

The UK GDPR defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

ICO guidance states that personal data which has been pseudonymised (e.g. the replacement of employee names with employee numbers in a set of data) can help reduce privacy risks by making it more difficult to identify individuals, but is still personal data. Where personal data has been truly anonymised, then the anonymised data is not subject to the UK GDPR as it no longer personal data.
Processing

The UK GDPR defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

As such obtaining, recording or simply holding personal data would be considered processing.

Under the UK GDPR, individuals have a number of specific rights. These are discussed on the following pages in the context of an accountancy practice.

Right to be informed

Individuals have a right to be informed about the collection and use of their personal data. This privacy information must be provided at the time you collect their personal data from them, or if personal data is collected from other sources, within a reasonable period of obtaining the data, but not more than a month after doing so. The information must regularly be reviewed and updated as appropriate. This information must be provided in a concise, transparent, intelligible and easily accessible format.

Where you don’t obtain the personal data from the individual directly, you do not need to provide individuals with privacy information if providing the information would be impossible or providing the information to the individual would involve a disproportionate effort. There are also a number of other exemptions which are discussed in ICAEW’s Know-how: Transparency.

In cases where firms are acting as a joint data controller, respective responsibilities of the joint data controllers should be contractually agreed and it must be completely clear to a data subject as to which data controller he or she can approach where they intend to exercise one or more of their rights under the UK GDPR. It is not expected to be common practice for an accountancy firm to be a joint data controller.

ICAEW has published guidance on privacy notices available via the Engagement letters and privacy notices helpsheet webpage.

Right of access

Under the right of access (often referred to as a Subject Access Request or SAR) individuals have a right to obtain confirmation that their personal data is being processed, and to access their personal data and other supplementary information. The reason for this right is to enable data subjects to have an awareness of the personal data processed and allow them to verify the lawfulness of such processing.

Where data subjects make a subject access request, firms must provide a copy of the information free of charge and within one month of the request, unless considered complex or further information is required. Per the ICO, you must comply with a subject access request without undue delay and at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, e.g. other types of requests relating to individuals’ rights.

If you process a large amount of information about an individual, you may be able to ask them to specify the information or processing activities their request relates to, if it is not clear. The time limit for responding to the request is paused until you receive clarification, although you should supply any of the supplementary information you can do within one month.

It is worth noting that where a suspicious activity report has been made to the National Crime Agency, this would fall outside the scope of the right of access (as it would be covered by the crime and taxation exemptions contained within Schedule 2 of the Data Protection Act 2018) and a tipping off offence may be committed by providing such information.

Where requests are considered to be manifestly unfounded or excessive, in particular because they are repetitive, you can elect either to charge a reasonable fee for administrative costs of providing the information or refuse to respond. It would be sensible to seek legal advice before taking either of these courses of action however to ensure a defendable position is maintained. There are also a number of other exemptions which are discussed in ICAEW’s Know-how: Transparency.

Where a subject access request has been received electronically, you should (having verified the identity of the person making the request) provide the information in a commonly used electronic format, for example PDFs (but do consider the security of your communications).

The ICO has published detailed guidance on the right of access.

Right to rectification

The right to rectification is a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. Requests can be made verbally or in writing and you have one calendar month to respond to a request and rectify the data.

This right is closely related to the principle of accuracy and facilitating easy rectification of personal data helps maintain compliance.

In some cases there may be a disputed opinion. For example, a client may be in dispute with you over a particular figure in a personal tax return. Where a client may try to force it to be changed with the right to rectification, as long as the record notes, that it is an opinion and whose opinion it is, it would be difficult to say it is inaccurate and needs to be rectified. Members should also be reminded of their obligations under the ICAEW Code of Ethics not to be associated with misleading information (paragraph R111.2).

If you refuse to comply with a request for rectification you should inform the individual about the reasons you are not taking action, their right to make a complaint to the ICO and their ability to seek to enforce this right through a judicial remedy.

Right to erasure

The right to erasure (or right to be forgotten) introduces a right for individuals to have personal data erased. This is not an absolute right however and only applies in certain circumstances. 
Where you are relying on consent as your lawful basis for holding the data and the individual withdraws their consent you must erase the data without delay and in any case within one month. This may be relevant to accountancy firms where individuals have signed up to receive newsletters or alerts from you.

The right to erasure does not apply if processing (including holding the data) is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims. Where a firm is holding records in line with statutory or regulatory obligations (for example the requirements outlined in the Document retention helpsheet, or the CCAB Anti-money laundering guidance for the accountancy sector with respect to Client Due Diligence (CDD)), firms will not have to erase relevant personal data unless the specified retention periods have been exceeded.

If you refuse to comply with a request for erasure you should inform the individual about the reasons you are not taking action, their right to make a complaint to the ICO and their ability to seek to enforce this right through a judicial remedy.

Further guidance on the right to erasure is available in ICAEW’s Know-how: Right to erasure.

Automated decision making including profiling

Individuals have a wide range of rights where organisations use automated decision making including profiling. It is unlikely that this will be of relevance to most accountancy practices, although it may be used for jobs applicants and those attending training (e.g. automated marking of online tests), for example. The ICO does have guidance on rights relating to automated decision making including profiling.

Right to restrict processing

An individual can make a request to restrict processing verbally or in writing and you have one month to respond to such requests. The aim is to give individuals a right to limit the way an organisation uses their data.

Of relevance to an accountancy firm, an individual has a right to restrict processing where:

• They contest the accuracy of data and you are verifying the accuracy of the data;
• The data has been unlawfully processed;
• You no longer need the data but the individual needs you to keep it in order to establish, exercise or defend a legal claim (personal data still shouldn’t be kept longer than necessary to meet this requirement however); or
• Where you have used legitimate interests as the lawful basis for processing, the individual has objected and you are considering whether you have legitimate grounds to override those interests of the individual.

Restricting processing is not the same as the right to erasure and personal data may still be stored. In order to assist in restricting processing, you would still be able to temporarily move the data to a separate storage system or make the data unavailable to users for example. If you are using an automated filing system, you will need to use technical measures to ensure that the data can’t be changed whilst the restriction is in place.

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It would commonly apply therefore to individuals wanting a download of their mobile phone usage, music streaming history or online shopping purchases from a particular retailer. This right only applies to personal data:

• an individual has provided to a controller;
• where the processing is based on consent or for the performance of a contract; and
• when processing is carried out by automated means.

It is unlikely that this right will therefore be of relevance to accountancy practices as it would be rare for accountancy practices to be relying on consent and would only apply on the basis of a contract where the data subject was a party to that contract. Furthermore it would be unlikely that processing would be carried out by automated means.

Right to object

Individuals have the right to object to processing in certain situations. Of relevance to accountancy practices would be the right to object to direct marketing. If an individual objects to direct marketing you must stop processing their personal data for such purposes as soon as you receive the objection. There are no exceptions and no grounds for refusal.

An individual may also object to processing which is based on legitimate interests. To continue processing, you must be able to demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the individual or the processing must be for the establishment, exercise or defence of legal claims.

The ICO is the regulator for data protection in the UK and has its own website and helpline.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.