This helpsheet has been issued by ICAEW’s Technical Advisory Service to help ICAEW members to understand the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in relation to common situations experienced by members.

Members may also wish to refer to the following related helpsheets:

• UK GDPR – Data processor or data controller?
• UK GDPR – Data breaches
• UK GDPR – Communicating safely with clients
• UK GDPR – Rights of an individual

As professional accountants, members need to comply with the ICAEW Code of Ethics which addresses confidentiality in section 114. This applies to all confidential information acquired as a result of professional and business relationships.

The UK GDPR, however, is only concerned with protecting the rights of UK data subjects over their personal data. As such its scope is narrower than the confidentiality principle in the code of ethics, however applying similar principles to all confidential data would be good practice.

Personal data is any information relating to an identifiable person (that is a natural person) who can be directly or indirectly identified in particular by reference to an identifier. This could include name, identification number, location data or online data.

A practitioner’s files for personal tax work and payroll services, for example, will likely contain large volumes of personal data. Even where practitioners are working on company clients, files are still likely to contain personal data of the company’s employees, directors or even customers. The UK GDPR therefore affects all firms even if they have no employees themselves.

Whilst this helpsheet primarily focusses on client files, it is important to note that the UK GDPR affects all personal data which may also be held in emails, flash drives or other storage media. Furthermore it applies to personal data held in archives, for example, that of former clients, unless they are deceased.

One of the principles of the UK GDPR is that of storage limitation - personal data should not be held for longer than is necessary. Where there are legal or regulatory requirements which specify retention periods, these would usually be the necessary period. ICAEW’s Document retention helpsheet discusses these types of requirements.

The CCAB Anti-money laundering guidance for the accountancy sector specifies that all records created as part of the Client Due Diligence (CDD) process, including any non-engagement documents relating to the client relationship and ongoing monitoring of it, must be retained for five years after the relationship ends.

In addition to these obligations, firms should consider any minimum retention periods imposed on them by their insurer.

Firms should also ensure that they have adequate policies in place to address the destruction of personal data after the end of the relevant retention period.

The UK GDPR includes a right for individuals to have personal data erased, a right to erasure (often referred to as a right to be forgotten). This is not however an absolute right that applies in all circumstances.

The right to be forgotten does not apply if processing is necessary to comply with a legal obligation or for instance the defence of legal claims. Where the above retention periods are adhered to therefore the right to be forgotten will not be relevant unless time periods set by the regulations have been exceeded.

Further information can also be found in the UK GDPR - Rights of an individual helpsheet.

One of the principles within the UK GDPR is that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Whether client files are held electronically, in hard copy or a combination of the two, firms need to fully assess exactly what data they hold, why they hold it and where they store this data. Where cloud storage is used, the firm should establish exactly where this data is located geographically as specific requirements apply to the transfer of personal data to and from the UK. Further guidance on international data transfers and data protection now that the UK has left the EU is available from the ICO and ICAEW’s Data Protection webpage. 

Backups

In order to reduce the risk of accidental loss or destruction, an appropriate backup policy should be implemented by firms. This is not only essential to comply with the requirements of the UK GDPR, but is also an important component of disaster recovery and business continuity.

Often cloud storage providers will already have such facilities and where they are being relied upon, firms should ensure that these facilities are appropriate and should have regard to the ICO’s Guidance on the use of cloud computing (although written in the context of the Data Protection Act 1998, the content is still relevant).

Where a firm is not relying on cloud computing, there are many different options available including backup onto tape, disk or other physical media. The principles of the UK GDPR apply to backups as well as live data storage. It is therefore advisable that where physical media is used to back up data, this is encrypted and securely stored offsite.

Care should also be taken where staff work on laptops. Where files are stored on the laptop’s hard drive, how are they backed up? How is security maintained? Where laptops are simply used to log onto online portals and no data is synchronised or stored on the laptop’s hard drive, this is much less risky.

Portable drives

Portable hard drives and flash drives are also a potential area of concern. They are easily misplaced and stories of lost drives are all too commonplace within the news. Many organisations have adopted policies banning their use altogether and implemented software that prevents them working on devices at all. This also helps reduce the risk of employees downloading copies of client files or extracts from them and potential misuse.

Where portable drives are used; as an absolute minimum, these should be securely encrypted with a strong password and should be wiped as soon as data has been transferred.

Further guidance

There are a range of sources of support for cyber security in particular.

• The National Cyber Security Centre has a Cyber Essentials scheme which offers practical advice and support as well as a cyber security certification scheme.
• The ICO offers a Practical guide to IT Security aimed at small businesses.
• ICAEW also offers further guidance on the Cyber security hub.

Access to client files should be restricted to those within the firm who have a genuine need to access the files for legitimate purposes. Ultimately, a firm needs to be able to identify who has access to client files and why they have such access.

A firm also needs to have appropriate physical and/or technological security measures in place to prevent unauthorised access. Where hardcopy files are used, locked cabinets with appropriate key holders may be a sensible option. Where electronic files are used, user level access and/or password protected files to restrict access would be sensible.

A number of examples of access considerations are explored below.

Engagement team members

Members of the relevant engagement team will have a genuine need to access client files in order to fulfil the engagement.

In a very small firm where staff can be called to work on any engagement within the office it may be justifiable to permit access to all client facing staff, but have policies in place that they should not be accessing files unless they are working on the client.

In firms with more than one office it would be more difficult to justify staff from one office accessing the files of the other office’s clients, however it is down to the firm to devise and implement an appropriate policy.

Regulatory and compliance based roles

Members of staff in regulatory or compliance type roles, such as audit compliance principals for example, will usually require access to all client files within their remit in order to fulfil their role.

Additionally those conducting reviews of files will need access to client files too.

Administrators

In some cases, administrators who take client calls and update clients on the progress of their engagement, may well need to access client files and a firm may feel that this is justifiable. Additionally some administrative staff will need access in order to file or process relevant documentation. It would, however, rarely be justifiable for a receptionist who doesn’t undertake any such work to have access to client files.

Office cleaners and facilities staff

It is unlikely that it would be considered appropriate in any circumstances for office cleaners or other facilities staff to have access to client files.

Where electronic files are maintained, such staff should not have access to the relevant electronic storage spaces.

Where hard copy files are used, it would be sensible to ensure that a clear desk policy is adopted and that files are secured in locked cabinets to reduce the risk of unauthorised access.

Successor auditors

As explained more fully in ICAEW’s Technical Release AAF 01/08 Access to Information by Successor Auditors, successor auditors under taking statutory audits have a right to access the working papers of the predecessor auditor. As this is a legal and regulatory obligation, the UK GDPR would not prevent the predecessor auditor from permitting access to the working papers in line with the guidance contained in the technical release.

Investigating accountants

Where investigating accountants require access in line with ICAEW’s Technical Release Audit 04/03 Access to Working Papers by Investigating Accountants, there is no legal obligation to provide such access and therefore this lawful basis of processing will not apply. Permission would of course be required by the client before permitting access, but the personal data may not only be that belonging to the client, but could relate to the client’s employees and directors as well for instance. In such cases it is more likely that the legitimate interests basis for processing would be relied upon. Whilst this is more open to challenge than a legal obligation, guidance within the regulations suggest that such a legitimate interest could exist where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is in the service of the controller. Another such example would be in a client relationship, where the data subject is a client of the controller. Nevertheless care should be taken in these circumstances and legal advice sought if there is any doubt.

Handover

Where information is provided as part of a handover to a successor accountant, consideration should be given to the ICAEW Code of Ethics, specifically section 320 which deals with change of appointment (further guidance is available in the helpsheet Change of professional appointment – Outgoing accountant). Permission from the client would usually be required to respond to professional enquiry and to provide handover information. In the case of a personal client where they are the data subject, this consent provides the lawful basis for processing the data and transferring it as part of the handover process.

In the case of a corporate client for example, legitimate interest would usually be the most appropriate lawful basis for processing. In order to use the legitimate interest basis for processing, you need to identify a legitimate interest, show that the processing is necessary to achieve it and balance it against the individual’s interests, rights and freedoms. This would normally be relatively easy to justify in the case of professional handover, especially as the accountants the information is handed to would have their own professional obligations with regard to confidentiality, consent would have been obtained from the client and such transfer of information would usually be expected and considered reasonable by data subjects (e.g. employees of a corporate client).

Buying or selling fees

In the initial stages of discussions surrounding a purchase of a block of fees, personal data should be redacted and as a result, where no personal data is processed, the provisions of the UK GDPR will not apply. Regard should still be given, however, to the ICAEW Code of Ethics, specifically section 114 which deals with confidentiality. 

Whilst there is more guidance in the Buying and selling fees helpsheet, when progressing to the final stages and completing the deal, personal data will be more relevant. Before such data is passed on, regard should be given to the rights of the data subjects.

Positive confirmation may be the most appropriate approach to ensure compliance with both the principle of confidentiality and the requirements of the UK GDPR.

Where there are changes in the composition of a firm, similar principles will apply.

Law and regulations

Client files (or personal data contained within) may also have to be disclosed under relevant legal obligations, such as compliance with anti-money laundering obligations as outlined in the CCAB anti-money laundering guidance for the accountancy sector. In such cases the lawful basis for processing would be the legal obligation.

Firms may also be required to allow access to files in connection with their relationship with ICAEW, for example making files available under the audit regulations.

The UK GDPR places great emphasis on accountability and governance, requiring comprehensive but proportionate governance measures that minimise the risk of breaches and uphold the protection of personal data. The accountability principle requires that firms demonstrate they comply with the principles and documentation will of course be essential in achieving this. Firms may be required to make such records available to the ICO on request.

The ICO has produced extensive guidance on documentation requirements as well as producing a documentation template for controllers and a documentation template for processors available on the How do we document our processing activities? page of the ICO website. Whilst it is not mandatory to use these specific templates, as firms may wish to use their own or may be using another organisation’s examples, these templates are an excellent starting point. Further information can also be found in the UK GDPR - Data mapping and documentation helpsheet.

The ICO is the regulator for data protection in the UK and has its own website and helpline.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Technical Advisory Service on +44 (0)1908 248 250 or via webchat.