Who can I contact if I have any questions?
ICAEW is the controller for the Personal Data collected from website visitors and individuals who download data via OneDrive unless this is stated otherwise. ICAEW is registered with the Information Commissioner’s Office (ICO) with registration number (Z5765897). In this privacy notice, references to ‘we’, ‘us’ or ‘our’ mean ICAEW. You can contact ICAEW in a number of ways as follows:
- Email: dataprotection@icaew.com
- Post: The Data Protection Office, ICAEW, Metropolitan House, 321 Avebury Boulevard, Milton Keynes, MK9 2FZ UK
- Telephone: +44 (0)1908 248 250
What is Personal Data?
Personal Data is any information which directly or indirectly identifies an individual, for example, your name, address, membership and/or consultant and temporary worker number, NI number, qualifications, date of birth, photos, videos or voice recordings.
Special categories of Personal Data are a set of Personal Data that we are required to look after even more carefully. Special categories of Personal Data include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
Personal Data we collect about you
We collect Personal Data about you when you give us Personal Data in direct interactions with us during your onboarding or during your time as a contractor, worker or temporary staff member, for example from forms completed in preparation for the start of, or during your contract with ICAEW, from correspondence with you and meetings with you. The scope of the data collected and the purposes for which it is used may vary, depending upon the nature of your contract. We also collect Personal Data from other sources. Set out below are the types of Personal Data we may collect about you directly from you or from a third party.
Personal Data collected directly from you
Identity Data | Your name, title, marital status, date of birth and National Insurance Number, passport and driving license information, birth, marriage and change of name certificates |
Contact Data | Your address and contact details, including email address and telephone numbers. |
Company details |
If contracting through a company (eg outside IR35), our company details and contact information. |
Education Data | Details of your academic and professional qualifications including, educational establishments, dates of study, subjects studied and results. |
Career Data | Employment history, including start and end dates with previous employers, information about your current level of remuneration, including benefit entitlements. Details of membership of Professional Bodies. |
Financial Data | Details of your bank account. |
Criminal Offence Data | Information about your criminal record, if applicable. |
Equal Opportunities Data | Equal opportunities monitoring information, including information about your ethnic origin, gender, sexual orientation, health and religion or belief. |
Health Data | Information about your health, medical conditions or disabilities, including whether you have a disability for which we need to make reasonable adjustments. |
Contract Terms and Conditions Data | Details of your working hours Information about remuneration and expenses. |
Nationality and Immigration Data | Your nationality and entitlement to work in the UK. |
Attendance Data | Details of your attendance at work. |
Image Data | Photographs and CCTV. |
Audio and Video Data | Call and video recordings. |
Building Entry and Exit Log Data | Information about your entry into and exit from our offices. |
Geolocation Data | IP address and other such technical data of a device location. |
Browsing History Data | Websites visited. |
Personal Data provided by third parties
Recruitment data |
Recruitment agencies may provide the data from the section above (Personal Data collected directly from you) on your behalf. |
Reference Data | Information supplied by former employers, education providers, information agencies and recruitment agencies. For example, information about your previous academic or employment history. |
Building Entry and Exit Log Data | Information about your entry into and exit from our offices operated by third parties. |
HMRC Data | Tax codes and other information that we receive from HMRC in order to make the required deductions from payment of sums due under the contract. |
Nationality and Immigration Data |
Data provided by third parties as evidence of your right to work in the UK, including relevant tax code information. |
What if you do not supply your Personal Data
Some of the Personal Data we process is mandatory meaning that if you do not provide it to us, we will be unable to engage you as a contractor, worker or temporary staff member or to perform our obligations under our contract with you, for example ensuring your right to work or making payment for you for the provision of services.
Purposes and legal basis for which we will use your Personal Data
Processing Personal Data from contractors, workers and temporary staff allows us to administer and manage our contract with you, deliver effective Human Resource Management and business administration activities. In order to comply with data protection laws, we need a lawful basis (a reason) to process your Personal Data. We use the following lawful bases to obtain and use your Personal Data.
- Performance of a Contract – We need to process your Personal Data to take steps at your request, prior to entering into a contract with you and for the performance of our contract with you as a contractor, worker or temporary staff member.
- Consent – Some Personal Data is processed because you have given your consent.
- Legal or Regulatory Obligation – In some cases, we need to process Personal Data to comply with a legal or regulatory obligation which we are subject to
- Legitimate Interest – Where processing the Personal Data is in our legitimate interests (or those of a third party) provided that your fundamental rights do not override such interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process Personal Data for our legitimate interests.
- Public Interest – Where processing the personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
The table below describes the ways in which we use your Personal Data and the legal bases we rely on to do so. The scope of purposes may vary, depending upon the nature of your contract. Where appropriate we have also set out our legitimate interests in processing your Personal Data.
Purpose and/or activity | Type of Data | Legal basis for processing |
---|---|---|
Reviewing and assessing your employment status and suitability | Identity Data. Nationality and Immigration Data, Criminal Offence data, Contact Data |
Legal Obligation: To comply with our responsibilities to ensure your right to work in the UK is valid. Legitimate Interests: to determine the employment status of our contractors and temporary employees, to enable us to identify the relevant legal obligations on us in respect of each individual. |
Payment of sums due under the contract, including managing tax and National Insurance Contributions where applicable. | Identity Data Contact Data Financial Data Attendance Data HMRC Data |
To perform the contract including providing correct payment. |
Entering into and administering the contract. | Identity Data Attendance Data Contact terms and conditions Data |
To perform the contract |
Equal opportunities monitoring |
Equal Opportunities Data |
Consent: to be obtained at the start of employment for processing equal opportunities data and which may be used for gender pay reporting and to track diversity/equal opportunities. |
Gender pay reporting | Equal Opportunities Data | To comply with our legal obligations and for reasons of substantial public interest (equality of opportunity or treatment). |
Monitoring your use of our websites, other technical systems such as computer networks and connections, CCTV and access control systems, email and instant messaging, intranet and internet facilities, telephone, voicemail and mobile phones, printers and other such devices. |
Image Data. |
|
Controlling and monitoring entry and use of our buildings. | Image Data Building Entry & Exit Log Data |
Legitimate interests: to monitor and manage access to our premises, systems and facilities. |
Providing references about you to a prospective new employer, educational institution or other organisation at your request. | Identity Data Career Data |
Legitimate interests: to maintain records and to comply with legal, regulatory and corporate governance obligations and good business practice. |
Encouraging collaboration by publishing pictures on our intranet site. | Image Data | Legitimate Interests: our legitimate interests in promoting engagement and improving morale. |
Administering the pension scheme (where it has been agreed that you are eligible to be entered into the pension scheme) |
Identity Data Contact Data Family and Dependant Data Pension Data Employment Terms and Conditions Data |
Contractual Obligation: to assist in the performance of the private pension contract. Legal or Regulatory Obligations: to comply with auto-enrolment and workplace pension obligations. |
Research and Management information (using anonymised data where feasible). |
Limited Employment Data |
Legitimate Interests: in our legitimate interests to understand more about our business and improve our service for Members, Students, staff and the public. |
Audit related activities to ensure ICAEW understands it business practices | A sample of all Personal Data | Legitimate Interests: where we have a legitimate interest in auditing our internal processes and procedures to ensure that we are complying with applicable laws and internal and managing risk appropriately. |
Anonymisation of personal data for the onward activities of Management Information and Business Intelligence | All Personal Data | Legitimate Interest of the ICAEW for business improvement and intelligence purposes. |
Performing system testing in order to enhance and improve our products and services | Identity Data, Contact Data, Education Data, Career Data | Legitimate interest: In our legitimate interest to review and improve our services provided to you |
How long will Personal Data be retained?
We keep Personal Data that we obtain about you during your time as a contractor, worker or temporary staff member for no longer than is necessary for the purposes for which it is processed. How long we keep your Personal Data will depend on how long you remain a contractor, worker or temporary staff member, the nature of the Personal Data concerned and the purposes for which it is processed.
Automated Decision Making
Automated decision making may be used in connection with establishing a contractor’s right to work and IR35 status, when this is applicable. Your rights, as described in section 11, are maintaining throughout this process.
Sharing your Personal Data
ICAEW may share your Personal Data with third-party processors who provide services to the organisation where we have a legal obligation, contract or other legitimate interest to do so. These services include:
- Employment agencies;
- HR and payroll providers;
- Business system providers;
- Insurers;
- Regulatory Authorities
- Providers of right to work and background checks; and,
- Legal advisers acting under a duty of confidentiality;
- Systems;
- HMRC;
- Couriers and other postal services;
- Clients for whom we are providing services and you are engaged by us to assist with provision of all or part of those services;
- Pension providers;
- Service providers who provide information technology and system administration services to us
and, - Your former and future employers and other organisations or individuals you have identified to us as referees.
- Building landlords and facilities management organisations (CCTV and access control)
Your Personal Data may be transferred to other third-party organisations in certain scenarios:
- If we are discussing a merger or acquisition,. Personal Data may be transferred to respective third parties under suitable terms as to confidentiality;
- If we are reorganised or sold, Personal Data may be transferred to a buyer who can continue to provide services to you;
- If we are required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority, for example the Police, we may need to share your Personal Data;
- If we are providing services to tenants that require your Personal Data, such as contact details for facilities or health and safety related activities.
- If we are investigating or defending any legal claims your Personal Data may be transferred as required in connection with defending such investigations and/or claims.
Transferring Data Overseas
In some cases, we or our suppliers may need to process Personal Data outside the European Economic Area (EEA) and/or United Kingdom (UK). Where this is the case we will only share the minimal amount of Personal Data necessary for the purpose of processing and, where possible, we will share the Personal Data in an anonymised form.
Whenever we transfer your Personal Data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the UK;
- where we use certain processors, we may use specific contracts approved by the UK which give Personal Data the same protection it has within the UK. When we rely on this measure we will ensure that the third-party can comply with the provision of such contracts and we have confirmed that the country to which the Personal Data is transferred has adequate data protection laws in place to protect Personal Data.
Please contact us at dataprotection@icaew.com if you would like further information about the specific mechanism used by us when transferring your Personal Data.
How we protect your Personal Data
We have appropriate security measures in place to prevent Personal Data from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your Personal Data to those who have a genuine business need to know it. Those processing your Personal Data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Your Rights
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your Personal Data.
- Your right to rectification – You have the right to ask us to rectify Personal Data you think is inaccurate. You also have the right to ask us to complete Personal Data you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your Personal Data in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your Personal Data in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the Personal Data you gave us to another organisation, or to you, in certain circumstances.
- Rights related to automated decision making, including profiling -You have the right not to be subjected to a decision based solely on automated processing (including profiling) which may significantly affect you. We do not make any employment decisions, solely using automated decision making technologies.
In most cases we will deal with your request as soon as possible and at the latest within one calendar month of the request. If we need to extend the time period for responding to your request, we will let you know within the one-month period. We do not charge a fee for any such requests, unless there are exceptional circumstances.
If you wish to exercise any of your rights, please contact our Data Protection Office via email using dataprotection@icaew.com
Complaints
If you have any concerns about the Personal Data we use about you, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, by contacting them at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please feel free to contact us in the first instance via email using dataprotection@icaew.com.