Emergency contacts privacy notice

Please ensure that you read this privacy notice (including the Appendix applicable to you). This and all other ICAEW privacy notices may be found here.

ICAEW is the controller for the Personal Data collected from emergency contacts unless this is stated otherwise. ICAEW is registered with the Information Commissioner’s Office (ICO) with registration number (Z5765897). In this privacy notice, references to ‘we’, ‘us’ or ‘our’ mean ICAEW. You can contact ICAEW in a number of ways as follows:

• Email: dataprotection@icaew.com
• Post: The Data Protection Office, ICAEW, Metropolitan House, 321 Avebury Boulevard, Milton Keynes, MK9 2FZ UK
• Telephone: +44 (0)1908 248 250

Personal Data is any information which directly or indirectly identifies an individual, for example, your name, address, membership number, job title, date of birth, photos, videos or voice recordings.

Special categories of Personal Data are a set of Personal Data that we are required to look after even more carefully. Special categories of Personal Data include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

We collect the following types of Personal Data directly from employees or board or committee members that have nominated you as an emergency contact:

• contact details, including name, email, phone numbers and, relationship to the employee

Processing Personal Data from emergency contacts allows us to look after the wellbeing of our employees or board or committee members wellbeing in the event of an emergency. In order to comply with data protection laws, we need a lawful basis (a reason) to process your Personal Data. Subject to the relevant data protection law, we may use the following lawful bases to obtain and use your Personal Data.

Legitimate Interest – Where processing the Personal Data is in our legitimate interests (or those of a third party) provided that your fundamental rights do not override such interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process Personal Data for our legitimate interests.

Consent – In some cases, Personal Data is processed because you have given your consent

The table below describes the ways in which we use your Personal Data and the legal basis we rely on to do so, subject to the relevant data protection law. Where appropriate we have also set out our legitimate interests in processing your Personal Data.

Your data will be held within our iTrent system and may be shared internally only for the purpose of contacting you in the event of an emergency.

In some cases, we or our suppliers may need to process Personal Data outside your country, the European Economic Area (EEA) and/or United Kingdom (UK). Where this is the case, we will only share the minimal amount of Personal Data necessary for the purpose of processing and, where possible, we will share the Personal Data in an anonymised form.

Your personal data may be transferred to other third-party organisations in certain scenarios in accordance with law:

1. If we are reorganised or sold, Personal Data may be transferred to a buyer who can continue to process your contact details as an emergency contact.
2. If we are required to by law, or under any regulatory code or practice we follow, or if we are asked by any public or regulatory authority, for example the Police, we may need to share your Personal Data.
3. If we are investigating or defending any legal claims your Personal Data may be transferred as required in connection with defending such investigations and/or claims.

We keep Personal Data that we obtain that we obtain about you for up to 30 days from the date the employee that nominated you has left the business, subject to the relevant law.

We have appropriate security measures in place to prevent Personal Data from being accidentally lost or used or accessed in an unauthorised way. We limit access to your Personal Data to those who have a genuine business need to know it. Those processing your Personal Data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Under the relevant data protection law, you may have rights including:

1. Your right of access – You have the right to request access to, or ask us for copies of, your Personal Data.
2. Your right to rectification – You have the right to ask us to rectify Personal Data you think is inaccurate. You also have the right to ask us to complete Personal Data you think is incomplete.
3. Your right to erasure – You have the right to ask us to erase your Personal Data in certain circumstances.
4. Your right to restriction of processing – You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.
5. Your right to object to processing – You have the right to object to the processing of your Personal Data in certain circumstances.
6. Your right to data portability – You have the right to ask that we transfer the Personal Data you gave us to another organisation, or to you, in certain circumstances.
7. Rights related to automated decision making, including profiling - You have the right to ask for explanations on a decision based on automated processing that may significantly affect you, and the the right not to be subjected to a decision based solely on automated processing (including profiling) which may significantly affect you. We do not make any employment decisions, solely using automated decision making technologies.

In most cases we will deal with your request as soon as possible and at the latest within one calendar month of the request, subject to the relevant data protection law. If we need to extend the time period for responding to your request, we will let you know within the required period. We do not charge a fee for any such requests, unless there are exceptional circumstances.

If you wish to exercise any of your rights, please contact our Data Protection Office via email using dataprotection@icaew.com

If you have any concerns about the Personal Data we use about you, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, by contacting them at www.ico.org.uk, or the relevant data protection authority of your country as mentioned in the applicable Appendix. We would, however, appreciate the chance to deal with your concerns before you approach the ICO or the relevant data protection authority, so please feel free to contact us in the first instance via email using dataprotection@icaew.com.

This Appendix applies to individuals who reside in the People's Republic of China (for the purposes of this privacy notice, excluding Hong Kong Special Administrative Region, Macau Special Administrative Region and Taiwan) (China).

This Appendix supplements the main body of this privacy notice should be read together with the main body. In the event of any conflict or inconsistency between this Appendix and the main body of this privacy notice, this Appendix shall prevail.

Legal basis for processing your Personal Data

We process your Personal Data for the purposes mentioned in the main body of this privacy notice with your consent or as otherwise required or permitted by applicable law (e.g. where the processing is necessary for concluding or performing a contract with you, where the processing is necessary to perform legal obligations, etc.).

By providing, or allowing our employee or board or committee member to provide, your Personal Data as an emergency contact, you consent to our processing of your Personal Data according to this privacy notice.

Processing of your Personal Data upon the expiry of the relevant retention period

We will irreversibly destroy or anonymize your Personal Data upon the expiry of the relevant retention period in a way that prevents that information from being restored or reconstructed.

Sensitive Personal Data

Sensitive Personal Data is Personal Data that, once leaked or illegally used, may easily cause the personal dignity of a natural person to be infringed or his/her personal or property security to be endangered. It includes data related to biometrics, religious belief, specific identity, medical health, financial account and location tracking, the Personal Data of a minor under the age of 14 (Minor Personal Data), as well as government issued ID information. The sensitive Personal Data about you we process may include marital status. We only process your sensitive Personal Data where such processing is strictly necessary for the relevant purposes identified in the main body of this privacy notice. Our processing of your sensitive Personal Data will adhere to the safeguards mandated by applicable laws and regulations. However, depending on the specific type of sensitive Personal Data involved, such processing may result in various impacts, including potential harm to your reputation, property, or personal safety in the event of a data breach. 

We will not knowingly collect or process Minor Personal Data except with consent of the parent or guardian or as otherwise permitted by law. When we collect or process Minor Personal Data, we will process such data in accordance with the safeguards set out in applicable laws and regulations. 

If you are a parent or guardian who believes that we collect or process any Minor Personal Data of your child without your consent or would like to erase, correct, or exercise any other right regarding any Minor Personal Data of your child, or have inquiries or complaints about how we process Minor Personal Data, please contact [our Data Protection Office, which is in charge of protection of Minor Personal Data, through the means mentioned in the main body of this privacy notice].

Overseas transfer of your Personal Data

As ICAEW operates globally, with your express consent where required, we may transfer your Personal Data outside of China, including to the UK and other jurisdictions where we, our service providers and other relevant third parties conduct business. In particular, your Personal Data may be transferred to our office in the UK for our storage and processing in accordance with this privacy notice. 

We may also share your Personal Data with third parties outside of China. The following list specifies the identity of the third parties outside of China that we may share your Personal Data with, basic information about their data processing activities and links to the relevant privacy policies (which you may refer to for more details about how they process your Personal Data, their contact information, and procedures to exercise data subject rights with them).

Your additional rights

Besides the rights listed in the "Your Rights" section in the main body of the privacy notice, you also have the following rights:

a. Your right to deregister your account – You can request to deregister any account you may have with us. However, if you deregister your account, certain services or processes may be disrupted or become unavailable (e.g. we may not be able to process your application properly or at all).

b. Your right to withdraw your consent – You can withdraw your consent to our processing of certain Personal Data about you when we rely on your consent for such processing. Please note that your withdrawal may lead to certain consequences (e.g. disruption or unavailability of certain services or processes, including failure to process your application properly or at all) if such processing is strictly necessary for a certain purpose and consent is the only legal basis for our processing.

Inquiries or complaints

If you have any requests to exercise rights, inquiries or concerns about the Personal Data we use about you, please contact us at china@icaew.com.  [You also have the right to make a complaint at any time to the Cybersecurity Administration of China (CAC) or its local counterparts. 

This Appendix applies to individuals who reside in the Republic of Singapore. It supplements and should be read together with the main section of this privacy notice. In the event of any conflict or inconsistency between this Appendix and the main body of this privacy notice, this Appendix shall prevail.

Consent

We will collect, use or disclose your Personal Data for purposes which you have provided your consent which can be express, deemed or by notification, unless exempted, in accordance with Singapore’s Personal Data Protection Act (2012) and its regulations (PDPA). Where we have collected, used or disclosed your personal data based on consent, you may withdraw consent with reasonable notice, and we will inform you of the likely consequences of the withdrawal.  

Purpose limitation & notification

We will only collect, use or disclose Personal Data for the purposes that a reasonable person would consider appropriate under the given circumstances and for which you have given consent (unless exempted by law).  

Accuracy, access & correction

We will make reasonable effort to ensure that your Personal Data collected is accurate and complete. You have right to access Personal Data which we hold about you, request a copy of that information and details of what we have done with that information (i.e., how long we kept it for and to whom we disclosed it) within a year before your request.

You have a right to request us to correct your Personal Data where it is inaccurate or out of date. We will make the necessary corrections as soon as practicable and send the corrected data to other organisations to which your Personal Data was disclosed pursuant to this privacy notice within a year before the correction was made.

Retention limitation

We will cease retention of your Personal Data or dispose of it in a proper manner if it is no longer necessary for the purpose for which it was collected and we have no other legal ground for processing the data, or if the collection, use or disclosure of your Personal Data was based on consent and the consent has been withdrawn.

Transfer limitation

For international transfers (i.e., a cross-border disclosure) of your Personal Data from Singapore to overseas, we will put in place contractual measures to ensure the overseas recipients process your personal data in accordance with our instructions and have in place technical and organizational measures to protect your personal data with a level of protection comparable to the protection under the PDPA. 

Data breach notification

We will notify you of any data breach that is or is likely to be of significant scale, or results in or is likely to result in significant harm to you. 

Data portability

Where required by law, at your request, we will transmit your Personal Data that is in our possession or under our control, to another organisation in a commonly used, machine readable format.

Inquiries or complaints

If you have any requests to exercise rights, inquiries or concerns about the Personal Data we use about you, please contact our Data Protection Officer at dataprotection@icaew.com.  If we are unable to help you, you may contact Singapore’s Personal Data Protection Commission (http://www.pdpc.gov.sg).