Data Protection Policy
AIMS OF THIS POLICY
The Data Protection Act 1998 (“DPA”) and GDPR gives rights to all individuals. The rights relate to how information about them is obtained, used and processed. This policy describes how:
Tax Affinity Limited aim to meet our obligations under the DPA and GDPR. Our aim is to look after information about you in your best interests and in compliance with the DPA, whilst ensuring that we can use it for the legitimate purposes of our businesses.
Because we take data protection seriously, we have appointed a Data Protection officer. His contact details are given at the end of this policy.
WHAT INFORMATION IS COVERED BY THE DPA?
Any information relating to a living individual who can be identified from that information falls under the remit of the DPA. Such information is called “Personal Data”, and covers information held manually or electronically. Some examples of Personal Data which may be used by us in our day-to-day business include names, addresses, telephone numbers, bank and financial details.
The DPA defines a special category of Personal Data which it calls “Sensitive Personal Data”. This includes information about health, religion and criminal records, and a full list is available on request. Financial information is not included in this category.
Organisations and businesses are legally obliged to comply with the DPA if they use Personal Data in almost any way whatsoever. The DPA sets out a series of principles to be met for compliance, and we set out below how we aim to comply with these principles.
Principle 1: Use of Personal Data must be fair and lawful
We aim to ensure that wherever possible individuals are advised of the Personal Data which has been obtained or retained, its source and the purposes for which such Personal Data may be used or disclosed. If we give this information to the individual at the time the Personal Data is collected, in the main we will conclude that the individual has given consent when providing that Personal Data. For example, where you provide us with your bank account details.
If the Personal Data is not received directly from the individual concerned, then we will try to ensure that we have authority to use this information, and that we will let the individual know that we are holding and using that additional information as soon as possible. If the reasons for using Personal Data change, then we aim to notify the individual at that point.
If we are using Sensitive Personal Data, consent cannot be deemed, and we aim to obtain explicit consent. If there is no explicit consent or the information has not been received directly from the individual, we will not process this information unless we are lawfully entitled to do so or we obtain the relevant consents.
Occasionally another specific part of the DPA can justify processing of Personal Data without consent where it is necessary for a particular reason set out in the DPA, and we may use this in certain circumstances, e.g. for crime prevention.
Principle 2: Personal Data must only be used for specified lawful purposes
We should only use Personal Data for a lawful purpose, and where it is covered by our notification to the Information Commissioner.
We are required to notify the Information Commissioner (formerly known as the Data Protection Commissioner) about our use and processing of Personal Data.
You can check the notifications on the Information Commissioner’s website or by asking our Data Protection Officer.
We will review and co-ordinate the processing of Personal Data in accordance with the DPA and recommended good practice. We will try only to process Personal Data within the remit of the relevant notifications.
Principle 3: Personal Data to be adequate, relevant and not excessive
The Personal Data held and used by us must be adequate, relevant and not excessive for the reasons for which we are holding it.
Whilst this is a question of fact in each case, we will try to ensure that the Personal Data we collect is specific and relevant to the particular reason for which we need it. Whilst we may use all Personal Data necessary on which to base any decision that is to be taken for those reasons, we will not collect Personal Data that is simply useful rather than necessary.
Principle 4: Personal Data to be accurate
The best way to ensure that Personal Data is accurate is for us to check this with the individual at the time it is collected. But Personal Data change from time to time. Examples of this include address and contact details, bank accounts and financial arrangements. Use of inaccurate or out-of-date information may conceivably cause some harm to the individual. We will try to keep Personal Data up to date. We may periodically ask individuals to tell us about any changes to the Personal Data they provide, and to confirm that the Personal Data we hold is correct.
If Personal Data is held or used for long periods of time and there is the possibility that some or all of the Personal Data held may become inaccurate, we will carry out regular reviews of the Personal Data by the most cost effective method to update this Personal Data.
Principle 5: Personal Data not to be kept for longer than is necessary
We should not keep Personal Data for longer that is necessary for the reasons for which we need it. This includes as long as may be necessary for the purpose of defending any legal proceedings brought against us in relation to the use of the Personal Data or as required by law, any regulatory body or recommended by any relevant code of practice.
We will review the nature of information being collected or held regularly to ensure there is a sound business reason requiring the information to be held.
Principle 6: Personal Data must be processed in accordance with individuals’ rights
Individuals have rights in relation to Personal Data processed about them.
These include the right to have copies made available on request in most circumstances. This is called the right of subject access. We will deal with requests for copies of Personal Data in accordance with the provisions of the DPA. Generally, if such a request is made, we will:
If compliance with a subject access request requires the disclosure of information relating to identifiable third party then we will not disclose the Personal Data unless either the third party has consented; or it is otherwise reasonable to comply with the request without such third party consent; or the Personal Data has been edited prior to disclosure so that the identity of third parties is not discernible.
Individuals have other rights under the DPA including:-
We will check the telephone preference service, fax preference and mail preference service prior to marketing to any individual by telephone, fax, or mail and will comply with elections not to receive marketing by fax, telephone or mail.
Principle 7: Appropriate security must be applied to all Personal Data
The DPA provides that appropriate technical and organisational measures must be taken to prevent unauthorised or unlawful processing, accidental loss of, or destruction of, or damage to, Personal Data. Special security measures may be required to be put in place in the case of Sensitive Personal Data.
We have internal procedures to meet these requirements, and take very seriously the security of Personal Data. Our procedures include:-
Principle 8: Transfers outside the European Economic Area
The DPA provides that Personal Data shall only be transferred outside the European Economic Area (“EEA”) in certain circumstances.
The EEA currently includes all European Union countries plus Iceland, Liechtenstein, and Norway.
Personal Data may be transferred outside the EEA where we have first either obtained consent from the individual, or where the transfer is to a country or parts of a country, or in some cases, to specific businesses, which have been deemed adequate by the European Commission. We may also transfer your Personal Data outside the European Economic Area. You should be aware that the countries to which we may pass your Personal Data may not have laws to protect your Personal Data. Details of the companies and countries involved will be provided on request.
COOKIES
We may store information about you using cookies (files which are sent by us to your computer or other access device) which we can access when you visit our site in future. We do this to learn more about how many users visit this website, what pages they read the most and for overall statistics to help us understand and improve the website for the user. This is common practice and is essential to our business.
If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies.
CONCLUSION
Our aim in this Data Protection policy is to show how we aim to meet the legal rights of individuals. If you have any queries about the policy, our Data Protection officer will be pleased to advise you.
This policy is not to be taken as providing legal advice or guidance about the rights of individuals under the DPA. Individuals should take their own advice if they require it. The Information Commissioner can be contacted by telephoning 01625 545740. The website address is http://www.ico.gov.uk.
The Data Protection Act 1998 (“DPA”) and GDPR gives rights to all individuals. The rights relate to how information about them is obtained, used and processed. This policy describes how:
Tax Affinity Limited aim to meet our obligations under the DPA and GDPR. Our aim is to look after information about you in your best interests and in compliance with the DPA, whilst ensuring that we can use it for the legitimate purposes of our businesses.
Because we take data protection seriously, we have appointed a Data Protection officer. His contact details are given at the end of this policy.
WHAT INFORMATION IS COVERED BY THE DPA?
Any information relating to a living individual who can be identified from that information falls under the remit of the DPA. Such information is called “Personal Data”, and covers information held manually or electronically. Some examples of Personal Data which may be used by us in our day-to-day business include names, addresses, telephone numbers, bank and financial details.
The DPA defines a special category of Personal Data which it calls “Sensitive Personal Data”. This includes information about health, religion and criminal records, and a full list is available on request. Financial information is not included in this category.
Organisations and businesses are legally obliged to comply with the DPA if they use Personal Data in almost any way whatsoever. The DPA sets out a series of principles to be met for compliance, and we set out below how we aim to comply with these principles.
Principle 1: Use of Personal Data must be fair and lawful
We aim to ensure that wherever possible individuals are advised of the Personal Data which has been obtained or retained, its source and the purposes for which such Personal Data may be used or disclosed. If we give this information to the individual at the time the Personal Data is collected, in the main we will conclude that the individual has given consent when providing that Personal Data. For example, where you provide us with your bank account details.
If the Personal Data is not received directly from the individual concerned, then we will try to ensure that we have authority to use this information, and that we will let the individual know that we are holding and using that additional information as soon as possible. If the reasons for using Personal Data change, then we aim to notify the individual at that point.
If we are using Sensitive Personal Data, consent cannot be deemed, and we aim to obtain explicit consent. If there is no explicit consent or the information has not been received directly from the individual, we will not process this information unless we are lawfully entitled to do so or we obtain the relevant consents.
Occasionally another specific part of the DPA can justify processing of Personal Data without consent where it is necessary for a particular reason set out in the DPA, and we may use this in certain circumstances, e.g. for crime prevention.
Principle 2: Personal Data must only be used for specified lawful purposes
We should only use Personal Data for a lawful purpose, and where it is covered by our notification to the Information Commissioner.
We are required to notify the Information Commissioner (formerly known as the Data Protection Commissioner) about our use and processing of Personal Data.
You can check the notifications on the Information Commissioner’s website or by asking our Data Protection Officer.
We will review and co-ordinate the processing of Personal Data in accordance with the DPA and recommended good practice. We will try only to process Personal Data within the remit of the relevant notifications.
Principle 3: Personal Data to be adequate, relevant and not excessive
The Personal Data held and used by us must be adequate, relevant and not excessive for the reasons for which we are holding it.
Whilst this is a question of fact in each case, we will try to ensure that the Personal Data we collect is specific and relevant to the particular reason for which we need it. Whilst we may use all Personal Data necessary on which to base any decision that is to be taken for those reasons, we will not collect Personal Data that is simply useful rather than necessary.
Principle 4: Personal Data to be accurate
The best way to ensure that Personal Data is accurate is for us to check this with the individual at the time it is collected. But Personal Data change from time to time. Examples of this include address and contact details, bank accounts and financial arrangements. Use of inaccurate or out-of-date information may conceivably cause some harm to the individual. We will try to keep Personal Data up to date. We may periodically ask individuals to tell us about any changes to the Personal Data they provide, and to confirm that the Personal Data we hold is correct.
If Personal Data is held or used for long periods of time and there is the possibility that some or all of the Personal Data held may become inaccurate, we will carry out regular reviews of the Personal Data by the most cost effective method to update this Personal Data.
Principle 5: Personal Data not to be kept for longer than is necessary
We should not keep Personal Data for longer that is necessary for the reasons for which we need it. This includes as long as may be necessary for the purpose of defending any legal proceedings brought against us in relation to the use of the Personal Data or as required by law, any regulatory body or recommended by any relevant code of practice.
We will review the nature of information being collected or held regularly to ensure there is a sound business reason requiring the information to be held.
Principle 6: Personal Data must be processed in accordance with individuals’ rights
Individuals have rights in relation to Personal Data processed about them.
These include the right to have copies made available on request in most circumstances. This is called the right of subject access. We will deal with requests for copies of Personal Data in accordance with the provisions of the DPA. Generally, if such a request is made, we will:
- advise the individual whether we (or someone on our behalf) are using Personal Data about them;
- if so, give the individual a description of that Personal Data, the purposes for which it is being processed and to whom it is or may be disclosed;
- provide the individual with copies (unless the costs of such permanent format would be disproportionate) of the Personal Data.
If compliance with a subject access request requires the disclosure of information relating to identifiable third party then we will not disclose the Personal Data unless either the third party has consented; or it is otherwise reasonable to comply with the request without such third party consent; or the Personal Data has been edited prior to disclosure so that the identity of third parties is not discernible.
Individuals have other rights under the DPA including:-
- no use to be made of Personal Data which will or is likely to cause substantial and unwarranted damage or distress to the individual;
- the right to be notified of any decisions made solely on the basis of automatic processing, such as creditworthiness, together with the logic for that decision making;
- the right to have any decision based solely on automatic processing to be reviewed upon written request.
We will check the telephone preference service, fax preference and mail preference service prior to marketing to any individual by telephone, fax, or mail and will comply with elections not to receive marketing by fax, telephone or mail.
Principle 7: Appropriate security must be applied to all Personal Data
The DPA provides that appropriate technical and organisational measures must be taken to prevent unauthorised or unlawful processing, accidental loss of, or destruction of, or damage to, Personal Data. Special security measures may be required to be put in place in the case of Sensitive Personal Data.
We have internal procedures to meet these requirements, and take very seriously the security of Personal Data. Our procedures include:-
- computer security, including the use of firewalls, passwords, virus updates, back-up procedures;
- controlling access to Personal Data, including checking the authenticity of persons to whom Personal Data is disclosed, limiting personnel access to Personal Data, procedures for disposing of Personal Data;
- steps to reduce the chances of the destruction of Personal Data, including taking appropriate precautions against burglary, fire and natural disaster;
- detecting and dealing with security breaches.
Principle 8: Transfers outside the European Economic Area
The DPA provides that Personal Data shall only be transferred outside the European Economic Area (“EEA”) in certain circumstances.
The EEA currently includes all European Union countries plus Iceland, Liechtenstein, and Norway.
Personal Data may be transferred outside the EEA where we have first either obtained consent from the individual, or where the transfer is to a country or parts of a country, or in some cases, to specific businesses, which have been deemed adequate by the European Commission. We may also transfer your Personal Data outside the European Economic Area. You should be aware that the countries to which we may pass your Personal Data may not have laws to protect your Personal Data. Details of the companies and countries involved will be provided on request.
COOKIES
We may store information about you using cookies (files which are sent by us to your computer or other access device) which we can access when you visit our site in future. We do this to learn more about how many users visit this website, what pages they read the most and for overall statistics to help us understand and improve the website for the user. This is common practice and is essential to our business.
If you want to delete any cookies that are already on your computer, please refer to the instructions for your file management software to locate the file or directory that stores cookies.
CONCLUSION
Our aim in this Data Protection policy is to show how we aim to meet the legal rights of individuals. If you have any queries about the policy, our Data Protection officer will be pleased to advise you.
This policy is not to be taken as providing legal advice or guidance about the rights of individuals under the DPA. Individuals should take their own advice if they require it. The Information Commissioner can be contacted by telephoning 01625 545740. The website address is http://www.ico.gov.uk.