TERESA SMITH BOOKKEEPING SERVICES – DATA PROTECTION POLICY

1.0 Introduction

Teresa Smith Bookkeeping Services needs to gather and use certain information about individuals.

These include, but are not limited to:

  • Clients
  • Other parties that the organisation has a relationship with or may need to contact

This policy describes how this Personal Data must be collected, handled and stored (processed) to meet our Data Protection standards AND to comply with the Law.

2.0 Purpose

This Data Protection Policy ensures that Teresa Smith Bookkeeping Services:

  • Complies with Data Protection Laws and follows good practice
  • Protects the rights of staff, clients/patients and partners
  • Is open and transparent about how it processes Personal Data
  • Protects itself from the risks of Data Breach

3.0 Scope

The scope of this Policy applies to the following:

  • All working locations (Clinic & Remote)

It applies to all data that Teresa Smith Bookkeeping Services holds relating to identifiable individuals including, but not limited to:

  • Name
  • Postal address
  • Email address
  • Date of birth
  • Telephone numbers
  • And any other identifiable information relating to individuals, including Special Categories (Sensitive) – see Section 9.0

4.0 Data Protection Law

The following key legislation and guidance informs Teresa Smith Bookkeeping Services and the development of our procedures/controls:

  • European Data Protection Directive (95/46/EU)
  • The Data Protection Act 1998
  • The General Data Protection Regulation (GDPR)

These legal requirements govern how we will collect, handle and store Personal Data.  They apply regardless of whether the data is stored electronically, on paper or on other materials.

To comply with the law, the following EIGHT principles must be applied and evidenced.  Personal Data must be:

  1. Processed fairly, lawfully and transparently
  2. Obtained only for specific and lawful purposes
  3. Adequate, relevant and not excessive
  4. Accurate and kept up to date
  5. Not held for any longer than necessary
  6. Processed in accordance with the rights of the Data Subjects (individuals)
  7. Protected in appropriate ways
  8. Not transferred out of the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection

5.0 Risks

The Policy helps to protect both Teresa Smith Bookkeeping Services and associated individuals from very real data security risks including:

  • Breaches of confidentiality – e.g. information being disclosed inappropriately
  • Failing to offer choice – e.g. all individuals have the right to choose how a company processes their data
  • Reputational Damage – e.g. complaints, legal proceedings etc

6.0 Responsibilities

Everyone who handles/processes Personal Data must ensure that this is done in line with this Policy and all other related procedures.

7.0 Guidelines

  • The only people who can access the Personal Data, covered by this Policy, are those who are required to use it for their legitimate work and who are authorised to do so
  • Data must not be shared informally. Personal Data must be treated with the utmost confidence and security at all times
  • Teresa Smith Bookkeeping Services will provide training to all employees, partners, contractors etc to ensure that they are fully aware and understand their responsibilities regarding Data Protection & Privacy
  • For system access, strong passwords must be used and never shared
  • Personal Data should never be disclosed to unauthorised persons, either within the business or externally
  • Data should be regularly reviewed by Teresa Smith and updated accordingly. If there is no longer a legal basis or legitimate purpose for retaining/processing the Data, it must be safely deleted/destroyed
  • Where consent is the legal basis for processing information, regular reviews must be undertaken to ensure that the individual still (explicitly) consents to sharing their Personal Data
  • Individuals reserve the right to withdraw their consent to processing their Personal Data
  • Individuals may request information regarding the Data processed by Teresa Smith Bookkeeping Services. This is called a Subject Access Request (SAR) and must be responded to within 1 month
  • Individuals may raise a query or complaint to the Data Controller/Data Protection Officer. The contact details are at the end of this document

8.0 Consent

Under the new GDPR, a lawful basis must be identified and evidenced before Personal Data can be processed.  If there is no longer a legal basis (lawful purpose), then consent must be sought and evidenced.

Consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given by clear statement or affirmative action

Consent can no longer be implied.

Prior to obtaining consent, individuals will be provided with access to the Privacy Notice (also called a Fair Processing Notice).  See Section 14.0.

To manage consent and ensure that it does not degrade over time, Teresa Smith Bookkeeping Services will conduct regular consent audits and contact the relevant individuals to establish that consent is still current and given as above.

9.0 Special Categories

This relates to the processing of sensitive data that must be treated with a high degree of care.  Special categories of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data revealing a person's sex life or sexual orientation.

Processing the data is prohibited unless EXPLICIT consent is obtained from the individual.  There may be certain circumstances where processing is necessary and these details can be provided by the Data Controller/Data Protection Officer on request.

10.0 Data Storage

The following details and rules exist for data stored at Teresa Smith Bookkeeping Services.

Data type: Client File
Purpose: To capture client information to ensure appropriate treatment
Legal basis: Consent
Storage requirements: Paper – Locked Cabinet; Server – Electronically
Retention period: As per HMRC requirement – 7 years

Data type: Emails
Purpose: To communicate with client
Legal basis: Consent
Storage requirements: Paper – Locked Cabinet; Server – Electronically
Retention period: 1 year and as above

Questions regarding storage can be directed to the Data Controller/Data Protection Officer.

When data is stored in a physical format (paper etc), it will be kept in a secure location where unauthorised persons cannot get access.

These guidelines also apply to data that is stored electronically, but that has been printed out:

  • Paper files, when not being processed, will be stored in a locked cabinet/drawer
  • Employees shall ensure that paper/prints that contain Personal Data shall not be left unattended e.g. on a printer or left on a desk, where non-authorised persons can see them
  • When no longer required, paper/prints shall be shredded and disposed of securely

When data is stored electronically, it must be protected from unauthorised access, accidental disclosure/loss, accidental deletion or malicious hacking attempts:

  • Data must be protected with strong passwords that are changed regularly and never shared
  • Data stored on removable media (DVD, CD, USB etc) must be stored securely and locked away when not in use
  • Data should only be stored on approved drives and servers and should only be uploaded to an approved cloud computing service
  • Servers containing Personal Data should be sited in a secured location, away from general office space, as appropriate
  • Data should be backed up regularly
  • Data should not be saved/stored directly on laptops (unless encrypted) or smart phones/tablets
  • All servers and computers containing data should be protected by approved security software and a firewall, as appropriate

11.0 Data Minimisation

Data will be held in as few places as necessary and only retained in line with the data storage requirements documented in Section 10.0.

12.0 Data Subject Rights

In line with the new Regulation, individuals have more rights to ensure the protection of their privacy and the security of their data.  This section details their rights and how Teresa Smith Bookkeeping Services will respond to them.

12.1 Subject Access Requests (SAR)

All individuals are entitled to:

  • Ask what information the company holds about them and why
  • Ask how to gain access to it
  • Be informed about how we keep it up to date
  • Be informed about how Teresa Smith Bookkeeping Services is meeting its data protection obligations

If an individual requests to receive this information, it is called a Subject Access Request (SAR).  Teresa Smith Bookkeeping Services will always verify the identity of the requester and no information will be sent out until that has been undertaken.  Approved identity documents will be one that is photographic (national ID card, driver's licence or passport) and one current utility bill.

SARs may be made in any medium (verbally, email or physical letter) and Teresa Smith Bookkeeping Services has a legal obligation to provide all information processed within 1 month of receiving the request.  Ordinarily, there is no charge for this; however, if the SAR is significant in terms of size/complexity, Teresa Smith Bookkeeping Services does reserve the right to apply an administration fee.

Please note, however, that there may be certain circumstances where it is not possible to provide all SAR information (in line with the Law).  If this is the case, the person will be fully informed.

12.2 Right to Rectification

In the event that it is discovered that Teresa Smith Bookkeeping Services is holding inaccurate or out of date Personal Data relating to an individual, that individual has the right to request that the Data is amended/rectified as quickly as possible.

12.3 Right to Erasure

Whilst the individual does have the right to request erasure of their data (also called the Right to be Forgotten) it is not an absolute right, as there are certain instances where their request cannot be accepted.  The right can be fulfilled in the following circumstances:

  • The Personal Data is no longer required by Teresa Smith Bookkeeping Services in relation to the purposes that originally applied
  • The individual has withdrawn their consent and there is no other legal basis for processing
  • The individual objects to Teresa Smith Bookkeeping Services processing their data and there are no overriding legitimate grounds for continuing to process
  • The Personal Data has been unlawfully processed
  • A legal obligation (e.g. a court order) requires the data to be erased
  • The data relates to a child and there is no parental consent

If the right to erasure is accepted Teresa Smith Bookkeeping Services must take reasonable steps to destroy all data, including any that has been made public (e.g. photographs, video clips etc) and any data that has been forwarded/shared with other agreed 3rd parties, including processors.

The right to erasure may not be accepted for legal or public health reasons.

12.4 Right to Restriction of Processing

An individual has the right to restrict processing in the following instances:

  • The accuracy of the data is contested and time is required to verify
  • The processing of the data is considered unlawful but erasure isn’t an option
  • Teresa Smith Bookkeeping Services no longer needs the data but it may be required to support a legal claim
  • The individual has objected to processing and verification is required to establish legitimate grounds

12.5 Right to Data Portability

The individual has the right to request all their Personal Data held by Teresa Smith Bookkeeping Services, receive it in a machine-readable format and request that it be transferred to another Data Controller.  This is applicable when the data is processed by automated means only.

13.0 Disclosure

In certain circumstances, the Law allows Personal Data to be disclosed without the consent of the Data Subject.

Under these circumstances, Teresa Smith Bookkeeping Services will disclose the requested data.  However, the Data Controller/Data Protection Officer will ensure that the request is legitimate, seeking assistance from Legal Advisors or Regulators, as necessary.

14.0 Transparency

Teresa Smith Bookkeeping Services aims to ensure that individuals are aware that their Personal Data is being processed and that they understand:

  1. What data is being processed
  2. Why it is being processed
  3. How the data will be used
  4. How it will be stored
  5. How to exercise their rights

To these ends, Teresa Smith Bookkeeping Services has a Privacy Notice, setting out how data relating to individuals is used by us.

This is available both electronically and on our website www.teresasmithbookkeeping.co.uk and physically (paper copy) on request.

15.0 Version Control

Version: 3.0
Date: April 2021
Details: Third Draft
Author/Owner: Teresa Smith

Registered with HMRC Anti Money Laundering Scheme.

Teresa Smith Bookkeeping

© 2018 Teresa Smith Bookkeeping Services. All Rights Reserved
