TERESA SMITH BOOKKEEPING SERVICES – DATA PROTECTION POLICY
Teresa Smith Bookkeeping Services needs to gather and use certain information about individuals.
These include, but are not limited to:
This policy describes how this Personal Data must be collected, handled and stored (processed) to meet our Data Protection standards AND to comply with the Law.
This Data Protection Policy ensures that Teresa Smith Bookkeeping Services:
The scope of this Policy applies to the following:
It applies to all data that Teresa Smith Bookkeeping Services holds relating to identifiable individuals including, but not limited to:
4.0 Data Protection Law
The following key legislation and guidance informs Teresa Smith Bookkeeping Services and the development of our procedures/controls:
These legal requirements govern how we will collect, handle and store Personal Data. They apply regardless of whether the data is stored electronically, on paper or on other materials.
To comply with the law, the following EIGHT principles must be applied and evidenced. Personal Data must be:
The Policy helps to protect both Teresa Smith Bookkeeping Services and associated individuals from very real data security risks including:
Everyone who handles/processes Personal Data must ensure that it is done so in line with this Policy and all other related procedures.
Under the new GDPR, a lawful basis must be identified and evidenced before Personal Data can be processed. If there is no longer a legal basis (lawful purpose), then consent must be sought and evidenced.
Consent must be:
Consent can no longer be implied.
Prior to obtaining consent, individuals will be provided with access to the Privacy Notice (also called a Fair Processing Notice). See Section 14.0.
To manage consent and ensure that it does not degrade over time, Teresa Smith Bookkeeping Services will conduct regular consent audits and contact the relevant individuals to establish that consent is still current and given as above.
9.0 Special Categories
This relates to the processing of sensitive data that must be treated with a high degree of care. Special categories of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data that reveals an individual's sex life or sexual orientation.
Processing the data is prohibited unless EXPLICIT consent is obtained from the individual. There may be certain circumstances where processing is necessary and these details can be provided by the Data Controller/Data Protection Officer on request.
10.0 Data Storage
The following details and rules exist for data stored at Teresa Smith Bookkeeping Services:
To capture client information to ensure appropriate treatment
As per HMRC requirement – 7 years
To communicate with client
1 year and as above
Questions regarding storage can be directed to the Data Controller/Data Protection Officer.
When data is stored in a physical format (paper etc.), it will be kept in a secure location where unauthorised persons cannot gain access.
These guidelines also apply to data that is stored electronically, but that has been printed out:
When data is stored electronically, it must be protected from unauthorised access, accidental disclosure/loss, accidental deletion or malicious hacking attempts:
11.0 Data Minimisation
Data will be held in as few places as necessary and only retained in line with the data storage requirements documented in Section 10.0.
12.0 Data Subject Rights
In line with the new Regulation, individuals have more rights to ensure the protection of their privacy and the security of their data. This section details their rights and how Teresa Smith Bookkeeping Services will respond to them.
12.1 Subject Access Requests (SAR)
All individuals are entitled to:
If an individual requests to receive this information, it is called a Subject Access Request (SAR). Teresa Smith Bookkeeping Services will always verify the identity of the requester and no information will be sent out until that has been undertaken. Approved identity documents will be one photographic document (national ID card, driver's licence or passport) and one current utility bill.
SARs may be requested in any medium (verbally, email or physical letter) and Teresa Smith Bookkeeping Services has a legal obligation to provide all information processed within 1 month of receiving the request. Ordinarily, there is no charge for this; however, if the SAR is significant in terms of size/complexity, Teresa Smith Bookkeeping Services does reserve the right to apply an administration fee.
Please note, however, there may be certain circumstances where it is not possible to provide all SAR information (in line with the Law). If this is the case, the person will be fully informed.
12.2 Right to Rectification
In the event that it is discovered that Teresa Smith Bookkeeping Services is holding inaccurate or out-of-date Personal Data relating to an individual, that individual has the right to request that the Data is amended/rectified as quickly as possible.
12.3 Right to Erasure
Whilst the individual does have the right to request erasure of their data (also called the Right to be Forgotten), it is not an absolute right, as there are certain instances where their request cannot be accepted. The right can be fulfilled in the following circumstances:
If the right to erasure is accepted, Teresa Smith Bookkeeping Services must take reasonable steps to destroy all data, including any that has been made public (e.g. photographs, video clips etc.) and any data that has been forwarded/shared with other agreed 3rd parties, including processors.
The right to erasure may not be accepted for legal or public health reasons.
12.4 Right to Restriction of Processing
An individual has the right to restrict processing in the following instances:
12.5 Right to Data Portability
The individual has the right to request all their Personal Data held by Teresa Smith Bookkeeping Services, receive it in a machine-readable format and request that it be transferred to another Data Controller. This is applicable when the data is processed by automated means only.
In certain circumstances, the Law allows Personal Data to be disclosed without the consent of the Data Subject.
Under these circumstances, Teresa Smith Bookkeeping Services will disclose the requested data. However, the Data Controller/Data Protection Officer will ensure that the request is legitimate, seeking assistance from Legal Advisors or Regulators, as necessary.
Teresa Smith Bookkeeping Services aims to ensure that individuals are aware that their Personal Data is being processed and that they understand:
To these ends, Teresa Smith Bookkeeping Services has a Privacy Notice, setting out how data relating to individuals is used by us.
This is available electronically, on our website www.teresasmithbookkeeping.co.uk, and physically (paper copy) on request.
15.0 Version Control