Client Engagement Privacy Notice
Stanbridge Associates
Updated 4 November 2020
As part of any engagement process, SAL collects and processes personal data relating to our clients. This is essential to the nature of the engagement and the services we provide to you as our client. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
What Personal Data Do We Collect?
To enable us to provide the most focused and efficient advice to help you plan and meet your compliance obligations we store and process large amounts of your personal data. We do this electronically, online and in physical format. We collect and collate information from a myriad of sources direct and indirect. Such information can include:
​
-
Name
-
Address and telephone numbers
-
Date of birth
-
Gender
-
Preferred title
-
Details of membership of professional bodies
-
Qualification details
​
-
Employment details including a CV and references
-
Details of relevant professional disciplinary issues
-
Email address
-
Next of kin
-
Driving licence details including convictions
-
Passport details
-
Bank account details
-
Tax reference and National Insurance Number
-
your nationality, domicile and residency
High Risk Data
Financial Data Including But Not Limited To:
-
Associated company information such as registered number and office,
-
employer’s name and address,
-
information about your current level of remuneration, including benefit entitlements;
-
pension savings growth, contribution levels and membership of schemes
-
​business details including income and expenses and profits;
-
details of past and present taxable income and gains
-
data on other taxes or potential taxes including investment in tax avoidance schemes
Why Do We Collect Your Personal Data?
It is necessary to have a lawful basis for collecting, using, sharing and storing personal data for us to comply with the law. Depending on the context and the information process, determines the lawful basis which applies.
Consent
We will only process your special category data with your explicit consent unless we have a legal obligation to supply such data without your consent or knowledge.
Legal Obligation
We collect data to fulfil our legal obligations and to monitor compliance with our regulations and the law.
Legitimate Interest
We collect data to enable us to fulfil our obligations under our contract terms as a supplier of professional services. We process your data to allow us to provide accountancy and tax compliance and tax advisory services (if applicable).
​
We will use the information to fulfil a contractual service as detailed in an engagement letter, to meet legal obligations or for other purposes e.g.:
-
to confirm your identity and address
-
to carry out your instructions
-
to improve our services
-
to offer other services we believe may benefit you unless you ask us not to.
​
We hold data in order to make ID checks under the Money Laundering Regulations, this may include a copy of your passport or driving licence and evidence of your address.
High Risk Personal Data
-
Details of your bank accounts
-
Unique Tax Reference (UTR) and national insurance number
-
Passport and driving licence information.​
Personal Data Provided by Third Parties
SAL will also collect personal data about you from third parties, such as NHS business services, HMRC, and Independent Financial Advisors. We will expect your co-operation with the provision of your authority to approach necessary third parties, and if you withhold this it will affect our opportunity to work together.
Why Do We Process Personal Data?
Processing data collected from you and about you allows us to provide our services to you as we have agreed to perform under contract. In order to comply with Data Protection Laws, SAL need a lawful basis to process your Personal Data. We use the following lawful reasons to obtain and use your Personal Data.
Contract
SAL needs to process your Personal Data to take steps at your request, to carry out the services we have agreed to perform for a professional fee, usually by way of our engagement letter, which we ask you to sign or approve before commencing our engagement.
​
Prior to engaging our services, we carry out some initial work on checking who you are and your financial circumstances.
Legal Obligation
In some cases, SAL needs to process data to ensure we comply with legal obligations. For example, checking your identity under money laundering regulations.
Legitimate Interest
In other cases, we have a legitimate interest in processing Personal Data to meet our business requirements including:
​
-
Offering our services
-
Promoting our services and business
-
Providing analytical data (anonymised) for statistical purposes such as benchmarking
-
Publishing data in the press
-
Communicating with HMRC
-
Including information on our website, social media etc.
-
Responding to and defending against legal claims
Who May Have Access To Personal Data?
Your information may be shared internally for the purposes of providing the best advice for your circumstances.
​
SAL will not share your data with third parties without express written authority. This includes information about business associates and family. Where you provide such information we assume you have obtained the consent of that person or entity to allow us to process their data. We shall take the same level of care over this data.
Processors
SAL may share your personal data with third-party processors who provide services to our business. These services include:
​
HMRC and legal representation
​
-
We will only share data with HMRC and HM Courts and Tribunal’s service and any necessary legal representation, during the course of an enquiry or investigation or tax appeal or other reasons if:
a) We authorised to do so by the taxpayer, or
b) In the case of a Schedule 36 FA 2008 Information Notice, we have either been so authorised by a tribunal or we are compelled to provide data under the terms of a third party notice, or
c) We are obliged by other regulations to provide data.
Website
-
We maintain a database that contains the details of users of our website. The details that we retain are as input by you when you registered with our website. We retain this information to communicate with you.
-
Our website allows us to track user data for our own analytical purposes. We track users by name (when logged in), by IP address, according to which device you are using (whether you are logged in or not) and by device location.
-
We do not sell our website data or allow any third party access to our data or our database of users.
-
Our website data may be hosted on third party servers or on our own servers which are protected by firewalls, encryption and access to our servers is protected by password protection applications.
-
our web developers may require access to the full back-end of our website. We place reliance on their own security measures when they access our data. They do not have access to financial data or our software for processing your data.
Our Use Of Cookies And Similar Technologies
-
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
-
We do not store any personal data in the cookies that we use and store your information anonymously to assist us in the running of the site, and for monitoring the activity and traffic both to and through our website. To do this we use Google Analytics cookies.
-
Depending on the browser you use you should be able to control what cookies are placed on your device through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit
-
We use Google Analytics to analyse the use of our website; Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ devices. The information generated relating to our website is used to create reports about the use of our website. Details captured during your visit will include, but not limited to, traffic data, location data, weblogs and other communication data and the resources you access, however, all data collected is anonymous and will not identify you as an individual.
-
Google, store this activity information, and you can view Google’s privacy policy at
www.google.com/privacypolicy.html
To opt out of being tracked by Google Analytics across all websites visit
IT Providers
In the course of our service provision we use a practice management software provided by a third party. In the event of issues occurring with the data processing we may provide them with external log in access or a snapshot of electronic data to allow them to fix or correct the issue. We place reliance on their security measures when they access our data.
Insurers
We provide access to fee protection insurance. We are required to allow these insurers access to our correspondence with HMRC for their audit purposes.
​
Sometimes we may ask for a second opinion and we may share data but we do not share your name unless you provide your authority to do so.
Our professional indemnity insurer may require specific details in the event of a complaint.
​
Our professional body may require specific details in the event of a complaint or they may be provided with access to our files for quality assurance purposes.
Independent Financial Advisors
In some circumstances you ask us to obtain or share information with your IFA. We will do so on your written authority and will rely upon their security measures to process your data in an appropriate manner.
​
We do not allow any third party access to our data, however, our IT support (outsourced) may work on software programmes that hold that data such as our databases.
​
We store data via our own and third party servers (cloud-based within the UK) and we use applications including but not limited to Openspace, Microsoft and Google products.
​
Data held on third party servers is highly protected by security features including firewalls, regular scans against malware and measures to prevent SQL injection.
We process and store data using our tax and accounting software, such software may be located 'in the Cloud' and if so we rely on the software provider's security features and all access if password protected.
​
When software is installed on our local machines all software is password protected.
​
We prohibit the use of memory sticks to hold client data. If you provide us with a memory stick we will not transport it out of our office.
​
We may use third party contractors in our business and they are required to sign a ‘Fit and proper’ declaration which includes a declaration that they will not remove data or pass on data to other parties.
Separate Controllers
SAL may share your personal data with organisations where we have a legal obligation, contract or other legitimate interest to do so.
Third Countries
Your personal data may be transferred to countries outside of the European Economic Area (EEA). For example, your personal data may be shared with Revenue authorities overseas if there is a legal requirement to do so. Where data is transferred outside of the EEA, it is done on the basis of appropriate safeguards, for example binding corporate rules, EU model clauses or a declaration of adequacy.
How Long Do We Hold Your Personal Data?
-
We retain data for as long as statute or regulations demand
-
We hold data electronically and on paper
-
We normally destroy files after six years although if you have been a client for a longer period we may store your tax return data on our software to retain a picture of your financial position in the event of an enquiry but we do not retain your source data. Once processed your source data is returned to you.
-
Our computer hard drives are destroyed before disposal
What If You Do Not Supply Your Personal Data?
You are under no statutory or contractual obligation to provide data to us during our engagement. However, if you do not provide the information we request or of which you are aware we may need to perform our duties under our engagement terms, we may not be able to act on your behalf or in your best interests.
Your Rights In Relation To Your Personal Information
You have a number of rights relating to your information:
​
-
The right to be informed about the processing of your personal data;
-
The right to have the personal data corrected if it is inaccurate and to have incomplete personal data completed;
-
The right to object to processing of your personal data;
-
The right to restrict processing of your personal data;
-
The right to have your personal data erased (the “right to be forgotten”);
-
The right to request access to your personal data and information about how we process it; and
-
The right to move, copy or transfer your personal data (“data portability”).