Simia Farra & Company Limited (The Firm)
10 Western Road Romford Essex RM1 3JT
PRIVACY AND DATA PROTECTION POLICY
In the course of its business, the Firm needs to gather and use certain information about individuals. This will include clients, suppliers and other business contacts, and employees and prospective employees, as well as other people that we have a relationship with, may need to contact, or with whom we need to deal.
This policy describes how this personal data must be collected, processed, transferred, handled and stored in order to meet the requirements of data protection law, in particular the General Data Protection Regulation (GDPR). We recognise that, not only must we comply with the principles of fair processing of personal data, we must also be able to demonstrate that we have done so. The procedures and principles set out below must be followed always by the Firm, its employees and all those within its scope as set out below.
- We are registered with the Information Commissioner’s Office, registration number Z6326592
- Our Data Protection Officer is David Leff and he can be contacted on 01708 777 950 or firstname.lastname@example.org.
Why this policy exists
This Policy provides help and guidance to our staff and managers in:
- complying with data protection law and following good practice
- protecting the rights of staff, clients, partners and business contacts
- being open about how we use personal data, how we store it and when we secure it
- protecting the Firm against the risks of both inadvertent and intentional data breaches
Scope of the Policy
- The Policy applies to all employees; fixed term contract employees; temporary employees; agency staff; and consultants and contractors who are provided with access to any of the Firm’s files and/or computer systems. All users have responsibility for complying with the terms of this Policy
What is personal data?
- The GDPR regulates how organisations must collect, handle and store personal data. Personal data is any information relating to an identified or identifiable living individual. It is information which enables that person to be identified, directly or indirectly, and may include their name, address, telephone number(s), email address(es), age, location data, or online and biometric identifiers. We hold data relating to our employees, some of which is classed as sensitive personal data (also known as ‘special category data’) where, for example, it concerns a person’s health and medical status. We also hold a wide range of information about clients, including highly confidential personal financial data such as their individual tax information. These rules apply to all data stored in any structured way, including both paper files and electronically
- The Directors are ultimately and collectively responsible for ensuring that the Firm meets its legal obligations and that this Policy is followed
David Leff, The Data Protection Officer (DPO) is responsible for:
- keeping the directors updated about data protection responsibilities, risks and issues
- reviewing all data protection procedures and related policies, in line with an agreed schedule
- arranging data protection training and advice for everyone to whom this Policy applies
- handling data protection queries from staff and contractors
- dealing with requests from anyone whose data we hold for access to that data (known as SAR ‘subject access requests’)
- checking and approving any contracts or agreements with third parties that may handle our personal data
- checking and approving any contracts or agreements with third parties whose personal data we may handle
- ensuring that policies on processing, retention, storage and deletion of data are adhered to and relevant documentation is maintained to evidence compliance
- The independent external IT Manager/company for Simia Farra & Company Limited will be: – Ratcliff IT.
Ratcliff IT are responsible for:
- ensuring that all systems, services and equipment used for storing data meet acceptable security standards
- performing regular checks to ensure that security hardware and software is functioning properly
- evaluating any third-party services, the Firm is considering using to store or process data. For example, cloud computing services
Data Security – Transferring Personal Data and Communications
- We will ensure that we take the following measures with respect to all communications containing personal data:
- all emails containing personal data will either be sent via our cloud based technology portal (CCH – Simia Farra & Co Ltd – Client Space). Clients will be provided with unique, confidential log in details to allow them to view their documents or via secure email systems
- all documents prepared for clients such as tax returns, and final accounts will be held in a separate client area, hosted by our reputable IT service provider (Ratcliff IT). Access to the area is controlled.
- all emails containing personal data will be marked ‘Confidential’
- personal data contained in the body of an email, whether sent or received, should be copied from the body of the email and stored securely.
- all temporary files containing any personal data should be deleted without delay
- where personal information is being sent by fax, the recipient should be informed of its imminent arrival to allow them to monitor and collect the document immediately
- all personal data sent in hard copy form should be delivered to the recipient in person, in a container marked ‘Confidential’, or sent by recorded delivery or courier, as appropriate.
Data Storage and General Security
- all electronic copies of personal data should be stored securely using privilege levels and passwords
- regular password changes will be enforced and the number of logins will be restricted
- passwords should never be written down or shared between any employees, agents, contractors or other persons working on behalf of the Firm, no matter what their level of seniority.
- computer equipment belonging to the Firm will be sited in a secure location within the office and in a position where they cannot be viewed by members of the public
- computer terminals must not be left unattended, and should be logged off at the end of the session
- personal data is backed up at regular intervals and is stored state onsite or offsite location and where appropriate is encrypted
- all software must be kept up to date and David Leff shall be responsible for ensuring that all security-related updates are installed promptly, unless there are valid technical reasons for not doing so
- no software should be installed on the Firm’s system without the prior approval of David Leff
- personal data should not be stored on any mobile device such as laptops, tablets and smartphones without the approval of the DPO and, where it is held, only in accordance with his or her instructions and limitations
- personal data must never be transferred on to an employee’s personal device and we will never transfer such data onto a device owned by a contractor or agent unless they have agreed to comply fully with the letter and spirit of this Policy and with the GDPR
- all manual files must be stored securely in locked cabinets and should not be left unsecured in the office overnight
- computer print outs containing personal information should be destroyed without delay and should never be retained for scrap paper
- where personal data is to be erased, or otherwise disposed of, this will be done in accordance with the Firm’s Data Retention Policy.
Data Subject Access
- Access: (SAR’s) You have the right to access the personal information we may hold about you. On receipt of such a request we will endeavour to respond to you as soon as possible, but at least within one calendar month. You must provide us with 2 forms of personal identity to ensure that we only disclose to you, information which is relevant to you personally.
- Rectification: You have the right to request that we amend any personal information that may be incorrect or require updating.
- Erasure and suspension: You have the right to request that we delete any personal information pertaining to you, however this may be overridden by our HMRC time limit requirements. Individuals have a right to suppress processing of personal data. If you decide to do this, we will continue to store the data, but not further process it.
- Under GDPR there is a new right to data portability, primarily designed to make it easier for individuals to switch between service providers.
Data breach reporting.
- You have the right to be informed of a data breach if there is material damage which might affect you. We commit to inform you as soon as possible should this occur.
- We will only use your data for the purposes we have specified. Primarily we use your personal data to send you what you have signed up and as disclosed in agreements and set out in engagement letters.
- We will not sell or distribute at any time your personal data, unless previously authorised by yourself.
- Occasionally third parties may provide secure storage services to us. In those circumstances those third parties will/have provided to us confirmation of their data protection policies and that they are GDPR compliant.
- Personal data will always be stored securely to prevent unauthorised access by third parties. Data will be processed at our offices in Romford with access restrictions in place and at the sites of our data processors within the UK or abroad. Our IT managers/consultants retain our data at a different location protected behind the appropriate firewalls and other security devices.
The transmission of Information via the Internet
- The transmission of Information via the Internet is not completely secure. We cannot ensure the security of your Information transmitted by you to us via the internet. Any such transmission is at your own risk and you acknowledge and agree that we shall not be responsible for any unauthorised use, distribution, damage or destruction of your Information, except to the extent we are required to accept such responsibility by the GDPR, The Privacy and Electronic Communications Regulations or the Data Protection Act. Once we have received your Information we will use security procedures and features to prevent unauthorised access to it. Simia Farra & Company Limited will promote the use of cloud based portal systems for the exchange of data where possible
Implementation of the Policy
- This Policy is effective as of 25th May 2018. No part of the Policy is retrospective in effect and applies to matters occurring on or after 25th May 2018.This Policy has been approved and authorised by:
David Leff (DPO)
Dated: 25th of May 2018
PDF available for download here: