Drummond Laurie Chartered Accountants – Privacy Statement

Who we are

This is the privacy statement of Drummond Laurie Chartered Accountants.

We have offices at Unit 5, Gateway Business Park, Beancross Road, Grangemouth, FK3 8WX, and Algo Business Centre, Glenearn Road, Perth, PH2 0NJ.

This privacy statement explains how we collect and use personal information about you.

What personal information we collect

We collect various personal information about you depending on your relationship with us.

Where you are a client of ours we collect any or all of your

  • Name
  • Date of Birth
  • Postal address(es) of your business premises
  • Postal address(es) of your home address
  • Business telephone number and / or business mobile
  • Home telephone number and / or personal mobile
  • Business email address(es)
  • Personal email address (where you provide this to us)
  • Business website URL
  • Business social media ‘handles’ such as your Facebook & Twitter ID
  • Bank account details, such as sortcode, account number & bank account name
  • HMRC reference number(s) if applicable, such as VAT registration number or personal Universal Tax Reference (UTR)

As part of our procedures to accept you into our business as a client, we are required by legislation such as the Money Laundering Regulations to verify your identity. To do this we will normally request at least 2 forms of ID from you, with at least one being photographic ID and the other a utility bill or similar confirming your address. These are, by definition, personal data, but are chosen by you and therefore it is not possible to specify them exactly in this policy. As you will be choosing them, however, then you will be perfectly aware of the fact we have collected them.

Where you are an employee of ours, we collect your

  • Name
  • Date of Birth
  • Postal Address
  • Contact telephone number (either landline or mobile or both)
  • National Insurance number
  • Bank account details, such as sortcode, account number & bank account name

If your job with us involves travelling on business, then we will also take a copy of your driving licence and insurance details each year.

As part of our procedures to employ you, we are required by legislation such as the Money Laundering Regulations to verify your identity. To do this we will normally request at least 2 forms of ID from you, with at least one being photographic ID and the other a utility bill or similar confirming your address. These are, by definition, personal data, but are chosen by you and therefore it is not possible to specify them exactly in this policy. As you will be choosing them, however, then you will be perfectly aware of the fact we have collected them.

Where you are a visitor to our website then we have a specific privacy policy which applies – please see http://www.drummondlaurie.co.uk/privacy-policy/ for details.

Where we collect personal information from

The majority of the personal information we collect will be obtained directly from you by face to face contact / letters / telephone calls and / or email contact.

We may obtain certain types of information, such as your business registered address & other contact details from publicly available material, such as companieshouse.gov.uk. Where we obtain information in this way, then we will treat the data in exactly the same way as that which we collect from you directly – ie we will apply the same principles to all personal data we hold on you.

How we use your personal information

We use your personal information in various ways, depending on our relationship with you.

If you are a client of ours, then we will use your personal information to:

  • Verify your identity
  • Communicate with you in connection with the service(s) we provide to you
  • Assist us to perform the services we provide for you, for example (but not restricted to) using your VAT or HMRC reference numbers to submit statutory returns or other information on your behalf
  • Suggest additional services that we can provide, or ways that you operate your business that will improve your business and / or personal position. Such suggestions may include reference to third party services or information but we will never pass on any of your details to said third parties without your explicit consent.
  • Detect and prevent fraud or other criminal activity
  • Comply with any requests made to us by HMRC or other regulatory or legal authorities in connection with any enquiries they may make into your affairs. Please note that whilst we will always endeavour to notify you that we have responded to such requests and provide a note of any of your personal information that we have shared, this may not always be possible due to legal reasons.

If you are an employee of ours, then we will use your personal information to:

  • Verify your identity
  • Transfer your wages and any expense payments etc to your bank account
  • Communicate with you in writing about any aspect of your employment should it be required
  • Communicate with your designated emergency contacts should it be required
  • Help detect and prevent fraud or other criminal activity
  • Comply with any requests made to us by HMRC or other regulatory or legal authorities in connection with any enquiries they may make into your affairs. Please note that whilst we will always endeavour to notify you that we have responded to such requests and provide a note of any of your personal information that we have shared, this may not always be possible due to legal reasons.

If you have applied for employment with us, then we will use your personal information to:

  • Assess your suitability for the position you have applied for, or any other position that we may have available and that we consider is relevant
  • Communicate with you about the status of your application and any progress made at any interviews etc

If you are a visitor to our website then we generally do not collect any personal information in a form that we can use. Please see http://www.drummondlaurie.co.uk/privacy-policy/ for details.

Who we share your personal information with

We share your personal information with various third parties as part of the work that we do for you. We do this either for legislative reasons (for example, but not limited to submitting your VAT or Income Tax returns to HMRC) or to allow us to provide the services you have asked us to do for you, such as, but not limited to, making electronic payslips available to your employees or accessing your accounts information from an online accounts provider. We also contract an external IT support company to assist us with the operation of our computer systems and as they have access to our system to do this then it’s possible that some of your data may be exposed to them in the performance of their work. As mentioned elsewhere in this policy, we have obtained adequate assurances from them that they will keep any such data secure and will not divulge it to anyone else, and that they will comply with all aspects of the GDPR.

How we use your information to make automated decisions

We do not use any of your information to make automated decisions.

If you do not provide your personal information

As we are required by law to verify the identity of any business or person that we act for, provide services to, or employ, then, regrettably, if you do not provide your personal information then we cannot accept you as a client nor perform any work for you or employ you.

How long we retain your personal information for

How long we will retain your information will depend on our relationship with you.

Where you are a client of ours:

  • We will retain your information whilst you are a client of ours, and also for the minimum amount of time thereafter to allow us to respond to any legislative enquiries in connection with any work we have done for you. For example, HMRC can generally enquire into Income Tax, Corporation Tax or VAT returns at any point up to 4 years after they are submitted and if they then discover material errors then they can look into returns submitted 3 years prior to that. So we therefore require to keep information for at least 7 years in total.

    Please note that although you have the right to request that we delete your information as noted further on in this policy, the legislative provisions mentioned above will still apply, and therefore we may not be able to act on your deletion request until all of the various time limits have elapsed.

Where you are an employee of ours:

  • We will retain your information whilst you are employed by us, and also for the minimum amount of time thereafter to allow us to respond to any legislative enquiries in connection with your work for us, and also to respond to or defend any legal disputes between us should they arise.

Where you have applied for employment with us:

  • We will retain your information until we have either successfully filled the vacancy for which you have applied, or decided not to make the post available. This is to allow us to choose the best candidate for the position whilst retaining the ability to contact alternatives should our original choice not be able to proceed for some reason. Once the position has been filled, then our policy is to retain CVs and other data supplied in connection with a job application for a period of 12 months unless you ask us not to.

Holding personal information outside the EEA

Where we share your information with third parties, we will, as far as possible, ensure that they are in the UK or within the European Economic Area.

Where they are located outside the EEA, then we will ensure that they are either in a country which has been identified as ensuring an adequate level of protection for the rights and freedoms of data subjects, eg New Zealand, or, where the third party is located in the US, that they participate in the Privacy Shield program.

Protection of your data

We take the protection of your data extremely seriously and take various measures to protect it.

Where we process the data on our systems then it is kept secure by various industry standard methods, including but not limited to:

  • Encryption of hard drives on all company laptops
  • Continually updating our servers to apply all Microsoft and other security patches and updates
  • Equipping our network with appropriate hardware, such as firewalls, to ensure that no unauthorised access takes place
  • Maintaining a robust password policy which ensures that only valid users can access our systems and that all passwords allowing access and protecting client data are strong and are changed on a regular basis.
  • Only allowing remote access to our systems through an encrypted VPN which uses regularly changing passwords.
  • Reviewing all traffic in and out of our network for any suspicious activity
  • Carrying out regular and frequent backups to multiple different backup media, some on and some off-site to allow for fast recovery of data and systems where required
  • Enforcing password protection or other similar security protocols on all personal or commercially or personally sensitive data being transferred to / from clients and third parties
  • Continually monitoring all laptops and servers for viruses or other malware and taking appropriate action where any is discovered.
  • Keeping all servers in a locked server cabinet within a locked server room and only allowing access to both the room and cabinet to authorised personnel.
  • Connecting all main servers to battery backups and dual power supplies to minimise the risk of data loss or corruption due to power failure – all main servers are set to detect when running on battery power and perform a clean shutdown before the battery runs out, thus protecting our systems in the event of a prolonged power outage
  • Having a standby server located in a separate physical location which can be brought into service at short notice to allow us to continue our services.

Where we share your data with a third party then we ensure that the third party will only be storing that data in the UK, in the European Economic Area, in a country that ensures an adequate level of protection for the rights and freedoms of you as a data subject, or, in the case of an organisation based in the US, that said organisation is participating in the Privacy Shield policy. We also ensure that we have obtained adequate assurances from those third parties that they agree to keep such information confidential and secure and not divulge it to anyone other than authorised recipients, and that they comply with all aspects of the GDPR.

Any personal or commercially or personally sensitive data that is transferred to third parties will be transferred by uploading it to a secure portal on the third party’s systems, emailed to them in a password protected attachment or entered directly into their website(s) by our staff, except in the case of Sagedrive (a method of sharing Sage 50 Accounts data with our clients which transfers the data via servers run by Sage UK) where the data is automatically sent to the Sage servers when entered into the appropriate Sage company on our systems.

Using our website

Any use of our website is covered by a separate privacy policy, and this can be accessed at http://www.drummondlaurie.co.uk/privacy-policy/

Your rights

Access to your information – You have the right to request a copy of the personal information about you that we hold.

Correcting your information – We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Deletion of your information – You have the right to ask us to delete personal information about you where:

  • You consider that we no longer require the information for the purposes for which it was obtained.
  • We are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below.
  • You have validly objected to our use of your personal information – see Objecting to how we may use your information below.
  • Our use of your personal information is contrary to law or our other legal obligations.

    Please note that, as covered elsewhere in this privacy policy, we are required to maintain copies of any information used in the preparation of accounts, VAT returns, Income Tax returns and other information that has been submitted to HMRC and other similar bodies either by us on your behalf, or by you directly after we have prepared the information for you.

    The timescales that we are required to maintain this information for vary depending on the type of information submitted, but we generally require to keep information for around 7 years.

    This requirement to keep information over-rides your right to have your data deleted, and so we will generally not be able to comply with any such requests until such time periods have elapsed. We will of course, comply with any restrictions you place on our use of your data during this time period, such as not contacting you unless it is specifically in response to an enquiry by HMRC or similar, subject always to the fact that legislative reasons may again over-ride any restrictions you may impose.

Objecting to how we may use your information – You have the right at any time to require us to stop using your personal information for direct marketing purposes.  In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.

Restricting how we may use your information – In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you don’t want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest or legislative grounds to do so.

Automated processing – If we use your personal information on an automated basis to make decisions which significantly affect you, you have the right to ask that the decision be reviewed by an individual to whom you may make representations and contest the decision.  This right only applies where we use your information with your consent or as part of a contractual relationship with you. As at the time of writing (May 2018) we do not use any form of automated decision making, but should we do so in the future then this right will automatically apply.

Withdrawing consent to using your information – Where we use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.

Please contact us in any of the ways set out in the Contact information and further advice section if you wish to exercise any of these rights.

Changes to our privacy statement

We keep this privacy statement under regular review and will place any updates on our website and also distribute them by whatever electronic means we think relevant.  Paper copies of the privacy statement may also be obtained on request.

This privacy statement was last updated on 21/05/2018.

Contact information and further advice

Any comments or queries on this privacy policy or any aspect of how Drummond Laurie collect, maintain and use your data, personal or otherwise, should normally be directed to your usual Drummond Laurie contact(s) as they are best placed to answer specific questions about your data.

Should you not wish to contact them for whatever reason, are unable to do so, or do not have a regular contact then any queries about this policy and all aspects of Drummond Laurie’s collection and use of personal data should be directed to:

Data Protection Officer
Drummond Laurie Chartered Accountants
Unit 5, Gateway Business Park
Beancross Road
Grangemouth
FK3 8WX

Telephone – 01324 441250

E-Mail – data.protection@drummondlaurie.co.uk

Website – http://www.drummondlaurie.co.uk

Complaints

We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner’s Office, whose contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone – 0303 123 1113 (local rate) or 01625 545 745

Website – https://ico.org.uk/concerns