Streets in this Privacy Notice refers to the following associated businesses:
Streets LLP (OC309545); Streets Northern LLP (OC309382); Streets Whitmarsh Sterland LLP (OC333591); Streets Tax LLP (OC309379; Streets Audit LLP (OC309381); Streets ISA Limited (07525045); Mark Carr & Co Limited (05437182); SMS Corporate Partner Limited (06950010) and Streets Financial Consulting plc (2029793).
All of these businesses have their registered office at Tower House, Lucy Tower Street, Lincoln, LN1 1XW.
If you have any comments or queries regarding our use of your data, please contact our Group Data Protection Officer at:
Alternatively, you can write to Group Data Protection Officer at Streets Chartered Accountants, Tower House, Lucy Tower Street, Lincoln, LN1 1XW.
The Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR) requires organisations that process personal data to meet certain legal obligations. Streets is a data controller within the meaning of the act and we process personal data.
Where we act as a data processor on behalf of a data controller (for example, when processing payroll), we provide an additional schedule setting out required information as part of that agreement, which should be read in conjunction with this privacy notice.
We have aimed to set out the arrangements for processing your data as clearly as possible in this privacy notice. For the avoidance of doubt we have set out a table at the end of this privacy notice summarising the purpose for which we are using your information and the lawful basis on which we are undertaking the processing of that data.
What information do we collect about you?
We are entering into a contract with you and will be processing data on that basis. We therefore collect information about you so we can fulfil this contract. In general terms, we seek to collect information about you so that we can:
- Administer our relationship with you, provide services and respond to enquiries
- Enable business development including sending legal updates, publications and details to events
- Process applications for payment
- Deliver requested information to you about our services and our associated businesses
- Ensure the billing of any procured services and obtain payment
- Process and respond to any complaints
- Enable us to meet out legal and other regulatory obligations imposed on us
- Audit usage on our websites
The information that we need for these purposes is known as your “personal data”. This includes your name, home address, email address, telephone and other contact numbers and financial information. We collect this in a number of different ways. For example, you may provide this data to us directly online or over the telephone, or when corresponding with us by letter.
If you do not provide the information we request we are unable to provide the services required under the contract and we will not be able to commence acting or will need to cease to act.
Please also be advised that when you visit our websites, cookies will be used to collect information about you such as your Internet Protocol (IP) address which connects your computer or mobile device to the Internet, and information about your visit such as the pages you viewed or searched for, pages response times, download errors etc. We do this so that we can measure our website’s performance and make improvements in the future. Cookies are also used to enhance this website’s functionality and personalisation, which includes sharing data with third party organisations.
Where we collect information
We collect information that is supplied about you from:
- A spouse/partner
- Your employer/partnership/limited liability partnership (LLP)/company
- Electronic ID verification providers
- Members of the Streets group as listed above
- Other third parties (eg banks, investment managers etc) as authorised by you
How is information collected and transferred?
Both within our organisation and when dealing with external parties we recognise the importance of the privacy of your information. We have agreed in communications with you that we will use appropriate security measures and we will also use appropriate security measures in communications with others.
How we use your information
We may use information we hold about you:
- to provide services under the contract in force between us
- to contact you about other services we provide which may be of interest to you if you have consented to us doing so
- to meet other legal and regulatory requirements
- for other legitimate interests
We will retain records based on our retention policy so that we can defend ourselves against potential legal claims or disciplinary action which can be brought within statutory time limits.
We may also use information from other people or organisations when carrying out these activities.
There is no automated decision-making involved in the use of your information and therefore no data portability.
Where we use contractors, they will comply with General Data Protection Regulation (GDPR) requirements.
On occasions we may process your information outside of the UK but will maintain written records of our processing activities performed on your behalf which shall include: (i) the categories of processing activities performed; (ii) details of any on cross border data transfers outside of the European Economic Area (EEA); and (iii) a general description of security measures implemented in respect of the client personal data.
If we transfer personal data to a country or territory outside the EEA we will do so in accordance with data protection legislation.
Information we may give to others
In order for us to undertake our contract with you, we may give information about you to:
- other third parties you require us to correspond with (for example, finance providers, pension providers (including auto-enrolment) and investment brokers)
- tax insurance providers
- professional indemnity insurers
- Our professional body (the Institute of Chartered Accountants in England and Wales) or the Office of Professional Body Anti-Money Laundering Supervisors (OPBAS) in relation to practice assurance or the requirements on us in relation to MLR 2017
We need to give information to these other parties in order to fulfil our contractual obligations to you and therefore it is not possible to opt out of the provision of information to these parties. If you ask us not to provide information we may need to cease to act.
If the law allows or requires us during the period of our contractual arrangements or after we have ceased to act we may give information about you to:
- the police and law enforcement agencies
- courts and tribunals
- the Information Commissioner’s Office (ICO)
In addition, after we have ceased to act we may give information about you to:
- our professional indemnity insurers or legal advisers where we need to defend ourselves against a claim
- our professional disciplinary body where a complaint has been made against us in order to defend ourselves against a claim
- your new advisers or other third parties you ask us to give information to
Retention of information
When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector we will retain all of our records relating to you as follows:
- where tax returns have been prepared it is our policy to retain information for seven years from the end of the tax year that the information relates to.
- where ad hoc advisory work has been undertaken it is our policy to retain information for seven years from the date the business relationship ceased.
- where we have an ongoing client relationship permanent information (the data supplied by you and others which is needed for more than one year’s tax compliance) including, for example, capital gains base costs and claims and elections submitted to HMRC are retained throughout the period of the relationship but will be deleted seven years after the end of the business relationship unless we are asked to retain it for a longer period by our clients.
Our contractual terms refer to the destruction of documents after seven years and therefore agreement to the contractual terms are taken as agreement to the retention of records for this period. Under the Money Laundering Regulations (MLR 2017) personal data must normally be destroyed within specified time limits but where contractual agreement is in place this is taken as agreement under Regulation 40 (5) MLR 2017 to retain records for the longer period of seven years.
You are responsible for retaining information that we send to you (including details of capital gains base costs and claims and elections submitted) and this will be supplied in the form agreed between us.
Documents and records relevant to your tax affairs are required by law to be retained by you as follows:
Individuals, trustees and partnerships
- with trading or rental income: five years and 10 months after the end of the tax year
- otherwise: 22 months after the end of the tax year
Companies, LLPs and other corporate entities
- six years from the end of the accounting period
Where we act as a data processor as defined in DPA 2018, we will delete or return all personal data to the data controller as agreed with the controller at the termination of the contract.
Requesting information we hold about you
Requests to see records and other related information that the firm holds about you are known as ‘subject access requests’ (SAR). We have set out further details on SARs below.
Where we act as a data processor, we will assist you as data controller with SARs on the same basis as is set out below. For example, this will be required where we process payroll for a data controller.
Requests in writing
Please provide all requests in writing marked for the attention of Group Data Protection Officer.
To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information. For example, you should tell us:
- your date of birth
- previous or other name(s) you have used
- your previous addresses in the past five years
- personal reference number(s) that we may have given you, for example your national insurance number, your tax reference number or your VAT registration number what type of information you want to know.
If you do not have a national insurance number, you must send a copy of:
- the back page of your passport or a copy of your driving licence
- a recent utility bill
DPA 2018 requires that we comply with a request for information promptly and in any event within one month of receipt. We will always try to provide a response within this timescale. We will not charge you for dealing with a SAR.
Asking someone else to make a subject access request on your behalf
You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to do this. This is usually a letter signed by you stating that you authorise the person concerned to write to us for information about you, and/or receive our reply.
When we won’t release information
The law allows us to refuse your request for information in certain circumstances – for example, if you have previously made a similar request and there has been little or no change to the data since we complied with the original request.
The law also allows us to withhold information where, for example, release would be likely to:
- prejudice the prevention or detection of crime
- prejudice the apprehension (arrest) or prosecution of offenders
- prejudice the assessment or collection of any tax or duty
- reveal the identity of another person, or information about them
We will do our best to apply these conditions carefully, without damaging the effectiveness of our work, so that we can meet your requests as often as possible.
Putting things right (the right to rectification)
Should information you have previously supplied to us be incorrect, please inform us immediately so we can update and amend the information we hold.
Deleting your records (the right to erasure)
In certain circumstances it is possible for you to request us to erase your records and further information is available on the ICO website (www.ico.org.uk). If you would like your records to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure and if applicable we will supply you with the reasons for refusing your request.
Restrictions on processing (the right to restrict processing and the right to object)
In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. For further information refer to the ICO website (www.ico.org.uk). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can take the appropriate action.
Withdrawal of consent
Where you have consented for us to contact you with details of other services we provide we may continue to process your data and contact you for that purpose after our contractual relationship ends. You may withdraw consent for us to contact you in relation to details of other services we provide at any time during the performance of the contract or thereafter. We will then cease to process your data but only in connection with contacting you with details of other services we provide. Note that the withdrawal of consent does not make the other bases on which we are processing your data unlawful. We will therefore still continue to process your data under the terms of our contract and for other reasons set out in this privacy notice.
Obtaining and reusing personal data (The right to data portability)
The right to data portability only applies:
- to personal data an individual has provided to a controller
- where the processing is based on the individual’s consent or for the performance of a contract
- when processing is carried out by automated means
You may be able to request your personal data in a format which enables it to be provided to another organisation. We will respond to any requests made to us without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received but we will inform you within one month of the receipt of the request and explain why the extension is necessary.
If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the DPA 2018 principles in some other way, you can complain to us. If you’re still not happy with our response, then you can ask the ICO to assess whether we have contravened DPA 2018.
You can also complain to the Institute of Chartered Accountants in England & Wales (ICAEW) (www.icaew.com).
Summary of purposes for processing data and the legal basis of this processing
|Purposes of processing data||Legal basis of processing|
|Providing the services requested by you and agreed by contract||Contract basis|
|Contacting you with details of other services we provide||Consent basis|
|Meeting other legal and regulatory purposes||Legal obligation basis|
|Protection against potential legal and other disciplinary action||Legitimate interest basis|
This policy should be read in conjunction with the Candidate Privacy Notice that is provided to all candidates when they apply for a position directly (not through a third party) with Streets. However, if after reading both you have any questions or concerns, in the first instance contact the HR Manager of Streets, Emma Russell.
Reasons for holding candidate data
There are a number of reasons why we need to collect, process and hold your data, the primary one is that we will need your details in order for us to manage your candidacy for a position.
There are many regulatory, legal and statutory obligations that the company has to fulfil either for themselves or on your behalf that require us to collect, use and hold your personal data.
The GDPR provides individuals with a number of rights:
1. The right to be informed
As your potential employer, we need to provide you with information on the personal data we collect from you; the purpose for us to collect and use this; how we store it and for how long; and who we might need to share it with. We need to provide this information when we collect your data. Streets does this through the Privacy Notice provided to all candidates when they apply directly for a role with Streets.
It is important that you understand the information in your Privacy Notice and therefore, if you have any concerns or need the information provided in a different format, please contact the HR Manager.
2. The right of access
You have the right to access the personal data that we hold on you as a potential employee. If you would like to view this data, please speak to the HR Manager who will arrange for this to happen.
In addition, you can raise a Subject Access Request (SAR) with us through sending a request in writing to the HR Manager. We will provide you with copies of the personal data that we hold either in paper or electronic format as quickly as possible however, this will not take longer than one month unless an extension in the timeframe is needed. There will be no charge made for doing this unless the request is repeated, excessive or multiple copies are required. In these cases a reasonable charge will be made to cover the administrative resources required to do this.
3. The right to rectification
It is important for both the company and any potential employees to ensure that we hold up to date and accurate information and that the accuracy is maintained. Candidates therefore have the right to ensure that inaccurate data is rectified as soon as possible.
If you become aware of any inaccuracies or you change address, telephone number, email or the like, it is your responsibility to inform the HR Manager.
4. The right to erasure
In certain circumstance such as when there is no longer any need for us to hold or process certain data or where in certain circumstances you have provided consent and now wish to withdraw this, you have the right for all or some personal data that we hold on you to be deleted.
If you wish to exercise this right, you should send a request in writing to the HR Manager which we will respond to as quickly as possible however, we confirm it will not take longer than one month unless an extension in the timeframe is needed. There will be no charge made for doing this unless the request is complicated. In this case a reasonable charge will be made to cover the administrative resources required to do this.
There may be occasions such as where we need to comply with a legal or regulatory obligation or where we may need data to establish, exercise or defend a legal claim when we will refuse a request to delete personal data however, we will explain this to you in writing should this occur.
5. The right to restrict processing
In certain circumstances such as an issue with the content, accuracy or nature of processing, you have the right to request that we restrict the processing of your data. In this instance processing means collecting, storing, sharing or deleting your data. This may be a request to temporarily restrict the processing to allow other rights to be exercised.
If you wish to exercise this right, you should send a request in writing to the HR Manager which we will respond to as quickly as possible. There will be no charge made for doing this unless the request is complicated. In this case a reasonable charge will be made to cover the administrative resources required to do this.
There may be occasions such as where we need to comply with a legal or regulatory obligation or process your data to establish, exercise or defend a legal claim when we will refuse a request to restrict the processing of your personal data however, we will explain this to you in writing should this occur.
6. The right to data portability
You have the right to obtain and reuse your personal data for your own purposes across different services allowing you to move, copy or transfer the personal data we hold on you easily from one IT environment to another in a safe and secure way.
If you wish us to transfer your data to another organisation, you should send a request in writing to the HR Manager which we will respond to as quickly as possible however, we confirm it will not take longer than one month. There will be no charge made for doing this.
There may be occasions when we may be unable to do this due to technical difficulties or when another’s rights would be adversely impacted however, we will explain this to you in writing should this occur.
7. The right to object
You have the right to object where the reason for us to process your personal data is based on legitimate aims only. In addition, if you have any general concerns or complaints about the processing of personal data, you should raise this with the HR Manager who should be able to resolve the matter informally.
In the unlikely event that we have been unable to address your concern internally, you may call the Information Commissioner’s Office (ICO) helpline on 0303 123 1113.
Security of data
We are committed to restricting access to personal data to just those individuals who may need it to meet their or the company’s obligation. Specific details regarding this is provided in the Candidate Privacy Notice.
Records are kept securely:
- on our Applicant Tracking System;
- on the company’s IT system where it is retained in a secure and limited-access area; and
- in hard-copy files kept by the HR Manager.
In order to fulfil our regulatory and contractual obligations the company may also need to share your personal data with third parties. We have chosen to outsource some of our operational requirements and some of our outsourced suppliers also need access to your personal data. Specific details regarding this is provided in the Candidate Privacy Notice however, in all cases we have committed to limiting the personal data that we share to only that which is necessary for them to be able to carry out the function we have contracted with them to perform.
We are committed to minimising the risk of data breaches affecting your personal data. For that reason, we have a data security policy and when sharing data we:
- use where possible direct password protected portals;
- password protect documents;
- never store personal data on portable storage devices such as USB sticks;
- limit the use of emails when sharing information containing personal data; and
- limit the number of places that personal data is stored within the company.
Should a security breach occur where Streets believe that candidate’s personal data may have been lost or stolen, they will inform you within 24 hours of becoming aware of the breach and the ICO in line with statutory guidelines.
Retention of Data
We will retain all your personal data for the duration of your candidacy and then for a further year to enable us to meet our legal obligations and to establish, exercise or defend a legal claim.