This policy is intended to provide information about how Hugh Davies & Co use (or "process") personal data about individuals including its staff and its customers. Collectively, we refer to these individuals as Hugh Davies and Co’s community.
This information is provided because Data Protection Law gives individuals rights to understand how their data is used. Staff and customers are all encouraged to read this Privacy Notice and understand Hugh Davies and Co’s obligations to its entire community.
This Privacy Notice applies alongside any other information Hugh Davies & Co may provide about a particular use of personal data, for example when collecting data via an online or paper form.
This Privacy Notice also applies in addition to the business's other relevant terms and conditions and policies, including:
Any contract between Hugh Davies & Co and its staff or customers;
Hugh Davies & Co’s retention of records policy;
Hugh Davies & Co’s health and safety policies, including as to how concerns or incidents are recorded; and
Hugh Davies & Co’s IT policies, including its Acceptable Use policy, eSafety policy, WiFi policy, Remote Working policy and Bring Your Own Device policy.
Anyone who works for, or acts on behalf of, Hugh Davies & Co including volunteers or self –employed staff should also be aware of and comply with this Privacy Notice which also provides further information about how personal data about those individuals will be used.
Responsibility for data protection
Why Hugh Davies and Co needs to process personal data
In order to carry out its ordinary duties to staff and customers, Hugh Davies & Co needs to process a wide range of personal data about individuals as part of its daily operation.
Some of this activity Hugh Davies & Co needs to carry out in order to fulfil legal rights, duties or obligations – including those under a contract with its staff and customers.
Other uses of personal data will be made in accordance with Hugh Davies & Co’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data.
Hugh Davies and Co expects that the following uses will fall within that category of its (or its community’s) “legitimate interests”:
- To provide accounting and payroll services,
- For the purposes of management planning and forecasting, including that imposed or provided for by law (such as tax, diversity or gender pay gap analysis);
- To monitor (as appropriate) use of Hugh Davies and Co’s IT and communications systems in accordance with the IT: acceptable use policy;
- Where otherwise reasonably necessary for Hugh Davies and Co’s purposes
Types of personal data processed
This will include by way of example:
- names, addresses, telephone numbers, email addresses and other contact details;
- passwords and logins to access HMRC or other financial or accounting services;
- bank details, taxation details and other financial information,
- personnel files, including in connection with academics, employment or safeguarding;
- where appropriate, information about individuals' health and welfare, and contact details for their next of kin;
How Hugh Davies and Co collect data
Generally, Hugh Davies and Co receives personal data from the individual directly. This may be via a form, or simply in the ordinary course of interaction or communication.
We may also obtain your personal data indirectly from your third parties and/or publicly available resources (for example, from your employer or from Companies House)
How we use personal data we hold about you
We may process your personal data for purposes necessary for the performance of our contract with our clients and to comply with our legal obligations. This may include processing your personal data where you are an employee, subcontractor, supplier or customer of our client.
We may also process your personal data for the purposes of our own legitimate interests provided that those interests do not override any of your own interests, rights and freedoms which require the protection of personal data. This includes processing for marketing, business development, statistical and management purposes.
Please note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.
Situations in which we will use your personal data
We may use your personal data in order to:
- carry out our obligations arising from any agreements entered into between our clients and us (which will most usually be for the provision of our services);
- carry out our obligations arising from any agreements entered into between our clients and us (which will most usually be for the provision of our services) where you may be a subcontractor, supplier or customer of our client;
- provide you with information related to our services and our events or seek your thoughts and opinions on the services we provide; and
- notify you about any changes to our services.
In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case we may use it without further notice to you.
We may also process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.
Change of purpose
Where we need to use your personal data for a reason, other than the purpose for which we originally collected it, we will only use your personal data where that reason is compatible with the original purpose. If we need to use your data for a new purpose we will notify you and communicate our legal basis for this new processing.
Who has access to personal data and who does Hugh davies share it with?
Occasionally, Hugh Davies and Co will need to share personal information relating to its community with third parties where we are required by law, where it is necessary to administer the relationship between us or where we have another legitimate interest in doing so. This may include sharing your personal data with a regulator or to otherwise comply with the law.
“Third parties” includes third-party service providers and the members of our firm’s network. The following activities are carried out by third-party service providers: IT and cloud services, professional advisory services, administration services, marketing services and banking services We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.
We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal data with a regulator or to otherwise comply with the law.
How long we keep personal data
Hugh Davies and Co retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff and customer files is up to 7 years following departure.
If you have any specific queries about how our retention policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact: Hugh Davies.
However, please bear in mind that Hugh Davies and Co often have lawful and necessary reasons to hold on to some personal data even following such request.
A limited and reasonable amount of information will be kept for archiving purposes, for example; and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (called a "suppression record").
Keeping in touch and supporting Hugh Davies and Co
Should you wish to limit or object to any such use, or would like further information about them, please contact Hugh Davies in writing. You always have the right to withdraw consent, where given, or otherwise object to direct marketing. However, Hugh Davies and Co is nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular address, email or telephone number).
Rights of access, etc.
Individuals have various rights under Data Protection Law to access and understand personal data about them held by us, and in some cases ask for it to be erased or amended or have it transferred to others, or for Hugh Davies and Co to stop processing it – but subject to certain exemptions and limitations.
You have the right to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.
Any individual wishing to access, deletion, or amend their personal data, or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should put their request in writing to Hugh Davies.
Hugh Davies & Co endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits (which is one month in the case of requests for access to information, but actually fulfilling more complex requests may take 1-2 months longer).
Hugh Davies & Co will be able to respond quickly to smaller, targeted requests for information quickly. If the request for information is manifestly excessive or similar to previous requests, Hugh Davies & Co may ask you to reconsider, or require a proportionate fee (but only where Data Protection Law allows it).
Requests that cannot be fulfilled
You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which is subject to legal privilege (for example legal advice given to or sought by Hugh Davies & Co, or documents prepared in connection with a legal action).
You may have heard of the "right to be forgotten". However, we will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your (or your child's) personal data: for example, a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.
Where Hugh Davies & Co may rely on explicit consent as a means to process personal data, any person may withdraw this consent at any time. Please be aware however that Hugh Davies & Co may not be relying on consent but have another lawful reason to process the personal data in question even without your consent.
That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment contract, or because a supply of services to clients).
Data accuracy and security
Hugh Davies & Co endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify Hugh Davies of any significant changes to important information, such as contact details held about them.
An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why Hugh Davies and Co may need to process your data, and who you may contact if you disagree.
We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Hugh Davies & Co will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.
Queries and complaints
Any comments or queries on this policy should be directed to Hugh Davies
If an individual believes that Hugh Davies & Co has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise Hugh Davies & Co complaints procedure and should also notify the Hugh Davies. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with Hugh Davies & Co before involving the regulator.