This policy document explains how we process and store client data. You can find our full Disclaimer, Privacy and Legal policy here.
Jump to section:
- What information we collect?
- How we use your personal information?
- How we store your personal information?
- Data sharing
- Access to information & correction
- Breach notification procedure
- Data retention
- Involvement of sub-processor
- Liability and indemnity
- How to contact us?
What information we collect?
For the purpose of the Data Protection Legislation and this notice, we are the ‘DATA CONTROLLER’. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.
As set out in our letter of engagement, we may collect your personal details, contact details, financial details and details of your family, lifestyle and social circumstances that allow us to assess your requirements and to provide appropriate advice and services.
If you are providing information and/or contact data for a third party (for example your client, relative or spouse) we assume that you have their explicit consent to share this with us. They retain the right to access, correct or remove this information at any point.
How we use your personal information?
We process personal information to enable us to provide accounting, auditing and related services, and to allow us to suggest services which may be of interest to you.
We may, from time to time, contact you regarding legal, technical, regulatory or industry changes that we believe should be brought to your attention.
We may need to use your information for regulatory purposes. For instance, we are required to carry out anti-money laundering checks as part of our new client take-on process.
We may need to provide your information to service providers or other professional advisors. In the instance that personally identifiable data is shared, we will request your consent before doing so.
How we store your personal information?
We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Your data will be stored electronically in our encrypted database or in hard copy in a secure location at our office 55 Station Road, Beaconsfield, HP9 1QL. It will be accessible to the relevant team members. An encrypted backup may be stored off-site but will not be sent outside of the United Kingdom.
For payroll clients, as a data processor of your payroll data we are required to meet requirements set by Bacs with regards to the storage and accessibility of data. This includes a key-fob locked working environment, set data authorisation levels and password protection on data sent to you by email (with the password provided separately). Our payroll service is subject to an audit by Bacs (www.bacs.co.uk) every 3 years, covering all aspects of the payroll and Bacs payment processing, with particular emphasis on security aspects. Our e-payslip service requires users to login to access payslips via a secure online portal.
We can offer clients encrypted methods to send data files to us and/or receive data files from us, using ‘RouseShare’ or our ‘Client Portal’. Both data sending systems require acceptance of terms of usage upon initial registration. ‘RouseShare’ uses AEAD ciphers, a unique IV and passphrase entropy to encrypt the packages and protect your files. If you would like to use either of these systems, please contact your Rouse Partners client service team.
Data sharing
We will share your personal data with third parties where we are required by law, where it is necessary to administer the relationship between us or where we have another legitimate interest in doing so.
“Third parties” includes third-party service providers such as HMRC, accounting software providers, CCH, Praxity alliance firms, IT and cloud services providers, professional advisory services, administration services, marketing services and banking services.
All of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data. We only permit our third-party service providers to process your personal data for specified purposes and in accordance with our instructions.
We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal data with a regulator or to otherwise comply with the law.
Access to your information, correction and removal
You have the right to request a copy of the information that we hold about you, to correct information or to request the removal of your data.
We want to make sure that your personal information is accurate and up-to-date. You may ask us to correct or remove information that you think is inaccurate.
To access your information, or to request corrections or removal:
- Submit your request by email to email@example.com with the subject line/heading ‘Data Subject Access/Correction/Removal Request’ as appropriate;
- The information will be provided free of charge within three weeks;
- The information will be in an accessible format and intelligible;
- If the request is complex it may be extended to two months and a reasonable (and justified) charge may be applied. We will advise of this within the initial three weeks;
- All requests are logged.
Breach notification procedure
The client will be advised of all breaches relevant to their data including:
- Awareness: Reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised;
- If the breach is reportable to the Information Commissioner’s Office (ICO) it will be reported within 72 hours of becoming aware of it;
- All breaches will be logged;
- Rouse as Controller will document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
- The notification will include the nature of the breach, the Practice Manager details, the consequences of the breach, the measures taken to address the breach and measures to mitigate its possible adverse effects;
- If appropriate measures were taken, if the personal data was unintelligible/encrypted, the situation will be logged and the client advised, but the ICO may not be informed;
- All breaches will be contained where possible and the severity of the resulting risk will be assessed;
- An internal meeting will be held at Rouse Partners LLP including the department head, Practice Manager, responsible person and the Managing Partner.
- Notes will be provided and filed with the log.
Data retention
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.
When assessing what retention period is appropriate for your personal data, we take into consideration:
- the requirements of our business and the services provided;
- any statutory or legal obligations;
- the purposes for which we originally collected the personal data;
- the lawful grounds on which we based our processing;
- the types of personal data we have collected;
- the amount and categories of your personal data; and
- whether the purpose of the processing could reasonably be fulfilled by other means.
Please note that we are required by our professional body and professional indemnity insurers to retain certain client data for a period of time following and during our client engagement. If your request for data removal is within this timeframe we will notify you, and we will remove all data which does not conflict with this obligation.
Involvement of sub-processor
- Rouse Partners LLP does not use a Sub-Processor
Liability and indemnity
- Rouse Partners LLP is as standard a Data Controller
How to contact us?
Abigail Tester, Practice Manager
By telephone: 01494 675321
By email: firstname.lastname@example.org
By writing: Rouse Partners, 55 Station Road, Beaconsfield, Buckinghamshire, HP9 1QL