020 8977 1888

Accountants west london Accountants west london Accountants west london Accountants west london Accountants west london Accountants west london Accountants west london Accountants west london

Our Privacy Policy

Introduction

Haxton Limited is committed to protecting the confidentiality and privacy of information entrusted to it and securely processing data in accordance with all of the legal obligations and in conjunction with our Terms of Engagement. This policy details how we handle personal information we collect.

 

Information Collection

We collect personal information about you if you choose to provide it when you register for services.  Your personal information is not used for other purposes, unless we obtain your permission, or unless otherwise required or permitted by law or professional standards.

This policy sets out how we seek to protect personal data and ensure that our staff understand the rules governing their use of the personal data to which they have access in the course of their work.

 

The principles

Haxton Limited shall comply with the principles of data protection (the Principles) enumerated in the EU General Data Protection Regulation. We will make every effort possible in everything we do to comply with these principles. The Principles are:

  1. Lawful, fair and transparent – data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used.
  2. Limited for its purpose – data can only be collected for a specific purpose.
  3. Data minimisation – any data collected must be necessary and not excessive for its purpose.
  4. Accurate – the data we hold must be accurate and kept up to date.
  5. Retention – we cannot store data longer than necessary.
  6. Integrity and confidentiality – the data we hold must be kept safe and secure.

 

Accountability and transparency

We must ensure accountability and transparency in all our use of personal data. We must show how we comply with each principle. We are responsible for keeping a written record of how all the data processing activities we are responsible for complying with each of the Principles.

 

Lawful basis for processing data

We will establish a lawful basis for processing data. At least one of the following conditions must apply whenever we process personal data:

Consent – we hold recent, clear, explicit, and defined consent for the individual’s data to be processed for a specific purpose.

Contract – the processing is necessary to fulfil or prepare a contract for the individual.

Legal obligation – we have a legal obligation to process the data (excluding a contract).

Vital interests – processing the data is necessary to protect a person’s life or in a medical situation.

Public function – processing necessary to carry out a public function, a task of public interest or the function has a clear basis in law.

Legitimate interest – the processing is necessary for our legitimate interests. This condition does not apply if there is a good reason to protect the individual’s personal data which overrides the legitimate interest.

 

Special categories of personal data

Where we process special categories of personal data, such as race, ethnic origin, politics, religion, trade union membership, genetics, health or sexual orientation we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law.

Our responsibilities

Analysing and documenting the type of personal data we hold

Checking procedures to ensure they cover all the rights of the individual

Identify the lawful basis for processing data

Ensuring consent procedures are lawful

Implementing and reviewing procedures to detect, report and investigate personal data breaches

Assessing the risk that could be posed to individual rights and freedoms should data be compromised

Checking and approving contracts or agreements with third parties, eg, our IT provider, that their policies comply with the data protection legislation where they have access to personal data we hold

Ensuring all systems, services, software and equipment meet acceptable security standards

Checking and scanning security hardware and software regularly to ensure it is functioning properly

In cases when data is stored on printed paper, keeping it in a secure place where unauthorised personnel cannot access it

Shredding printed data when it is no longer needed

Protecting data stored on a computer by strong passwords that are changed regularly.

Encrypting or password protecting data stored on CDs or memory sticks and locking them away securely when they are not being used

Regularly backing up data in line with the company’s backup procedures

All possible technical measures will be put in place to keep data secure

Data retention

We will retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained.  In most cases we have a legal obligation to keep records for a statutory period.

Rights of individuals

Individuals have rights to their data which we must respect and comply with to the best of our ability. We must ensure individuals can exercise their rights in the following ways:

Right to be informed – providing privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, that are written in clear and plain language. Keeping a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.

Right of access – enabling individuals to access their personal data and supplementary information. Allowing individuals to be aware of and verify the lawfulness of the processing activities

Right to rectification – we must rectify or amend the personal data of the individual if requested because it is inaccurate or incomplete. This must be done without delay, and no later than one month. This can be extended to two months with permission from the Information Commissioners Office.

Right to erasure – we must delete or remove an individual’s data if requested and there is no compelling reason for its continued processing.

Right to restrict processing – we must comply with any request to restrict, block, or otherwise suppress the processing of personal data. We are permitted to store personal data if it has been restricted, but not process it further. We must retain enough data to ensure the right to restriction is respected in the future.

Right to data portability – we must provide individuals with their data so that they can reuse it for their own purposes or across different services. We must provide it in a commonly used, machine-readable format, and send it directly to another controller if requested.

Right to object – we must respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task. We must respect the right of an individual to object to direct marketing, including profiling. We must respect the right of an individual to object to processing their data for scientific and historical research and statistics.

Rights in relation to automated decision making and profiling. Not currently in use.

Reporting breaches

Any breach of this policy or of data protection laws will be reported as soon as practically possible. This means as soon as we have become aware of a breach. Haxton Limited has a legal obligation to report any data breaches to the Information Commissioners Office within 72 hours.

Any questions regarding the contents of this policy should be sent to Gordon Haxton at gordon@haxton.co.uk.


Book your free Confidential Financial Review 020 8977 1888