ICAS Privacy Notice

Who we are
The Institute of Chartered Accountants of Scotland (ICAS) is a professional body and regulator created by Royal Charter and having our chief office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH, United Kingdom.
Purpose
This notice explains ICAS’ approach to the personal information we handle in carrying out our duties as a professional body and regulator of Chartered Accountants.
Our commitment
ICAS is fully committed to handling personal information in accordance with data protection legislation and best data protection practices. This means that your personal information will be:
- Processed lawfully, fairly, and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Only collected so far as required for our lawful purposes.
- As accurate and up to date as possible.
- Retained for a reasonable period of time, in accordance with retention policies.
- Processed in a manner which ensures an appropriate level of security.
Whether through this notice or otherwise, we hope to ensure that everyone has a good understanding of why ICAS processes personal information and, where we do, the rights they may have.
Why does ICAS need to process personal information?
ICAS is a professional body and regulator of Chartered Accountants. In addition to representing the interests of our members, CA student members, accountancy firms, and other regulator individuals (‘affiliates’), we act in the public interest, by promoting and maintaining high professional standards in the accountancy profession.
As explained in this notice, there are various ways in which ICAS must process personal data to allow us to fulfil our role.
How does ICAS collect personal information?
Like most organisations that handle personal information, there are various ways in which ICAS collects information from the people we deal with.
- Email and written correspondence.
- Telephone discussions.
- Visitors to the ICAS website.
- Social media.
- Application forms and other information requests.
- Direct contact at CA House and elsewhere.
In nearly all instances, it should be obvious to you that ICAS is collecting your personal data.
What personal information does ICAS collect?
ICAS collects personal information to fulfil its role as a professional body and regulator of Chartered Accountants. As there are many different aspects to this role, the information requested and collected will vary from person to person.
From our members and those we regulate:
The personal information most commonly collected from ICAS members, CA student members, affiliates, and firms is as follows:
- Name.
- Contact details (including home and business addresses, email, telephone number).
- Date of birth.
- Employment details (including current and previous employers).
- Information connected to training (including exam results).
- CPD records.
- Attendance records for ICAS courses and events.
- Information relating to firms (e.g. commercial information, client data).
- Regulatory information (including applications for licenses and regulatory monitoring).
- Information in relation to investigation and disciplinary processes.
- Records of enquiries, meetings and other direct engagement.
- Copies of physical and electronic correspondence.
- Financial information.
From the public:
The personal information most commonly collected from members of the public is as follows:
- Name.
- Contact details (including home and business addresses, email, telephone number).
- Information regarding investigation and disciplinary processes.
- Records of enquiries, meetings and other direct engagement.
- Copies of physical and electronic correspondence.
What is the lawful basis for ICAS’ processing activities?
ICAS will only process personal information where we believe we have a lawful basis to do so. The basis for processing will vary from activity to activity. In some instances, processing may have more than one lawful basis.
The following information below summarises the basis on which we process personal information.
Lawful Basis | Examples of processing activities |
---|---|
Processing is necessary for ICAS to meet its legitimate interests as a professional body and regulator of Chartered Accountants, including: the maintenance of our membership database, the promotion and monitoring of professional standards, and other services we provide to various parties. |
|
Processing necessary for ICAS to comply with its legal obligations. |
|
Processing carried out in the public interest as a regulatory body and to protect members of the public. |
|
Consent |
|
Does ICAS share personal data with third parties?
Some of the processing activities set out above require ICAS to share personal information with third parties. Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.
The following is a list of the main third parties with whom ICAS shares personal information:
- ICAS Council members, as well as members of the Boards, Committees, Panels (etc) which assist us in fulfilling our role as a professional body and regulator of Chartered Accountants.
- Oversight regulators and statutory bodies (e.g. HMRC, the FRC, the Insolvency Service).
- Other professional bodies (on a ‘regulator-to-regulator’ basis).
- Software providers which allow ICAS to operate efficient digital processes, including:
- Admincontrol
- Axia Digital
- D2L (for Advantage learning support)
- Dot Digital
- EventMap
- VeryConnect (with regard to the CA Connect platform)
- Microsoft
- Cryocloud
- Proact
- Cascade
- Redstor
- Concur
- Go Cardless
- ACTi Payroll
- The River Group, as the publisher of The CA Magazine.
For practical reasons, this is an indicative, but not exhaustive list. Please also note that the list may be updated from time to time.
Where ICAS is the main training provider for apprenticeships in England & Wales, we may sub-contract teaching and other training services to BPP. As part of this engagement, ICAS will share personal data of CA Student Members with BPP and will ask BPP (on our behalf) to collect data where that is necessary for BPP to fulfil their contractual obligations. There are contractual arrangements in place between ICAS and BPP to ensure that each party meets its legal obligations, as data controller and data processor respectively.
Does ICAS share student data with employers?
In addition to the data-sharing set out in the previous section, CA student members should be aware that certain information in respect of training will be shared by ICAS and the Authorised Training Offices (ATO) which employ students. Such information is shared to enable ICAS and the ATO to operate an effective training programme.
This information includes:
- Disclosure of marks, grades or feedback related to any assessed work, including professional examinations.
- Comments or opinions on a student’s performance – written or oral – from lecturers, tutors, or other academic support staff.
- Class attendance record.
Further information is provided in the handbook for CA student members.
Who is responsible for personal data in student email accounts?
All CA Student Members have been issued with an ICAS email account, with an address ending with ‘@student.icas.com’. This is to allow for easier communication between ICAS and its students in relation to their CA training.
While ICAS has issued students with an e-mail acceptable use policy which sets out standards that must be followed when using their ICAS email account (e.g. avoiding unacceptable use, misrepresentation), ICAS does not determine the purposes for which, or the manner in which, any personal data in these emails is processed. Therefore, ICAS is not a controller for personal data processed by students using their ICAS email account, and accepts no responsibility for such processing nor for responding to data subject requests under data protection law.
ICAS monitors e-mail accounts in accordance with its acceptable use policy, however, and will investigate any complaints which a third party may raise over a student’s use of their ICAS email account.
How long does ICAS retain personal information?
The periods for which ICAS retains personal information depend on the purpose for which the information was obtained but, in general terms, we will retain personal data for so long as required by law, or as may be required for record keeping and legal claims purposes. Please contact us if you would like more information about this.
Where does ICAS store personal information?
Personal information is mostly processed by ICAS’ staff at our offices in the UK. To allow us to operate efficient digital processes, we sometimes need to store information in servers located outside the UK, but within the European Economic Area (EEA).
Given that ICAS has members and firms in more than 100 countries around the world, there may sometimes be occasions when we need to transfer information outside the EEA. Where this happens, we will take all reasonable steps to ensure that your personal information is properly protected.
CCTV
ICAS uses Closed Circuit Television (“CCTV”) in or around some of its places of business, including at CA House, Edinburgh. All use of CCTV is in accordance with the law and other guidance, including the ICO’s Code of Practice.
As more fully explained in ICAS’ CCTV Policy, ICAS only uses CCTV to the extent that it is considered a necessary and proportionate step to achieve legitimate purposes, including the following:
- To provide a safe and secure environment for ICAS employees and any visitors to ICAS’ places of business.
- To prevent the loss of or damage to ICAS’ property (including buildings and/or assets).
- To assist in the prevention of crime and assist law enforcement agencies in apprehending offenders
IP addresses
ICAS may collect information about the computer or device which is used to access icas.com. We use this information to improve the user experience, and to help us better understand the ways in which our website is used. This may include information about:
- The computer or device type.
- IP address.
- Operating system.
- Browser type and version.
- Time zone setting and browser plug-in types and versions.
This is statistical data about our users' browsing actions and patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.
Cookies
Our website makes use of cookie files to distinguish you from other users of our site, to provide you with a bespoke user experience tailored to your individual preferences. Further information is available on our cookie page.
Your rights where ICAS is processing your information
The law in the UK gives certain rights to individuals whose information is being processed by a third party. The following is a quick summary of these rights:
- Access to your information – you have the right to request a copy of the personal information about you that ICAS holds.
- Correcting your information – ICAS wants to make sure that your personal information is accurate, complete, and up to date, and so you may ask ICAS to correct any personal information about you that you believe does not meet these standards.
- Deletion of your information – You have the right to ask ICAS to delete personal information about you where:
- You consider that ICAS no longer requires the information for the purposes for which it was obtained
- ICAS is using that information with your consent and you have withdrawn your consent – see ‘withdrawing consent to using your information’ below.
- You have validly objected to ICAS' use of your personal information – see ‘objecting to how we may use your information’ below.
- ICAS' use of your personal information is contrary to law or ICAS' other legal obligations.
- Objecting to how we may use your information – you have the right at any time to require ICAS to stop using your personal information for direct marketing purposes. In addition, where ICAS uses your personal information to perform tasks carried out in the public interest, or in exercising official authority vested in it then, if you ask us to, ICAS will stop using that personal information unless there are overriding legitimate grounds to continue.
- Restricting how we may use your information – in some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold, or assessing the validity of any objection you have made to ICAS' use of your information. The right might also apply if ICAS no longer has a basis for using your personal information but you don't want ICAS to delete the data. Where this right is validly exercised, ICAS may only use the relevant personal information with your consent, for legal claims, or where there are other public interest grounds to do so.
- Withdrawing consent using your information – where ICAS uses your personal information with your consent, you may withdraw that consent at any time, and ICAS will stop using your personal information for the purpose(s) for which consent was given.
Please contact ICAS in any of the ways set out in the ‘contact information and further advice’ section if you wish to exercise any of these rights.
Changes to our privacy policy
ICAS keeps this notice under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained by emailing connect@icas.com or in writing to our office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH.
This privacy statement was last updated on 14 August 2020.
Contact information and further advice
If you have any questions which are not covered in this notice, we suggest that you email us through connect@icas.com. To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject ‘FAO Data Protection Officer’. If you would prefer to submit your questions in writing, please write to our office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH, addressing your letter to the Data Protection Officer.
Complaints
While ICAS seeks to resolve directly all complaints about how we handle personal information, you also have the right to lodge a complaint with the Information Commissioner's Office, whose contact details are as follows:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone - 0303 123 1113 (local rate) or 01625 545 745
Website - https://ico.org.uk/concerns