ICAS Privacy Notice

Who we are
The Institute of Chartered Accountants of Scotland (ICAS) is a professional body and regulator created by Royal Charter and having our chief office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH, United Kingdom.

Purpose
This notice explains ICAS’ approach to the personal information we handle in carrying out our duties as a professional body and regulator of Chartered Accountants.

Our commitment
ICAS is fully committed to handling personal information in accordance with data protection legislation and best data protection practices. This means that your personal information will be:

  1. Processed lawfully, fairly, and in a transparent manner.
  2. Collected for specified, explicit and legitimate purposes.
  3. Only collected so far as required for our lawful purposes.
  4. As accurate and up to date as possible.
  5. Retained for a reasonable period of time, in accordance with retention policies.
  6. Processed in a manner which ensures an appropriate level of security.

Whether through this notice or otherwise, we hope to ensure that everyone has a good understanding of why ICAS processes personal information and, where we do, the rights they may have.

Why does ICAS need to process personal information?

ICAS is a professional body and regulator of Chartered Accountants. In addition to representing the interests of our members, CA student members, accountancy firms, and other regulated individuals (‘affiliates’), we act in the public interest by promoting and maintaining high professional standards in the accountancy profession.

As explained in this notice, there are various ways in which ICAS must process personal data to allow us to fulfil our role.

How does ICAS collect personal information?

Like most organisations that handle personal information, there are various ways in which ICAS collects information from the people we deal with.

  • Email and written correspondence.
  • Telephone discussions.
  • Visitors to the ICAS website.
  • Social media.
  • Application forms and other information requests.
  • Direct contact at CA House and elsewhere.

In nearly all instances, it should be obvious to you that ICAS is collecting your personal data.

What personal information does ICAS collect?

ICAS collects personal information to fulfil its role as a professional body and regulator of Chartered Accountants. As there are many different aspects to this role, the information requested and collected will vary from person to person.

From our members and those we regulate:
The personal information most commonly collected from ICAS members, CA student members, affiliates, and firms is as follows:

  • Name.
  • Contact details (including home and business addresses, email, telephone number).
  • Date of birth.
  • Employment details (including current and previous employers).
  • Information connected to training (including exam results).
  • CPD records.
  • Attendance records for ICAS courses and events.
  • Regulatory information (including applications for licences and regulatory monitoring).
  • Information regarding investigation and disciplinary processes.
  • Records of enquiries, meetings and other direct engagement.
  • Copies of physical and electronic correspondence.
  • Financial information.

From the public:
The personal information most commonly collected from members of the public is as follows:

  • Name.
  • Contact details (including home and business addresses, email, telephone number).
  • Information regarding investigation and disciplinary processes.
  • Records of enquiries, meetings and other direct engagement.
  • Copies of physical and electronic correspondence.

What is the lawful basis for ICAS’ processing activities?

ICAS will only process personal information where we believe we have a lawful basis to do so. The basis for processing will vary from activity to activity. In some instances, processing may have more than one lawful basis.

The information below summarises the basis on which we process personal information.

Lawful basis and examples of processing activities

Processing is necessary for ICAS to meet its legitimate interests as a professional body and regulator of Chartered Accountants, including the maintenance of our membership database, the promotion and monitoring of professional standards, and other services we provide to various parties.

  • General administration for maintaining our membership.

  • Maintaining a membership database.

  • Corresponding with members in respect of their ongoing membership, including Annual Renewals, subscriptions, CPD etc.

  • Regulatory activity (e.g. licences, monitoring etc).

  • Investigations and discipline.

  • Enabling members to attain satisfactory CPD by providing information about courses and events.

  • Enabling members to have satisfactory technical knowledge by providing updates and other information.

  • Information connected to training.

Processing carried out in the public interest as a regulatory body and to protect members of the public.

  • Maintaining a public online directory of members.

  • Regulatory activity (e.g. licences, monitoring etc).

  • Investigations and discipline.

Processing necessary for ICAS to comply with its legal obligations.

  • Providing information to oversight regulators (including the FRC and the Insolvency Service).

  • Providing information to statutory bodies (e.g. HMRC).

  • Providing information to law enforcement agencies.

Consent

  • Allowing members to contact one another using ‘CA Connect’.

  • Providing information on offers and discounts we have negotiated for members.

  • Publishing attendance lists for ICAS courses and events.

  • Publishing addresses in our online directory of members.

Does ICAS share personal data with third parties?

Some of the processing activities set out above require ICAS to share personal information with third parties. Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.

The following is a list of the main third parties with whom ICAS shares personal information:

  • ICAS Council members, as well as members of the Boards, Committees, Panels (etc) which assist us in fulfilling our role as a professional body and regulator of Chartered Accountants.
  • Oversight regulators and statutory bodies (e.g. HMRC, the FRC, the Insolvency Service).
  • Other professional bodies (on a ‘regulator-to-regulator’ basis).
  • Software providers which allow ICAS to operate efficient digital processes, including:
    • Marketo
    • Quercus
    • Microsoft
    • Cryocloud
    • Proact
    • Cascade
    • Redstor
    • Concur
    • Go Cardless
    • ACTi Payroll
  • Think Publishing Limited, as the publisher of The CA Magazine.

For practical reasons, this is an indicative, but not exhaustive list. Please also note that the list may be updated from time to time.

How long does ICAS retain personal information?

The periods for which ICAS retains personal information depend on the purpose for which the information was obtained but, in general terms, we will retain personal data for so long as required by law, or as may be required for record keeping and legal claims purposes.

Where does ICAS store personal information?

Personal information is mostly processed by ICAS’ staff at our offices in the UK. To allow us to operate efficient digital processes, we sometimes need to store information on servers located outside the UK, but within the European Economic Area (EEA).

Given that ICAS has members and firms in more than 100 countries around the world, there may sometimes be occasions when we need to transfer information outside the EEA. Where this happens, we will take all reasonable steps to ensure that your personal information is properly protected.

IP addresses

ICAS may collect information about the computer or device which is used to access icas.com. We use this information to improve the user experience, and to help us better understand the ways in which our website is used. This may include information about:

  • The computer or device type.
  • IP address.
  • Operating system.
  • Browser type and version.
  • Time zone setting and browser plug-in types and versions.

This is statistical data about our users' browsing actions and patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.

Cookies

Our website makes use of cookie files to distinguish you from other users of our site, to provide you with a bespoke user experience tailored to your individual preferences. A cookie file (a small file of letters and numbers) will be placed on your computer or other access device each time you visit our site.

ICAS also uses analytical cookie files. These allow us to recognise and count the number of visitors to our site and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily.

If you wish to delete any such cookie files, please refer to the instructions for your file management software to locate the file or directory that stores cookies. Our cookies will contain the domain name icas.com within the file name.

You may refuse to accept cookie files when visiting our site by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you choose this setting, you may not get an optimal website experience and may be unable to access certain parts of our site.

Your rights where ICAS is processing your information

The law in the UK gives certain rights to individuals whose information is being processed by a third party. The following is a quick summary of these rights:

  • Access to your information – you have the right to request a copy of the personal information about you that ICAS holds.
  • Correcting your information – ICAS wants to make sure that your personal information is accurate, complete, and up to date, and so you may ask ICAS to correct any personal information about you that you believe does not meet these standards.
  • Deletion of your information – You have the right to ask ICAS to delete personal information about you where:
    • You consider that ICAS no longer requires the information for the purposes for which it was obtained.
    • ICAS is using that information with your consent and you have withdrawn your consent – see ‘withdrawing consent to using your information’ below.
    • You have validly objected to ICAS' use of your personal information – see ‘objecting to how we may use your information’ below.
    • ICAS' use of your personal information is contrary to law or ICAS' other legal obligations.
  • Objecting to how we may use your information – you have the right at any time to require ICAS to stop using your personal information for direct marketing purposes. In addition, where ICAS uses your personal information to perform tasks carried out in the public interest, or in exercising official authority vested in it then, if you ask us to, ICAS will stop using that personal information unless there are overriding legitimate grounds to continue.
  • Restricting how we may use your information – in some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold, or assessing the validity of any objection you have made to ICAS' use of your information. The right might also apply if ICAS no longer has a basis for using your personal information but you don't want ICAS to delete the data.  Where this right is validly exercised, ICAS may only use the relevant personal information with your consent, for legal claims, or where there are other public interest grounds to do so.
  • Withdrawing consent to using your information – where ICAS uses your personal information with your consent, you may withdraw that consent at any time, and ICAS will stop using your personal information for the purpose(s) for which consent was given.

Please contact ICAS in any of the ways set out in the ‘contact information and further advice’ section if you wish to exercise any of these rights.

Changes to our privacy policy

ICAS keeps this notice under regular review and will place any updates on this website.  Paper copies of the privacy statement may also be obtained by emailing regulation@icas.com or in writing to our office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH.

This privacy statement was last updated on 7 November 2017.

Contact information and further advice

If you have any questions which are not covered in this notice, we suggest that you email us at regulation@icas.com. To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject: ‘FAO Data Protection Officer’. If you would prefer to submit your questions in writing, please write to our office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH, addressing your letter to the Data Protection Officer.

Complaints

While ICAS seeks to resolve directly all complaints about how we handle personal information, you also have the right to lodge a complaint with the Information Commissioner's Office, whose contact details are as follows:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone - 0303 123 1113 (local rate) or 01625 545 745

Website - https://ico.org.uk/concerns
