ICAS Privacy Notice
Who we are
The Institute of Chartered Accountants of Scotland (ICAS) is a professional body and regulator created by Royal Charter and having our chief office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH, United Kingdom.
Purpose
This notice explains ICAS’ approach to the personal information we handle in carrying out our duties as a professional body and regulator of Chartered Accountants. For the purposes of this Notice, we act as a controller of personal information, which means we are responsible for deciding how we process your personal information.
Our commitment
ICAS is fully committed to handling personal information in accordance with data protection legislation and best data protection practices. This means that your personal information will be:
- Processed lawfully, fairly, and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Only collected so far as required for our lawful purposes.
- As accurate and up to date as possible.
- Retained for a reasonable period of time, in accordance with retention policies.
- Processed in a manner which ensures an appropriate level of security.
Whether through this notice or otherwise, we hope to ensure that everyone has a good understanding of why ICAS processes personal information and, where we do, the rights they may have.
Why does ICAS need to process personal information?
ICAS is a professional body and regulator of Chartered Accountants. In addition to representing the interests of our members, CA student members, accountancy firms, and other regulated individuals (‘affiliates’), we act in the public interest, by promoting and maintaining high professional standards in the accountancy profession.
To make reading this notice easier, we refer to the collection, usage, storage, sharing, management and protection of personal information as processing.
As explained in this notice, there are various ways in which ICAS must process personal information to allow us to fulfil our role. In this notice, personal information means information about you from which you can be identified.
How does ICAS collect personal information?
Like most organisations that handle personal information, there are various ways in which ICAS collects information from the people we deal with. We collect personal information directly from you, including through:
- Email and written correspondence.
- Telephone discussions.
- Visitors to the ICAS website.
- Social media.
- Application forms and other information requests.
- Direct contact at CA House and elsewhere.
In nearly all instances, it should be obvious to you that ICAS is collecting your personal data, when you are:
- A member, or applying to become a member (including when you are a student)
- Sitting an examination
- Interacting with us as a member of the public
- Visiting our website
- Supplying us with goods or services (or your employer supplies us with goods or services)
- Attending an event
What personal information does ICAS collect?
ICAS collects personal information to fulfil its role as a professional body and regulator of Chartered Accountants. As there are many different aspects to this role, the information requested and collected will vary from person to person.
From our members and those we regulate:
The personal information most commonly collected from ICAS members, CA student members, affiliates, and firms is as follows:
- Name.
- Contact details (including home and business addresses, email, telephone number).
- Date of birth.
- Employment details (including current and previous employers).
- Information connected to training (including exam results).
- CPD records.
- Attendance records for ICAS courses and events.
- Information relating to firms (e.g. commercial information, client data).
- Regulatory information (including applications for licenses and regulatory monitoring).
- Information in relation to investigation and disciplinary processes.
- Records of enquiries, meetings and other direct engagement.
- Copies of physical and electronic correspondence.
- Special category data (sensitive data), which requires us to ensure a higher level of protection, including information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, criminal convictions, offences or alleged offences, genetic data or biometric data for ID purposes. We will only collect and use special category data where we need to and if the law allows us to.
- Diversity data and information relating to the background of ICAS members as part of ICAS' commitment to diversity, equity, and inclusion. While diversity data may include information which is special category data, such as ethnic origins, disability and religion, it may also include information which is not special category data, such as social mobility, educational background, parental income and entitlement to free school meals.
From the public:
The personal information most commonly collected from members of the public is as follows:
- Name.
- Contact details (including home and business addresses, email, telephone number).
- Information regarding investigation and disciplinary processes.
- Records of enquiries, meetings and other direct engagement.
- Copies of physical and electronic correspondence.
Your personal information does not include personal information where identifiers that associate that data with you have been removed. We term this anonymous data. Aggregated data could be derived from your personal information but is not considered personal information in law as this data will not directly or indirectly reveal your identity. We may collect, use and share aggregated data such as statistical or demographic data for any purpose.
Where we need your personal information to enter into or perform a contract with you then if you don’t provide it, we may not be able to perform the contract we have or are trying to enter into with you.
What is the lawful basis for ICAS’ processing activities?
ICAS will only process personal information where we have a lawful basis to do so. The basis for processing will vary from activity to activity. In some instances, processing may have more than one lawful basis.
The table below summarises the basis on which we process personal information. It also provides a non-exhaustive list of examples of processing activities.
Lawful Basis | Examples of processing activities |
---|---|
Processing is necessary for ICAS to meet its legitimate interests as a professional body and regulator of Chartered Accountants. | |
Processing necessary for ICAS to comply with its legal obligations. | |
Processing carried out in the public interest as a regulatory body and to protect members of the public. | |
Consent | |
Legitimate interests | |
Processing carried out to review equality of opportunity or treatment | |
Processing carried out in the public interest to promote equality of opportunity or treatment (for processing of special category data) | |
Does ICAS share personal data with third parties?
Some of the processing activities set out above require ICAS to share personal information with third parties. Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.
The following is a list of the main third parties with whom ICAS shares personal information:
- ICAS Council members, as well as members of the Boards, Committees, Panels (etc) which assist us in fulfilling our role as a professional body and regulator of Chartered Accountants.
- Oversight regulators and statutory bodies (e.g. HMRC, the FRC, the Insolvency Service).
- Other professional bodies (on a ‘regulator-to-regulator’ basis).
- Software providers which allow ICAS to operate efficient digital processes, including:
  - Admincontrol
  - Axia Digital
  - Cirrus
  - D2L (for Advantage learning support)
  - Datavita
  - Dot Digital
  - Druva
  - EventMap
  - Microsoft
  - Cryocloud
  - Proact
  - Proctorio
  - Cascade
  - Redstor
  - Concur
  - Go Cardless
  - ACTi Payroll
- The River Group, as the publisher of The CA Magazine.
For practical reasons, this is an indicative, but not exhaustive list. Please also note that the list may be updated from time to time.
Does ICAS share student data with employers?
In addition to the data-sharing set out in the previous section, CA student members should be aware that certain information in respect of training will be shared by ICAS and the Authorised Training Offices (ATO) which employ students. Such information is shared to enable ICAS and the ATO to operate an effective training programme.
This information includes:
- Disclosure of marks, grades or feedback related to any assessed work, including professional examinations.
- Comments or opinions on a student’s performance – written or oral – from lecturers, tutors, or other academic support staff.
- Class attendance record.
- Any other information lawfully required to ensure that we can promote and safeguard the rights and interests of members/students in all matters affecting the profession. Such information would be shared on the lawful basis of protecting an individual's vital interests and safeguarding any individuals at risk.
Further information is provided in the handbook for CA student members.
Who is responsible for personal data in student email accounts?
All CA Student Members have been issued with an ICAS email account, with an address ending with ‘@student.icas.com’. This is to allow for easier communication between ICAS and its students in relation to their CA training.
While ICAS has issued students with an e-mail acceptable use policy which sets out standards that must be followed when using their ICAS email account (e.g. avoiding unacceptable use, misrepresentation), ICAS does not determine the purposes for which, or the manner in which, any personal data in these emails is processed. Therefore, ICAS is not a controller for personal data processed by students using their ICAS email account, and accepts no responsibility for such processing nor for responding to data subject requests under data protection law.
ICAS monitors e-mail accounts in accordance with its acceptable use policy, however, and will investigate any complaints which a third party may raise over a student’s use of their ICAS email account.
How long does ICAS retain personal information?
The periods for which ICAS retains personal information depend on the purpose for which the information was obtained but, in general terms, we will retain personal data for so long as required and authorised by law, or as may be required and authorised for record keeping and legal claims purposes. Please contact us if you would like more information about this.
Where does ICAS store personal information?
Personal information is mostly processed by ICAS’ staff at our offices in the UK. To allow us to operate efficient digital processes, we sometimes need to store information in servers located outside the UK, but within the European Economic Area (EEA).
Given that ICAS has members and firms in more than 100 countries around the world, there may sometimes be occasions when we need to transfer information outside the EEA. Where this happens, we will take all reasonable steps to ensure that your personal information is properly protected to comply with applicable law regarding such transfers. Where such transfers require appropriate or suitable safeguards recognised under UK data protection laws, we may rely on them.
CCTV
ICAS uses Closed Circuit Television (“CCTV”) in or around some of its places of business, including at CA House, Edinburgh. All use of CCTV is in accordance with the law and other guidance, including the ICO’s Code of Practice.
As more fully explained in ICAS’ CCTV Policy, ICAS only uses CCTV to the extent that it is considered a necessary and proportionate step to achieve legitimate purposes, including the following:
- To provide a safe and secure environment for ICAS employees and any visitors to ICAS’ places of business.
- To prevent the loss of or damage to ICAS’ property (including buildings and/or assets).
- To assist in the prevention of crime and assist law enforcement agencies in apprehending offenders.
IP addresses
ICAS may collect information about the computer or device which is used to access icas.com. We use this information to improve the user experience, and to help us better understand the ways in which our website is used. This may include information about:
- The computer or device type.
- IP address.
- Operating system.
- Browser type and version.
- Time zone setting and browser plug-in types and versions.
This is statistical data about our users' browsing actions and patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.
Cookies
Our website makes use of cookie files to distinguish you from other users of our site, to provide you with a bespoke user experience tailored to your individual preferences. Further information is available on our cookie page.
Your rights where ICAS is processing your information
The law in the UK gives certain rights to individuals whose information is being processed by a third party. The following is a quick summary of these rights:
- Access to your information – you have the right to request a copy of the personal information about you that ICAS holds.
- Correcting your information – ICAS wants to make sure that your personal information is accurate, complete, and up to date, and so you may ask ICAS to correct any personal information about you that you believe does not meet these standards.
- Deletion of your information – You have the right to ask ICAS to delete personal information about you where:
  - You consider that ICAS no longer requires the information for the purposes for which it was obtained.
  - ICAS is using that information with your consent and you have withdrawn your consent – see ‘withdrawing consent to using your information’ below.
  - You have validly objected to ICAS' use of your personal information – see ‘objecting to how we may use your information’ below.
  - ICAS' use of your personal information is contrary to law or ICAS' other legal obligations.
- Objecting to how we may use your information – you have the right at any time to require ICAS to stop using your personal information for direct marketing purposes. In addition, where ICAS uses your personal information to perform tasks carried out in the public interest, or in exercising official authority vested in it then, if you ask us to, ICAS will stop using that personal information unless there are overriding legitimate grounds to continue.
- Restricting how we may use your information – in some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold, or assessing the validity of any objection you have made to ICAS' use of your information. The right might also apply if ICAS no longer has a basis for using your personal information but you don't want ICAS to delete the data. Where this right is validly exercised, ICAS may only use the relevant personal information with your consent, for legal claims, or where there are other public interest grounds to do so.
- Withdrawing consent to using your information – where ICAS uses your personal information with your consent, you may withdraw that consent at any time, and ICAS will stop using your personal information for the purpose(s) for which consent was given.
Please contact ICAS in any of the ways set out in the ‘contact information and further advice’ section if you wish to exercise any of these rights.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Changes to our privacy policy
ICAS keeps this notice under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained by emailing connect@icas.com or in writing to our office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH.
This privacy statement was last updated on 29 December 2023.
Contact information and further advice
If you have any questions which are not covered in this notice, we suggest that you email us through connect@icas.com. To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject: ‘FAO Data Protection Officer’. If you would prefer to submit your questions in writing, please write to our office at CA House, 21 Haymarket Yards, Edinburgh EH12 5BH, addressing your letter to the Data Protection Officer.
Complaints
While ICAS seeks to resolve directly all complaints about how we handle personal information, you also have the right to lodge a complaint with the Information Commissioner's Office, whose contact details are as follows:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone - 0303 123 1113 (local rate) or 01625 545 745
Website - https://ico.org.uk/concerns