TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

Transcription

1 TECHNICAL RELEASE TECH 05/14BL Data Protection Handling information provided by clients

2 ABOUT ICAEW ICAEW is a world leading professional membership organisation that promotes, develops and supports over 142,000 chartered accountants worldwide. We provide qualifications and professional development, share our knowledge, insight and technical expertise, and protect the quality and integrity of the accountancy and finance profession. As leaders in accountancy, finance and business our members have the knowledge, skills and commitment to maintain the highest professional standards and integrity. Together we contribute to the success of individuals, organisations, communities and economies around the world. This Technical Release reflects consultation with the ICAEW Business Law Committee which includes representatives from public practice and the business community. The Committee is responsible for ICAEW policy on business law issues and related submissions to legislators, regulators and other external bodies. ICAEW 2014 All rights reserved. If you want to reproduce or redistribute any of the material in this publication, you should first get ICAEW s permission in writing. Laws and regulations referred to in this ICAEW Technical Release are stated as at April Every effort has been made to make sure the information it contains is accurate at the time of creation. ICAEW cannot guarantee the completeness or accuracy of the information in this ICAEW Technical Release and shall not be responsible for errors or inaccuracies. Under no circumstances shall ICAEW be liable for any reliance by you on any information in this ICAEW Technical Release. Technical Release ICAEW MM/YYXXX ISBN

3

4 CONTENTS PAGE BACKGROUND Status Introduction What types of information are subject to this Technical Release? In what capacity is Client Data held?... 5 PRACTICAL GUIDANCE Contractual and professional issues Data security Client supervision of security measures Use, relevance and retention of Client Data Telling individuals how their personal data is used Overseas data transfers general principles and inter-office data transfers... 8 APPENDIX 1: DRAFT CONTRACTUAL TERMS AND CONDITIONS... 9 Example Clauses Technical Release 05/14

5 BACKGROUND 1. Status 1.1 Technical Release 05/14 supersedes Tech7/04 which is withdrawn with immediate effect. Technical Release 05/14 is intended to guide you through the specific issues faced by professional accountants in practice and practising firms when handling personal data provided by clients. The guidance should not be relied on by practitioners outside the UK as requirements elsewhere may vary. 2. Introduction 2.1 The Data Protection Act 1998 (DPA) was enacted as part of a wider European framework and all EU member states and the countries of the European Economic Area (EEA) have similar legislation. The DPA protects an individual s personal data and is based upon eight principles which are considered in more detail in Helpsheet Helpsheet 17 Data Protection is issued by ICAEW and is available free of charge to members. It covers general data protection issues including: A more detailed explanation of the data protection principles The notification obligations imposed by the DPA Other issues relevant to personal data held by accountants 2.3 Breaches of the DPA may lead to serious financial and/or reputational damage. This may be through direct fines from the Information Commissioner s Office (ICO) and/or damages payable to individuals or clients, and/or in some instances it could result in a criminal conviction. 3. What types of information are subject to this Technical Release? 3.1 This Technical Release applies to Client Data. This means personal data supplied by clients in connection with a professional engagement. It also includes personal data provided by third parties to a firm in relation to that client s affairs. 3.2 The Technical Release does not apply to Firm Data. This is personal data held by a firm in relation to their own employees or for its own management purposes, which is dealt with more fully in Helpsheet Personal data means all information that relates to a living individual who can be identified either from that information or in conjunction with other information held. 4. In what capacity is Client Data held? 4.1 Data protection laws categorise organisations into those responsible for deciding why and how personal data is used ( data controllers ) and those who simply act on the instructions of another ( data processors ). 4.2 The Information Commissioner has issued guidance 1 that suggests a firm is always a data controller - this can, however, be solely or jointly with the client. This is because the firm will usually have flexibility over the manner in which it provides services to its clients and may not be simply acting on their instructions. A firm can also act as a data processor in circumstances where the relationship suggests close control by the client. However, this categorisation depends on all the circumstances, including factors such as the nature of the services provided and the contractual relationship with the client. At one extreme, a 1 Data controllers and data processors: what the difference is and what the governance implications are, 27 May 2014 TECHINCAL RELEASE 05/14 5

6 firm will be a data controller where it determines both the purpose and means of the processing. Whereas at the other, a firm which relies on the processing instructions as set out in the scope of the engagement terms will more likely be a data processor. Additional considerations apply to insolvency practioners that is beyond the scope of this guidance, but further information can be found on the ICAEW website. 4.3 In practice, these considerations should make little difference to the way Client Data is handled. So long as the rights of individuals are respected, the question of whether the firm acts as data processor or data controller may be less important. Practical steps all firms should take when handing Client Data are set out below and the core requirements for professional confidentiality and integrity will apply in all cases. 4.4 The remainder of this Technical Release is intended to apply regardless of whether or not the firm is a data controller, joint data controller or data processor. However, the distinction does have a number of legal consequences. The most important of these is that only data controllers (including joint data controllers) are subject to the DPA. Therefore, regulatory sanctions cannot be imposed on a firm by the Information Commissioners Office if it acts as data processor, though data processors might still be subject to reputational damage, professional disciplinary action and be liable for damages to clients. Therefore, in some cases, firms may wish to seek legal advice on this topic in light of the Information Commissioner s guidance and based on their own particular circumstances. PRACTICAL GUIDANCE 5. Contractual and professional issues 5.1 Firms should structure engagements in a way that: Accurately records the contractual relationship between the parties Apportions the responsibilities for dealing with individuals Complies with the DPA and all applicable professional ethics and standards Keeps the information secure 5.2 Suggested terms and conditions for engagement letters are contained in Appendix 1. The wording can be used regardless of whether the firm is a data controller or data processor. 5.3 Where a firm provides Client Data to third parties as part of an engagement, it should ensure such disclosures are authorised by the client and that the information will be subject to appropriate protections once it is in the hands of the third party. 6. Data security 6.1 A firm must ensure Client Data is held securely. This is as much a matter of professional conduct as it is a necessary part of DPA compliance. 6.2 A firm should implement technical and procedural measures. In establishing those measures, a firm may consider what is proportionate and appropriate to its circumstances, such as the nature of the personal data held and the harm that may result from a security breach. 6.3 The examples below describe some technical measures firms should consider to comply with the security obligations under the DPA: Encrypt electronic data on laptops and memory sticks; Encrypt attachments if they contain substantial amounts of personal data; 6 Technical Release 05/14

7 DATA PROTECTION- HANDLING INFORMATION PROVIDED BY CLIENTS Shred and dispose of hard copy documents appropriately; Store backup copies of data securely and separately from live files; Destroy backup data once it is unnecessary to retain it; Ensure passwords are changed regularly and are only known to personnel authorised to access the personal data. 6.4 The examples below describe some of the other measures firms should consider to comply with the security obligations under the DPA: Provide training to employees regarding their specific responsibilities and the firm s wider responsibilities under the DPA; Designate an information security officer with responsible for information security; Ensure that the firm s sub-contractors and suppliers also keep personal data secure; Control physical access to buildings and rooms to ensure that only authorised personnel may enter; Ensure sufficient protections against burglary, fire and natural disaster; Protect data from casual passers-by (ie, offices with visibility through windows, presentations at client offices); Enforce a clear desk policy. 6.5 Firms should review these measures on a regular basis. 7. Client supervision of security measures 7.1 Where the firm acts as data processor, the client has regulatory responsibility for the firm s actions. In particular, the client must ensure the firm keeps Client Data secure. 7.2 To satisfy this obligation, the client will need a written contract with the firm that obliges the firm to act only on the client s instructions and keep Client Data secure. Appendix 1 contains suitable wording. 7.3 Clients may also try to impose additional obligations on firms, such as requiring a firm to encrypt Client Data. Firms will need to consider if they are in a position to comply with those obligations. One particular problem is where the client asks to audit the firm s technical and organisational security measures. There is no strict requirement on the client to carry out an audit so it may be more appropriate for a firm to provide information about its security measures instead. Where a firm agrees to an audit request it must comply with the confidentiality duties owed to other clients as a matter of professional conduct and ensure that those duties are not breached. 8. Use, relevance and retention of Client Data 8.1 The firm should only use the Client Data for the provision of services to the client and not for its own purposes. For example, it would almost certainly be professionally inappropriate and a breach of the DPA to use a client s customer data for the firm s own marketing purposes. 8.2 The firm should ensure the Client Data it accesses or uses to provide services is appropriate. If the client provides Client Data that is clearly inappropriate or not relevant to the services provided by that firm, the firm should discuss the matter with the client with a view to limiting the amount of Client Data provided in the future. This is particularly the case if the Client Data contains sensitive personal data, for example medical information, criminal records or information about an individual s sexual preferences. Technical Release 05/14 7

8 8.3 The firm should consider how long it keeps copies of Client Data. Client Data should be destroyed or returned to the client once it is no longer needed, subject to any other legal or professional duties to keep copies of that data. 9. Telling individuals how their personal data is used 9.1 The DPA imposes a general obligation to tell individuals who holds their personal data and what it is being used for. This is often done by means of a privacy notice which can be provided to individuals in hardcopy or electronic form or published on the firm s or its client s website. No prescribed form exists for an accountancy firm, but it should correspond with the purposes noted in the firm s registration with the ICO and the engagement terms. 9.2 For Client Data, it will normally be more appropriate for the client to be responsible for this obligation as it has the relationship with the underlying individuals. 9.3 This obligation is also relevant for Firm Data, for example advising staff on how and why personal data is collected and processed; further guidance is in Helpsheet Individuals also have a legal right to access copies of their personal data. Where such a request is made to a firm in respect of Client Data, the firm should normally inform the client. Responding to requests can be complex so the firm should consult with the client and may also wish to obtain legal advice. It is also important to deal with the request in a timely manner as a response must be provided to the individual promptly and, in any event, within 40 days. Accordingly, firms may wish to clarify with their clients in advance each party s responsibilities and expectations in order to comply with such a request. 10. Overseas data transfers general principles and inter-office data transfers 10.1 The DPA allows overseas data transfers in certain circumstances, the most common of which are: To a country within the EEA 2 ; To a country deemed by the European Commission to have an adequate level of data protection requirements 3 ; Made using European Commission approved model clauses or Binding Corporate Rules; or To a US organisation which is certified with the US Safe Harbor 4 scheme If these do not apply, the transfer may still be made if the firm is able to rely on another justification such as satisfying one of the conditions in Schedule 4 of the DPA. This is a complex area of law and the solution adopted varies depending on whether the firm acts as data controller or data processor. In many circumstances firms will need to seek specialist legal advice where looking to transfer personal data outside of the UK, for their own protection. For example, where firms are subcontracting book-keeping functions abroad, they will need to ensure that appropriate due diligence has been undertaken to check that the subcontractor has appropriate standards of integrity and adequate systems for data protection, as well as that there are appropriate contractual terms in place. 2 List available at 3 List available at 4 List available at 8 Technical Release 05/14

9 DATA PROTECTION- HANDLING INFORMATION PROVIDED BY CLIENTS APPENDIX 1: DRAFT CONTRACTUAL TERMS AND CONDITIONS Note: These clauses are examples rather than ICAEW requirements. They do not specify whether the firm acts as data controller or data processor. Firms with a particular desire to act in one or other capacity may wish to amend these clauses accordingly. These clauses also assume that there is a separate confidentiality clause under which the firm undertakes to use the client s information only for the purpose of providing services to that client or as otherwise required by law. Example Clauses This clause applies to personal data provided by, or on behalf of, [CLIENT] in connection with this Agreement or any Engagement Letter. Each party shall comply with the Data Protection Act 1998 (DPA) when processing such personal data. In particular, [CLIENT] shall ensure that any disclosure of personal data to [ACCOUNTANT] complies with the DPA. [ACCOUNTANT] shall use appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. [ACCOUNTANT] shall not sub-contract any processing of personal data unless that personal data continues to be subject to an appropriate level of protection. To the extent [ACCOUNTANT] acts as data processor for [CLIENT], it shall only process personal data in accordance with [CLIENT S] instructions. [ACCOUNTANT] shall notify [CLIENT] in [X] working days in the event of an individual asking for copies of their personal data, a complaint about processing of personal data or a notice from a relevant Data Protection Authority. [CLIENT] and [ACCOUNTANT] shall consult and co-operate with each other when responding to any such request, complaint or notice. [ACCOUNTANT] shall answer [CLIENT] reasonable enquiries to enable [CLIENT] to monitor compliance with this clause. Technical Release 05/14 9