CA Plus Data Protection

Community Accounting Plus – Data Protection Policy

Contents:

  1. Principles
  2. Responsibility
  3. Practical action
  4. Communications
  5. Consent
  6. Data cleansing and maintenance

1. Principles.

CA Plus only uses data in the achievement of our charitable objectives. We hold data for organisations and also personal data for individuals. In practice this involves maintaining data that is required in the delivery of services and support to client organisations.  Data is also be maintained whilst potential clients are considering using our services. Some individuals provide personal data, for example their email address, if they wish to go on our general newsletter list.

CA plus fully supports the basic principles of data protection:

  • Personal data shall be processed fairly and lawfully
  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects under the EU General Data Protection Regulation (GDPR). This will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

2. Responsibility

Responsibility for this policy and its implementation rests with the Chief Executive. CA Plus is not required to appoint a Data Protection Officer.

All staff, volunteers and trustees are expected to act with appropriate care and attention and comply with the procedures and general principles of this policy.

3. Data storage

The following list is not exhaustive and circumstances may arise where processes and procedures are not explicit. A degree of common sense is expected, and where necessary, this policy can be amended at any time by the Trustees.

CIVI
This is the main system for storing client data. It is an online system, with access restricted to CA Plus staff via username and password protection and our technical support provider GMCVO.

GMCVO ensure data is backed up and stored securely under our service contract.

Physical files
Physical files relating to CA Plus staff are kept in a locked filing cabinet within our offices. Key held by the Payroll Manager. Current physical client Payroll files are stored in the payroll office. The NCVS file, given some CVS cleaning staff have access to the office, is kept in the locked cabinet.
No physical files containing personal data shall be taken off site without the client’s consent.
Other client files (e.g. accounts) do not usually contain any personal data. Any data held whilst working on the file, e.g. bank statements or payroll information is shredded once the work is completed.

Archived physical files are stored offsite with Whitefields Ltd securely and under contract. Files are collected by Whitefields from our office and destroyed after 6 years. The Administrator maintains a record of all files held offsite.

Digital files

All client organisations have a unique data folder within the Office 365 system. These digital files are stored online, where username and log in is required, with access restricted to CA plus staff and, when required, our IT support provider.

SAGE: For payroll clients, data is stored within SAGE payroll software where username and log in is required. Each client has a separate company file which will contain personal data. Access is restricted to CA Plus staff and, when required, our IT support provider and SAGE support staff. These files are backed up online and to a server located in the CA Plus office.

DIGITA: For accounts production, some personal data may be stored in Digita, e.g. names and addresses of client trustees. Each client has a separate company file which will contain personal data. Access is restricted to CA plus staff. These files are backed up to a server, within the CA Plus office.

Thomson Reuters – who provide the software – have provided a commitment under GDPR . This is saved in the CA Plus policies and procedures folder alongside this policy.

QuickBooks online- Many clients use this system. Data files are not held by CA Plus but by Intuit who provide the software. Our own accounting records are in QuickBooks and do contain names, addresses, email addresses and phone numbers of clients and suppliers. Access to the QuickBooks file is restricted to CA Plus staff.

Intuit – who provide the software – have provided a commitment under GDPR . This is saved in the CA Plus policies and procedures folder alongside this policy.

CA Plus personnel files -are also within Office 365 with access restricted to the Payroll Manager and CEO.

With remote access facilities and using Office 365, it is rare that any personal data needs to be taken off site in digital form.  Client files for accounts, working papers, backups of client accounting records etc. may occasionally be stored on data sticks temporarily. Any data stick used for this purpose will be password protected.

Office access

Access to our own offices is restricted by secure doors. It is restricted to CA Plus staff, invited visitors and the NCVS premises and cleaning staff.

No visitors shall be left unattended in the 2 main offices.

4. Communications

Clients sending data to CA Plus are responsible for the security of their own data until it reaches the control of CA Plus.

The only personal data sent externally by CA Plus is Payroll information, e.g. payslips. This is usually done using our secure encryption email service. This also allows clients to reply to these emails thus encrypting their own data transfers.
Clients may request payroll information (payslips) are sent by post rather than email.

Communication with clients will be either:

  • In delivery or services, or
  • In response to a request for information, e.g. about potential services, or
  • As part of a general mailing for which the individual has subscribed.

5. Consent

Personal data is only held for 2 reasons:
1. The data is required in order to deliver the service that the client has requested.
2. The data is stored automatically in CIVI if the individual has signed up for our regular newsletter.

Unsubscribe is possible at any time and an unsubscribe link is on all bulk emails.

No personal data will be shared with anyone outside of CA Plus, unless required by a relevant statutory authority or under our reporting obligations, for example to the Charity Commission.

The CA Plus Privacy Policy is on our website and available to clients on request.

All service agreements contain clauses on confidentiality and data management.
 

6.  Data cleansing and maintenance

All staff have a responsibility to ensure data maintained is accurate on the systems they use.

On CIVI, if a staff member is alerted to a change, they are to ensure this is entered e.g. a new phone number. The CSC continually monitors CIVI to ensure data integrity

At least once a year, all individual contacts on CIVI will be asked via a web form to confirm the accuracy of data we hold and their communication preferences.

Archived physical files stored offsite are destroyed after 6 years.  Digital files of ex clients, within SAGE or Office 365, are not deleted.

 

Approved by the board                  1st Qtr 2018

Date for next review                       1st Qtr 2021