Fair processing notice: Licensed members
28 March 2024
The data we collect about you
- Your name, contact details and country of residence.
- Personal details like your date of birth, gender and address history
- Sensitive personal data such as ethnic background and certain health information you may voluntarily disclose in respect of your personal circumstances, such as details of disabilities
- Details of your membership and qualifications, such as your membership number, CPD details and any other information contained in your evidence of qualifications
- Details of your organisation/firm and website (required if we are your AML supervisor)
- Your insurance details such as account ID, name of provider, amount of cover and renewal date and, on registration, a copy of the policy.
- Your licence details such as licence ID and status, including for relevant licences held with other bodies.
- Your business annual turnover
- Any information received as part of your practice assurance review
- Information relating to the "fit and proper" test, including criminal convictions, insolvency, sanctions with other professional bodies or regulators and civil sanctions, health records, insurance details and personal circumstances, complaints and malpractice details.
- The name of your Money Laundering Supervisor
- The name and contact details of the Money Laundering Reporting Officer (MLRO).
You can view and update most of your personal details at any time by using the Edit My Details service. For change of name please contact our customer services team providing a copy of your marriage certificate or deed poll certificate, along with your membership number, to customersupport@aat.org.uk. Please note AAT require an official legal name.
What we do with your data and on what grounds
We can only process your personal data if we have a basis to do so which is permitted by law. This may be that you have given your consent, or it may be one of the other lawful bases for data processing. These comprise situations where it is necessary:
- for our performance of a contract with you. We process your personal data where it’s necessary in order to fulfil a contract with you or to take steps, at your request, before entering into such a contract
- for our legitimate interests. We process your personal data as and when necessary to do so in order to conduct and manage our business to provide you with the best service and experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We don’t use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law)
- to meet our legal obligations. We process your personal data where it’s necessary for compliance with legal or regulatory obligations.
Purpose/activity | Lawful basis for processing including basis of legitimate interest |
---|---|
Publish details of licensed members and supervised firms in a publicly accessible online directory on our website and retain that data as long as necessary to fulfil our legal and public interest obligations. | |
To process and manage licensed member applications. | |
Monitoring equality and accessibility to AAT courses and qualifications with regards to gender, ethnicity and disability status, including producing anonymised and aggregated statistics. | |
Product development and quality control, including to monitor engagement with third-party services. | |
To fulfil regulatory requirements relating to licensing and anti-money laundering supervision, including assessing the suitability of licensed members, monitoring CPD, carrying out practice assurance, notifying regulators and investigating any alleged breach of money laundering regulations. | |
To manage complaints and breaches of our regulatory framework and policies, including investigating incidents, publishing findings of misconduct and sanctions, any decisions to grant, refuse or terminate a licence, the findings and outcome of any appeals; and maintaining records for future reference.* | |
Managing renewal applications for licensed members, including to fulfil regulatory requirements to assess the suitability of applicants for licensing. | |
Customer support in relation to your application and membership, including: | |
Managing payment, including processing invoices and payments, including card and direct debit payments | |
To make important communications relevant to your membership. | |
Marketing and promotional communications, including to: | |
To invite people to provide feedback about an AAT product or service, and process feedback received and follow up with responses if appropriate. | |
* AAT may use information provided as part of a complaint regarding professional and licensed members for the purposes of our investigation and disciplinary process within the meaning of the Professional Standards Investigation policy, and for the prevention and detection of crime. AAT may share details of the complaint with AAT’s Discipline and Conduct Panel members, or our oversight regulators, and law enforcement agencies upon their request or where we are legally obligated to disclose information, such as the submission of suspicious activity reports to the National Crime Agency.
Hearings of AAT’s Disciplinary Tribunal in accordance with AAT’s Disciplinary Regulations and the Appeals Committee in accordance with AAT’s Appeals Regulations are open to the public and the date, time and place of any hearing and findings are publicised unless determined otherwise. This will include details of the member that a case relates to but would not include the details of the complainant. If your complaint is against a member who holds dual membership status, we may also share details with other professional bodies.
For details of your rights see our main Privacy policy.
Automated decision making
We do not currently take, and do not envisage taking, any decisions about you using solely automated means; however, we will notify you in writing if this position changes.
Who we share your personal data with
- The public, in relation to information published in the online directory of licensed members, and information regarding any disciplinary outcomes (which may include your name, membership number, alleged misconduct and sanctions)
- Supervisory and regulatory bodies (including HMRC and the Institute of Chartered Accountants in England and Wales) and your insurance providers, in connection with our anti-money laundering/licensing legal obligations
- The Shared Intelligence Service, which is an "anything known" enquiry service on individuals and firms that all participating bodies use to locate information held by other regulators
- The government Disclosure and Barring Service
If you are applying for a licence renewal, we may also share your data with:
- Our insurance providers
- HMRC, to notify them of when anti-money laundering supervision ceases
Our use of data processors
We use a third-party supplier of an IT system (Jotform) to complete student, licensed, and member applications. This system is hosted in Europe.
We use a third-party supplier of a Customer Relationship Management (CRM) IT system, hosted within the UK by our IT service provider. We also use a second CRM system, HubSpot hosted in Europe.
We also use Microsoft Office 365 to process email and for file storage, hosted within the EU, and a third-party email archive system hosted within the UK. Transfers to the EU are based on the UK adequacy decision in respect of EEA countries.
Other third-party data processors might also include:
- our third-party providers of practice assurance activity, such as the Institute of Chartered Accountants in England and Wales
- our third-party service providers of payment, user testing, IT, career management consultancy, benefits and rewards services and mailing services.
- independent investigators/expert witnesses relating to disciplinary investigations.
Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection legislation. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Where we get your data from
Other than directly from you, we may also receive personal data from the following third-party sources:
- Publicly available sources, such as returned post and information on websites
- Your insurance providers
- Professional bodies such as the Institute of Chartered Accountants in England and Wales
- Law enforcement agencies
- The Shared Intelligence Service, which is an "anything known" enquiry service on individuals and firms that all participating bodies use to locate information held by other regulators
- Parliament Hill/TRM, which provides us with details of insurance bought by licensed members (if you have consented to this sharing).
How long we keep your data
- Your basic membership records, such as name, address history, membership statuses, work experience history and other awarding bodies and practice management details will be retained for 70 years from the end of your membership to support required reporting and professional queries.
- If you’ve undertaken any AAT assessments, information on these will be retained for 70 years from the date of assessment, as will information on qualifications awarded.
- If you’ve submitted any medical evidence to support Reasonable Adjustment and Special Consideration requests, this will be retained for 7 years from the end of the adjustment period.
- Correspondence such as email is retained for a maximum of 2 years.
- Your communication preferences will be retained for two years after the end of your membership.
- Credit card details will be managed in line with the Payment Card Industry Data Security Standard (PCI DSS). We do not store or retain any electronic credit card data and use third party payment provider services to process card payments. Card data provided on hardcopy application forms will be securely destroyed once processed.
- Direct Debit instructions will be retained for 2 years from the date your direct debit is cancelled.
Transferring your data overseas
We transfer your data to the European Economic Area (EEA) and the USA, as detailed above with regards to data processors.
We rely on the Standard Contractual Clauses for data transferred to the USA to ensure the protection of the rights and freedoms of individuals concerned. Transfers to Europe are based on the UK adequacy decision with regards to EEA countries.