Fair processing notice: Professional members
28 March 2024
This fair processing notice applies to AAT professional members, including those applying for full membership (MAAT), fellow membership (FMAAT), and bookkeeping membership (AATQB).
The data we collect about you
- Your name, contact details and country of residence
- Personal details like your date of birth, gender and address history
- Employment details like your organisation name and job title
- Details of your membership with us and other awarding bodies, such as your AAT membership ID, membership approval date and all status changes regarding your membership
- Your education and business information, such as your qualification records, CPD details, professional references, work experience history, membership of other Awarding Bodies and Practice Management
- Payment information, including your bank details for direct debit payments
- Sensitive personal data such as ethnic background and certain health information you may voluntarily disclose in respect of your personal circumstances, such as details of disabilities
- Responses to Fit and Proper assessment and relevant investigation data, including insolvency, sanctions with other professional bodies or regulators and civil sanctions, personal circumstances, and criminal convictions and offences
- Any other relevant personal information contained in your application forms, supporting documents uploaded (such as your photo ID) with your application, or that you may provide to us with consent (such as responses to surveys and personal stories for marketing material)
- The name, contact details, job titles and relationship to you of any nominated referee or employer contacts.
You can view and update most of your personal details at any time in the "Edit my details" service. For a change of name please contact our Customer services team providing a copy of your marriage certificate or deed poll certificate, along with your membership number, to customersupport@aat.org.uk.
What we do with your data and on what grounds
We can only process your personal data if we have a basis to do so which is permitted by law. This may be that you have given your consent, or one of the other bases for data processing outlined below.
- Performance of a contract with you. We process your personal data where it’s necessary to fulfil a contract with you or to take steps, at your request, before entering into such a contract.
- Necessary for our legitimate interests. We process your personal data as and when necessary to do so in order to conduct and manage our business to provide you with the best service and experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We don’t use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- Necessary to meet our legal obligations. We process your personal data where it’s necessary for compliance with legal or regulatory obligations.
Purpose/activity | Lawful basis for processing including basis of legitimate interest |
---|---|
Managing our online Continuing Professional Development record service. | |
Granting assistance, to offer support to members experiencing financial hardship. | |
Monitoring equality and accessibility to AAT courses and qualifications with regards to gender, ethnicity and disability status, including producing anonymised and aggregated statistics. | |
Managing payment, including to: | |
Processing your membership or licence renewal. | |
To communicate with branches and support them to run the branch, including through running and monitoring engagement with branch events. | |
Marketing and promotional communications, including to: | |
Administering free prize draws and competitions. You can email aat.research@aat.org.uk to opt out at any time. | |
To invite people to provide feedback about an AAT product or service, and process feedback received and follow up with responses if appropriate. | |
To make important communications relevant to your membership. | |
Customer support in relation to your application and membership, including to: | |
To meet our legal obligations, including: | |
To manage complaints and breaches of our regulatory framework and policies, including investigating incidents, publishing consent orders and sanctions and maintaining records for future reference* | |
Product development and quality control, including to: | |
Managing your MAAT, FMAAT and AATQB membership applications, including to: | |
To meet our legal obligations, including to fulfil regulatory requirements to share data related to investigations with other supervisory and regulatory bodies. | |
IT system administration, to administer internal systems including maintaining access rights, troubleshooting issues and maintaining databases and backups. | |
* AAT may use information provided as part of a complaint regarding professional and licensed members for the purposes of our investigation and disciplinary process within the meaning of the Professional Standards Investigation policy, and for the prevention and detection of crime. AAT may share details of the complaint with AAT’s Discipline and Conduct Panel members, or our oversight regulators, and law enforcement agencies upon their request or when we are legally obligated to disclose, such as through the submission of suspicious activity reports to the National Crime Agency. Hearings of AAT’s Disciplinary Tribunal in accordance with AAT’s Disciplinary Regulations and the Appeals Committee in accordance with AAT’s Appeals Regulations are open to the public and all orders and findings are publicised unless determined otherwise. This will include details of the member that a case relates to but would not include the details of the complainant. If your complaint is against a member who holds dual membership status, we may also share details with other professional bodies.
For details of your rights see our main Privacy policy.
Automated decision making
As part of our professional membership services, we use a partly computer-automated process, without profiling, for straightforward decisions regarding approval to membership; this forms part of the performance of our contract with you. Where possible, the system automatically approves you for membership where the answers provided satisfy pre-defined criteria. Where further supporting evidence is required and the system is unable to automatically approve your application, it will be referred for manual review before a decision is made to approve or reject the application, in accordance with your right to human intervention, affording you an opportunity to express your views and a mechanism to contest any decision taken.
We do not currently take, and do not envisage taking, any decisions about you using solely automated means; however, we will notify you in writing if this position changes.
Who we share your personal data with
- Our branches
- Your employers (if employed by an accredited employer who is set up for results sharing)
- Supervisory/regulatory bodies (including the Financial Conduct Authority), law enforcement and independent investigators relating to disciplinary investigations and complaints
- The public, in relation to information regarding any disciplinary outcomes (which may include your name, membership number, alleged misconduct and sanctions).
Our use of data processors
We use a third-party supplier of an IT system (Jotform) to complete student, licensed, and member applications. This system is hosted in Europe.
We use a third-party supplier of a Customer Relationship Management (CRM) IT system, hosted within the UK by our IT service provider. We also use a second CRM system, HubSpot, hosted in Europe.
We also use Microsoft Office 365 to process email and for file storage, hosted within the EU, and a third-party email archive system hosted within the UK.
Other third-party data processors might also include:
- consultancy
- benefits and rewards
- printing
- mailing and payment services
- independent investigators/expert witnesses relating to disciplinary investigations.
Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection legislation. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Where we get your data from
Other than directly from you, we may also receive personal data from the following third-party sources:
- Publicly available sources, such as returned post
- Our payment providers, such as BACS
- Our third-party service providers of IT, user testing, consultancy, benefits and rewards, printing, mailing and payment services
- Professional bodies and law enforcement agencies.
How long we keep your data
- Your basic membership records, such as name, address history, membership statuses, work experience history and other awarding bodies and practice management details will be retained for 70 years from the end of your membership to support required reporting and professional queries.
- If you’ve undertaken any AAT assessments, information on these will be retained for 70 years from the date of assessment, as will information on qualifications awarded.
- If you’ve submitted any medical evidence to support Reasonable Adjustment and Special Consideration requests, this will be retained for 7 years from the end of the adjustment period.
- Correspondence such as email is retained for a maximum of 2 years.
- Credit card details will be managed in line with the Payment Card Industry Data Security Standard (PCI DSS). We do not store or retain any electronic credit card data and use third-party payment provider services to process card payments. Card data provided on hardcopy application forms will be securely destroyed once processed.
- Direct Debit instructions will be retained for 2 years from the date your direct debit is cancelled.
Transferring your data overseas
We transfer your data to the European Economic Area (EEA) and the USA, as detailed above with regards to data processors.
We rely on the Standard Contractual Clauses for data transferred to the USA to ensure the protection of the rights and freedoms of individuals concerned. Transfers to Europe are based on the UK adequacy decision with regards to EEA countries.