CIOT Privacy Notice 

27 Apr 2021

1.Introduction 

This privacy notice explains how personal data is used by (collectively We): 

  • The Chartered Institute of Taxation (CIOT), www.tax.org.uk, registered charity number 1037771 
  • The Association of Taxation Technicians (ATT), www.att.org.uk, registered charity number 241831 
  • The Low Incomes Tax Reforms Group (LITRG), www.litrg.org.uk, an initiative of the CIOT. 

If you wish to contact us, or our Data Protection Officer, please use the contact form on this website or write to 30 Monck Street, London SW1P 2AP. 

We will be data controllers if you: 

  • Visit our website. 
  • Ask us a general question. 
  • Subscribe to events, media or industry updates.
  • Become a student siting exams or apprenticeship End-Point assessments. 
  • Become a member. 
  • Become a colleague. 
  • Become a business contact. 
  • Attend an event online .

2. Details of our processing. 

2.1 If you visit our website. 

We will log your IP address and timestamped website interactions. 

This information is used both to prevent and detect crime, and for our legitimate interest of managing website performance. 

We will retain this data for six months to support analysis and investigations. 

We also use Cookies on our websites. For further details, please see our Cookie Notice. 

2.2 If you ask us a general question. 

We will use your contact details and information you provide, to establish our response and to respond to you. This includes queries for LITRG, Tax Policy, Membership, Education, External Relations, professional standards, anti-money laundering and Employment purposes. We do this as a public task, under our Royal Charter.  

Your query may include contact, financial, education and employment data. We ask that you do not send sensitive data (such as health data), bank account data, usernames, passwords, or unnecessary personal data. 

We will retain the information for seven years in accordance with the statute of liability and HMRC standard timeframes for investigating tax matters. 

2.3 If you subscribe to events, media or industry updates. 

We will use the contact details and communication preferences you provide us with, to send information that we believe to be relevant, as a public task, under our Royal Charter. 

Subscribers can opt-out at any time. If you opt-out of all communications, we will delete the associated personal data within three months. 

2.4 If you become a student siting exams or apprenticeship End-Point assessments. 

We will use your contact details to provide relevant industry updates. 

If you subsequently apply or take exams, we will process your contact details, the exams you sat, your answers and your results. We do this as a public task, under our Royal Charter. We retain this data indefinitely, as it is of historic interest under the Royal Charter. 

We will use identity documents you provide (e.g. passport) to manually verify your identity for exams. This is done to prevent/detect crime. We will delete this data six months after you take the exam. 

We will use medical or personal information you provide, with your consent, to make appropriate adjustments when you are sitting exams or for special consideration in relation to your results if something happens to you shortly before your or during your exam/s. We will delete this data no later than six years after you take the exam. 

If you agree (either via your employment contract or separately to CIOT), we will share your exam results with your exam sponsor or apprenticeship training provider as their legitimate interest. They will be the independent controller of that personal data and their own privacy notices apply. 

2.5 If you become a member. 

We will process your contact details, membership payments and professional information to provide membership services, under contract with you. We retain this data indefinitely, as it is of historic interest under our Royal Charter. 

As a member, we will publicly share your name, qualifications, membership start date, membership end date and grade, as a public task, under our Royal Charter. 

We will process any complaints or disciplinary action against members as a public task under our Royal Charter and to prevent and detect crime. We retain this data indefinitely, as it is of historic interest under the Royal Charter. 

2.6 If you become a colleague. 

Privacy information for colleagues, who have a direct contract with CIOT, is available from the CIOT HR team. 

If you apply to become a colleague, we will process your contact details and career history to assess your suitability for that position or other relevant positions, with a view to enter into a contract. If you are not successful in applying for that role, we will retain your details for one year, to help address any related matters. 

2.7 If you become a business contact. 

We will process your contact details and data from our interactions for business purposes, as our legitimate interest, including the provision of services or discussing tax matters. We will retain this data for 6 years from our last contact, to support on-going business activities. 

2.8 If you attend on online event. 

We will process your contact details, event attendance and any comments you provide, as our legitimate interest, and retain that information for 5 years, as a record of industry discussion. Details can be shared with other professional attendees, and attendees’ names and comments can be shared publicly, unless you notify us to opt-out, which you can do at any time. 

 2.9 AML Supervision 

We provide AML Supervision on member organisations, as a substantial public interest. In doing so, and operating as independent data controllers, we will process personal data provided by the member firms, including criminal convictions; share data with other authorised bodies; publish the names of supervised firms on our websites; and retain that data as long as necessary to fulfil our legal obligations for AML supervision. 

3. Data subject Rights 

We fully respect your rights to request that we: 

  • Allow you to opt-out of any process that you previously consented to, at any time. 
  • Provide a copy of data we hold on you, or pass it to a third party on your behalf. 
  • Amend, delete or restrict processing of your data. 
  • Explain and review any automated decision making or profiling. 
  • Provide further information about our processing activities. 
  • Allow you to speak directly with our Data Protection Officer (DPO) 

If you wish to raise a privacy request or contact us about any other matter, please use the contact form on this website or write to us at 30 Monck Street, London SW1P 2AP. 

We always aim to respond in a timely manner and within statutory timeframes. If you don’t hear from us, please let us know, in case there has been a communications issue. 

You can also escalate matters to the ICO if you believe we are using your data in an unlawful manner. However, please let us know first, so that we can help you resolve the concern. The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Their helpline number is UK 0303 123 1113. Their website is: https://www.ico.org.uk 

4. Other Matters 

We only process personal data in the UK. If you access your data from outside the UK, your data will be transferred internationally out of necessity and you should maintain appropriate safeguards. 

Other than described above, we only share personal data with third parties if they are processing that data as processors on our behalf under written contract, or if required for legal or regulatory reasons.  

We do not sell or give away personal data. 

Where our website provides links to other websites, those websites are beyond our control. We encourage you to read the privacy notices on any other website you visit. 

This privacy notice was written with brevity and clarity in mind. Please let us know if you would like more details. 

We reserve the right to update our notices and cookie notice at any time. 

This notice was last updated 27 April 2021.