Regulatory Disclosure and Privacy Notice

Regulatory Disclosure

Name and contact details
JOH Consultancy LLP is a limited liability partnership (registered in England and Wales with the number OC371058, VAT registration number: 130032876).

Our registered address is:
Wey Court West, Union Road, Farnham, Surrey, GU9 7PT.

The members of the LLP are Joanne Harris and Neil Harris.

Email: jo@johconsultancy.co.uk

Tel: 07780 613826

Complaints
Clients of the firm are entitled to receive a copy of the firm’s complaints policy upon request. Complaints should initially be addressed to JOH Consultancy LLP at the registered address above or by email to jo@johconsultancy.co.uk.

JOH Consultancy LLP limits any claim arising from our services to £1m.

A complaint about our use of personal data may also be lodged with the Information Commissioner’s Office (“ICO”) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.

Insurance
Our insurance broker is Professional Insurance Agents Limited (Lion Works, Sidley Road, Eastbourne, East Sussex, BN22 7HB) and their telephone number is 01323 648000.

For the policy period 23 December 2023 to 22 December 2024, our Professional Indemnity Insurance Policy is with Prosure Solutions Ltd (34 Lime Street, London, EC3M 7AT) and their telephone number is 020 3150 1941. Jurisdiction: worldwide excluding USA and Canada. Our Public Liability Insurance Policy is with TMHCC (1 Aldgate, London, EC3N 1RE) and their telephone number is 020 7648 1100. Jurisdiction: worldwide excluding USA and Canada.

Applicable law
The law applicable to the contract for services provided is the law in England. Other matters addressed by the Provision of Services Regulations 2009 are dealt with in the engagement letters agreed between the firm and its clients.


Privacy Notice

The following additional information is provided to comply with the requirements of the data protection legislation. JOH Consultancy LLP (“we”, “us” or “our”) is strongly committed to protecting personal data. This privacy notice describes why and how we obtain and use personal data and how it is processed.

Contact for data protection matters
Neil Harris (contact details as above). If you have any questions about this privacy notice or how or why we process personal data, please contact us using one of the methods above.

Data protection
Processed data is stored in print and electronic format. We take the security of the data we hold very seriously and take measures to ensure the confidentiality and security of the data we use.

Electronic data
Electronic data is stored in emails, on local computers and mobile devices.

Our email provider (Microsoft Exchange) and website hosting service (Website Palace) provide secure 256-bit encryption on secure servers. Our mobile devices use either Secure Sockets Layer (SSL) or Advanced Encryption Standard (AES) email standards.

Documents are stored on our computers and mobile devices using Dropbox (a secure file sharing service) which is compliant with ISO/IEC 27001/2 (Information Security Management), ISO/IEC 27017 (Cloud Security), ISO 27018 (Cloud Privacy and Data Protection) and SOC 2 (Security, Confidentiality, Integrity, Availability and Privacy) and is compliant with data protection legislation. Our local computers and mobile devices are password protected for additional security.

Our blog is maintained using the WordPress application and is integrated within our website hosting service through an application programming interface (API) for extra security. The comments facility on the blog has been disabled to restrict the data collection activities by WordPress for our blog subscribers. Information about how WordPress and its owner Automattic handle data and use Cookies can be found on the Automattic website.

Paper data
Copies of data provided to us by our clients in paper format or printed electronic data will be destroyed using a cross cut shredder once the service period to the client (as declared in the relevant engagement letter) has been concluded. Original documents will be returned to the client. Hand-written notes containing personal data may be retained for longer periods as set out below.

Cookies and similar technologies
Our website does not use Cookies to record visitor data such as site usage, response rates or IP addresses. We do, however, reserve the right to introduce this at a later date (for example, if we wish to gather page visitation statistics using a third-party analytics service provider). Any changes to this will be reflected in this privacy policy. In the event that we introduce these technologies, there is a simple procedure in most browsers which allows you to decline these technologies, or to be given the choice of accepting or declining them.

Data processing
The information below relates to data we use for two main areas: data we use to send out our technical update and blog emails and data we use/store to provide our services and products.

1 - Technical update and blog update emails

Purposes of the processing
We send our technical updates via email. Blog update emails are generated from WordPress as part of the subscription setup.

Lawful basis for the processing
Data protection legislation requires active consent to be given for us to send email updates. The exception is where individuals have already been receiving emails from us and we believe the recipient has a legitimate interest in the material we are providing. We believe this exception applies to recipients of our technical updates. Blog email updates are only sent out to individuals who have subscribed to receive them; by providing your email address to subscribe to blog updates, you consent to the processing of data for this purpose.

Categories of personal data obtained
The data for our technical update emails consists of name, firm and email address. The firm is recorded to identify ambiguities and clarify potential duplications where an individual has changed firms. WordPress stores the email address of our blog subscribers.

Recipients
We do not send our technical update email data to any other parties. Data is stored within our email provider’s server and WordPress (blog subscribers only).

Retention periods for the personal data
The data for our technical update emails is retained on an ongoing basis on our email distribution lists. Recipients who wish to cease to receive our technical updates will have their data removed from our distribution lists. Blog subscribers’ data is retained for the duration of the subscription only.

The source of the personal data
The personal data we have used for our technical update emails was sourced from the 2013 R3 Directory and subsequent annual directories. We also access information from the Registrar of Companies and other similar public-access data providers. The personal data for blog subscribers is provided by the subscribers themselves.

2 - Data used/stored to provide our services and products

Data used to provide our services and products consists of data used/stored about our clients and data used/stored provided by our clients.

2a - Data used/stored about our clients

Purposes of the processing
We process your personal data because you use your email address and your password to sign in to our website. We also process your personal data for the purpose of sending you important information about updates to our products and services. Each product/service has a separate distribution list for our updates. We also process client data for administration purposes to provide engagement letters and invoices. It may also be necessary to process data in order to prevent or detect crime, fraud or corruption or to defend or take legal actions related to the provision of our services or products.

Lawful basis for the processing
The lawful basis for processing your personal data is our legitimate interest in protecting the security of your website login, the copyright of our products and services and the administration and maintenance of our contracts with our clients through our engagement letters and invoices. In addition, such processing is required in order to meet the terms of our engagements with our clients.

Categories of personal data obtained
Contact name, email address, firm and address, telephone number(s).

Recipients
This data is confidential to us and the client. However, in exceptional circumstances it may be necessary to share data with our professional advisers or with law enforcement or other government or regulatory agencies.

Retention periods for the personal data
Client information is retained for the length of the engagement plus up to a maximum of 7 years. Clients are removed from the relevant distribution list at the end of the contract if it is not renewed.

The source of the personal data
This data is usually obtained direct from the client on contract inception. Historically, we may have used the 2013 R3 Directory and subsequent annual directories, information from the Registrar of Companies and other similar public-access data providers.

2b - Data used/stored provided by our clients

Purposes of the processing
We process data and documents from our clients and potentially their clients as part of our compliance reviews, technical support and other services as described in our engagement letter to our clients. It may also be necessary to process data in order to prevent or detect crime, fraud or corruption or to defend or take legal actions related to the provision of our services or products.

Lawful basis for the processing
We have a legitimate interest in requesting and reviewing client files when making compliance reviews for a client. We need to process the data received from our clients in order to meet the terms of our engagements with them. We also have a legitimate interest in retaining the data for the periods described below in order to assist clients if they have reason to ask us about the service provided after completion and to defend or take legal actions should the need arise.

Categories of personal data obtained
This may include, but is not limited to, names, addresses and other contact information of clients and related third parties, books and records and financial information. This data may be in print or electronic format.

Recipients
This data is confidential to us and the client and is only used to provide the services set out in the engagement letter. However, in exceptional circumstances it may be necessary to share data with our professional advisers or with law enforcement or other government or regulatory agencies.

Retention periods for the personal data
Any original documents will be returned to the client. Apart from documents which may legally belong to the client, we intend to destroy correspondence and other papers (in print and electronic format) that we store which are more than seven years old, other than documents which we consider to be of continuing significance. It is a client’s responsibility to inform us if retention of a particular document is required.

The source of the personal data
This data is derived primarily from the client. To provide the services to our clients, we also access information from the Registrar of Companies and other similar public-access data providers, which is processed and stored alongside data received from clients.

Rights available to individuals (all services/products)

Access to your information – you have the right to request a copy of the personal information about you that we hold.

Correcting your information – we want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.

Deletion of your information – you have the right to ask us to delete personal information about you where:

If you have subscribed to our blog you can unsubscribe by selecting the ‘unsubscribe’ link in any of the WordPress blog update emails.

Objecting to how we may use your information – you have the right at any time to require us to stop using your personal information for email updates (although we strongly advise at least one individual per client to receive updates to maintain the currency of our products/services).

Restricting how we may use your information – in some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you do not want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Please contact us in any of the ways set out in the Name and Contact Details section if you wish to exercise any of these rights.

Changes to our privacy statement
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained by contacting us by any of the ways set out in the Name and Contact Details section.

This privacy statement was first published on 18 May 2018.

This privacy statement was last updated on 23 December 2023 (updated insurance for new rolling year).

Previous updates:
23 December 2022 (updated insurance for new rolling year).
17 October 2022 (new email provider).
15 June 2022 (new registered office address).
23 December 2021 (updated insurance for new rolling year).
1 January 2021 (updated references to data protection legislation following the end of the Brexit transition period).
23 December 2020 (updated insurance for new rolling year).
23 December 2019 (updated insurance for new rolling year).
23 December 2018 (updated insurance for new rolling year).