Contents
Our commitment
Who we are
Retention rules
Safeguarding data during retention
Disposal and destruction of data
Associated Documents
Acceptance
Data Retention Schedule for customers
1. Our commitment
At Domestic Tax Ltd, we are committed to protecting the data and privacy of our customers by upholding the rules surrounding Data Protection and GDPR. We offer assurance to our customers that we will only collect and retain data for a legitimate purpose.
The policy sets out how long we will keep the data we have collected and the reasons why. This applies to all:
Data collected and stored digitally/electronically
Hard copy documents
Soft copy documents
Communications including emails and telephone calls
If you are unhappy with how your data is being stored, please let us know. We will take all reasonable steps to ensure your complaint is dealt with efficiently and fairly.
If you remain dissatisfied, you have the right to complain directly to the Information Commissioner's Office (ICO), who can be contacted as follows:
Write to: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: www.ico.org.uk
2. Who we are
Domestic Tax Ltd is a group of payroll and employment administration services comprising NannyPaye, BusinessPaye and ProCRB.
We are a registered company in England & Wales with Registration No: 04221878 at Suite One, Lowen House, Sandy Lane, Kingswood, Surrey, KT20 6ND and our Data Protection registration number is XXX.
If you have any questions about the personal data we hold for you or want more details on how long we will keep your data, you can contact us on 01737 816 320 or email info@nannypaye.co.uk
3. Retention rules
Domestic Tax Ltd will only retain data for as long as required to comply with legislative and regulatory requirements, or to achieve a business purpose. Where there is no legislative or regulatory requirement or business purpose, we will retain data for a minimum period of 30 days. The Data Retention Schedule for customers (Section 8) outlines what data we store, why we retain the data, and the period we will retain the data.
Domestic Tax Ltd fully complies with a Data Subject’s rights in line with the GDPR. When a Data Subject lawfully requests to withdraw their consent, or invokes the right to be forgotten, we will take all necessary steps required to comply with the request within a prescribed time. We will inform you once your request has been fulfilled whereupon this will be our last correspondence with you.
Please be aware that we may be unable to permanently delete or destroy the data following a request if there is a legal or regulatory requirement to retain the data. We will inform you of these reasons whilst processing your request.
4. Safeguarding data during retention
We are committed to safeguarding and will take all reasonable technical and organisational precautions to prevent the loss, misuse, alteration, or exposure of your personal information. To provide our services, Domestic Tax Ltd collects and retains data in various ways and we have several safeguarding measures in place to ensure all data is safeguarded effectively.
Electronic data
Data that is retained electronically and digitally (including any soft copy document) is stored on several secure servers (including back-up servers) in a secure facility. Our servers are password protected, firewall protected, and our back-up servers are also encrypted. All servers containing personal data are only accessible by our internal IT personnel and the Senior Management team. All electronic payments you make to us will be encrypted using SSL technology.
Staff access to data via applications is regularly audited and password protected. We have a strict internal unique user password policy to ensure that internal passwords are updated every 90 days matching strict criteria and are only known by the user.
Digital data
All our websites are protected with SSL certificates, a security technology which establishes an encrypted link between our web servers and a user’s web browser. This ensures all data passed between the servers and browsers remain private and integral. Clients can verify this themselves by looking for a visual cue within their own web browser such as a lock icon or a green bar/tick (usually found in the address bar).
Physical data
Data that is retained physically (hard copies) is only stored as a matter of necessity. Domestic Tax Ltd operates a strict Clear Desk policy that ensures all documents containing personal data retained by staff are stored in a locked facility whilst not in use. Any documents containing personal data that need to be stored physically for business or legislative purposes are only stored for a temporary period and will be filed digitally as quickly as possible, with all hard copies securely destroyed.
Data exchanged via email
While we cannot take responsibility for the security of the internet, we do have in place security measures to safeguard sensitive information being sent via electronic mail. No unnecessary personal details will be included in the main body of our emails. All attached documents containing sensitive information will be password protected so they can only be opened by the intended recipient.
If you are in receipt of an email that you become aware was not intended for you, you have a responsibility to notify the sender and delete the errant email immediately.
Data exchanged by telephone
Customers telephoning us will be asked to confirm their identity by answering selected security questions before our advisors will discuss details of their account. If you have nominated someone to liaise with us on your behalf, we will require your express written authorisation to discuss your account with that person. We have a strict policy not to discuss any account or disclose any details to any caller who:
Has not been satisfactorily identified as the account holder
We have not been given express written authorisation to discuss the account with
This includes any employees of our customers.
Data that you have access to
As a customer of Domestic Tax Ltd you are responsible for keeping safe your data and that of your employees, clients or candidates. The data in our Members Area and other private online areas is password protected, with a unique password for each user. Your user details and password are confidential and are used to keep your data secure. Other than when you log in, we will not ask you for your password. It is your decision if you choose to allow others access to your Members Area.
5. Disposal and destruction of data
Where data has been stored for the required period and/or is no longer required for a lawful business purpose or legal requirements, it will be erased or physically destroyed in a secure environment to prevent any recovery of the data.
Disposal of electronic data
Domestic Tax Ltd routinely reviews all data held electronically or physically to decide whether the data processed has been held for the maximum time required for its purpose. When the data in question is no longer required to be retained it will be deleted from our systems (including both original files and back-ups, electronic and physical).
Disposal of physical data
Physical documents containing personal data are shredded internally and then placed in one of our locked recycling bins, of which only the Facilities Manager holds the key. Domestic Tax Ltd employs the services of a trusted and reputable external recycling supplier, who provides a secure document destruction service. Certificates of Destruction are provided and logged after each collection.
Disposal of other data
Other data (such as recorded telephone calls) is automatically deleted from all our servers after the required retention period outlined in the retention schedule below (Section 8). If you request the right to be forgotten, we can remove all phone calls associated with your telephone number manually from our phone server.
6. Associated documents
Privacy Policy
Subject Access Request Procedure
Service Terms and Conditions
Website and Cookie Policy
7. Acceptance
This Privacy Policy was last updated in April 2023. By using our services, you agree to the collection and use of your personal data and information as set out in this Privacy Policy. Any updates to our Privacy Policy will be made available on our websites and in our Members Areas. Please share any questions, concerns or comments you have about this policy by writing to:
The Data Protection Officer
Domestic Tax Ltd
121 Kingston Road
Leatherhead
Surrey
KT22 7SU
Our Data Protection Officer can also be emailed at info@nannypaye.co.uk.
8. Data retention schedule for customers
Customer relationship management
Data | Why we retain | Retention period |
CRM Data including name, address, all contact details, service agreements, payment records | To provide the service the customer has chosen | Duration of the customer’s subscription to our services. Some records will be retained once your subscription with us has finished for the duration that is required, depending on the service the customer has chosen. See Below |
Paper copies of subscriptions and renewals taken over the phone, including name, address, all contact details, payment records and identifier codes | To keep as reference regarding customer queries and renewal reporting | 1 month |
Payroll
Data | Why we retain | Retention period |
Full and complete payroll records for employers (our customers) & their employees, including but not limited to: | To provide a payroll administration service acting on behalf of the customer as their payroll agent | The current tax year and 6 years prior as per legal requirement of Her Majesty’s Revenue & Customs (HMRC) |
Copies of RTI submissions made to HMRC. These contain details regarding your employee’s earnings and deductions along with their full name, address and NI number and your PAYE scheme details | To ensure that we have accurate records of payroll processed and submitted to HMRC | The current tax year and 6 years prior as per legal requirement of Her Majesty’s Revenue & Customs (HMRC) |
Copies of communications between us and you. These may include but are not limited to: | To support the accurate processing of payroll and for quality purposes | The current tax year and 6 years prior as per legal requirement of Her Majesty’s Revenue & Customs (HMRC) |
Information relating to statutory payments. These may include but are not limited to: | To support the accurate processing of payroll and for quality purposes | The current tax year and 6 years prior as per legal requirement of Her Majesty’s Revenue & Customs (HMRC) |
Auto enrolment & workplace pensions
Data | Why we retain | Retention period |
Workplace Pensions & Auto Enrolment records for employers (our customers) & their employees including but not limited to: | To provide an auto enrolment administration service acting on behalf of the customer as their auto enrolment administrator | 6 years as per legal requirement of The Pensions Regulator (TPR) |
Copies of communications between us and you. These may include but are not limited to: | To support the accurate processing of payroll and for quality purposes | The current tax year and 6 years prior as per legal requirement of Her Majesty’s Revenue & Customs (HMRC) |
Human resource & employment law
The employment law section of the NannyPaye service is provided to our customers by an external employment law advice company, who have their own Data Protection policies regarding Privacy & Retention in place. Below is an overview of the data they may collect and retain to provide our customers with the employment law advice service. Please contact us if you would like access to the Data Protection policies of our employment law advice provider.
Data | Why we retain | Retention period |
The customer’s personal details: name, address, contact details | Relationship management for legal advice | Duration of the customer’s subscription to our services |
Personal details of the customer’s employee/s: name, address, contact details and terms of employment | | Duration of the employee’s employment with the customer |
Records pertaining to any employment dispute between the customer and their employee | To assist the customer in the correct process and procedures for managing any employment issues | As per legal requirement depending on the issue |
Accounts & finance
Data | Why we retain | Retention period |
Direct Debit mandates/ customer bank details | For reference in case of investigation | 7 Years |
Purchase ledger invoices | Audit requirement | 7 Years |
Bank documentation, including refunds | Audit requirement | 7 Years |
Debit card details, card payment receipts | To keep as reference regarding customer queries and renewal reporting | 1 month |
Marketing & websites
Data | Why we retain | Retention period |
Google Analytics data, including but not limited to website users’ | To measure the performance and activity of our websites to make informed marketing decisions | 3 months |
Client Marketing preferences | To ensure that we respect your choice regarding if/how you would like to receive marketing material | Permanent unless informed otherwise by customer |
Cookie Acceptance | To ensure that we respect your choice regarding our cookie notice (see our Website and Cookie Policy for more details) | 5 years |
Third party suppliers
Domestic Tax Ltd may work with or employ the services of selected external companies to provide a business function. We treat the data of any external company or organisation as we would that of any of our customers.
Data | Why we retain | Retention period |
CRM Data including main contact name, business name, address, all contact details | To manage the relationship, request services, and/or deliver a service | Duration of the relationship between us and the third party |
Any agreements or contracts including but not limited to: | As a record of our contract and to manage the relationship and as an Audit requirement | 7 years or duration of the relationship |
Invoice, payment details | For accounting purposes | 7 Years |
Non-customer data
Data | Why we retain | Retention period |
Recorded Telephone calls | | 1 month, or as required for the purpose of conducting the necessary business |
Emails | As a record of activity and correspondence, for reference | 1 month, or as required for the purpose of conducting the necessary business |