The nature of today’s business operations requires the collection and use of personal information. Expectations surrounding the safeguarding of data and effectiveness of controls over the collection, use, and disposal of such information are at increasingly high levels. The consideration and application of relevant controls, risks, policies, and procedures surrounding data and information security are key components of the accountability and integrity of an organization’s operations.
Agreement, Notice, and Communication
Use of formal contracts
As a condition of employment with the Firm, all staff members are required to formally execute agreements with the Firm, including an employment agreement containing non-disclosure and non-solicitation agreements, and conformance with the Firm’s Data and Information Security and Privacy Plan.
Updates and notice and consent thereof
Revocation of consent to use or retain data and information
To request a revocation of your consent to the Firm’s collection, usage, or retainage of your data and information, you may contact our Firm’s administrator at email@example.com. Removal, destruction, or erasure of data or information will occur in accordance with the Firm’s data and record retention policies, or as required by law. Notification of a removal, destruction, or erasure of requested data and information will be provided via written notice as deemed appropriate, including electronic letter, email, or certified mail. Requests not in accordance with the Firm’s data and record retention policies, or as required by law, will not be granted. The nature of the public accounting profession requires applicable record retention criteria to remain intact, and for which you give consent to understanding and agreeing to as a condition of working with the Firm.
Collection and Creation
The Firm communicates the intention to collect data and information and create records thereof within our system at various points during the data collection process. The major points of data collection occur during the initial contact or inquiry from the potential Client, upon engaging and onboarding the new Client, and during the performance of Services for the Client.
In the event that an individual or entity contacts or inquires of the Firm, the individual may either explicitly give consent to information collection based on the information they provide via the contact form on our website, or implicitly give consent with information provided via phone call, email, completion of the Firm’s Client Business Discovery Organizer, or other method of communication. Data collected from the individual or entity may be used for evaluation and scoping purposes related to the Firm potentially proposing to perform Services for the Client. For other uses of data provided, the Client must provide explicit consent to the other use(s), such as providing consent to being included on a Firm newsletter email list.
Data collection and record creation
Data and information may be collected via multiple methods, including electronic methods such as a shared portal, shared folder or document, software platform upload, or email; verbal methods such as video conference, in person meeting, or phone call; or other communication methods including facsimile.
Data records are created within the Firm’s systems in varying manners, depending on the applicability of the data and information. The Firm also utilizes third-party service providers to support its overall systems, objectives, and mission, including service providers utilized both by the Firm and Clients simultaneously, as well as by the Firm itself for its internal business management purposes.
Email data collection
The Firm utilizes a third-party service provider to track and collect, and duplicate email information. This provider’s service is integrated into the Firm’s primary email system. The Firm’s use for email data collection other than record creation is reliant upon its internal monitoring, record retention, and data backup needs. We do not use collected and duplicated email data for other purposes.
As a condition of the Firm providing Services to you, you agree to the use of third-party services. You agree that we have no responsibility for the activities of a third-party software or system, and you agree to indemnify and hold us harmless with respect to any and all claims arising from or related to the operation of any third-party system, software, or application.
Data collection process
The Firm establishes data collection procedures with the Client during the onboarding process for new Services in order to support its overall objectives and vision. Procedures may include an established process for transferring data and information to the Firm, including the method of transfer; the time period or expected due date of information and data transfer; the format of data and information transferred, such as PDF or Excel; and the process for notifying the Firm in the event data and information may not be available as otherwise previously established.
The Firm views the data collection procedures established as integral to the data control within its Service model and encourages all Clients to conform to the data collection procedures once established. Conformance to the process assists to enable the integrity and security of the data and information, as deviances can result in more timely identification of information that may have become missing or compromised during the collection process, as well as to curtail opportunities for inappropriate access during the data collection process.
To opt out of data collection and retention, please contact the Firm’s administrator at firstname.lastname@example.org. In general, requesting to opt out of data and information collection, record creation, or use of the related data and information may result in a termination of Service between the Firm and the Client.
Use, Retention, and Disposal
The use of personal data and information is inherent to the nature of the Service the Firm provides. Such data and information that may be used can relate to personal and business financial information, employee information, corporate information, and other data and information relevant to the nature of the Service performed by the Firm. In general, the Firm is unable to perform most services without the use of personal data and information, and generally it would not be anticipated that it would otherwise do so.
Purpose of data and information use
The Firm uses confidential and personal information and data in the capacity of performing a Service for you, the Client. The intended use of data and information is identified in relation to the Services the Firm will provide within the scope of your engagement agreement.
Data used for the Firm’s general business or internal improvement purposes
The Firm may use personal information and data provided to it in the general course of business or in the course of evaluating the Firm’s processes, potential improvements or changes to the Firm’s processes, or to comply with regulatory and other legal requirements, including participation in a regulated peer review program. You agree data and information may be used individually or in aggregate for these purposes as deemed necessary and appropriate by the Firm’s management.
Data used for the Firm’s marketing purposes
From time to time, the Firm may use data and information for other communication purposes, such as sending Firm newsletters or mailers. In general, newsletters or mailers may be sent to contacts of the Firm containing relevant information, topics, or updates. Explicit consent of acceptance or ‘opting in’ to these newsletters and mailers is required.
Other, general marketing communication may be utilized by the Firm as a form of ‘cold marketing’ to seek new opportunities. Information and data used for these purposes is obtained from public sources only.
Personal data and information are not used by the Firm for other purposes, unless required by law or regulation. Use of personal data and information by the Firm may be limited in accordance with other explicit privacy and confidentiality agreements in place.
Data retention and loss prevention
The Firm retains personal data and information in accordance with its data and record retention policies, and applicable laws and regulations inherent to operating a public accounting firm.
Data and information are protected from erasure or destruction during the retention period via controls established within the Firm’s document management system, and other business systems. The Firm has implemented controls to prevent, monitor, and detect potential harm to its data retention systems, as well as corrective procedures in the event safeguards should fail.
Corrections or updates to data and information
To request a correction or other necessary update to personal data and information the Firm maintains, please contact the Firm’s administrator at email@example.com. The Firm may utilize a data and information change form to facilitate information change requests, when practical. When required either by law or as deemed appropriate by Firm management, the Firm may notify third-parties of changes or corrections made to personal data and information.
The Firm manages requests for deletion of personal data and information in accordance with its Data and Information Security and Privacy Plan. Data and information is disposed of in an appropriate and secure manner, including the use of erasure, redaction, and destruction techniques when appropriate.
During the course of providing Services to you, we may grant view or editable access to shared data and information in a software application, electronic folder, shared portal, or other similar platform.
Access to data and information is granted to individuals during onboarding procedures, and periodically as appropriate. The Firm may use a data and information access form to assist with documenting user access rights and approval thereof when appropriate. In general, the Firm restricts access to data and information to the least amount of access necessary and practical.
User identity authentication
The Firm uses reasonable methods to authenticate user identity prior to granting access to data and information. In some cases, authentication methods may be required by law. You agree to comply with authentication methods and requests as appropriate.
Denial of access to data and information
In certain cases as required by the Firm’s policies, legal requirements, or other cases as determined appropriate by the Firm’s management, access or changes to data and information may be denied. If a data and information access or change request is denied, we will notify you in writing in a timely and reasonable manner of the denial and reasons for the denial, including any legal reasons, unless prohibited from doing so by law or Client confidentiality policy.
Removal of access to data and information
To request the removal of user access to data and information, please contact firstname.lastname@example.org.
Disclosure to Third-Parties
Data and information is disclosed to third-parties both in the normal course of the Firm providing Service to you as well as in instances of specific requests or events, that may occur between you and the Firm. In general, information is only disclosed to third-parties for the purpose for which it was collected or created, and within the scope of the Engagement Letter and Services Addendum, or as otherwise previously described.
Use of third-parties
The Firm has developed appropriate methods and assessments for evaluating the use of third-party service providers in the normal course of the Firm’s business of providing client services, and in accordance with its Data and Information Security and Privacy Plan.
Disclosure to third-parties not within normal scope
In the event of a request for disclosure to a specific third-party, or disclosure of data and information not within the normal scope and purpose of the Service provided by the Firm, the Firm utilizes a Consent to Disclose Information Form to document and retain the authorization and approval of the disclosure. Personal information and data is only disclosed to third-parties of this nature whom you have explicitly requested and agreed to disclose the information to.
The Firm applies a reasonableness standard in granting the disclosure request, and may perform a risk assessment, general research, interview, or other action(s) as determined to be appropriate based on the nature of the third-party the information is requested to be disclosed to, prior to disclosing the information. The Firm may limit, delay, or deny the disclosure request if it determines it is appropriate or necessary to do so.
Disclosure by third-parties
The Firm does not take steps to evaluate or gain assurance as to the effectiveness of the internal controls of a third-party for which information is disclosed to, however reasonable procedures are in place for disclosing information or onboarding a new vendor relationship. As stated in the Client Policies, Terms, and Conditions Addendum, you agree to the use of the third-party and are responsible for all data transmitted to or held by a third-party.
In accordance with standards and regulations established for tax practitioners and accounting professionals, practitioners are required to have minimum data protection policies in place. The Firm may request a copy of these policies from tax practitioners and other accounting professionals prior to disclosing data to the third-party, when appropriate to do so.
Notice of breach or incident
In the event we become aware of a data breach or incident of misuse of personal information and data, whether internally within the Firm or externally by a third-party, the Firm provides notice of the breach or incident in accordance with its Data Privacy and Security Breach Management Plan. In general, the Firm notifies data subjects of the breach and the remedial actions taken (or intended to be taken). The Firm may also take steps to notify law enforcement or regulatory authorities of the data breach or incident of misuse, as appropriate or as required by law.
If you become aware of a breach incident affecting data and information you provide to our Firm, you will notify us immediately of the breach at email@example.com.
Data Integrity and Quality
Data integrity, quality, reliability, relevancy, completeness, and accuracy are paramount to the success of yours, and the Firm’s operational processes and delivery of Service. The Firm collects and maintains data in a manner consistent with the Firm’s objectives.
Use of procedures and templates supporting data integrity and quality
We have established and may use various documented procedures and templates as appropriate to assist with communicating and supporting data and information accuracy, completeness, relevancy, and reliability. These may include but are not limited to:
Procedures for sending or uploading documents to the Firm.
Templates for inputting data.
Checklists, forms, and organizers for data requests.
We monitor and openly communicate regarding the adherence to data integrity and quality measures on a continuous basis during our Service engagement with you.
Monitoring and Enforcement
The Firm has established processes for monitoring, enforcing, and testing its controls over data security and privacy in order to ensure controls and procedures operate effectively and remain relevant. The Firm strives to address deficiencies to meeting its objectives related to data security and privacy in a proactive manner.
Inquiries, disputes, and complaints
The Firm documents all inquiries, complaints, and disputes related to data and information security and privacy. If complaints or disputes are not able to be resolved in a reasonable and timely manner internally within the Firm, the Firm may seek the advice or consultation of the Firm’s third-party technology service provider(s) that relates to the incident. Depending on the nature of the complaint or dispute, the Firm may seek the advice of its legal counsel, or other professional counsel or opinion.
To report a dispute or complaint over data security and privacy handling or other related instances, or if you have any related inquiries, please contact firstname.lastname@example.org.
COPYRIGHT AND ALL OTHER RIGHTS BY LEACIF LLC.
DO NOT REPLICATE OR USE WITHOUT PERMISSION.
Innovate your expectations.