About this notice
Under the Data Protection Act 2018 and the General Data Protection Regulation (2016/679) (the data protection laws), we are required to explain to data subjects why we collect their personal information, how we intend to use the information we receive and whether we will share this with anyone else.
This privacy notice explains what to expect when Public Sector Audit Appointments Limited (PSAA) collects personal information in the course of its business operations. It also summarises the rights of the data subject in relation to their data collected. The notice applies to information we collect about:
- individuals in specific posts at audited bodies that have opted into PSAA’s national auditor appointment scheme, in connection with PSAA’s responsibilities as a specified appointing person under the Local Audit and Accountability Act 2014;
- individuals in specific posts at audited bodies for which PSAA has appointed an auditor under the transitional arrangements made by the Secretary of State for Communities and Local Government;
- individuals in organisations that are key stakeholders for PSAA, in connection with its statutory responsibilities;
- individuals who are chairs of the Audit Committees for principal local government bodies that are subject to the requirements of the Local Audit and Accountability Act 2014;
- partners and employees of audit firms with which PSAA has, or has previously managed, audit contracts;
- individuals at suppliers of goods and services to PSAA;
- job applicants, current and former employees, current and former Board and Audit Committee members;
- members of the public making enquiries or complaints to PSAA; and
- visitors to our website.
The information we collect
PSAA is responsible for appointing external auditors to principal local government bodies. From 1 April 2018 this responsibility relates to the bodies that are opted-in bodies under the provisions of the Local Audit and Accountability Act 2014. Except for the financial and human resources information we require to run our company, the personal information we collect relates to our auditor appointment duty.
We may obtain information from third parties, such as Oscar Research who provide contact information for public sector organisations.
Individuals at audited bodies to which PSAA appoints the auditor
PSAA is required under the Local Audit (Appointing Person) Regulations 2015 (the Regulations) to appoint an auditor to all opted-in authorities, to oversee the independence of any auditor it has appointed, and to monitor compliance of auditors against the contractual obligations of PSAA’s audit contracts. The Regulations require PSAA to maintain and publish on its website a record of the principal authorities that are opted-in authorities.
Under the transitional auditor appointment arrangements made by the Secretary of State for Levelling Up, Housing and Communities, PSAA is required to appoint an auditor for all principal local government and police body types listed in schedule 2 of the Local Audit and Accountability Act 2014.
To support these requirements, PSAA records the name and contact details for the Chief Executive and Chief Finance Officer of each authority and requires the audit firm it appoints as the auditor to update the details on at least a quarterly basis. Names and contact details are retained for a period of up to five years for opted-in bodies, subject to the length of the appointing period as defined in the opt-in invitation process. We also use these contact details to inform individuals of events and resources that may be helpful to them in their role. For bodies that have not opted in, PSAA collects contact details from publicly available sources to discharge its communication responsibilities as set out in the Regulations, and updates these details annually, without retaining outdated records. Details are only shared outside PSAA or the appointed audit firm for the purposes of conducting client satisfaction surveys where we instruct a third-party organisation to run the survey on our behalf.
Individuals at PSAA’s other stakeholders
PSAA’s duties require it to communicate with or consult a variety of national stakeholders. For example, the duty to specify a scale of fees requires PSAA to consult representative associations of principal authorities and bodies of accountants. PSAA therefore records the name and contact details for relevant individuals at key stakeholder organisations. Details are updated annually, and outdated records are not retained. Details are not shared outside PSAA.
Individuals who are chairs of Audit Committees
PSAA considers that its role as an appointing person carries an obligation to share knowledge and practice in relation to the aspects of local audit for which it is responsible. We therefore maintain a record of the names and contact details of the Audit Committee chairs for all relevant authorities set out in schedule 2 of the Local Audit and Accountability Act 2014. We use these contact details to inform individuals of events and resources that may be helpful to them in their role. Details are updated periodically, and outdated records are not retained. Details are only shared outside PSAA for the purposes of conducting client satisfaction surveys where we instruct a third-party organisation to run the survey on our behalf.
Partners and employees of audit firms
PSAA lets contracts with audit firms to audit the accounts of bodies that have opted into the national appointing person auditor appointment scheme. Details of the firms with contracts for the current appointing period are available on the procurement outcome page of our website. PSAA maintains records of the name and contact details of the contact partner for each firm, and of the engagement lead and audit manager allocated by the firm for the opted-in bodies to which it is appointed by PSAA. The name and contact details for each engagement lead and audit manager for each opted-in body are published in a directory of auditor appointments on our website.
Details are updated by firms where needed on a quarterly basis and retained by PSAA for a period of twelve years, to discharge the responsibility to make an independent appointment.
Suppliers of goods and services to PSAA
PSAA maintains records of its suppliers of goods and services, including names and contact details of individuals where needed to support contract and payment management. Details are retained for a period of six years after the financial year to which the details relate.
Reflecting its role in managing and safeguarding public money in the form of fees charged to audited bodies, PSAA follows the principles of the Local Government Transparency Code, publishing its spending data on its website. This may include the names of individuals.
Job applicants, current and former employees, prospective, current and former Board and Audit Committee members
PSAA is the data controller for the information you provide, unless otherwise stated.
The information you provide will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements relating to your employment. We will only share information with third parties where this is required to fulfil our legal or regulatory requirements. The information you provide will be held securely by us and our data processors whether the information is in electronic or physical format. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
If your application is successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.
Members of the public making enquiries or complaints
When we receive an enquiry or complaint we use the personal information provided to respond to the enquirer or complainant. For complaints, we usually have to disclose the complainant’s identity to whoever the complaint is about. If a complainant does not want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaints for a period of two years from our response to the complaint.
Visitors to our website
We use a third-party service, WordPress.com, to publish our website www.psaa.co.uk. The website is hosted and supported by dxw. We use the Google Analytics service to collect standard internet log information. This information is only processed in a way which does not identify anyone and is used for analysis of visitor patterns. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. Further information about our website is available on the legal page of the site, and on our use of Google Analytics and internet cookies on the cookies page of our website.
Attendees at our events
On occasions we may use a third party to manage event bookings, but they are only allowed to use information to manage the event booking process. We use the information we hold about the groups of individuals listed above, who may have an interest in our events, in order to provide a service. We only use these details for the purposes of event management and for other closely related purposes. For example, we might use information about people who have attended an event to carry out a survey to find out if they are happy with the quality of the event they received.
The name, job title and organisation of event attendees may be included in the event documentation that is made available to everyone attending the event.
If you do not want us to collect, use or transfer your personal information in this way then you should (depending on what it is you object to) contact firstname.lastname@example.org and ask for your information to be deleted.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
Under certain circumstances, by law you have the right to:
- Request access to your personal information;
- Request correction of the personal information that we hold about you;
- Request erasure of your personal information;
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes;
- Request the restriction of processing of your personal information; and
- Request the transfer of your personal information to another party.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
You also have the right to complain to the Information Commissioner’s Office (the ICO) if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Their information may be found at www.ico.org.uk.
Contacting us by email
Any email sent to PSAA, including any attachments, may be monitored by us for reasons of security. Email monitoring or blocking software may be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
Links to other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last reviewed on 19 April 2023.
How to contact us