PSAA policy statement on data protection

April 2024

This is a statement of the data protection policy adopted by Public Sector Audit Appointments Limited (PSAA) to cover its obligations under data protection legislation.

These laws regulate the processing of information relating to individuals, including the obtaining, holding, using or disclosing of such information, and cover computerised records as well as manual filing systems.

PSAA needs to collect and use certain types of information about people with whom it deals in order to carry out its everyday business and fulfil its statutory duties. This personal information, whether in print, on computer, or recorded on other material is collected, held and used by PSAA in accordance with the data protection principles.

We process personal information relating to the following groups of people:

  • individuals in specific posts at audited bodies that have opted into PSAA’s national auditor appointment scheme, in connection with PSAA’s responsibilities as a specified appointing person under the Local Audit and Accountability Act 2014;
  • individuals in specific posts at audited bodies for which PSAA has appointed an auditor under the transitional arrangements made by the Secretary of State for Levelling Up, Housing, and Communities;
  • individuals in organisations that are key stakeholders for PSAA, in connection with its statutory responsibilities;
  • individual who are chairs of the Audit Committees for principal local government bodies who are subject to the requirements of the Local Audit and Accountability Act 2014;
  • partners and employees of audit firms with which PSAA has, or has previously managed, audit contracts;
  • individuals at suppliers of goods and services to PSAA;
  • job applicants, current and former employees, current and former Board and Audit Committee members;
  • members of the public making enquiries or complaints to PSAA; and
  • visitors to our website.

Summary of principles

PSAA’s data users will comply with the data protection principles of good practice which state that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes – further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed;
  4. accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed – personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In law, the Information Commissioner’s Office (ICO) has the right to audit organisations, and requires them to demonstrate that comprehensive data protection compliance programmes, with policies, procedures and compliance infrastructure, are in place, and to have documentary evidence of consent for data processed and the legal basis for processing.

PSAA regards the lawful and correct treatment of data as critical to its successful operation. To this end PSAA will:

  • comply with both the law and good practice in the handling of personal data;
  • treat all information about individuals with respect and with regard to personal privacy;
  • be open with individuals about how their personal data is collected, used and stored;
  • provide appropriate training and guidance to staff on the obligations under the legislation;
  • interpret the legislation, and associated regulations, with regard to the advice of the ICO and relevant directives of the European Commission. In all cases PSAA will have regard to the interests of the individual subject of the personal data;
  • apply the data protection principles as the foundation for information management in the organisation; and
  • process information about individuals on the presumption of confidentiality.

Data Security

All staff are responsible for ensuring that:

  • any personal data they hold, whether in electronic or paper format, is kept securely;
  • personal information is not disclosed deliberately or accidentally either orally or in writing to any unauthorised third party;
  • that they abide by these principles, and comply with PSAA’s data protection policy and associated procedures at all times in the processing and use of personal data.

Data Controller registration

Details of PSAA notification under Registration Number ZA321652 was last registered with the ICO on 27 February 2018 and can be viewed at:

Information Commissioners – Data protection register – entry details (

Individuals’ rights in relation to their own personal data

All individuals who are the subjects of data held by PSAA are entitled to:

  • ask what information PSAA holds about them and why;
  • ask how to gain access to it;
  • be informed how to keep it up to date; and
  • be informed how PSAA is meeting its data protection obligations.

Forms are available from PSAA to assist an individual to apply for access to personal data held by PSAA (a subject access request) and exercise their rights under data protection laws (an individual’s rights request). Neither of these forms is mandatory so requests made in other formats will also be accepted, though the forms have been designed to assist the process. Please contact us at

PSAA aims to comply with requests without delay and in line with the timescales set by the ICO on the receipt of the necessary information.

PSAA does not need to comply with a request where it has received an identical or similar request from the same individual unless a reasonable interval has elapsed between compliance with the original request and the current request.

Further Information

Further information about your rights under the data protection laws is available from the website of the Information Commissioner’s Office:

A copy of PSAA’s data protection policy is available on request from:

Privacy notice relating to personal information

PSAA is committed to protecting personal information. We will only process personal information for those purposes and in the ways specified in our privacy notice. To view our privacy notice please follow this link to our legal pages.