CIPFA has created this privacy notice in order to demonstrate our firm commitment to data privacy. It explains how we collect your personal data, the data we hold, what we do with that data, and how long we keep it for. Your privacy is important to us, and we are committed to upholding the data protection principles and protecting your data privacy rights.
This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.
1 Last updated
This privacy notice was last updated on the 18th of April 2023.
We will update this Notice from time to time and you should review it whenever you visit our website or before providing us with any personal data about yourself.
2 Who we are
The Chartered Institute of Public Finance and Accountancy (CIPFA) is a UK-based international accountancy membership and standard-setting body. We are the only such body globally dedicated to public financial management. We are a registered charity. CIPFA Business Limited is the trading arm of CIPFA that provides a range of services to public sector clients, registered in England and Wales, company no. 2376684. Together, CIPFA and CIPFA Business Limited are referred to as CIPFA in this Privacy Notice.
CIPFA is the controller for the personal information we process, unless otherwise stated.
There are many ways you can contact us, including by phone, email, fax and post.
You can contact our Data Protection Officer for data protection related matters as follows:
Post: Data Protection Officer, 77 Mansell Street, London, E1 8AN
Telephone (switchboard): 020 7543 5600
3 Data we collect
This section details the personal data we collect and how we collect it.
a) Data you provide to us
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- website registration
- student membership application
- CIPFA Membership application
- product enquiries
- enquiries and bookings for an event or a course
- Professional Qualification (PQ) course, exam, and exemption registration
- you have made a complaint or enquiry to us
- you have made an information request to us
- you subscribe to our e-newsletter or other publications
- you have applied for a job or secondment with us
- you are representing your organisation
'Data' and 'personal information' can include, but is not limited to: names, address, date of birth, email address, telephone number, job title, work place address and other contact details, ethnicity, marital status, title, professional qualifications, employment details, referees and next of kin information, and social media details.
We also receive personal information indirectly, in the following circumstances:
- where it's provided by local authorities and subsequent third party contractors of CIPFA
- an employee/member/student of ours gives us your contact details as an emergency contact or a referee
Where data has been gathered indirectly, if it is not disproportionate or prejudicial, we will contact you to let you know we are processing your personal information.
b) Data from your workplace or professional organisation
Your workplace or professional organisation may provide CIPFA with your personal information, for example, as part of a contract or subscription with CIPFA, as part of a Memorandum of Understanding to enable CIPFA membership, as part of a network subscription service that your organisation has purchased, or to allow staff access to best practice information, training course access, and to receive service provision notifications.
c) Data from third parties
Where permitted, CIPFA may collect your personal information from third parties and publicly available sources such as websites and professional registers. For example, as a finance director of a public body your contact details may appear on your corporate website and CIPFA may use these details to provide you with information regarding public sector finance best practice guidance or other regulatory information. We may process your data from marketing lists. If we do this we follow the relevant guidance from the ICO to ensure we comply with the applicable UK data protection legislation.
d) Services and communications
We log usage data when you visit or use our services, including our web sites, such as when you view or click on content (eg watch a learning video or download a publication), perform a search, post in a forum or submit data via a form. We use log-ins, cookies, and internet protocol (IP) addresses to identify you and log your use. We may also gather email tracking data to help us improve our services and communications.
4 How do we use your data?
CIPFA holds personal information and data collected in order to fulfil a variety of purposes:
- to provide and help develop products, services and activities to meet our obligations and objectives and for use in direct marketing
- to manage our business
- to facilitate payment for memberships, training, examinations, and other services
- to enable CIPFA to make payments to members, suppliers and associates, eg for expenses and fees
- to validate credentials for example to access restricted areas of websites
- to help us communicate relevant information
- to present relevant content on websites, to monitor progress on training programs and determine the effectiveness of promotional campaigns and advertising
- to comply with legislative and regulatory requirements
- to profile and anticipate your interests and potential needs
- to control access to network resources and systems and prevent fraud
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Depending on your chosen preferences, we may contact you using available methods including (but not limited to) email, telephone, post, messaging platforms, via our website and online portals, and via social media platforms. We will send you messages about the availability of our services, security, or other service-related issues. We may also send promotional messages. You can change your communication preference in MyCIPFA at any time or by letting us know using the contact methods below. Please be aware that you cannot opt-out of receiving service messages from us, including security and legal notices related to the services we provide.
If you register for an event or a conference that involves a third party, we may share your contact details and other relevant information with them so you can receive relevant information prior to or following the event. By signing up to the event you understand that your information will be passed on to our sponsor or relevant third party involved with all necessary safeguards in place.
Where appropriate we use your data to investigate, respond to and resolve complaints and improve customer service (eg system bugs or customer enquiries).
We use your personal data for relevant targeted communications to you promoting our services. You can use MyCIPFA, or communicate with us using the methods below, to change preferences or opt-out of receiving these at any time. It may take up to 28 days for the changes to be implemented and for you to stop or start receiving emails.
c) Developing services and research
We use data to conduct research and development for the further development of our services in order to provide you and others with a better, more intuitive and personalised experience, drive membership growth and engagement on our services, and help promote public financial management.
5 How do we share your information?
We will not share your information with any third parties for the purposes of direct marketing.
When we do share your data we will ensure there are adequate levels of protection and appropriate safeguards in place to guard your rights and freedoms.
Where appropriate and in accordance with local laws and requirements, we may share your personal data with:
a) Third parties
Third party processors: We use third party data processors who provide elements of our services to you on our behalf. We will have contracts in place with such data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They may share your data with sub-processors where they have a contract in place that imposes their data protection obligations on that sub-processor. We will ensure the third parties hold your data securely and retain it only for the period we have instructed, subject to their legal obligations.
Your employer or sponsoring body: We may provide relevant information to your employer or sponsoring body about your participation and progress in our professional training and development programmes. This information is supplied to your employer and/or sponsoring body as part of an agreed contract. For example, we may share your use of our learning platforms and your exam results with your designated training manager, or your contact details and responses as a contributor to the FM model survey.
Conference and Event delegates: When you attend one of our conferences or events, we may share your data with third parties. By registering, you acknowledge that we may share your details such as name, email address and job details, with any sponsor. Sponsors may use your details to contact you about the event or conference and they may send you direct marketing material. You can opt-out of receiving non-essential communications by changing your preferences in the MyCIPFA portal at any time or by letting us know using the methods detailed in the Contact Us section below. Where you have specified any special requirements, we may share these with any relevant third parties involved with administering the conference or event.
Other Third Parties: If CIPFA enters into a joint venture, acquires, merges with, or is acquired by another business or company in the future, (or is in meaningful discussions about such possibilities) we may share your personal data with the other business or company, subject to appropriate assurances as to the protection of your data privacy.
We will not share your information with any third parties for other purposes than those for which we collected it (or other purposes as detailed in this privacy notice) without informing you first. When we do share your data, we will ensure there are adequate levels of protection and appropriate safeguards in place to guard your rights and freedoms, and that they will only retain it for the period we instruct.
b) Legal obligations
In some circumstances we are legally obliged to share information, for example under a court order or where we cooperate with other data protection authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision.
In order to comply with education guidelines, we keep a record of education certificates obtained by our students at CIPFA for the duration of 100 years. You have the right to have your information erased from our system, however as an exception to the Data Protection Act and GDPR we can keep hold of the certificate withstanding your name and a unique identifiable number only.
c) Members, students and subscribers
Your information may be shared for the following reasons:
- To provide relevant information to your employer/sponsoring bodies about your participation and progress in professional training and development
- Where other organisations are commissioned by CIPFA to provide specific activities to support the delivery of our services (sub-processors). These include (without limitation):
  - Redactive as the publisher of Public Finance magazine and Public Finance International
  - PQ Publishing as the publisher of PQ Magazine
  - Parliament Hill as the provider of the CIPFA rewards website
  - Chartered Management Institute as the provider of the Management Direct website
  - Eintech as the provider of our examination platform
  - D2L as the provider of our eLearning platform
  - MonitorEDU as the provider of remote invigilation
  - LogMeIn (GotoMeeting) as the provider of webinar platform
  - Deloitte as a tax advisory service
  - TechnologyOne as the provider of account management software
- To comply with legal and regulatory authorities including your listing in the CIPFA Members Directory.
If you wish to view a list of the third party organisations we hold contracts with please contact firstname.lastname@example.org and we will provide you with this information.
6 Lawful basis
To comply with the data protection principles and article 6(1) of the GDPR we identify a lawful basis for each purpose for which we process your data.
The lawful bases that we use are:
- consent, where you have given us your consent to process your personal data for one or more specific purposes
- contract, where the processing of your data is necessary for the performance of a contract or where we process your data prior to entering into a contract
- legal obligation, where the processing of your data is necessary for compliance with our legal obligations
- vital interest, where processing is necessary in order to protect your (or others') vital interests
- public interest, where the processing of your data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
- legitimate interest, where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data
7 Legitimate interests
Our legitimate interests explained – CIPFA think it's reasonable to expect that if we have (or have had) a professional relationship with you, or you have posted your professional information on a professional networking site, or your information is generally available to the public, or we have been given your name as an emergency contact or as a referee, you are happy for us to use your personal data to contact you for a relevant reason. If you do not want any further contact with us you can ask us to stop (opt-out) by contacting us using the details at the end of this privacy notice.
It is our policy only to keep records of your personal data for as long as required under the legal obligations of delivering a service to you, or as required by relevant authorities or other legislation, whichever requirement is longer, after which it will be erased from our systems and any paperwork will be destroyed.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Our retention policies are currently as follows:
- if you are a client, a member, a student, or a supplier, we may for regulatory reasons or to settle a dispute keep your data for six years after the end of the engagement with us
- if you have contacted us via our website, or sent us an email, or we have made contact with you and we do not engage in a professional relationship with you, we will destroy your data after two years or sooner
- if we are recruiting and you send us your CV, or if we are not currently recruiting but are interested in your profile, we may keep your CV and personal details for a period of one year, after which your data in this respect will be deleted
9 Transfer of data outside the UK
Normally your data will not be transferred to a country or territory outside the UK unless that country or territory ensures an adequate level of protection (adequacy decision by the ICO) or the appropriate safeguards are in place to guard your rights and freedoms and ensure your personal data is kept securely.
10 Your data protection rights
Under data protection law, you have rights that we want to make you aware of. The rights available to you depend on our reasons for processing your information. We will respond to your request to exercise your rights at our earliest opportunity and within one month. Under normal circumstances we will not charge a fee. However, if we feel the request (with consideration to other requests you have made) is repetitive, unreasonable or excessive then we may ask for a fee to cover the administrative costs associated with your request.
We may limit our actions when you exercise your rights due to applicable exemptions in data protection law. For example, we may not be able to delete all your data when you exercise your right to be forgotten where we have a legal obligation to retain some of the data (eg for certifications or for criminal law enforcement purposes). Where exemptions apply and where it's permissible we will tell you why we are not taking action, explain our decision and explain how you can challenge this.
a) The right to be informed
You have the right to be informed of what we do with your data. The detail of what we do is in this privacy notice.
b) Your right of access
You have the right to ask us for copies of your personal information. This is commonly known as making a subject access request or SAR.
c) Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
d) Your right to erasure
Also known as the right to be forgotten. You have the right to ask us to delete the Personal Data we hold about you.
e) Your right to restrict processing
You have the right to ask us to restrict the processing of your information in certain circumstances. Where consent has been given to process your data, you can withdraw that consent at any time by contacting us using the details at the bottom of this notice.
f) Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.
g) Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.
h) Rights in automated decision making and profiling
You have the right to ask us to stop using automated decision making when processing your data. You also have the right to ask us to stop profiling you by using algorithms and machine-learning. If you have any concerns about these mechanisms then you can ask us to explain what we do and we will provide you with any alternative methods of processing if available.
Please contact us at email@example.com if you wish to make a request.
11 Links to other websites and social media
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide while visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notice applicable to the website in question. Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes your personal information. We encourage you to read the privacy notices on the other websites you visit.
13 How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at firstname.lastname@example.org or by calling us on 020 7543 5600. Please see our contact CIPFA page for further options.
You can also complain to the Information Commissioner's Office if you are unhappy with how we have used your data. Their contact details are available on their website www.ico.org.uk.