IR35 Shield and Data Protection Law
Here at IR35 Shield, we take data protection compliance very seriously. However, the application of data protection law to our operations is not always straightforward.
This is because:
- through our systems, we interact with several categories of user;
- personal data can be shared between users in different categories; and
- the purposes for which personal data is used vary depending upon context.
This document is designed to help our users, customers and business partners to understand how our activities fit into the regulatory framework.
Types of actor
The UK's General Data Protection Regulation (GDPR) regulates the processing of personal data in and in relation to the UK.
The GDPR recognises three main categories of actor in relation to personal data: data subjects, controllers and processors.
Data subjects are living human beings:
… an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controllers are actors who process others' personal data for their own purposes:
'controller' means the natural or legal person … which, alone or jointly with others, determines the purposes and means of the processing of personal data …
Processors act purely on behalf of controllers:
'processor' means a natural or legal person … which processes personal data on behalf of the controller;
In some circumstances we will act as a controller of personal data, while in other circumstances we will act as a processor. In both cases, we are subject to a range of obligations under the GDPR and related laws.
Where we act as a controller, data subjects can exercise their legal rights against us directly; where we act as a processor, those rights are usually exercised indirectly through the relevant controller.
IR35 Shield for Contractors
Individual contractors ("Contractors") use this service directly to conduct status evaluations. They have their own accounts and buy services directly from us.
We collect and use the personal data of both IR35 Shield member Contractors and non-member Contractors.
When you register as a Contractor, and when you complete an IR35 assessment, generate a Status Determination Statement or use our similar services, we will collect your personal data. We are a controller of all Contractor personal data.
We will use Contractor personal data to provide our services to the Contractor in question, and if the Contractor completes an IR35 assessment at the request of an IR35 Shield for Business, we will use that personal data to provide services to that customer, including supplying Status Determination Statements to that customer. We will also store copies of a Contractor's Status Determination Statements for our own analysis and record-keeping purposes.
IR35 Shield for Business
Hiring firms ("Businesses") pay for a licence to use this service to make status determinations for individuals. Those individuals must create their own IR35 Shield for Contractors accounts before completing assessments for Businesses.
Businesses are always legal rather than natural persons, and so they cannot be data subjects. Nonetheless, there are three different categories of personal data that we handle in relation to IR35 Shield for Businesses.
Second, we handle user account data of the Business's staff. We are a processor of this personal data, not a controller. Our standard IR35 Shield for Business contract includes data processing clauses that set limits on what we can do with this personal data. For example, we will delete this personal data if our contract with the relevant Business terminates.
IR35 Shield Manager
Outsourced assessment providers ("Managers") pay for this service and can use it to provide services to Businesses.
The position of Managers is dependent upon context.
As with Businesses, we are processors of user account data supplied by Managers, and we are controllers of any personal data that we use for our marketing, administrative and record-keeping purposes.
The Manager's role in relation to Contractor personal data depends upon the relationship between the Manager and the relevant Business: the Manager may be either a controller or a processor.
To the extent that the Manager is providing professional advisory services using personal data, the Manager is likely to be acting as a controller with respect to that data. On the other hand, if the Manager is exclusively providing administrative services using that personal data, the Manager is likely to be a processor.
If the Manager is a controller, its compliance obligations will include the obligation to provide Contractors with information about the Manager's use of Contractor data; and if the Manager is a processor, the Manager's (and the relevant Business's) compliance obligations include an obligation to enter into a written contract covering personal data processing in accordance with the requirements of Article 28 of the GDPR.
The production and use of Status Determination Statements may involve automated processing that has legal effects or similarly significant effects on Contractors. This type of automated processing is generally prohibited under Article 22 of the GDPR. Our processing is necessary for the performance of the contracts between us and Contractors – and is therefore not prohibited.
Where Article 22 applies, we do however have an obligation to implement suitable measures to safeguard Contractors' rights and freedoms and legitimate interests with respect to the automated processing.
In the case of Contractors providing Status Determination Statements to Businesses, the decision of whether to engage a Contractor is made by the Business and, accordingly, the measures we have implemented enable a Contractor to notify the Business directly of any dispute, provide details of the dispute to the Business and request human intervention in resolving the dispute.
When we act as a processor of personal data, we have an obligation under our standard contracts to delete personal data not more than 12 months following contract termination. We retain data for this period in case a customer asks for the service to be reactivated. However, upon request we will delete all relevant personal data from our systems and media at or after the end of the 30-day period following termination.
We recognise, however, that these documents do not address every facet of data protection compliance and, if you have any questions about our approach to these issues, please do not hesitate to get in touch.