IR35 Shield and Data Protection Law
Here at IR35 Shield, we take data protection compliance very seriously. However, the application of data protection law to our operations is not always straightforward.
This is because:
- through our systems, we interact with several categories of user;
- personal data can be shared between users in different categories; and
- the purposes for which personal data is used vary depending upon context.
This document is designed to help our users, customers and business partners to understand how our activities fit into the regulatory framework.
Types of actor
The UK's General Data Protection Regulation (GDPR) regulates the processing of personal data in and in relation to the UK.
The GDPR recognises three main categories of actor in relation to personal data: data subjects, controllers and processors.
Data subjects are living human beings:
… an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controllers are actors who process others' personal data for their own purposes:
'controller' means the natural or legal person … which, alone or jointly with others, determines the purposes and means of the processing of personal data …
Processors act purely on behalf of controllers:
'processor' means a natural or legal person … which processes personal data on behalf of the controller;
In some circumstances we will act as a controller of personal data, while in other circumstances we will act as a processor. In both cases, we are subject to a range of obligations under the GDPR and related laws.
Where we act as a controller, data subjects can exercise their legal rights against us directly; where we act as a processor, those rights are usually exercised indirectly through the relevant controller.
IR35 Shield for Contractors
Individual contractors ("Contractors") use this service directly to conduct status evaluations. They have their own accounts and buy services directly from us.
We collect and use the personal data of both IR35 Shield member Contractors and non-member Contractors.
When you register as a Contractor, and when you complete an IR35 assessment, generate a Status Determination Statement or use our similar services, we will collect your personal data. We are a controller of all Contractor personal data.
We will use Contractor personal data to provide our services to the Contractor in question, and if the Contractor completes an IR35 assessment at the request of an IR35 Shield for Business customer, we will use that personal data to provide services to that customer, including supplying Status Determination Statements to that customer. We will also store copies of a Contractor's Status Determination Statements for our own analysis and record-keeping purposes.
See our privacy policy for full details of how we handle Contractor personal data.
IR35 Shield for Business
Hiring firms ("Businesses") pay for a licence to use this service to make status determinations for individuals. Those individuals must create their own IR35 Shield for Contractors accounts before completing assessments for Businesses.
Businesses are always legal rather than natural persons, and so they cannot be data subjects. Nonetheless, there are three different categories of personal data that we handle in relation to IR35 Shield for Business.
First, we collect and use certain personal data of Business staff for our own marketing, administrative and record-keeping purposes. We are a controller of this personal data and our privacy policy applies.
Second, we handle user account data of the Business's staff. We are a processor of this personal data, not a controller. Our standard IR35 Shield for Business contract includes data processing clauses that set limits on what we can do with this personal data. For example, we will delete this personal data if our contract with the relevant Business terminates.
Third, we handle the personal data of Contractors, including IR35 assessment inputs, Status Determination Statements and similar service inputs. As explained above, we are a controller of this personal data, and we will only use it in accordance with our privacy policy. A Business will usually be an independent controller of the personal data of Contractors who complete IR35 assessments at the request of that Business, and accordingly will have independent obligations to provide information to Contractors about the ways in which that personal data is handled by the Business.
We are occasionally asked by Businesses why we cannot be a processor with respect to the personal data of Contractors. We use the Contractor data to provide services to Contractors and for our own analysis and record-keeping purposes – and use for these purposes would be incompatible with processor status. Even though we are a controller of Contractor data, that does not mean we are free to do anything we like with it. Our IR35 Shield for Business contract includes special protection for Businesses' confidential information. We are also bound by our privacy policy and the obligations we owe to Contractors as data subjects.
IR35 Shield Manager
Outsourced assessment providers ("Managers") pay for this service and can use it to provide services to Businesses.
The position of Managers is dependent upon context.
As with Businesses, we are processors of user account data supplied by Managers, and we are controllers of any personal data that we use for our marketing, administrative and record-keeping purposes.
The Manager's role in relation to Contractor personal data depends upon the relationship between the Manager and the relevant Business: the Manager may be either a controller or a processor.
To the extent that the Manager is providing professional advisory services using personal data, the Manager is likely to be acting as a controller with respect to that data. On the other hand, if the Manager is exclusively providing administrative services using that personal data, the Manager is likely to be a processor.
If the Manager is a controller, its compliance obligations will include the obligation to provide Contractors with information about the Manager's use of Contractor data; and if the Manager is a processor, the Manager's (and the relevant Business's) compliance obligations include an obligation to enter into a written contract covering personal data processing in accordance with the requirements of Article 28 of the GDPR.
Automated processing
The production and use of Status Determination Statements may involve automated processing that has legal effects or similarly significant effects on Contractors. This type of automated processing is generally prohibited under Article 22 of the GDPR. Our processing is necessary for the performance of the contracts between us and Contractors – and is therefore not prohibited.
Where Article 22 applies, we do however have an obligation to implement suitable measures to safeguard Contractors' rights and freedoms and legitimate interests with respect to the automated processing.
In the case of Contractors providing Status Determination Statements to Businesses, the decision of whether to engage a Contractor is made by the Business. Accordingly, where a Contractor disputes a Status Determination Statement, the measures we have implemented enable the Contractor to notify the Business directly of the dispute, provide details of the dispute to the Business and request human intervention in resolving the dispute.
Data retention
When we act as a processor of personal data, we have an obligation under our standard contracts to delete personal data not more than 12 months following contract termination. We retain data for this period just in case a customer asks for the service to be reactivated. However, upon request we will delete all relevant personal data from our systems and media at or after the end of the period of 30 days following termination.
Any questions
If you have a specific question about our handling of personal data, you may be able to find the answer in our privacy policy, or our information security policy, or in the data processing clauses in our customer and partner contracts.
We recognise, however, that these documents do not address every facet of data protection compliance and, if you have any questions about our approach to these issues, please do not hesitate to get in touch.