Privacy Policy

This policy applies to the following business and trading names:

Hughes Spencer, which is a trading name of Hughes Spencer Limited. Registered company number 07282064

Cornish & Co, which is a trading name of Hughes Spencer Limited. Registered company number 07282064

This privacy policy explains how we use any personal information we collect about you when you use our services.

Glossary of Terms and Definitions
Personal Data

Personal data relates to any information about a natural person which identifies you. This may include the following, but is not limited to:

- Names, email addresses and telephone numbers
- National Insurance Numbers
- Tax References
- Date of Birth
- Address
- Payroll data
- Credit History
- Photographic ID
- Place of Birth
- Family members' names

Sensitive personal data refers to the above but includes genetic data and biometric data, e.g.:

- Medical conditions
- Religious or philosophical beliefs and political opinions
- Racial or ethnic origin
- Convictions
- Biometric data (e.g. photo in an electronic passport)

What is a Data Controller?
For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purpose for which and the way in which any personal data is processed and stored. Our data controller is Hughes Spencer Limited, 12 Acorn Business Park, Northarbour Road, Cosham, Hampshire PO6 3TH. The data protection officer is Michelle Jarvis who can be contacted at the above address or on or by calling 023 92250 931.

What is a Data Processor?
A “data processor” is a person or organisation which processes personal data for and on behalf of the controller.

What is Data Processing?
Data processing is any operation or set of operations performed using personal data, be it by automated systems or not. Examples of data processing listed explicitly in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.

What do we mean by “Business to Business”?
LTD, LLP incorporated partnerships, trusts and foundations, local authorities and government institutions.

What do we mean by “Business to Consumer”?
Private clients, sole traders, partnerships, trusts and foundations.

What Information Do We Collect About You?
Hughes Spencer, as a Data Controller, is bound by the General Data Protection Regulation (GDPR).

You (as a client) agree that we are entitled to obtain, use and process the information you provide to us to enable us to discharge the Services (as defined in our letter of engagement) and for other related purposes:

• Updating and enhancing client records
• Analysis for management purposes
• Statutory Returns
• Legal and regulatory compliance
• Crime prevention

At Hughes Spencer we take the protection of your privacy very seriously. This privacy policy explains how we use any personal information that we collect about you.

How Do We Collect Information About You?
We obtain information about you:

• When you engage us for professional services
• When you enquire about a potential engagement with us
• When we are engaged to act as a data processor on behalf of a data controller (for example when we carry out our payroll services on behalf of an employer)
• When you provide us with your personal details upon applying for a role within the firm, when you contact us via our website, or sign up to receive our mailings.

We may hold data from you for money laundering purposes such as photographic ID and confirmation of address. This data will only be processed for the purpose of preventing money laundering under the Money Laundering Regulations 2017, Proceeds of Crime Act 2002, Criminal Finances Act 2017, Terrorism Act 2000 and Counter Terrorism Act 2008.

Information we collect from you will generally be obtained directly or from a third party which you have provided authority to us as your agent.

If we are acting as a data processor, the information may be passed to us via the data controller.

What Type of Information do we Collect About You?
For our professional service, the information collected from you may relate to you personally and financially. For example, we may record your name, address, telephone number, email address, date of birth, Unique Tax Reference (UTR), National Insurance number, bank account details, data in relation to your personal tax and data regarding your business.

This could be a service for either you or a third party who has engaged us. For example, we may need to obtain personal data when we are acting as a data processor on behalf of a data controller (such as payroll services for an employer or bookkeeping services for a client).

For job applicants, we may collect personal details such as contact details, date of birth, education, skills, previous employment, medical conditions, marital status, ethnic origins and CV.

Why Do We Need to Collect and Use Your Personal Data?
Our primary basis for processing personal data is for the performance of our engagement for our clients and with our staff.  This can include the processing of personal data when we are engaged by a data controller to provide our service as a data processor.

The information that we collect is essential for us to be able to carry out the agreed contract effectively.  We will also use the data to notify clients of any updates that we feel are relevant to them, for example, updates to tax legislation.  Where possible this information will be communicated electronically.

How Will We Use The Information About You?
For all of our business services as a data controller and a data processor we may use your information to:

• Contact you by telephone, email or post
• Maintain our records in accordance with Government’s obligations and good practice.
• Process financial transactions
• Verify your identity when required
• Prevent and detect corruption, fraud or crime
• Complete our services as agreed by you
• Understand your needs and how they need to be met
• Ensure that the confidentiality of your sensitive information is maintained
• Market our business and improve our services

For our applicants and staff:
• Consider you for a position within the firm
• Ensure our business policies are adhered to and records are maintained in accordance with legal, regulatory and corporate governance requirements and good practice.
• Report statistics such as gender pay gap information and diversity
• Where necessary, vetting

Who Might We Share Your Information With?
If you are a client of Hughes Spencer, to enable us to deliver our service to you professionally and effectively we may send your details to third parties, such as those we engage for compliance, accountancy or legal services, as well as platform providers that we use to manage bookkeeping.

All of our client data is held externally, off site, on a secure hosted server environment which is UK based, and appropriate security is in place that complies with all legislative and regulatory requirements.

If your personal data needs to be forwarded to yourself or a third party (for example a mortgage advisor) we will use appropriate security measures to protect your data.

We will not share any of your information for marketing outside of our company.

Any of our staff who have access to your information have a duty of confidentiality under our ethical standards that we are required to follow.

Transferring Your Information Outside of Europe
As part of our services offered to you the information which you give us may be transferred to countries outside the European Union (“EU”). For example, some of our third-party providers may be located outside of the EU. Where this is the case we will take steps to make sure the correct security measures are in place so that your privacy is protected. By submitting data to us you are agreeing to the transfer, processing and storage of data.

How Long Will We Hold Your Data For?
Under the terms of our contract for services with you we should not hold personal data for longer than is required.  However, we are subject to regulatory requirements to retain data for specific minimum periods (a minimum of 7 years).  Where we consider it is in your interests to hold the data longer we will do so.

For human resources, when you have applied for a position within this firm and have been unsuccessful we will keep your data for a maximum of 1 month past the vacancy fulfilment.

For staff, we will keep your personal data for a minimum of 7 years after your employment ceases.

For potential new clients, data will be kept for a year.

Security Precautions
When you give us personal information we will take the appropriate steps to ensure that it is treated securely.

Sensitive information such as credit or debit card details is always encrypted and protected using 128-bit encryption on SSL.

Non-sensitive data such as email addresses is sent over the internet, and this can never be guaranteed to be 100% secure. All attachments to emails that hold personal data will be encrypted or sent via an electronic signing programme.

We cannot guarantee the security of any information you transmit to us, and you do so at your own risk.

Where we have given you or you have given us a password which enables us to access your data, it is your responsibility to keep this password safe, secure and confidential (please do not share it).

Cookie Policy
Our website uses cookies to store information on your computer. Cookies help us to provide you with the best experience of the website.

If you have any questions about the following information please email

Your Rights
Access to your information

It is your right to request a copy of the information that we hold about you.

If you would like a copy of some or all of the personal information that we hold about you, please email or write to us at the address at the bottom of this document. We will respond to this within one month of receipt of your request.

To ensure your data is accurate and up to date you may ask us to correct or remove information you think is inaccurate. To do this please email or write to the address at the bottom of the document.

Deletion of your Information
You have the right to request that we delete your personal data and we will comply with this request subject to any restrictions of our regulatory obligation and legitimate interests.

Objections to Processing of Personal Data
It is your right to object to the use of your data for processing if you feel the grounds relating to your situation apply.

The only reasons we will be able to deny your request are if we can show compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is for the establishment, exercise or defence of legal claims.

Should you wish for us to completely delete all information that we hold about you please email or write to the address at the bottom of the document.

You have the right to lodge a complaint at the Information Commissioner’s Office if you feel your personal data has been processed in a way that does not meet the GDPR.

How to Contact Us
Please contact us if you have any questions about our privacy policy or information we hold about you:

• By email:
• Or write to Hughes Spencer Limited, The Stables, Stansted Park, Rowlands Castle, Hampshire, PO9 6DX