Alan Steel Asset Management is a Data Controller for the purposes of the General Data Protection Regulation (GDPR) as enacted by the Data Protection Act 2018. We collect, use and retain your data using the permission of Legitimate Interest, in other words we need the data we collect from you in order to provide the services you wish us to provide for you. These services are laid out in your engagement letter.

We may amend this privacy notice from time to time. If we do so, we will supply you with and/or make available to you a copy of the amended notice.

If you use our website there is a separate terms of use on the website which includes details of collection and use of data via the website. This also provides details of our use of cookies and analytics together with information as to the company who looks after our website.

We collect and hold personal data about you to enable us to provide our service.  We may only ask for personal data that we really need. If we are preparing a self-assessment return for you, or reviewing your annual tax position the checklist sentwith our 6th April letter will set out the information required on the basis of the previous year’s tax return or review. Any other service will be detailed in your engagement letter. 

This is a contractual arrangement in order for us to deal with your tax affairs on your behalf and as such is governed by Legitimate Interest and does not therefore require consent.  You do not therefore have the right to withdraw from the exchange of personal data in the way that you can withdraw consent.  It is a requirement of our contract that you provide us with the personal data that we request.  If you choose not to provide the personal data requested, we may not be able to provide our services to you or may need to cease to act on your behalf.

We collect your personal data from you, from third parties with your permission and  via HMRC (for example your state pension/tax code). Whilst applying our process we may create new personal data in addition to the personal data you provide to us.

For a husband and wife, civil partnership, joint relationship each person is legally responsible for their own tax affairs and will receive an engagement letter. However if you choose to sign both letters to give us permission we will consider your combined tax position and speak to each of you about the other.

Where services are provided for a child, the records are held under the child’s name and are the personal data of the child who may be the subject of an access request in their own right. A child may access their own records from the age of 13 even though a parent signature may be required on their behalf to process other matters.  A child’s personal data is subject to this privacy notice in the same way as an adult subject.

We do not process or hold your data outside the UK and the EEA.  However we use tax software and a cloud storage facility with regard to your tax records via a company called TaxCalc.  They in turn use an Isle of Man company for part of the process. Whilst the IOM is outside the UK and EEA it does have equivalent data protection security standards to GDPR.  You can find details of TaxCalc’s privacy policy and information security policy at

We never sell your information and will only pass it on to other parties with your express permission for example to a lender for a mortgage application.

To fulfil our obligations in respect of prevention of anti-money laundering and other financial crime we may send your details to third party agencies for identity verification purposes.

We will store, archive and retain this personal data about you.

In addition to the specific tax services purposes for which we may process your personal data we will also process in order to comply with any legal obligation to which we are subject, or in order to protect your vital interests or those of any natural person.

We may also process your data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or out of court. This is covered by Legitimate Interest being the protection and assertion of our legal rights, your legal rights and the legal rights or others.

We may process your personal data in order to obtain or maintain insurance cover, manage risk, or obtain professional advice in order to protect our business against risks and as such we do so under Legitimate Interest.

Any of your personal data we retain must be pertinent, accurate and held for an appropriate length of time.  We rely on you to keep us informed of any changes to ensure that our records remain accurate.  To meet the requirements of GDPR and HMRC we will keep your data for 7 years from the end of the tax year after which time it will be destroyed. With the exception of the original costs of an asset which will be kept until the asset is disposed ofor if you cease to be a client 7 years from the end of the tax year in which you cease to be a client.

Please note that this means that you will have to keep the paperwork we return to you if you wish to still be able to access it as we will not be able to provide copies.

We care about the security of your personal data.  

We have Palo Alto and Symantec based cloud, network perimeter and endpoint security.  We have encrypted local backups and encrypted cloud backups. As of 03-09-2018 we will have SAN self-encryption on data at rest as well as local and network control policies.

Emails containing personal data are encrypted and identifiers within your personal data, relating to yourself or your investments, are kept to a minimum where possible.

Electronic communications between, us and you, and us and appropriate third parties are capable of data corruption and we do not accept responsibility for changes made after dispatch.

We do not permit staff to store your personal data on any portable device, laptop, tablet or smart phone unless using the protection of off-site access through Citrix.  Any local storage directly onto the device is prohibited. The use of memory sticks is also prohibited and the office computers have their USB access locked.

You have rights under GDPR with regard to your personal data.

You may make a subject access request - that is to be provided with a copy of anypersonal data we hold about you.  We may comply with this request either electronically or by paper.  Any such request must be met within 30 days.

You also have the right to have your data transferred from one controller to another.

You have the right to be forgotten under GDPR - that is that you may request thatall personal data held for you is destroyed.  As stated above however we are obliged by HMRC to retain data for 7 years. If you make a request during the 7 years it may be the case that we are unable to allow a right to be forgotten request in part or all.

You have the right to complain about the way your data is dealt with, stored, archived, retained or if there has been any breach with regard to the safety of your data.  If there is a breach, under certain circumstances, there is a mandatory requirement for us to report the breach to the ICO and there is a requirement for us to inform you.

Your complaint should be made to:

ICO Head Office (England):

Wycliff House, Water Lane, Wilmslow, Cheshire, SK95A7

Tel 0303 123 1113

Please contact us if you have any questions about our Privacy Notice or information we hold about you:

by email at

or write to us:  

For the Attention of Karen Barlow (Compliance Manager)  

Nobel House, Blackness Road, Linlithgow, EH49 7HU

Version 1 (250418)