SAAA – Privacy Notice

Smaller Authorities Audit Appointments Limited (SAAA) Ltd is a not-for-profit company limited by guarantee incorporated in England and Wales, registered number 09915776, whose registered office is at 77 Mansell Street, London E1 8AN.

Under the Data Protection Act 2018 and the General Data Protection Regulation (2016/679) (the data protection laws), we are required to explain to data subjects why we collect their personal information, how we intend to use the information we receive and whether we will share this with anyone else.

This privacy notice explains what to expect when Smaller Authorities Audit Appointments Limited (SAAA) collects personal information in the course of its business operations. It also summarises the rights of the data subject in relation to their data collected. The notice
applies to information we collect about:

  • individuals in specific posts at authorities that have opted into SAAA’s auditor appointment scheme, in connection with SAAA’s responsibilities as a specified appointing person under the Local Audit and Accountability Act 2014;
  • individuals in organisations that are key stakeholders for SAAA, in connection with its statutory responsibilities;
  • partners and employees of audit firms with which SAAA has audit contracts;
  • individuals at suppliers of goods and services to SAAA;
  • job applicants, employees, contractors, current and former Board members;
  • members of the public making enquiries or complaints to SAAA; and

The information we collect

SAAA is responsible for appointing external auditors to all smaller authorities. Except for the financial and human resources information we require to run our company, the personal information we collect relates only to our auditor appointment duty.

The type of information we hold about you

The information we hold about you may include the following:

  • your personal details (such as your name and/or address);
  • our correspondence and communications with you;
  • information about any complaints and enquiries you make to us;
  • information we receive from other sources, such as publicly available information.

Individuals at authorities to which SAAA appoints the auditor

SAAA is required under the Local Audit (Smaller Authorities) Regulations 2015 (the Regulations) to appoint an auditor to all opted-in authorities, to oversee the independence of any auditor it has appointed, and to monitor compliance of auditors against the contractual obligations of SAAA’s audit contracts. The Regulations require SAAA to maintain and publish on its website a record of the smaller authorities that are opted-in authorities.

To support these requirements, the audit firms collect and record the name and contact details for the Clerk/Responsible Financial Officer and Chairman of each smaller authority, keep the details updated and supply a copy of the database to SAAA on request.

Individuals at SAAA’s other stakeholders

SAAA’s duties require it to communicate with or consult a variety of national stakeholders, for example SAAA consults representative membership associations of smaller authorities. SAAA therefore records the name and contact details for relevant individuals at key
stakeholder organisations. Details are updated annually, and outdated records are not retained. Details are not shared outside SAAA.

Partners and employees of audit firms

SAAA has contracts with audit firms to review the Annual Governance and Accountability Return (AGAR) of smaller authorities. Details of the audit firms with contracts for the current appointing period are available on the SAAA website. SAAA maintains records of the name and contact details of the contact partner for each firm, and of the engagement lead and audit managers allocated by the firm for the opted-in authorities to which it is appointed by SAAA.

Suppliers of goods and services to SAAA

SAAA maintains records of its suppliers of goods and services, including names and contact details of individuals where needed to support contract and payment management. Details are retained for a period of six years after the financial year to which the details relate.

Job applicants, employees, contractors, current and former Board members

SAAA is the data controller for the information you provide, unless otherwise stated. The information you provide will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements relating to your employment or office holding. We will only share information with third parties where this is required to fulfil our legal or regulatory requirements. The information you provide will be held securely by us and our data processors whether the information is in electronic or physical format. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

Information you provide during any application process will be retained by us as part of your employee/contractor/office holder file for the duration of your employment plus 6 years following the end of your employment. If you are unsuccessful the information you have provided until that point will be retained for 6 months.

Members of the public making enquiries or complaints

When we receive an enquiry or complaint, we use the personal information provided to respond to the enquirer or complainant. For complaints, we need to disclose the complainant’s identity to whoever the complaint is about.

We will keep personal information contained in complaints for a period of three years from our response to the complaint.

Data retention

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.

When assessing what retention period is appropriate for your personal data, we take into consideration:

  • the requirements of our business and the services provided;
  • any statutory or legal obligations;
  • the purposes for which we originally collected the personal data;
  • the lawful grounds on which we based our processing;
  • the types of personal data we have collected;
  • the amount and categories of your personal data;
  • Professional or legal advice we may have received.

Your rights

Under certain circumstances, by law you have the right to:

  • Request access to your personal data. This enables you to receive details of the personal data we hold about you and to check that we are processing it lawfully.
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this basis.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible.

You also have the right to complain to the Information Commissioner’s Office (the ICO) if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire,
SK9 5AF. Their information may be found at

Contacting us by email

Any email sent to SAAA, including any attachments, may be monitored by us for reasons of security. Email monitoring or blocking software may be used.

Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

How to contact us

If you want to request information about our privacy policy or have any concerns or questions about our use of personal data, you can email us at: