Fair processing notice: Professional members

Last updated: 28 March 2024

This fair processing notice applies to AAT professional members, including those applying for full membership (MAAT), fellow membership (FMAAT), and bookkeeping membership (AATQB).

The data we collect about you

  • Your name, contact details and country of residence
  • Personal details like your date of birth, gender and address history
  • Employment details like your organisation name and job title
  • Details of your membership with us and other awarding bodies, such as your AAT membership ID, membership approval date and all status changes regarding your membership
  • Your education and business information, such as your qualification records, CPD details, professional references, work experience history, membership of other Awarding Bodies and Practice Management
  • Payment information, including your bank details for direct debit payments
  • Sensitive personal data such as ethnic background and certain health information you may voluntarily disclose in respect of your personal circumstances, such as details of disabilities
  • Responses to Fit and Proper assessment and relevant investigation data, including criminal convictions and offences, insolvency, sanctions with other professional bodies or regulators and civil sanctions, and personal circumstances
  • Any other relevant personal information contained in your application forms, supporting documents uploaded (such as your photo ID) with your application, or that you may provide to us with consent (such as responses to surveys and personal stories for marketing material)
  • The name, contact details, job titles and relationship to you of any nominated referee or employer contacts.

You can view and update most of your personal details at any time in the "Edit my details" service. For a change of name please contact our Customer services team providing a copy of your marriage certificate or deed poll certificate, along with your membership number, to customersupport@aat.org.uk.

What we do with your data and on what grounds

We can only process your personal data if we have a basis to do so which is permitted by law. This may be that you have given your consent, or one of the other bases for data processing outlined below.

  • Performance of a contract with you. We process your personal data where it’s necessary to fulfil a contract with you or to take steps, at your request, before entering into such a contract.
  • Necessary for our legitimate interests. We process your personal data as and when necessary to do so in order to conduct and manage our business to provide you with the best service and experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We don’t use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • Necessary to meet our legal obligations. We process your personal data where it’s necessary for compliance with legal or regulatory obligations.

Purpose/activity and lawful basis for processing (including basis of legitimate interest)

Purpose/activity: Managing our online Continuing Professional Development record service.
Lawful basis:
  • Performance of a contract with you

Purpose/activity: Granting assistance, to offer support to members experiencing financial hardship.
Lawful basis:
  • Performance of a contract with you
  • Your explicit consent (in respect of sensitive personal data)

Purpose/activity: Monitoring equality and accessibility to AAT courses and qualifications with regards to gender, ethnicity and disability status, including producing anonymised and aggregated statistics.
Lawful basis:
  • Your explicit consent

Purpose/activity: Managing payment, including to:
  • process invoices and payments, including card and direct debit payments
  • manage reduced fees - see also Applying for a reduced subscription
  • enable employers to pay members' fees
Lawful basis:
  • Performance of a contract with you
  • Necessary for our legitimate interests (to recover debts due to us)

Purpose/activity: Processing your membership or licence renewal.
Lawful basis:
  • Compliance with our legal obligations

Purpose/activity: To communicate with branches and support them to run the branch, including through running and monitoring engagement with branch events.
Lawful basis:
  • Necessary for our legitimate interests (to manage our branches)

Purpose/activity: Marketing and promotional communications, including to:
  • market to existing members via post, SMS, email and social media
  • market to existing members on behalf of third parties
  • communicate third party campaigns to AAT members
  • communicate non-essential information and send relevant promotional information
  • invite people to participate in surveys, research, interviews and focus groups to provide feedback about an AAT product or service, and process feedback received and follow up with responses if appropriate. Research is conducted by AAT and/or a chosen third party.
Lawful basis:
  • Your consent (if received)
  • Necessary to our legitimate interests (to improve our business offering) - where you have bought a related product/service

Purpose/activity: Administering free prize draws and competitions. You can email aat.research@aat.org.uk to opt out at any time.
Lawful basis:
  • Our legitimate interest to incentivise participation in surveys, interviews and focus groups

Purpose/activity: To invite people to provide feedback about an AAT product or service, and process feedback received and follow up with responses if appropriate.
Lawful basis:
  • Necessary to our legitimate interests (to improve our business offering)

Purpose/activity: To make important communications relevant to your membership.
Lawful basis:
  • Performance of a contract with you
  • Necessary for our legitimate interests (running our business)
  • Necessary to meet our legal obligations (statutory communications, eg AGM notice)

Purpose/activity: Customer support in relation to your application and membership, including to:
  • address enquiries and resolve issues
  • enable access to third party services made available as a benefit of membership.
Lawful basis:
  • Performance of a contract with you
  • Supporting activities performed under our legal obligations
  • Supporting activities performed with your consent.

Purpose/activity: To meet our legal obligations, including:
  • data management, including to assess and maintain the quality of data stored, including dealing with returned mail and bounced emails and performing analysis on the completeness and correctness of data
  • to meet our regulatory reporting obligations.
Lawful basis:
  • Necessary to meet our legal obligations

Purpose/activity: To manage complaints and breaches of our regulatory framework and policies, including investigating incidents, publishing consent orders and sanctions and maintaining records for future reference*
Lawful basis:
  • Performance of a contract with you
  • Performance of a task carried out in the public interest or in the exercise of official authority
  • Supporting activities performed under the substantial public interest (in respect of your sensitive personal data)

Purpose/activity: Product development and quality control, including to:
  • recruit end users to test the website and other services
  • maintain internal quality levels by conducting call, email and CRM audits
  • identify trends and gather insight relating to AAT products and services
  • monitor engagement with third party services and branch events.
Lawful basis:
  • Necessary for our legitimate interests (to improve our business offerings)

Purpose/activity: Managing your MAAT, FMAAT and AATQB membership applications, including to:
  • ensure members are suitable for membership including meeting our fit and proper requirements and Continuing Professional Development (CPD) policy
  • register, renew and reinstate members including ensuring data held is up to date and accurate
  • send essential communications about renewals, lapses and direct debit collections
  • process your MAAT, FMAAT and AATQB applications.
Lawful basis:
  • Performance of a contract with you
  • Supporting activities performed in the substantial public interest (in respect of sensitive personal data)

Purpose/activity: To meet our legal obligations, including to fulfil regulatory requirements to share data related to investigations with other supervisory and regulatory bodies.
Lawful basis:
  • Necessary to meet our legal obligations
  • Supporting activities performed in the substantial public interest (in respect of sensitive personal data)

Purpose/activity: IT system administration, to administer internal systems including maintaining access rights, troubleshooting issues and maintaining databases and backups.
Lawful basis:
  • Performance of a contract with you
  • Necessary for our legitimate interests (for running our business)

* AAT may use information provided as part of a complaint regarding professional and licensed members for the purposes of our investigation and disciplinary process within the meaning of the Professional Standards Investigation policy, and for the prevention and detection of crime. AAT may share details of the complaint with AAT’s Discipline and Conduct Panel members, or our oversight regulators, and law enforcement agencies upon their request or when we are legally obligated to disclose such as the submission of suspicious activity reports to the National Crime Agency. Hearings of AAT’s Disciplinary Tribunal in accordance with AAT’s Disciplinary Regulations and the Appeals Committee in accordance with AAT’s Appeals Regulations are open to the public and all orders and findings are publicised unless determined otherwise. This will include details of the member that a case relates to but would not include the details of the complainant. If your complaint is against a member who holds dual membership status, we may also share details with other professional bodies.

For details of your rights see our main Privacy policy.

Automated decision making

As part of our professional membership services, we use a partly automated computer process, without profiling, for straightforward decisions regarding approval for membership; this forms part of the performance of our contract with you. Where possible, the system automatically approves you for membership where the answers provided satisfy pre-defined criteria. Where further supporting evidence is required and the system is unable to automatically approve your application, it will be referred for manual review before a decision is made to approve or reject it, in accordance with your right to human intervention, affording you an opportunity to express your views and a mechanism to contest any decision taken.

We do not currently take, and do not envisage taking, any decisions about you using solely automated means; however, we will notify you in writing if this position changes.

Who we share your personal data with

  • Our branches
  • Your employers (if employed by an accredited employer who is set up for results sharing)
  • Supervisory/regulatory bodies (including the Financial Conduct Authority), law enforcement and independent investigators relating to disciplinary investigations and complaints
  • The public, in relation to information regarding any disciplinary outcomes (which may include your name, membership number, alleged misconduct and sanctions).

Our use of data processors

We use a third-party supplier of an IT system (Jotform) to complete student, licensed, and member applications. This system is hosted in Europe. 

We use a third-party supplier of a Customer Relationship Management (CRM) IT system, hosted within the UK by our IT service provider. We also use a second CRM system, HubSpot, hosted in Europe.

We also use Microsoft Office 365 to process email and for file storage, hosted within the EU, and a third-party email archive system hosted within the UK.

Other third-party data processors might also include:

  • consultancy
  • benefits and rewards
  • printing
  • mailing and payment services
  • independent investigators/expert witnesses relating to disciplinary investigations.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection legislation. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

Where we get your data from

Other than directly from you, we may also receive personal data from the following third party sources:

  • Publicly available sources, such as returned post
  • Our payment providers, such as BACS
  • Our third-party service providers of IT, user testing, consultancy, benefits and rewards, printing, mailing and payment services
  • Professional bodies and law enforcement agencies.

How long we keep your data

  • Your basic membership records, such as name, address history, membership statuses, work experience history and other awarding bodies and practice management details will be retained for 70 years from the end of your membership to support required reporting and professional queries.
  • If you’ve undertaken any AAT assessments, information on these will be retained for 70 years from the date of assessment, as will information on qualifications awarded.
  • If you’ve submitted any medical evidence to support Reasonable Adjustment and Special Consideration requests, this will be retained for 7 years from the end of the adjustment period.
  • Correspondence such as email is retained for a maximum of 2 years.
  • Credit card details will be managed in line with the Payment Card Industry Data Security Standard (PCI DSS). We do not store or retain any electronic credit card data and use third party payment provider services to process card payments. Card data provided on hardcopy application forms will be securely destroyed once processed.
  • Direct Debit instructions will be retained for 2 years from the date your direct debit is cancelled.

Transferring your data overseas

We transfer your data to the European Economic Area (EEA) and the USA, as detailed above with regards to data processors.

We rely on the Standard Contractual Clauses for data transferred to the USA to ensure the protection of the rights and freedoms of individuals concerned. Transfers to Europe are based on the UK adequacy decision with regards to EEA countries.
