1.1 We are committed to ensuring the secure and safe management of the data we hold about you. Our staff members have a responsibility to comply with the terms of this policy, and to manage your data in accordance with this policy and any documentation referred to in it.
1.2 We need to gather and use certain information about you, other service users, our staff and other individuals that we have a relationship with. We manage a significant amount of data, from a variety of sources. This data contains Personal Data and Sensitive Personal Data (known as Special Categories of Personal Data under the GDPR).
1.3 This Policy sets out our duties in processing that data, and the procedures for the management of such data.
2.1 It is a legal requirement that we process data correctly and that we collect, handle and store personal information in accordance with the relevant legislation.
2.2 The relevant legislation in relation to the processing of data is:
(a) The General Data Protection Regulation (EU) 2016/679 (“the GDPR”).
(b) The Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications).
(c) Any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union.
3.1 We hold a variety of data relating to you, which is known as Personal Data. The Personal Data held and processed by us is detailed within our Fair Processing Notice.
3.1.1 Personal Data is data from which a living individual can be identified, either from that data alone or in conjunction with other data held by us.
3.1.2 We also hold Personal Data that is sensitive in nature, for example data that relates to or reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning your health, sex life or sexual orientation. This is "Special Category Personal Data" or "Sensitive Personal Data".
4.0 Processing of Personal Data
4.1 We are permitted to process Personal Data relating to you provided we are doing so on one of the following grounds:
- Processing with your consent (see section 4.3)
- When processing is necessary for the performance of a contract between us and you, or in order to enter into a contract with you
- When processing is necessary for compliance with a legal obligation to which we are subject
- When processing is necessary to investigate any complaint you make about our service
- When processing is necessary to protect the vital interests of you or another person
- When processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- When processing is necessary for the purposes of legitimate interests pursued by us or by a third party, except where those interests are overridden by your interests or fundamental rights and freedoms
4.2 Fair Processing Notice
4.2.1 We have produced a Fair Processing Notice (FPN) which we provide to all our customers whose Personal Data we hold. The FPN is provided to our customers from the outset of the processing of their Personal Data.
4.2.2 Our FPN sets out the Personal Data processed by us and the basis for that processing.
4.3 Consent
4.3.1 Sometimes we will require consent to process Personal Data where no other ground for processing is available. Consent must be freely given, and we will ask you to sign a consent form if you are willing to consent. Any consent we obtain must be for a specific and defined purpose (i.e. general consent cannot be sought). You may withdraw your consent at any time, and we will stop the processing that relied on it.
4.4 Processing of Special Category Personal Data or Sensitive Personal Data
4.4.1 In the event that we process your Special Category Personal Data or Sensitive Personal Data, we do so in accordance with one of the following grounds of processing:
- You have given explicit consent to the processing of this data for a specified purpose
- It is necessary for carrying out obligations or exercising rights related to employment, social security or social protection law
- It is necessary to protect your vital interests, or those of another person, where you are physically or legally incapable of giving consent
- It is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity
- It is necessary for reasons of substantial public interest
5.0 Data Sharing
5.1 We share data with various third parties for a range of reasons, so that our day-to-day activities can be carried out in accordance with our relevant policies and procedures. So that we can monitor compliance by these third parties with Data Protection laws, we require third party organisations to enter into an agreement with us governing the processing of data, the security measures to be implemented and responsibility for breaches.
5.2 Personal Data Sharing
5.2.1 From time to time your personal data is shared between us and third parties who also need to process it. In such cases both we and the third party process your data in our separate capacities as data controllers.
5.2.2 Where we share the processing of your personal data with a third party organisation, we will require that organisation to enter into a Data Sharing Agreement with us.
5.3 Data Processors
5.3.1 A data processor is a third party entity that processes your personal data on our behalf, and is typically engaged where some of our work is outsourced.
5.3.2 A data processor must comply with Data Protection laws. Our data processors must ensure they have appropriate technical and organisational security measures in place, maintain records of their processing activities and notify us without undue delay if they suffer a data breach.
5.3.3 If a data processor wishes to sub-contract any of its processing, it must first obtain our prior written consent. Where processing is sub-contracted, the data processor remains fully liable to us for any data protection breaches by its sub-contractors.
5.3.4 Where we contract with a third party to process any personal data held by us, we will require the third party to enter into a Data Protection Addendum.
6.0 Data Storage and Security
6.1 All your personal data held by us is stored securely, whether electronically or in paper format.
6.2 Paper Storage
6.2.1 If your Personal Data is stored on paper it will be kept in a secure place where unauthorised personnel cannot access it, and it will not be left anywhere that unauthorised personnel could access it. When your Personal Data is no longer required it will be disposed of securely.
6.3 Electronic Storage
6.3.1 Your Personal Data stored electronically will also be protected from unauthorised use and access. If your Personal Data is stored on removable media (CD, DVD, USB memory stick) that media will be stored securely at all times when not in use. Your Personal Data will not be saved directly to mobile devices and will instead be stored on designated drives and servers. Further examples of our security measures include:
- Password protection of documents where appropriate
- Controlling access to systems and networks, so that people who are not authorised to view your personal information cannot gain access to it
- Training our staff so that they know how to handle information and how and when to report when something goes wrong
- Regular testing of our technology and ways of working, including keeping up to date with the latest security updates (commonly called patches)
7.1 A data breach can occur at any point when handling your Personal Data, and we have reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to your rights and freedoms must be reported externally.
If you suspect that your personal information, or that of anyone else, may have been put at risk by a data protection breach, please tell us by e-mail (firstname.lastname@example.org).
7.2 Internal Reporting
7.2.1 We take the security of data very seriously and in the unlikely event of a breach will take the following steps:
- As soon as a breach or potential breach is discovered, and in any event on the same working day, the DPO will be notified in writing of (i) the breach; (ii) how it occurred; and (iii) the likely impact of the breach on any data subject(s)
- We will seek to contain the breach by whatever means are available
- The DPO will consider whether the breach is one which must be reported to the ICO and to the data subjects affected
- We will notify third parties in accordance with the terms of any applicable Data Sharing Agreements
7.3 Reporting to the ICO
7.3.1 The DPO must report any breach which poses a risk to your rights and freedoms to the Information Commissioner's Office ("ICO") without undue delay and, where feasible, within 72 hours of our becoming aware of the breach.
8.0 Data Protection Officer (“DPO”)
8.1 We have appointed a Data Protection Officer, who has over-arching responsibility for and oversight of our compliance with Data Protection laws. The DPO's details are noted on our website and contained within our Fair Processing Notice.
8.2 Our DPO is responsible for:
- Monitoring our compliance with Data Protection laws and this Policy
- Co-operating with and serving as our contact for discussions with the ICO
- Reporting breaches or suspected breaches to the ICO and data subjects.
9.0 Your Rights
9.1 You have certain rights under the GDPR. You are entitled to view the personal data held about you, whether in written or electronic form, and to have inaccurate personal data rectified.
9.2 You also have a right to request a restriction of the processing of your data, a right to erasure (the "right to be forgotten") and a right to object to our processing of your data.
9.3 Subject Access Requests
9.3.1 You have the right to view the data we hold about you upon making a request to do so (a Subject Access Request). We will respond to a Subject Access Request within one month of the date on which we receive it. We:
- Will provide you with an electronic or hard copy of the personal data requested, unless an exemption to the provision of that data applies in law
- Where the personal data includes data relating to other data subjects, will take reasonable steps to obtain the consent of those other data subjects before releasing the requested information, or otherwise consider whether it is reasonable to disclose it without their consent
- If we do not hold the information you have requested, will tell you as soon as practicable and, in any event, no later than one month from the date on which the request was made
9.3.2 It should be noted that all the personal data we hold about you can be viewed in your My Home account, in particular in the My Documents section, which contains copies of all documents issued or received by us in relation to your tenancy. Only documents or data that would be fully or partially redacted if requested are not kept in these folders. This means that if you use your My Home account, a Subject Access Request is not necessary in order to see the personal data we hold about you.
9.4 The Right to be Forgotten
9.4.1 You have the right to be forgotten by submitting a request in writing to ask that we erase your Personal Data in its entirety.
9.4.2 Your request will be considered on its own merits and legal advice may be required in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request and will respond in writing.
9.5 The Right to Restrict or Object to Processing
9.5.1 You may request that we restrict processing of your Personal Data, or object to the processing of that data if:
- You have identified inaccurate personal information, and have told us of it
- We have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether
9.5.2 In the event that any direct marketing is undertaken from time to time by us, you have an absolute right to object to processing of this by us, and if we receive a written request to cease processing for this purpose, then we must do so immediately.
9.5.3 Your request will be considered on its own merits and legal advice may be required in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing your request.
10.0 Privacy Impact Assessments ("PIAs")
10.1 PIAs (known as Data Protection Impact Assessments, or DPIAs, under the GDPR) are a means of helping us to identify and reduce the risks that our operations pose to your personal privacy.
10.2 We shall:
- Carry out a PIA before undertaking a project or processing activity which poses a "high risk" to your privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing your data
- In carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures we will take to reduce those risks, and details of any security measures required to protect the personal data
10.3 We will consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced. The DPO will be responsible for such consultation, and where a high level of risk is identified by those carrying out the PIA they will notify the DPO within five (5) working days.
11.0 Archiving, Retention and Destruction of Data
11.1 We cannot store and retain your Personal Data indefinitely. We will ensure that Personal Data is retained only for as long as necessary, and that all Personal Data is archived and securely destroyed in accordance with the periods specified in our retention schedules.
12.0 Policy Review
12.1 This policy will be reviewed every five years, unless changes in law or practice require an earlier review. Any changes to the policy will be approved by our Management Committee.