AGED CHRISTIAN FRIEND SOCIETY OF SCOTLAND

COLINTON COTTAGE HOMES

PRIVACY POLICY

Contents

1. Introduction

2. Data

3. Processing of personal data

4. Data sharing

5. Data storage and security

6. Breaches

7. Data subject rights

8. Privacy impact assessments

9. Archiving, retention and destruction of data

1. Introduction

Aged Christian Friend Society of Scotland (the Society) are committed to ensuring the secure and safe management of data held by the Society in relation to tenants, and other individuals. The Society, any staff or any other third party that the Society contract with in fulfilment of our landlord obligations have a responsibility to ensure compliance with the terms of this policy, and to manage individuals’ data in accordance with the procedures outlined in this policy and documentation referred to herein.

We need to gather and use certain information about individuals. These can include customers (tenants) and other individuals that we have a contractual relationship with. We manage a significant amount of data, from a variety of sources. This data contains “personal data” and “sensitive personal data” (known as “special categories of personal data” under the GDPR).

This policy sets out our duties in processing that data, and the purpose of this policy is to set out the procedures for the management of such data.

2. Data

2.1 We hold a variety of data relating to tenants, and staff and others (also referred to as “data subjects”) which is known as personal data. The personal data held and processed by the Society is detailed within the “fair processing notice” (FPN) at Appendix 2 hereto.

2.1.1 Personal data is that from which a living individual can be identified either by that data alone, or in conjunction with other data held by the Society.

3. Processing of personal data

3.1 We are permitted to process personal data on behalf of data subjects provided we are doing so on one of the following grounds:

• processing with the consent of the data subject (see clause 3.3 hereof);

• processing is necessary for the performance of a contract between the data subject and the Society, or for entering into a contract with the data subject;

• processing is necessary for the Society’s compliance with a legal obligation;

• processing is necessary to protect the vital interests of the data subject or another person; or

• processing is necessary for the purposes of legitimate interests.

3.2 Fair processing notice

3.2.1 The Society have produced a fair processing notice (FPN) which we are required to provide to all tenants, housing applicants and staff whose personal data is held by the Society. The FPN must be provided to tenants, housing applicants and staff from the outset of processing their personal data and they should be advised of the terms of the FPN when it is provided to them.

3.2.2 The FPN at Appendix 1 sets out the personal data processed by the Society and the basis for that processing. This document is provided to all the Society’s tenants, housing applicants and staff at the outset of processing their data.

3.3 Consent

Consent as a ground of processing will require to be used from time to time by the Society when processing personal data. It should be used by the Society where no other alternative ground for processing is available. In the event that the Society require to obtain consent to process a data subject’s personal data, the Society shall obtain that consent in writing. The consent provided by the data subject must be freely given and the data subject will be required to sign a relevant consent form if willing to consent. Any consent to be obtained by the Society must be for a specific and defined purpose (i.e. general consent cannot be sought).

3.4 We will comply with all requirements for processing your personal data, as set out in the FPN.

4. Data sharing

4.1 The Society share your data with various third parties for numerous reasons in order that day-to-day activities are carried out in accordance with our relevant policies and procedures. In order that the Society can monitor compliance by these third parties with data protection laws, the Society will require the third-party organisations to enter into an agreement with the Society to govern the processing of data, security measures to be implemented and responsibility for breaches.

4.2 Data sharing

4.2.1 Personal data is from time to time shared amongst the Society and third parties who require to process personal data that the Society process as well. Both the third party and the Society will be processing that data in their individual capacities as data controllers.

4.3 Data processors

A “data processor” is a third-party entity that processes personal data on behalf of the Society and is frequently engaged if certain parts of our work are outsourced (e.g. maintenance and repair works).

4.3.1 A data processor must comply with data protection laws. The Society’s data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify the Society if a data breach is suffered.

4.3.2 If a data processor wishes to sub-contract their processing, the Society’s prior written consent must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.

4.3.3 Where the Society contract with a third party to process personal data held by them, the Society shall require the third party to enter into a data processing agreement with them in accordance with the terms of the model data processing agreement set out in Appendix 2 to this policy. Should they not enter into this, the Society will provide them with the data protection statement of requirements for data processors. This will outline what the Society require from them as a data processor, acting on the Society’s behalf.

5. Data storage and security

All personal data held by the Society must be stored securely, whether electronically or in paper format.

5.1 Paper storage

If personal data is stored on paper it will be kept in a secure place where unauthorised personnel cannot access it. When the personal data is no longer required, it must be disposed of by the Society so as to ensure its destruction. If the personal data requires to be retained on a physical file then the Society will ensure that it is affixed to the file which is then stored in accordance with the Society’s storage provisions.

5.2 Electronic storage

Personal data stored electronically must also be protected from unauthorised use and access. Personal data should be password protected when being sent internally or externally to our data processors. If personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media will be stored securely at all times when not being used. Personal data will not be saved directly to mobile devices and will be stored on designated drives and servers.

6. Breaches

6.1 A data breach can occur at any point when handling personal data and the Society have reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach require to be reported externally in accordance with clause 6.3 hereof.

6.2 Internal reporting

The Society take the security of data very seriously and in the unlikely event of a breach, the Society will take the following steps:

• As soon as the breach or potential breach has occurred, the Society must consider (I) the breach and its nature; (II) how it occurred; and (III) what the likely impact of that breach is on any data subject(s).

• The Society must seek to contain the breach by whatever means available.

• The Society must consider whether the breach is one which requires to be reported to the ICO and data subjects affected and do so in accordance with clause 6.

• The Society will notify third parties in accordance with the terms of any applicable data sharing agreements.

6.3 Reporting to the ICO

The Society are required to report any breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach to the ICO within 72 hours of becoming aware of the breach occurring. The Society must also consider whether it is appropriate to notify those data subjects affected by the breach.

7. Data subject rights

7.1 Certain rights are provided to data subjects under the GDPR. Data subjects are entitled to view the personal data held about them by the Society, whether in written or electronic form.

7.2 Data subjects have a right to request a restriction of processing their data, a right to be forgotten and a right to object to the Society processing their data. These rights are notified to tenants, housing applicants and staff in the Society’s fair processing notice.

7.3 Subject access requests

Data subjects are permitted to view their data held by the Society upon making a request to do so (a subject access request). Upon receipt of a request by a data subject, the Society must respond to the subject access request within one month of the date of receipt of the request.

7.3.1 The Society must provide the data subject with an electronic or hard copy of the personal data requested unless any exemption to the provision of that data applies in law.

7.3.2 Where the personal data comprises data relating to other data subjects, the Society must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the subject access request.

7.3.3 Where the Society do not hold the personal data sought by the data subject, the Society must confirm that they do not hold any personal data sought by the data subject as soon as practicably possible, and in any event, not later than one month from the date on which the request was made.

7.4 The right to be forgotten

7.4.1 A data subject can exercise their right to be forgotten by submitting a request in writing to the Society seeking that the Society erase the data subject’s personal data in its entirety.

7.4.2 Each request received by the Society will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The Society will then have the responsibility for accepting or refusing the data subject’s request in accordance with this clause and will respond in writing to the request.

7.5 The right to restrict or object to processing

7.5.1 A data subject may request that the Society restrict the Society’s processing of the data subject’s personal data, or object to the processing of that data.

7.5.1.1 The Society will not share, sell or distribute any of the information you provide to us without your consent.

7.5.2 Each request received by the Society will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The Society will then have responsibility for accepting or refusing the data subject’s request in accordance with clause 7.5 and will respond in writing to the request.

8. Data protection impact assessments (DPIAs)

8.1 These are a means of assisting the Society in identifying and reducing the risks that the Society’s operations have on personal privacy of data subjects.

8.2 The Society shall carry out a DPIA before undertaking a project or processing activity which poses a high risk to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing personal data.

8.2.1 In carrying out a DPIA, the Society shall include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that they will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.

8.3 The Society will require to consult the ICO in the event that a DPIA identifies a high level of risk which cannot be reduced. The Society will be responsible for such reporting where such a high level of risk is identified.

9. Archiving, retention and destruction of data

The Society cannot store and retain personal data indefinitely. The Society will ensure that personal data is only retained for the period necessary. The Society shall ensure that all personal data is archived and destroyed timeously and at the point that the Society no longer need to retain that personal data in accordance with the periods specified within the table at Appendix 3 hereto.

List of appendices

  • Fair Processing Notice
  • Data Processing Agreement
  • Table of duration of retention of certain data.

THE AGED CHRISTIAN FRIEND SOCIETY of SCOTLAND

FOUNDED 1889

COLINTON COTTAGE HOMES

4a Redford Road Edinburgh EH13 0AA

T: [+44] (0) 131 441 2286/2502

GDPR Fair Processing Notice

HOW WE USE YOUR PERSONAL INFORMATION

We, the Aged Christian Friend Society of Scotland (ACFSOS), are the controller of the personal information that we hold about you, which means that we are legally responsible for how we hold and use personal information about you. It also means that we are required to comply with data protection laws when holding and using your personal information. As you know we take the issue of security and data protection seriously and strictly adhere to guidelines published in the Data Protection Act of 2018 and the General Data Protection Regulation (EU) 2016/679, together with any domestic laws subsequently enacted.

We have appointed a Privacy Officer, John Buchanan (Manager) Colinton Cottage Homes, who ensures that we comply with data protection laws. If you have any questions about this statement or how we hold or use your personal information, please contact our Privacy Officer by e-mail: ; telephone on 0131-441-2286; or in writing to: The Privacy Officer, Colinton Cottage Homes, 4A Redford Road, Edinburgh, EH13 0AA.

Your attention is particularly drawn to section 2 of this statement, which confirms that you consent to your personal information being held and used by us as described in section 1 of this statement.

  1. What personal information do we hold and use about you and why?

As part of your tenancy agreement with us, we hold and use the personal information that you provided to us in your housing application form and the information that you completed on your Tenant Profile and other personal information that we may obtain from you.

We use such personal information for the following purposes:

  • Providing you with services as the landlord of your property;
  • Communicating with you, including in response to any of your enquiries;
  • Improving our services and responding to changing needs;
  • Tenancy management and administration, including: processing your rent payments; carrying out repairs to your property (including recharging such repairs to you, if relevant); assessing your housing needs; completing safety and other periodic maintenance checks to your property; handling and resolving complaints made by/against you; and recovering any rent arrears;
  • Keeping personal information that we hold about you accurate and up-to-date; publishing our newsletter in hard copy format and on our website;

We hold a copy of your housing application for a tenancy with Colinton Cottage Homes.

  • Name
  • Address
  • Date of Birth
  • Contact Telephone Numbers
  • Email
  • Details of your current housing/social/health situation
  • Supporting statement for housing
  • Name, address, email and telephone number of proposed keyholder.

This information is transferred from hard copy to the Colinton Cottage Homes database system, which is password protected, and the hard copy is stored in a fire-resistant filing cabinet accessed by a password code. When you advise us that you no longer wish to be on the waiting list, your application is deleted from our database and the hard copy disposed of safely by the Society.

Tenant Profile detailing:

  • Name
  • Date of Birth
  • Contact Telephone Numbers
  • Address
  • Email
  • Hanover Telecare Identification Number
  • N.I. Number
  • House key safe number (if applicable)
  • Names, addresses, telephone numbers, email, relationship status, power of attorney status and keyholder status of people whom you have nominated as your emergency contacts.
  • Solicitors’ information if applicable in the event of your death.
  • GP name and contact details
  • Electricity supplier
  • Telephone line provider
  • Own/ACFSOS’s cooker
  • Copy of your Dwelling Report issued by Hanover Telecare who provide you with a 24hr emergency contact service.

This information is held on Colinton Cottage Homes database and is shared as described further in this statement. When your tenancy ends the information is held for a period of 6 months then deleted from Colinton Cottage Homes database.

As part of your tenancy agreement, we share your:

  • Name,
  • Address
  • Contact telephone numbers
  • Date of birth,
  • Email address,
  • Bank details
  • N. I. number

With ACFSOS’s Secretaries & Treasurers, Johnston Smillie Ltd, Chartered Accountants, 6 Redheughs Rigg, Edinburgh EH12 9DQ for the preparation and management of your tenancy agreement. Johnston Smillie hold your personal information in compliance with their regulator who are the Institute of Chartered Accountants of Scotland (ICAS).

As part of your tenancy agreement, we share your:

  • Name
  • Address
  • Date of Birth
  • Contact Telephone Numbers
  • GP name and contact details
  • Names, addresses, telephone numbers, keyholder status and relationship status of the people whom you have nominated as your emergency contacts.

With Hanover Telecare, 95 McDonald Road, Edinburgh EH7 4NS who provide you with a 24hr emergency alarm call system in line with your Tenancy agreement. Hanover Telecare will hold your information in compliance with their retention policy.

As part of your tenancy agreement, we share your:

  • Name
  • Address

With the undernoted as required for your safety and comfort and to ensure compliance with landlord and other regulatory requirements.

  • Property Consultant appointed by Directors of ACFSOS to ensure the maintenance and good upkeep of Colinton Cottage Homes.
  • James Watt – Electrical Contractor for any maintenance and repairs.
  • Simon Corbett – Building Contractor for any maintenance and repairs.
  • Derek Boyle – IFIRE UK Alarm Systems for maintenance and repairs.
  • Express Heating – Heating Engineers for maintenance and repairs.
  • Active Directors of ACFSOS are advised of any accidents/incidents and actions taken to support and resolve these.

  2. What is our legal basis for holding and using your personal information?

By providing us with your personal information, you consent to it being used by us as described in section 1 of this statement.

Our basis in law for holding and using your personal information is your explicit consent and performance of the tenancy agreement that you have entered into with us. You have the right to withdraw your consent to our holding and using your personal information by contacting CCH Privacy Officer, John Buchanan. Once you have withdrawn your consent, we will no longer use your personal information for the purpose(s) you originally agreed to, unless we have another legal basis for doing so.

  3. Who do we share your personal information with?

We share your personal information with the following for the purposes described in section 1 of this statement: