Data Protection Policy
Version 1.2
Date of Last Update: 26/07/2016
Version Control
Note: minor updates increase version number by 0.1, major updates increase version number by 1.0.
Version Number | Sections Amended | Date of update | Approved by
1.1 | Minor amendments on annual update | 16/8/13 | Caroline Moore
1.2 | Minor amendments on annual update | 28/08/14 | Nikki Allen
1.3 | Minor amendments on annual update | 26/07/16 | Nikki Allen
Table of Contents
1. Introduction
2. Policy
3. Implementation
4. Responsibility
5. Review
1. Introduction
The Access to the Personal Information policy should be read in conjunction with this policy. It covers individuals’ rights regarding personal data of which they are the data subject, including their right to receive a copy of that data on request. This applies to both employees and tenants.
The General Data Protection Regulation is due to come into force from 2018, and this policy will therefore be significantly updated when the precise requirements of the new regulation are known (these include being more transparent about data collection, the uses made of data, and consent).
2. Policy
The Company, its members, officers and employees must comply with the Data Protection Act 1998.
3. Implementation
3.1 The Data Protection Officer will provide Management with information on changes in legislation, appropriate guidance notes and training to staff etc, where appropriate.
3.2 The Leadership Team must furnish sufficient information to the Data Protection Officer to enable him/her to complete the notification or re-notification of appropriate systems with the Information Commissioner’s Office.
3.3 Information regarding new systems or files, new uses of files or amendments to systems shall be provided to the Data Protection Officer in sufficient time to enable registration details to be submitted before the new system, files or changes are brought into use.
3.4 The Act gives rights to individuals about whom information is recorded on computers, CCTV and certain manual records. Individuals may find out information about themselves, challenge it if appropriate and claim compensation in certain cases. The Act places certain obligations on the Company. The Company must be open about the use of personal data (through the Data Protection Registers) and follow sound and proper practices (the Data Protection Principles).
3.5 The Act only covers information which relates to living individuals.
3.6 In addition to electronic records, the manual records also covered by the Act are those recorded as part of a “relevant filing system”, or with the intention that they should form part of a relevant filing system. Relevant filing systems are structured by reference to individuals, or to criteria relating to individuals, and allow easy access to the personal data they contain, e.g. card indexes, indexed microfiche and personal files about individuals which are structured in such a way that data are capable of being readily extracted.
3.7 The Act has 8 Principles which must be adhered to:
The Data Protection Principles
Principle 1: Personal data shall be processed fairly and lawfully.
Principle 2: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Principle 3: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Principle 4: Personal data shall be accurate and, where necessary, kept up to date.
Principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Principle 6: Personal data shall be processed in accordance with the rights of data subjects under this Act.
Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 8: Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
3.8 Personal information should only be accessed by those who need it. This is especially important for information deemed as “sensitive personal data” by the Act. This includes:
· Race or ethnic origin;
· Political opinions;
· Religious beliefs or other beliefs of a similar nature;
· Whether they are a member of a trade union;
· Their physical or mental health condition;
· Their sexual life;
· The commission or alleged commission by them of any offence; or
· Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
3.9 The appropriate technical and organisational measures (e.g. passwords, access restrictions to certain parts of the system) must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected.
4. Responsibility
Leadership Team Members are responsible for ensuring that their staff understand and comply with the Data Protection Act. Electronic training will be required to be completed by all staff on a regular basis.
The Company’s Data Protection Officer will be responsible for all notifications and renewals placed with the Information Commissioner’s Office and is the contact point for advice on data protection issues. The Data Protection Officer maintains registers for the different categories of personal data, e.g. payroll, rents, etc., and these include details of who information may be received from and to whom it may be disclosed. If in any doubt, consult the Data Protection Officer before disclosing any personal data.
5. Review
This policy will be reviewed on an annual basis (and sooner subject to the finalisation of the GDPR).