Data Protection, Privacy and Confidentiality Policy
Controlling Authority – Head of Information Services
Policy Number – FIN007
Issue No. 3
Status – Final
Date – September 2014
Review Date – September 2016
Equality & Diversity Impact Assessment carried out – Impact – Low
1.1 This Policy sets out how Havebury Housing Partnership (‘Havebury’) complies with legislation relating to data protection, privacy and confidentiality.
2.1 Havebury is committed to protecting the rights and privacy of individuals in accordance with current legislation.
2.2 This Policy reflects the following legislative requirements:
- Data Protection Act 1998 (the Act)
- Article 8 of the European Convention on Human Rights
- Sections 7 and 49 of the Regulation of Investigatory Powers Act 2000 (RIPA)
- Freedom of Information Act 2000 (which at the time of publication of this Policy does not apply to Havebury)
2.3 Havebury is a ‘Data Controller’ as defined by the Data Protection Act as we collect and store personal data. We employ individuals who act as ‘Data Users’, handling this data on behalf of Havebury.
2.4 Havebury has relationships and obligations with third-party organisations where personal information collected by Havebury is passed for processing for a variety of purposes. These third-party organisations are ‘Data Processors’. The minimum requirements for such Data Processors are set down in the Data Protection Act but must also be laid down in all contracts.
2.5 Data is determined by the Act as personal when it relates to a living individual who can be identified by the data. It can be in any format - electronic (including websites and emails), paper-based, photographic etc.
2.6 The Act requires Havebury to be registered as a Data Controller, to notify the Information Commissioner's Office of the various types of personal data held and the purposes for which the data has been collected, and to define the persons or bodies to which the information may be disclosed. Our registration number is Z807396X.
2.7 Failure to comply with the Data Protection Act, or failure to provide an encryption key under Section 49 of RIPA, could result in prosecution against Havebury.
3.1 The Company Secretary has overall responsibility for Data Protection and is ultimately responsible for any loss or unauthorised disclosure of personal data, and general obligations of Havebury regarding personal data.
Executive Directors will follow up reports of breaches and near-breaches.
3.2 All employees, Board Directors, members of consultative bodies, agency workers, appointed agents and contractors are obliged to follow this Policy, report any breaches of this Policy and attend any training provided.
3.3 The Head of Information Services is responsible for administering the registration and notification with the Information Commissioner’s Office (acting as Data Protection Officer), providing training and advice, implementing controls, recording, monitoring performance and ensuring awareness of Data Protection and other obligations of Havebury regarding personal data.
3.4 Data Users should seek advice from either the Head of Information Services or the Company Secretary in the event of any query.
4 REGISTRATION AND NOTIFICATION
4.1 Upon receipt of a reminder from the Information Commissioner’s Office, Havebury will update its registration and make any amendments as required. This will be diarised to take place each July if no reminder has been sent.
5 THE EIGHT PRINCIPLES OF DATA PROTECTION
5.1 Data should be processed fairly and lawfully.
5.1.1 We may process data fairly if processing is necessary in order to pursue our legitimate interests or that of third parties (unless it could unjustifiably prejudice the interests of the individual).
5.1.2 We will have informed consent from the Data Subject and processing of personal data will only be carried out if it is necessary to:
- provide a service or fulfil a contract requested by the Data Subject;
- comply with our legal obligations;
- protect the vital interest of the Data Subject; or
- administer justice and those functions of public interest.
5.1.3 In the case of sensitive personal data we will only be processing where:
- explicit consent has been obtained from the Data Subject;
- the information is already public due to the deliberate actions of the Data Subject;
- we are exercising any right conferred in law in connection with employment;
- we are protecting the vital interests of the Data Subject where consent is not obtained or is unreasonably withheld by the Data Subject;
- it is required for legal proceedings or for obtaining legal advice;
- it is required for administration of justice, an enactment or functions of the Crown;
- it is for medical purposes as undertaken by a medical professional; or
- it is to monitor opportunities and treatment of the Data Subject based on all protected characteristics as defined by the Equality Act 2010.
5.1.4 Sensitive personal data is defined as racial or ethnic origin, political beliefs, religious beliefs, trade union membership, physical and mental health, sexual life and preference, commission of offences and proceedings of offences or sentences of Court.
5.1.5 We will pass personal data to a third-party (such as a Data Processor) if there is a Data Sharing Protocol agreed between Havebury and the third-party. Such protocols will need to ensure that:
- the third-party is responsible for processing the personal data on behalf of the Data Subject;
- the third-party is registered with the Information Commissioner’s Office;
- the third-party agrees in writing to store, process and destroy the personal data in accordance with the eight principles of the Data Protection Act;
- there is adequate protection in the transmission of personal data between Havebury and the third-party; and
- the personal data is not passed outside of the European Union or Switzerland without adequate protection.
5.1.6 Data Sharing Protocols must be reviewed and renewed, where necessary, every 3 years. Such protocols must detail the type of data shared and also the method of communication and transmission that is secure and appropriate for the type of data.
5.2 Data shall be obtained for specific purposes
5.2.1 Havebury must declare information collected and purposes at annual registration with the Information Commissioner’s Office.
5.2.2 Havebury must inform Data Subjects of how their personal data will be used.
5.2.3 Havebury must not use personal data for purposes other than agreed by Data Subjects.
5.3 Data shall be adequate, relevant and not excessive.
5.3.1 Personal data gathered must be relevant to the need of Havebury to meet the purpose.
5.3.2 It is unlawful to use ‘apparent authority’ or bullying (including financial coercion) to ask for personal data that is not relevant to the purpose. We must be particularly careful when incentivising responses to surveys and questionnaires with tenants who are financially vulnerable, ensuring a balanced approach is used.
5.3.4 Forms (electronic and paper) will be reviewed to ensure that:
- only relevant personal data is requested; and
- the form explains why the personal data has been requested.
5.4 Data shall be accurate and where necessary kept up to date.
5.4.1 It is the responsibility of Data Subjects to inform Havebury of changes to personal data. All forms where personal data is collected should contain a statement informing Data Subjects of their responsibility to help us keep their personal data up to date.
5.4.2 Where a request is made for Havebury to change some personal data held about a Data Subject, Havebury may verify the identity of the requestor and take reasonable steps to validate the new information. Once verified, Havebury must change the information as soon as practicable to do so.
5.4.3 Havebury will provide appropriate facilities for personal data to be kept up-to-date and accurate. Havebury will also use regular publications to inform Data Subjects of their responsibility to keep their personal data up-to-date.
5.5 Data is not kept longer than is necessary for its purpose.
5.5.1 Havebury will publish and review Data Retention Guidelines which cover all data types held and the length of time before archiving or destruction. Such data includes documents and electronic data.
5.5.2 Where a Data User requires guidance on an information type or document type that is not covered by the Data Retention Guidelines, this will be reported to the Head of Information Services. Appropriate research will be carried out, with referral to Management Team and other parties as required.
5.5.3 Personal data will be destroyed by:
- Shredding paper documents using an appropriate device or by way of a contract with a reputable third-party; or
- The use of appropriate tools to prevent electronic data from being read.
5.6 Data shall be processed in accordance with subject rights under the Act.
5.6.1 Havebury will ensure that the rights of Data Subjects to access their personal data as recorded on its systems (both manual and electronic) will be upheld.
5.6.2 Havebury will accept a letter or email as a Subject Access Request where someone asks for a copy of personal information held about them, with the time to respond starting at the point of receipt of the request. In normal circumstances, any telephone calls or face-to-face requests will result in the completion of the appropriate form with guidance notes, or referral to the same in electronic format available on the Havebury website. To ensure that Subject Access is open to all, we will take reasonable steps to take special needs into consideration. However, this will not at any time affect the minimum requirement of identification and payment of a fee.
5.6.3 Havebury will charge the maximum fee as dictated from time to time by the Information Commissioner’s Office.
5.6.4 Havebury will verify the identity of the requestor to ensure that they have the right to access the personal data and identification will be sought to ensure this. Havebury will generally not accept requests which will result in a disproportionate amount of effort in collation of personal data.
5.6.5 Havebury will complete the Data Subject Access Request within 40 days of the request being validated and payment received. If a cheque received as payment is not honoured by the requestor’s bank, this request will not be processed further.
5.6.6 This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:
- the individual has given their consent (eg a tenant/member of staff has consented to the Company corresponding with a named third party);
- where the disclosure is in the legitimate interests of the institution (eg disclosure to staff - personal information can be disclosed to other Company employees if it is clear that those members of staff require the information to enable them to perform their jobs);
- where the institution is legally obliged to disclose the data (eg. ethnic minority and disability monitoring);
- where disclosure of data is required for the performance of a contract
5.6.7 The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes (requests must be supported by appropriate paperwork):
- to safeguard national security;
- prevention or detection of crime including the apprehension or prosecution of offenders;
- assessment or collection of tax duty (Section 29 of the Act);
- discharge of regulatory functions (includes health, safety and welfare of persons at work);
- to prevent serious harm to a third party;
- to protect the vital interests of the individual, this refers to life and death situations;
- in connection with legal proceedings or prospective legal proceedings (Section 35 of the Act)
5.6.8 Data provided in confidence to Havebury, such as legal advice or employment references, will not be disclosed. In some cases, references or tenancy reports may be disclosed if the author can remain anonymous.
5.6.9 In the case of those disclosures under sections 5.6.6 and 5.6.7, we will process them as required to do so under the Acts that apply.
5.6.10 If a court order is received for the disclosure of personal data, this should be referred immediately to the Company Secretary or another Executive Director.
5.6.11 The Data Subject has the right to prevent processing for direct marketing purposes.
5.6.12 A Data Subject may report to us that personal data held about them is inaccurate. In this circumstance, subject to receiving supporting evidence, this inaccurate data must be rectified, blocked, erased or destroyed.
5.7 Data will be safely and securely stored
5.7.1 Paper records will be stored securely in appropriate filing systems and not taken out of Havebury offices unless approved to do so by an Executive Director. The requirement for personal data to be taken outside of our offices for purposes of presenting evidence to a Court, sharing with other agencies or for legal advice should be managed by way of a standing authority from an Executive Director. This should be supported by a current and appropriately completed and signed Data Sharing Protocol.
5.7.2 Electronic records will be stored securely on appropriate systems protected by technical and organisational controls.
5.8 Data will not be transferred outside of the European Economic Area unless adequately protected
5.8.1 Havebury will not transfer data outside of the European Economic Area except where outside of its control.
6 GENERAL CONSENT AND RIGHTS OF DATA SUBJECTS
6.1 Personal data or sensitive data should not be obtained, held, used or disclosed unless the individual has given consent. Havebury understands consent to mean that the Data Subject has been fully informed of the intended processing and has signified their agreement, whilst being in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties, such as signing a form and the individual must sign the form freely of their own accord. Consent cannot be inferred from non-response to a communication.
6.2 All forms where personal data is collected will carry a Data Protection Statement. The statement should contain:
- The name of the Data Controller: Havebury Housing Partnership
- What personal data will be held
- The purposes for which the personal data will be held
- Whether any of the data will be disclosed to any third-party, and if so, to whom and why
- Any non-obvious consequences of the processing of the data
- Personal data for which the data subject may withdraw consent for Havebury to hold or use
- Opt-in tick boxes for purposes which the Data Subject has to give explicit consent
- Contact details through which the Data Subject can check or amend the data held, or request the deletion of that data.
6.3 The form must have relevant indicators for recording the consent from the individual for their personal data to be used. All forms where personal data is collected will include text informing the reader for what purpose the data is collected.
6.4 All documents where personal data is disclosed (not including the name, address and rent reference) will carry an agreed symbol, referred to in section 6.5, to remind both the recipient and those dealing with that document internally of the importance of keeping the personal data safe.
6.5 "This document contains your personal information Keep it safe - dispose of it carefully"
6.6 If an individual does not consent to certain types of processing (e.g. communications or marketing), appropriate action must be taken to ensure that the processing does not take place.
7 DATA SECURITY
7.1 Everyone is responsible for ensuring that any personal data (on others) which they hold are kept securely and that they are not disclosed to any unauthorised third party.
7.2 All personal data should be accessible only to those who need to use it. Data Users should form a judgment based upon the sensitivity and value of the information in question, but always consider keeping personal data:
- in a lockable room with controlled access, or
- in a locked drawer or filing cabinet, or
- if electronic, password protected, or
- kept on disks which are themselves kept securely.
7.3 Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password protected screen-savers and manual records should not be left where they can be accessed by unauthorised personnel. Users of mobile devices that have access to personal data should be careful to ensure that such data is not visible to the public.
7.4 Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as "confidential waste". Hard drives of redundant PCs should be wiped clean before disposal.
7.5 This policy also applies to anyone who processes personal data "off-site". Off-site processing presents a potentially greater risk of loss, theft or damage to personal data. You should take particular care when processing personal data at home or in other locations off-site.
7.6 When someone receives enquiries as to whether a named individual has a relationship with Havebury (e.g. employee, tenant, etc.) or requests other information, the enquirer should be asked why the information is required. If consent for disclosure cannot be demonstrated and the reason is not one listed in 5.6.7, the enquiry should be dismissed and the incident reported to the Company Secretary as a fraudulent act.
7.7 Unless consent has been obtained from the Data Subject, personal data should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the Data Subject consenting to disclosure to the third party should accompany the request.
7.8 Havebury will never acknowledge a relationship with anyone without the consent of the Data Subject except for those reasons listed in 5.6.7.
8.1 Publication of personal data is strictly prohibited without consent from the Data Subject(s) and permission from the Company Secretary.
9.1 Anyone that uses personal data for direct marketing purposes must inform data subjects of this at the time of collection of the data. Individuals must be provided with the opportunity to object to the use of their data for direct marketing purposes (e.g. an opt-out box on a form).
10 PHOTOGRAPHY AND CCTV
10.1 Havebury, or agents acting on its behalf, will ensure that consent is gained from all clearly identifiable people in a photograph or in video footage. We will make it clear why we are taking the photographs and the potential audience for the images.
10.2 If we are taking images at an event attended by larger crowds, such as outdoor events and festivals, this is regarded as a public area and we will not request consent. However, Havebury will inform those in the foreground that a photo is being taken and may be published.
10.3 There are special considerations governing photographs and video of those under 18 years of age. Prior to image capture, parental consent is required. We will also undertake to:
- Ensure that our photos cannot be used inappropriately, including ensuring that child subjects are suitably clothed, and if they are not (such as in a swimming costume) the photograph will be shoulders-up.
- Obtain special permission from parents if any of our photos will be published publicly (e.g. website, newsletters, etc.)
10.4 Photographs taken for security reasons are a legitimate business purpose for processing personal data. Unless the employee agrees for the image to be further processed by publication on the intranet or internet, it cannot be used for this or any other purpose without their consent. Images of employees on the intranet require explicit consent prior to publication. Other photographs taken of employees will be published on the intranet. Verbal consent is sufficient as long as such consent is recorded. At any time, employees may revoke consent and Havebury will endeavour to restrict access to the photo as appropriate.
10.5 Archived photographs and other media that contain images of individuals who have not offered consent may not be published in any way. Havebury will seek consent prior to publication on any media.
10.6 For reasons of personal security and to protect our premises and the property of employees and tenants, closed-circuit television cameras are in operation in certain locations. The presence of these cameras may not be obvious but approved signage will be in place with the following details:
- The name of the Data Controller: Havebury Housing Partnership
- Contact details (telephone number will suffice)
- Purposes for which the images are collected and stored
10.7 Any monitoring will be carried out only by a limited number of specified Data Users. Images will be accessed only by the Data Users for security purposes during an investigation.
10.8 Personal data obtained during monitoring will be destroyed as soon as possible after any investigation is complete.
10.9 Data Users involved in monitoring will maintain confidentiality in respect of personal data.
11 BIOMETRIC DATA
11.1 Biometric scans are acceptable for access to Havebury IT systems. The use of biometric scans is subject to approval of the Data Subject.
11.2 Any biometric data that is collected at the point of access will not be used for any purpose other than the authentication of users and will be immediately destroyed. We will only store a value which will be matched against another value gained from an algorithm executed based on biometric data presented. This value cannot be used to recreate the biometric data.
12 INCIDENT HANDLING
12.1 Havebury will investigate complaints received from both internal and external sources. Any breach of the Data Protection Act 1998 or this Data Protection Policy is considered to be an offence and in that event, disciplinary procedures will apply. The Head of Information Services is authorised to act immediately with priority of preventing any further breaches as appropriate. Any investigation into the breach will be overseen by an Executive Director, conducted by the Head of Information Services and reported to the Information Commissioner. Such breaches will be recorded in the Data Protection File and reported to Management Team at assurance meetings. Where a near-breach has occurred, all of the above actions will apply except for not reporting to the Information Commissioner. A near-breach is defined as an incident where a breach would have occurred except for an unexpected action or set of circumstances which prevented it.
12.2 Agencies and external individuals working with Havebury, and who have access to personal data, will be expected to have read and comply with this policy.
12.3 All contractors will need to abide by the Data Protection Act, this Policy and sign to that effect as part of the contract.
12.4 If an employee knowingly breaches the Data Protection Act or any part of this policy, this will lead to disciplinary action.
12.5 If a contractor or agent knowingly breaches the Data Protection Act or any part of this policy, this will lead to a review of the working relationship and this may include a suspension during an investigation.
13 PRIVACY AND INVESTIGATORY POWERS
13.1 Privacy Impact Assessments help assess privacy risks to individuals in the collection, use and disclosure of information, foreseeing problems and bringing forward solutions. We will conduct basic PIAs at the early stages of a project or when reviewing a policy.
13.2 Article 8 of the European Convention on Human Rights states that everyone has the right to respect for his private and family life, his home and his correspondence.
13.3 “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
13.4 Whilst Havebury is not directly subject to the Human Rights Act 1998, we should ensure that any requests for personal data (as listed in section 5.6.7) from a public authority are deemed not to be an attempt to ‘interfere’ as defined by the Act before processing such a request.
13.5 Sections 7 and 49 of the Regulation of Investigatory Powers Act 2000 allow certain bodies to request the disclosure of encryption keys used to secure network connections as part of investigations into a number of illegal activities.
13.6 Requests for disclosure of encryption keys and any warrants will be forwarded to the Company Secretary in all cases.
14 REQUESTS FOR INFORMATION OF PUBLIC INTEREST
14.1 Havebury is an open organisation which wishes to be accountable to its tenants and transparent to the public. Where a request for information of public interest is received from an individual, Havebury will provide a response, without requiring any legislative or regulatory obligations pursuant to the Freedom of Information Act 2000.
14.2 Havebury will record such requests in a file maintained by the Head of Information Services. Where the FOI Act does not apply, requests may be declined by a Head of Service or Executive Director. If the FOI Act does apply, requests may only be declined by an Executive Director following the exemptions of the Act.
14.3 Where Havebury provides services under contract to an organisation that is subject to the Freedom of Information Act 2000, we may be contractually obliged to provide information related to the services provided by us when a request is made on the other organisation. Such requests are only accepted from that organisation and are returned to the same.
- Data Protection Act 1998
- European Convention on Human Rights, Human Rights Act 1998
- Regulation of Investigatory Powers Act 2000 (RIPA)
- Freedom of Information Act 2000 (FOI)
- Equality Act 2010
- IT Security Policy
- IT Usage Policy
- Data Retention Guidelines