WCHG Data Protection Policy
This policy aims to enable Wythenshawe Community Housing Group to provide accessible information for its customers under the Data Protection Act 1998
Wythenshawe Community Housing Group is fully committed to complying with the requirements of the Data Protection Act 1998. This policy and guidance notes is designed to ensure that all employees, Board Members, contractors, agents, consultants and partners who have access to any Personal Data held by or on behalf of the , are fully aware and abide by their duties and responsibilities under the Data Protection Act.
The Group needs to collect and process certain Personal Data about individuals, including staff and customers, in order to operate effectively. The Group recognises the importance of the correct and lawful treatment of this Personal Data as specified in the Data Protection Act 1998.
This policy sets out the Group’s policy regarding compliance with Data Protection Act 1998 and associated legislation. It also outlines the responsibilities for data protection compliance, and how compliance is maintained and monitored.
1.0 Defintions – keywords, abbreviations and acronyms
Personal Data: Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of or is likely to come into the possession of the Group , and includes any expression of opinion about the individual and any indications of the intentions of the Group or any other person in respect of the individual.
Sensitive personal data: information about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life, alleged criminal activity and court proceedings.
Data subject: The individual whose personal data is being processed
Data Processor: Individuals or organisations that use personal data provided by the to carry out work or deliver services on its behalf (e.g. contractors, research companies, etc)
Third party: Anyone who is not the data subject, Group staff, a data processor or an employee of a data processor
Subject Access Request: A formal written request made by a data subject to see all personal data that Wythenshawe Community Housing Group is processing. This is a legal right under schedule 1 Principle 6 of the Data Protection Act 1998.
Data Protection Act or DPA: Data Protection Act 1998
Processing: refers to any action involving personal data including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying personal information.
The Data Protection Act is based on eight principles which require that Personal Data shall:
Be processed fairly and lawfully and shall not be processed unless certain conditions are met
Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
Be adequate, relevant and not excessive for those purposes
Be accurate and, where necessary, kept up to date
Not be kept for longer than is necessary for that purpose
Be processed in accordance with the Data Subjects rights
Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures
And not to be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
3.0 Policy Statement
The Group fully endorses and adheres to the eight principles of the Data Protection Act.
In order to meet the requirements of the principles, the Group will:
Observe fully the conditions regarding the fair collection and use of personal data
Meets its obligations to specify the purposes for which personal data is used
Collect and process appropriate Personal Data only to the extent that it is needed to fulfil operational or any legal requirements
Ensure the quality of Personal Data used
Apply appropriate checks to determine the length of time Personal Data is held
Ensure that the rights of individuals about whom the Personal Data is held, can be fully exercised under the Act
Take the appropriate technical and organisational security measures to safeguard Personal Data
And ensure that Personal Data is not transferred abroad without suitable safeguards
In addition, the Group will ensure that:
There is someone with specific responsibility for data protection in the organisation, (this is currently the Data Protection Officer)
Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice
Everyone managing and handling personal information is appropriately trained to do so
Everyone managing and handling personal information is appropriately supervised
Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do
Queries about handling personal information are promptly and courteously dealt with
Methods of handling Personal Data are regularly assessed and evaluated
Performance with handling Personal Data is regularly assessed and evaluated
Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing
Any disclosure of personal data will be in compliance with approved procedures
Further policies and guidance notes support the Group’s Data Protection Policy and, together, these form the Group’s Data Protection System.
4.0 Providing information to Third Party Data Processors
All contractors and other third parties who are users of Personal Data supplied by the Group will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by the Group.
5.0 Disclosing Personal Data
The Data Protection Act does not prohibit the sharing of information, but provides that disclosure can only be made when it is lawful to do so.
6.0 Subject Access
All individuals who are the subject of Personal Data held by the Group are entitled to:
Ash what information the Group holds about them and why
Ask how to gain access to it
Be informed how to keep it up to date
Be informed what the Group is doing to comply with its obligations under the Data Protection Act
We will provide this information in 40 days from the date of request
Further guidance on dealing with Subject Access Requests is detailed in the Group’s Subject Access Request Procedure.
7.0 Responsibilities of staff
All staff are responsible for checking that any Personal Data that they provide to the Group is accurate and up to date and informing the Group of any changes to information which they have provided e.g. changes of address.
All staff are responsible for ensuring that:
Any personal data that they hold or are responsible for is kept securely
Personal Data is not disclosed either orally or in writing or by any other means, accidentally or otherwise, to any unauthorised third party
8.0 Retention of Data
The Group will keep some forms of Personal Data for longer than others. All staff are responsible for ensuring that Personal Data is not kept for longer than necessary.
9.0 Information Governance
The Group will undertake a data mapping exercise to
Identify and define the Personal Data held
Identify the location and ownership of all Personal Data
Review the retention periods applicable to Personal Data
Risk assess the security of the Personal Data and compliance with the Data Protection Act
This assessment will be reviewed annually, and any resulting actions will be prioritised for implementation.
Notification to the Information Commission
The Information Commissioner maintains a public register of data controllers. The Group is registered as such.
The Data Protection Act 1998 requires every data controller who is processing Personal Data, to notify and renew their notification, on an annual basis. Failure to do so is a criminal offence.
Any changes to the register must be notified to the Information Commissioner, within 40 days and managers are responsible for notifying and updating the Data Protection Officer of the processing of Personal Data within their directorate. In addition, the Data Protection Officer will review the register notification with designated officers annually, prior to notification to the Information Commissioner.
11.0 Customer Impact
The Group handles large amounts of personal data to our customers, and holds sensitive Personal Data. The lack of robust procedures for the processing of personal data can lead to unsanctioned disclosure or processing that can cause damage and distress to the individuals concerned and the Group’s Data Protection System is designed to ensure that there are appropriate procedures in place covering the Processing of Personal Data.
The Data Protection Officer directs responsibility for maintaining this policy, the data protection system and providing advice and guidance on its implementation.
All managers will be responsible for implementing the policy within their areas of responsibility.
All staff will be provided with education and training and will be expected to comply with data protection legislation and adhere to the policies and procedures.
13.0 Equality & Diversity
The Group will ensure that the Data Protection Policy is accessible to its diverse customers and will take into account the different needs of customers when explaining the options available to them and in tailoring the service around customer need.
Wythenshawe Community Housing Group has a responsibility to serve the needs and promote the interests of its entire staff and all it customers/service users. The Group’s Single Equality Scheme works towards developing services, facilities and working practices, which are equally accessible and non discriminatory for all its customers. This is irrespective of their gender, age, race, sexuality, disability, religion, marital status/civil partnerships, pregnancy/maternity and economic status, and in line with the nine protected characteristics part of the new legislation under Equality Bill 2010.
A key element of the Equality standards involves carrying out an Equality Impact Analysis on all existing and, in particular, new policies to ensure they DO NOT have an adverse impact or promote any form of discrimination to particular s or associated protected characteristics. An Equality Impact Analysis has been carried out to this policy and will be reviewed on a yearly basis
We will provide information in languages other than English, in Braille, Large Print and Audio format. Our reception and interview rooms are fitted with a hearing loop system and the use of mobile loop systems