The lawful and appropriate management of personal data is extremely important to Cloch Housing Association (Cloch). This policy sets our commitment to protecting personal data and how we will implement this in regards to the collection and handling of personal data as defined in the following legislation:
Failure to comply with data protection legislation could lead to financial penalties, regulatory action, as well as reputational damage.
The Policy applies to all personal data that Cloch holds relating to living identifiable individuals regardless of the category of data or the format of the data. Personal data is any data that could be used to identify a living individual e.g. name, address, email, postcode, CCTV image, and photograph. Special categories of personal data is any information about racial or ethnic origin, political opinions, religious beliefs, health (mental and physical), sexual health, trade union membership and criminal convictions.
The policy applies to personal data held or accessed on Cloch premises or accessed remotely via home or mobile working. Personal data stored on personal and removable devices is covered by this policy.
This policy applies to:
Data protection laws describe how organisations must collect, handle and store all personal data. Ensuring compliance is underpinned by the following principles.
Personal data must be:
In addition to these principles the law requires organisations to be responsible for, and must be able to demonstrate, compliance with the above principles.
Cloch’s Voluntary Board are ultimately responsible for ensuring that Cloch meets its legal obligations however, the day to day management is delegated to the Leadership Team.
All staff have a responsibility for ensuring personal data is collected, stored and handled appropriately and must ensure that it is handled and processed in line with this policy and the data protection principles.
The Data Protection Lead Officer is responsible for monitoring compliance with this policy and the data protection legislation; managing personal data breaches and data subject rights; recording and maintaining appropriate records of processing activities and the documented evidence required for compliance.
Cloch will comply with our legal obligations and the data protection principles by:
Cloch will ensure processing of personal data, and special categories, meets the legal basis as outlined in legislation. Individuals will be advised on the reasons for processing via a freely available Privacy Notice.
Where data subjects’ consent is required to process personal data, consent will be requested in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. Data Subjects will be advised of their right to withdraw consent and the process for Data Subjects to withdraw consent will be simple.
Personal data will only be used for the original purpose it was collected for. These purposes will be clear to the data subject.
If Cloch wishes to use personal data for a different purpose, we will notify the data subject prior to processing.
Cloch will only collect the minimum personal data required for the purpose. Any personal data discovered as excessive or no longer required for the purposes collected for will be securely deleted.
Any personal information that is optional for individuals to provide will be clearly marked as optional on any forms.
Cloch will take reasonable steps to keep personal data up to date, where relevant, to ensure accuracy.
Any personal data found to be inaccurate will be updated promptly. Any inaccurate personal data that has been shared with third parties will also be updated.
Cloch will hold data for the minimum time necessary to fulfil its purpose. Timescales for retention of personal data are outlined in the Records Retention Schedule.
Data will be disposed of in a responsible way to ensure confidentiality and security.
Cloch will implement appropriate security measures to protect personal data.
Personal data will only be accessible to those authorised to access personal data on a ‘need to know’ basis.
Employees will keep all data secure, by taking sensible precautions and following the relevant Cloch policies and procedures relating to data protection.
In certain circumstances Cloch may share personal data with third parties. This may be part of a regular exchange of data, one-off disclosures or in unexpected or emergency situations.
Appropriate security measures will be used when sharing any personal data.
Where data is shared regularly a contract, data protection addendum or data sharing agreement will be in place to establish what data will be shared and the agreed purpose.
Cloch will consider all the legal implications of sharing personal data prior to doing so.
Data Subjects will be advised of any data sharing in the Privacy Notice.
Where Cloch engage Data Processors to process personal data on our behalf, we will ensure:
Occasionally Cloch may experience a personal data breach; this could be if personal data is:
All security incidents or personal data breaches will be reported and managed by the Data Protection Lead Officer.
The Information Commissioner’s Office and the individuals affected will be notified promptly, if required.
All breaches will be managed under Cloch’s Breach Management Procedures.
Cloch will uphold the rights of data subjects to access and retain control over their personal data held by us.
Cloch will comply with individuals’:
We have an obligation to implement technical and organisational measures to demonstrate that we have considered and integrated data protection into our processing activities throughout the organisation.
When introducing any new type of processing, particularly using new technologies, we will take account of whether the processing is likely to result in a high risk to the rights and freedoms of individuals and carry out Data Protection Impact Assessment.
All new policies including the processing of personal data will be reviewed by the Data Protection Lead Officer to ensure compliance with the law and establish if a Data Protection Impact Assessment is required.
Advice will be provided by the Data Protection Lead Officer on conducting Data Protection Impact Assessments in line with Cloch’s Data Protection Impact Assessment Procedure.
All staff will be aware of good practice in data protection and where to find guidance and support for data protection issues.
Adequate and role specific training will be provided regularly to everyone who has access to personal data, to ensure they understand their responsibilities when handling data.
Any breaches of this policy, may be considered under the Cloch disciplinary procedures, and may result in disciplinary action being taken, including dismissal.
Annual audits will be carried out to check compliance with the law, this policy and any relevant procedures.
An annual report will be put to the Board at the beginning of each financial year about the previous year stating any breaches, subject access requests or DP Impact assessments done.
The following policies and procedures should be read with this policy:
This policy will be reviewed at least every three years, although changes will be made to the policy during the three-year period if required to meet changes in legislation and to address any weakness identified in the policy.
| File Description | File | Size |
|---|---|---|
| Privacy Notice - Customers |  | 909KB |
| Table of Duration of Retention of certain Data | | 22KB |