Introduction
Sovereign Housing Group and its subsidiaries (the “Group”) control and process personal information about their customers, staff and board members. The Data Protection Act 1998 (the Act) covers all personal information that relates to living individuals. These individuals are given rights by the Act. We will not share this information with other organisations without the consent of customers, staff or board members unless we are required by law to do so.
This policy will set out what the Group will do to comply with the Act and the following eight principles:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall only be obtained and further processed for specified and lawful purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed.
4. Personal data shall be accurate and kept up to date.
5. Personal data shall not be kept longer than necessary.
6. Personal data shall be processed in line with the rights of the data subject.
7. Personal data must be kept secure.
8. Personal data must not be transferred to a country without adequate protection.
Being fair and understanding our customers’ needs
We recognise that communities are made up of people with different needs and values and that those differences are important. We will promote equality of access for everyone and value their diversity. We will work to eliminate discrimination and, in line with the law, we will treat everyone fairly, regardless of age, disability, gender, gender reassignment, marital status including civil partnerships, pregnancy and maternity, race, religion or belief or sexual orientation.
We will ensure that members of all these groups are treated in ways that meet their needs, and that they have equal access to services and/or activities wherever possible. We will promote their inclusion and challenge discrimination against them.
Scope
This policy applies to all employees, board members, customers, consultants, partners and others who may be affected by the way that we collect and process personal information and extends to data whether it is held on paper or by electronic means.
Statement of Commitment
The Group is committed to maintaining high standards of security and confidentiality for information in our custody and control. Safeguarding this information is critical to the successful operation of the Group. The Group will treat all information in its care and control with the same degree of security and confidentiality, and this policy applies to all organisations within the Group and all employees. The Group undertakes to inform residents, contractors, employees and board members on how it uses information and the purposes for which information is processed.
Objectives
The objectives of this Data Protection Policy are:
• To comply with the Data Protection Act 1998.
• To outline, guide and monitor the coordination of the information security and data handling procedures in force within the Group.
• To promote confidence in the Group’s information security and data handling procedures.
• To provide assurances for third parties dealing with the Group.
• To provide a benchmark for employees on information security, confidentiality and data protection issues.
Enablers
In order to support these objectives, the Group will:
• Delegate the responsibility for gathering, disseminating and dealing with issues relating to information security, the Data Protection Act and other legislation.
• Ensure that all activities that relate to the processing of personal data have appropriate safeguards and controls in place to ensure information security and compliance with the Act.
• Ensure that all contracts and service level agreements (SLAs) between any part of the Group and external third parties (including contract staff), where personal data is processed, make reference to the Act where appropriate.
• Ensure that third parties acting on behalf of the Group are given access to personal information that is appropriate to the duties they are undertaking and no more.
• Ensure that all staff (including contract staff) and board members understand their responsibilities regarding data protection and information security under the Act.
Individuals’ rights of access to data
Individuals have a right of access to personal information held by the Group if they are the “data subject” of that information. Requests must be made in writing, signed by the data subject and addressed to the Company Secretariat. The person requesting the data must complete the Access Request Form providing details of the information required as well as their current address and some form of identification. The Act allows the Group to charge a £10 admin fee for searching for this information.
Someone may ask a third party to obtain the information on their behalf, but they must provide written consent in order to do this.
Exemptions
In some circumstances it may be appropriate to disclose information held by the Group to specific third parties, for example to prevent a criminal offence from being committed, or to prevent the continuation of a criminal offence.
Data Retention
Data should not be kept for longer than is necessary. The Group Document Retention Policy should be referred to for guidance on the retention of data.
Disposal
Where personal and confidential information is no longer required, it will be destroyed. Employees should refer to the appropriate data retention guidelines for their respective departments.
Policy Promotion & Training
This policy will be made available within the Group as part of the induction process to all new and temporary employees and board members.
The policy will be promoted to current employees by requiring acknowledgement and acceptance of its aims and objectives. There will be a continuing series of awareness-raising initiatives relating to security and privacy issues by the Data Protection Champions nominated around the Group in order to ensure that all staff understand their responsibilities under the Act.
All employees will be provided with education and training where appropriate and will be expected to comply with data protection legislation and adhere to the policies and procedures used to meet the objectives of the Group Data Protection Policy.
Breaches
Any wilful disregard or intentional breach of the Data Protection Policy by employees shall be regarded as a disciplinary offence and handled within the Group’s Disciplinary Procedures.
Any wilful disregard or intentional breach of the Data Protection Policy by consultants, constructor partners and other relevant data processors shall be regarded as a breach of contract and treated as such.
Equality Impact Assessment
After completing a Stage 1 EIA, it was found that this policy will affect all employees and residents in the same way, as all personal data should be processed in accordance with the Act. As long as any data requested is made available in a way that is suitable for the needs of the data subject, there will be no adverse impact on any particular groups.
Monitoring and feedback
A programme of continuous review of this policy’s implementation and effectiveness is to be conducted under the direction of the Head of Governance and Legal Services. An annual report with recommendations will be presented to the Board of The Sovereign Housing Group Limited.
This policy can only be amended with the approval of the Board of The Sovereign Housing Group Limited.
Glossary of terms
• Personal Information – any information that relates to a living individual who can be identified by this data. This includes opinions about the individual and an indication of the intention of the Group or any other person in respect of the individual.
• Data Subject – the living individual that the personal data relates to.
• Data Controller – the company that decides the purpose for and the way in which any personal data is processed. The Group is a data controller.
• Data Processor – any company that carries out activities with personal data on behalf of the data controller.