
DATA PROTECTION POLICY
1. Purpose
This policy sets out how Castles & Coasts Housing Association (CCHA) will ensure compliance with the Data Protection Act 2018 and the UK retained Law version of the General Data Protection Regulation (UKGDPR) and other data protection legislation.
2. Scope
2.1 This policy applies to all personal data processed by CCHA, however it is collected, stored, or used, where CCHA is the data controller. That is where we decide what data to collect, the purposes it is used for and how long it will be retained. It includes personal data that is ascertained and shared verbally, and personal data collected via CCTV and other audio and visual recordings. Data relating to deceased individuals is not classed by law as personal data, but at CCHA we shall treat this data as if it were.
2.2 Data protection is everyone’s responsibility and everyone (including employees, Board Members, temporary staff, and consultants) must comply with the requirements of this policy and supporting guidance. Some job roles and positions have additional responsibilities and this policy sets out what these are. Failure to comply with this policy or supporting guidance could result in disciplinary action.
3. Policy Statement
CCHA needs to collect, store, use and share personal data about customers, employees, and other individuals in order to operate. CCHA is committed to complying with data protection legislation and the obligations and responsibilities it places upon us. This protects the organisation from fines, enforcement action and reputational damage. It ensures that we maintain the rights and freedoms of those individuals whose data we process.
4. Introduction
4.1 This policy explains how the data protection legislation will be applied at CCHA and the roles and responsibilities people have. It does not set out to reiterate the data protection legislation or the guidance provided by the Information Commissioner’s Office (ICO). Full and detailed guidance is available on the ICO website and should be referred to for additional detail, or the Data Protection Officer (DPO) can be contacted for information, advice and guidance.
4.2 At times this policy uses specific terms or abbreviations. A list of the Abbreviations and Definitions that are used is provided in Appendix 1. A full Contents list is provided in Appendix 2. This policy also provides web links to external guidance and internal documents.[1]
4.3 All employees, Board Members, temporary staff and consultants (everyone) have a role to play in ensuring CCHA meets its data protection obligations and responsibilities. Everyone should familiarise themselves with this policy. This policy is supported by additional guidance. This guidance shall have the same standing as this policy and must be complied with at all times.
CCHA Data Protection Policy Version 2
Approved by Audit and Risk Committee on 3rd May 2022
Next Review Due May 2024
[1] Links to internal documents require access via a CCHA account with VPN on.
5. Data Governance Framework
5.1 CCHA views all data as important, so in addition to the responsibilities we have to personal data, CCHA is developing a Data Governance Framework that will set out the management of all data to ensure:

5.2 The Data Governance Framework will define the data governance accountabilities and responsibilities, including those that are assigned to Data Custodians and who the Data Custodians are. The Data Custodians also have responsibilities set out in this policy. Until such time as the Data Governance Framework is finalised, the relevant Head of Service will be considered the Data Custodian for the purpose of this policy, though they may delegate the operational actions to team managers and team members.
6. Record of Processing Activities
CCHA shall document all the processing of personal data it undertakes in the Record of Processing Activities. The Data Custodian is accountable for ensuring this is completed for the personal data they are responsible for and that all the mandatory fields are populated. The DPO will provide a template document for this and shall hold the master copy of the Record of Processing Activities and periodically review this with the Data Custodians.
7. Legal Basis for Processing
7.1 CCHA will record its legal basis for processing different types of personal data in the Record of Processing Activities. Where Special Category data is being processed, the additional condition for processing will be recorded. For criminal conviction or criminal offence data, the Schedule 1 condition for processing must be documented.
7.2 Advice is available from the DPO on the legal basis for processing, additional conditions, and Schedule 1 conditions. The ICO website has full guidance on these.
7.3 Where new systems or processes are being introduced that involve collecting new types of data or using existing data in a new way, the Record of Processing Activities must be updated and approved by the Data Custodian and DPO before any processing commences. A Data Protection Impact assessment may also be required.
7.4 Personal data held by CCHA can only be used in line with the documented legal basis and conditions for processing. If existing personal data is being used for new purposes, you must ensure that this is consistent with the existing purpose. The only exception to this is where an exemption exists in law. Anyone relying on exemptions must be able to demonstrate that exemption if requested.
8. Consent
Where data is being processed (i.e. collected, stored, or shared) based on the individual having given consent, this must meet the requirements in the consent guidance. That is, consent is informed, freely given, positively opted into and can be withdrawn at any time. If the individual withdraws their consent, CCHA shall immediately cease to process the data. It is the responsibility of the person collecting or sharing personal data to make sure the consent guidance is followed, and a record of the consent is made.
9. Legitimate Interests Assessments
9.1 Where CCHA uses legitimate interests as a legal basis for processing, it will only do so where the data is being processed in a way that data subjects would reasonably expect and will have a minimal impact on their privacy, or there is a compelling justification for the processing. We will balance our interests against the individual’s interests and their rights and freedoms. If they would not reasonably expect the processing, or if it would cause unjustified harm, this will override our legitimate interests. Data Custodians are accountable for ensuring we have documented:
• Our legitimate interest
• That the processing is necessary to achieve this
They must then balance this against the individual’s interests, rights and freedoms.
9.2 A Legitimate Interest Assessment template is available from the DPO for this purpose. A copy of all completed Legitimate Interest Assessments will be held by the DPO.
9.3 All staff are reminded that if legitimate interests are being used as a basis for sharing personal data, or for providing data to a data processor, these requirements still apply. Where we share the same data for the same purpose with several processors, for example, when sharing data with repairs contractors, this can be covered on one Legitimate Interest Assessment.
10. Data Minimisation
10.1 When processing personal data, we will ensure it is adequate and relevant to the purpose for which it is being used. It will be limited to only the data that is necessary for that purpose. For example, when collecting data, we will only collect the data that is needed and not collect data ‘just in case’ or because ‘we have done this previously’.
10.2 Data Custodians ensure that data collected is fit for purpose and that no unnecessary, irrelevant, or unjustifiable personal data is collected or created, either directly or indirectly, through the data processing activities they are accountable for. They will periodically review the data that is processed to ensure it is adequate, relevant, and limited to the purpose for which it is being processed.
10.3 Anyone sharing data is responsible for ensuring the data sharing is limited to only the data that is required, and that it is adequate and relevant for the purpose for which it is being shared.
11. Data Accuracy
11.1 It is a legal requirement to ensure that any personal data we hold is not incorrect or misleading and is complete and kept up to date. Data Custodians must ensure that personal data they are accountable for, either directly or indirectly, is accurate at the point of collection, its accuracy is maintained, and the data is kept up to date. They should ensure processes are in place to identify and rectify inaccurate or out of date data. The responsibility for implementing and following these processes can be delegated to team managers and team members. The Data Governance Framework will set out CCHA’s approach to data accuracy for all data held and used by the organisation.
11.2 Any employee identifying personal data as inaccurate shall take steps to rectify this, in line with the systems and processes in place in their team/service area.
11.3 Where we discover that data we have shared with a third party is inaccurate, we shall notify the third party of this and provide them with the accurate data.
11.4 We are only required to amend historical records if they are incorrect or misleading. For example, if a date of birth had been recorded inaccurately, this would require rectifying. However, if someone stated they had a first aid qualification at the time they applied for a job, and this qualification subsequently lapsed, it would still be correct that they had a first aid qualification at the time they applied for the job, so would not need rectifying in their job application.
11.5 Sometimes different people may have different views on the accuracy of data. For example, Anti-Social Behaviour records may be disputed – such as where someone who is accused of playing loud music says that the record is inaccurate because the music was not loud. It is important that we are clear in our records what is someone’s view or opinion and what is fact. Where the accuracy of data is disputed, the relevant team manager or Head of Service shall, having considered all the facts and points of view, make the final decision on the data accuracy, consulting with the Data Custodian where relevant. It should be recorded in the relevant record that the accuracy of the data was disputed. The DPO can provide advice and guidance when there is a difference of opinion on the accuracy of data.
12. Data Retention
12.1 CCHA will not keep personal data for longer than it is needed for the purposes for which it was collected. We set out how long we keep the different types of personal data and the reason for this in our retention schedule. Data Custodians must ensure that there is a retention period specified in the retention schedule for all the personal data they are accountable for. The DPO can act as a source of advice on retention periods, but the Data Custodian decides the retention period based on legal and regulatory requirements, the business needs, and best practice elsewhere. They must be able to justify the retention period. Retaining data ‘just in case’ is not considered adequate justification for retaining personal data. CCHA’s retention schedule is based on the schedule produced by the National Housing Federation to ensure our retention is in line with industry standards.
12.2 The DPO is responsible for keeping the master copy of CCHA’s retention schedule and making this available to staff and data subjects.
12.3 Where personal data is held in electronic format, the Data Custodians, in collaboration with the IT team, are responsible for ensuring data is deleted or anonymised at the end of its retention period. Where data is held electronically within team folders, team managers are responsible for ensuring it is deleted or anonymised in line with the retention schedule. Where personal data is held in paper format, team managers are responsible for ensuring it is securely disposed of at the end of its retention period.
12.4 The information and data confidentiality and security guidance will provide the operational details as to how data can be disposed of securely.
13. Data Protection Impact Assessments
13.1 Data Protection Impact Assessments (DPIAs) are a data protection risk assessment designed to help identify and minimise any data protection risks from projects or data processing activities. They are a useful tool to ensure compliance with data protection requirements and obligations. They are used to consider data protection through the data life cycle, from the point of collection to the time of destruction. They are an important part of ensuring data protection by design and default.
13.2 To make sure that we are identifying and managing any data risk and complying with our obligations and taking a data protection by design and default approach, a DPIA shall be completed, and regularly reviewed when we are considering:
• Collecting any new personal data
• Using existing personal data in a new way
• Any new IT system or app that will store or process personal data or other innovative technological or organisational solutions
• Sharing large volumes of personal data or sharing data that is high risk
• When we process criminal offence data
• Installing or using any monitoring technology
• Automated decision making, profiling or any evaluation or scoring involving personal data
• Combining, matching, or comparing personal data from multiple sources
• Processing any personal data that could result in a risk of physical harm in the event of a data breach
13.3 It is the responsibility of the person leading or managing any of these activities to make sure a DPIA is completed. This should be done as early in the process as possible and kept under review. The DPO can act as a point of information and advice when completing a DPIA and will review and approve DPIAs before processing commences. Where a DPIA indicates that there are data risks that can’t be mitigated, we will consider whether the processing is necessary. Where the DPIA shows that any processing is likely to result in a high risk to individuals that can’t be mitigated, we will consult with the ICO before we start processing the personal data.
13.4 Completed DPIAs should be sent to the DPO, who will maintain a record of all completed DPIAs.
14. Data Protection by Design and Default
14.1 In addition to conducting DPIAs, CCHA will consider data protection and the requirements of this policy when:
• Reviewing or updating policies
• Undertaking new projects or programmes that involve personal data
• Implementing or updating systems or policies that involve personal data
14.2 It is the responsibility of the person leading these activities to ensure compliance with this policy to ensure data protection is maintained by design and default from the point that the data is first collected, through its lifecycle, to the secure disposal of the data.
15. Privacy Notice
15.1 Data subjects have the right to be informed about the data CCHA collects, why we collect it, who we will share it with and how long it will be kept for. We will do this through our Privacy Notice.
15.2 As CCHA has two distinct categories of data subjects for whom we collect and process personal data, we will have two distinct Privacy Notices. One notice will provide the Privacy Notice information for our current, former, and prospective tenants, residents, leaseholders and homeowners, and the other for our employees, volunteers and Board Members. The rationale for this is that these are two completely distinct groups of data subjects involving very distinct data processing activities. It aids clarity for the data subjects to provide specific processing notices for these two groups of data subjects.
15.3 Our Privacy Notices will meet the requirements as set out in the ICO guidance on the right to be informed. The DPO will be the document owner for the Privacy Notices and make sure they comply with the ICO’s guidance. The DPO will keep these updated as and when they are notified by a Data Custodian of a change in our processing activities. The DPO will make sure a copy of our Privacy Notice is available on our website.
15.4 We will provide either a copy of our Privacy Notice or a link to our Privacy Notice at the time we first collect data about individuals, or within a month of doing so, unless we have already provided them with this information, or it would require disproportionate effort to do so. This may be through a layered approach, such as a short notice with key information and links to the full Privacy Notice.
15.5 The HR Manager is responsible for ensuring the Privacy Notice for employees is provided at the point of application and remains available to all employees throughout their employment, by making this available on any employee communication platforms used by the organisation.
15.6 The Head of Housing will make sure that all applicants for housing (be that rented, Leasehold, Home Ownership or Independent Living) receive a copy of our Privacy Notice or a link to our Privacy Notice at the time of application, or within one month of application.
15.7 Where CCHA processes personal data relating to other data subjects, for example, members of the public who may contact us from time to time, they can access a copy of our Privacy Notice on our website: http://castlesandcoasts.co.uk/privacy.
15.8 At the locations where CCHA has CCTV in operation we will make sure clear signage is in place to inform people that CCTV is in operation. It shall be clear that CCHA is the data controller for this information. We will also endeavour to include on the signage our reasons for CCTV and contact details for any enquiries, though this information will be available in our Privacy Notices. The Head of Housing is accountable for ensuring signage is in place for CCTV systems that cover our housing schemes, though the responsibility for this can be delegated to the scheme manager. For CCTV in office locations, the Head of Customer Service has this accountability.
15.9 When CCHA records telephone calls, either a recorded message shall be given informing people that calls are recorded or the person making/receiving the phone call shall provide this information.
15.10 There will be rare occasions where CCHA will apply exemptions to the right to be informed. These will be applied in line with the ICO’s guidance on exemptions.
16. Data Subject Rights
16.1 Data Protection legislation sets out that individuals have the following Data Subject Rights:
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
16.2 Whilst some data subject rights are absolute, some are dependent upon the lawful basis for which the data is processed – for example if we are processing data because of a legal obligation (for example, in relation to an employee’s PAYE tax) we are not required to comply with an erasure request. Likewise, there are some instances where exemptions exist, and it is likely that CCHA will apply these exemptions (for example, if a right of access request appears to have been made with no real purpose other than to harass or cause disruption to the organisation). CCHA will ensure it follows the ICO guidance on data subject rights and the ICO guidance on exemptions.
16.3 The DPO, or nominated person in their absence, shall coordinate the response to any data subject rights requests received and ensure that the ICO guidance is adhered to. As there are legal timescales to respond to data subject rights requests, all managers, where requested, will support the DPO in responding to these requests. Where resourcing pressures may jeopardise the organisation’s ability to respond to requests, this should be escalated to the relevant Head of Service, with a view to ensuring we respond within timescales. Everyone should be aware that the legal timescales for responding are short; for example, the timescale for responding to a Subject Access Request is one calendar month.
16.4 All employees, and anyone engaged to deliver services on our behalf, are responsible for identifying any data subject rights requests and informing the DPO (via the GDPR@castlesandcoasts.co.uk email) as soon as they think they may have received a subject rights request. These requests may be made verbally, in writing or on social media; they do not have to use any specific language or use any specific words. If it is possible that a data subject rights request is being made, this should be passed to the DPO.
16.5 CCHA will develop further guidance on how we will comply with data subject rights requests, to assist any staff member in administering data subject rights requests and provide clarity to data subjects on our approach.
17. Complaints
If anyone submits a complaint to the organisation about our processing of personal data, the organisation’s Complaints Policy shall be followed, though in responding to the complaint, the data subject will also be informed they have the right to complain to the ICO.
18. Data Processors and Data Sharing
18.1 CCHA will, during its activities, need to share personal data with third parties. There are two different scenarios in which this will occur:
• Where CCHA is using the services of a third party to deliver services on our behalf or at our request. In these circumstances, it is CCHA which is the data controller, and the third party is the data processor. CCHA remains in control of the data, and we shall specify to the processor what they can and cannot do with the data and how long they can process the data for. An example of a data processor is a repairs contractor. There must be a written agreement in place that covers data protection.
• When CCHA shares data with a third party who will be the data controller for that information. An example of this is HMRC, with whom CCHA is legally obliged to share information relating to tax. This is referred to as data sharing or information sharing.
18.2 Data protection legislation does not prevent us from providing data to third parties, but it does give us a clear framework to do this in.
18.3 Anyone providing personal data for which CCHA is the data controller to a third party must ensure it is done within this framework. The DPO shall provide operational guidance on how to go about this.
18.4 In summary the following will apply:
• We will have a lawful reason to share the data. Usually either the data subject has consented; there is a legal obligation; the sharing is in the public interest; or we have a legitimate reason
• Where the third party is a data processor, we have a Data Processing Agreement, or other contract in place, which meets the requirements of the ICO guidance – before any processing by the third party takes place
• We have informed the Data Subjects in our Privacy Notice (except in the rare occurrences where exemptions to the right to be informed apply)
• When we are providing data to a third party, we shall do this in line with our data minimisation approach
• When we provide data, we shall do this following any data security arrangements in place
19. Data Processors
19.1 Directors and Heads of Service are accountable, and team managers are responsible for ensuring that we have Data Processing Agreements or another contract which meets the ICO’s requirements in place with any data processors before any processing commences. They shall make sure the DPO is provided with a copy of the signed Data Processing Agreement or contract.
19.2 The DPO is responsible for holding a central record of all Data Processing Agreements or contracts that are in place. The DPO is also responsible for making a template Data Processing Agreement that meets the legal requirements available to staff who require a copy.
19.3 Directors, Heads of Service and team managers shall make sure that sufficient due diligence has been undertaken on any data processor prior to engaging their services. This due diligence should be proportionate to the type and volume of data and the risks associated with the data they will be processing, irrespective of the value of any contract. For example, a processor that has access to key systems or sensitive data should have more robust due diligence undertaken than a processor who is being provided with more basic data such as a few residents’ names and telephone numbers. This due diligence must include details of the security measures the processor has in place.
19.4 Everyone is responsible for making sure they only provide data processors with the data that is set out in the data processing agreement, for the purposes set out in the agreement. A data minimisation approach must be followed, and the data shall be shared in line with any organisational guidance on sharing data securely.
20. Joint Controller Agreements
20.1 Very occasionally, CCHA will be a joint controller for personal data. This is when we are using the same data set (or database) that is designed, managed, and used in partnership with other organisations. An example of this would be joint allocation systems, such as Cumbria Choice. In such circumstances, all joint controllers remain responsible under the UKGDPR. Clear arrangements must be in place which set out the accountabilities and responsibilities. As there will be joint responsibility, any such arrangements and agreements can only be approved by a Head of Service or Director, having taken appropriate advice.
21. Data Security
21.1 Maintaining the security, integrity, accessibility and confidentiality of personal data is imperative to data protection. Everyone is responsible for data security and should be vigilant to anything that could jeopardise this and take appropriate action.
21.2 CCHA uses a range of technical and organisational measures to ensure the security, integrity, accessibility and confidentiality of personal data.
21.3 The Data Governance Framework will set out the data governance for all data. It will specify the approach used to ensure that all data is accurate and accessible. It will identify the responsibilities for using, maintaining and updating data, and include audits of data accuracy.
21.4 The IT Lead has operational responsibility for compliance with data protection legislation and best practice for information security in respect of CCHA’s IT estate. The IT (and Cyber) Security Policy sets out the measures used to maintain IT and Cyber security. The IT Lead is responsible for this policy.
21.5 CCHA shall ensure the suitability of employees as set out in our Recruitment and Selection policies and other HR policies.
21.6 The IT Lead and DPO shall produce guidance to staff on information and data security and confidentiality. This guidance will contain the operational standards that all staff must comply with on a day-to-day basis across the organisation. This guidance will have the same standing as this policy and failure to comply with this guidance could be considered a disciplinary matter.
21.7 Managers at all levels in the organisation are responsible for ensuring they frequently review the systems and processes used by their team/service areas and put in place data security measures where these have not been covered by the documents set out above. They must ensure all their team are made aware of these measures and adhere to them. These measures should be documented.
21.8 Everyone is responsible for following all policies, guidance, and instructions that they are given in relation to data security. Anyone with any concerns about data security should raise this with their manager or the DPO.
21.9 Personal data should only be viewed or used where there is a clear business reason to do so. Anyone who accesses or uses personal data without a valid business reason for doing so could face disciplinary action.
22. Transfers of Personal Data to Other Countries
The UKGDPR sets out a high standard of data protection. Other countries do not necessarily have the same standard of data protection. Therefore, the transfer of any data outside of the UK must have additional safeguards in place. Advice must be taken from the DPO prior to such transfers to ensure the additional safeguards are in place. Anyone establishing new data processes should be particularly vigilant to check whether any personal data is being transferred outside of the UK.
23. Data Breaches
23.1 A data breach is anything that has, or could have, affected the confidentiality, integrity or availability of data, such as:
• Accidental or unauthorised disclosure or access to data
• Accidental or unauthorised loss or unavailability of data including destruction or alteration of data
• Anything that affects or could affect the security or confidentiality of data
23.2 Examples of a data breach include:
• Email, letter or text message sent to the wrong recipient
• A CCHA system being accessed by someone who is not authorised
• Data being shared with someone who is not authorised to receive it
• Ransomware attack affecting the availability of data
• Lost paper documents, or paper documents left unattended outside the office
23.3 Anyone who becomes aware that a data breach has occurred, or that a data breach may have occurred, must report this immediately to GDPR@castlesandcoasts.co.uk. This includes notifications from data processors that a breach has occurred which involves CCHA’s data. Lost or stolen ICT equipment should be reported to the IT Helpdesk as soon as it is found to be missing.
23.4 Upon notification that a breach has, or may have, occurred, the DPO or nominated representative, in their absence, shall coordinate the response using a five step process: 1.
23.5 If a breach is likely to pose a risk to people’s rights and freedoms, this will be reported to the ICO within 72 hours of first becoming aware of the breach.
23.6 If the breach is likely to pose a high risk to people’s rights and freedoms, the affected data subject(s) will be notified.
23.7 The Head of Business Improvement shall be provided with a summary of the breach, the containment and recovery activities, and the outcome of the risk assessment. They will approve actions/decisions. If a breach is considered reportable, the Finance Director shall be informed prior to the breach being reported.
23.8 It is imperative that everyone is open and honest when reporting data breaches. Any employee reporting that things have, or could have gone wrong will not face disciplinary action unless it is found that they have acted:
• Illegally – against the law (e.g. selling personal data or theft of equipment)
• Maliciously – intending to cause harm (e.g. deliberately releasing confidential information)
• Recklessly – deliberately taking an unjustifiable risk where the employee either knew of the risk or deliberately closed their mind to its existence (e.g. working while under the influence of alcohol or repeatedly making the same careless mistake)
• Intentionally not following policies or guidance
23.9 However, not reporting a data breach may be considered a disciplinary matter.
23.10 Everyone is encouraged to report near misses so that lessons can be learned to prevent future incidents.
23.11 The DPO is responsible for maintaining a record of data breaches and actions taken as part of the investigation.
24. Role of the Data Protection Officer
24.1 CCHA has chosen to voluntarily appoint a DPO. The DPO’s role is to:
• Inform and advise the organisation on its obligations to comply with the UKGDPR and other data protection laws
• Monitor compliance
• Maintain the data protection records
• Be the first point of contact for the ICO
• Raise awareness and provide training in data protection
24.2 The DPO will only undertake other tasks so long as they do not conflict with the DPO’s primary tasks.
25. Training
25.1 Everyone must receive regular training in data protection. This will be undertaken in a number of ways.
25.2 New employees will receive a data protection brief as part of the corporate induction. They will also be required to read this policy and any associated guidance. Managers of new employees must ensure that the new employee has received, and understands, any additional data protection requirements that are relevant to their job role.
25.3 Existing employees will receive training at least once a year. This can be done via e-learning or sessions delivered by the DPO or another trainer. Training may be delivered by managers or the DPO in team meetings or team talks. Training will be tailored to the roles and responsibilities of the employees. Employees are required to confirm they have read this policy and annually
25.4 The DPO and IT lead will from time to time send out all staff emails or undertake other awareness raising activities.
26. Related Policies and Documents
CCTV Policy
Complaints Policy
IT Security Policy
Call Recording Statement
Information Security and Confidentiality Guidance
27. Document Owner and Approval
The Data Protection Officer owns this policy and is responsible for ensuring that it is reviewed on a regular basis.
Appendix 1 – Abbreviations and Definitions
Abbreviations
CCHA – Castles and Coasts Housing Association
DPA – Data Processing Agreement
DPIA – Data Protection Impact Assessment
DPO – Data Protection Officer
GDPR – General Data Protection Regulation
ICO – Information Commissioner’s Office
UKGDPR – the UK law retained version of the GDPR
Definitions
Personal data – any information relating to an identified or identifiable natural (living) person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data used for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Criminal Offence Data – information about offenders or suspected offenders in the context of criminal activity; allegations; investigations; and proceedings. It includes not just data which is obviously about a specific criminal conviction or trial but may also include personal data about: unproven allegations; and information relating to the absence of convictions.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Data Controller decides what data is collected, how it is used, how long it is stored for.
Data Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Custodian – a term used by CCHA for an Information Governance role that has specific accountabilities and responsibilities set out in the Data Protection Policy and the Information Governance Framework. They are usually a Head of Service.
Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Record of Processing Activities – a record that sets out what data is processed (used) by CCHA, the lawful basis for its processing, where the data comes from, who it is shared with and other information relating to processing activities. It is a requirement of GDPR.
Legal Basis for processing – GDPR sets out the lawful reasons for processing personal data. The legal basis for processing is the lawful reason that a specific category of personal data is being processed.
Data Protection Impact Assessment – a data protection risk assessment to identify and manage risk associated with processing personal data.
Privacy Notice – a document that gives data subjects information about the processing an organisation undertakes. GDPR sets out what should be included in the Privacy Notice.
Appendix 2 – Contents
Purpose
Scope
Policy Statement
Introduction
Data Governance Framework
Record of Processing Activities
Legal Basis for Processing
Consent
Legitimate Interests Assessments
Data Minimisation
Data Accuracy
Data Retention
Data Protection Impact Assessments
Data Protection by Design and Default
Privacy Notice
Data Subject Rights
Complaints
Data Processors and Data Sharing
Data Processors
Joint Controller Agreements
Data Security
Transfers of Personal Data to other Countries
Data Breaches
Role of the DPO
Training
Related Policies
Document Owner and Approval
Appendix 1 Abbreviations and Definitions
Appendix 2 Contents