1. Scope
As a landlord, we are committed to being fully compliant with all applicable UK and EU data protection legislation in respect of personal data, as well as to safeguarding the rights and freedoms of persons whose information we collect pursuant to the General Data Protection Regulation (“GDPR”).
We will ensure safe data policies are developed, implemented, maintained and periodically reviewed.
We understand that the purpose of the GDPR is to ensure the rights and freedoms of living individuals, and to protect their personal data by ensuring that it is never processed without their knowledge and, when possible, their consent.
2. Objectives
Our objectives for managing and protecting data are as follows:
- To enable us to meet our data obligations in relation to how personal information is managed
- To support our business objectives
- To set appropriate systems and controls on data management
- To ensure we are compliant with all applicable obligations, whether statutory, regulatory, contractual and/or professional
- To safeguard personnel and stakeholder interests
3. Good practice
We shall ensure compliance with data protection legislation in the following ways:
- Processing personal information only when it is absolutely necessary
- Ensuring that the least possible amount of personal data is collected, and that personal data is never processed unduly
- Informing individuals how their personal data is or will be used and by whom
- Processing personal data in a lawful and fair manner
- Keeping a record of the various categories of personal data processed
- Ensuring that all personal data that is kept is accurate and up to date
- Retaining personal data no longer than required by statute or regulatory bodies, or for organisational purposes
- Giving individuals the right of ‘subject access’, as well as all other individual rights pertaining to their personal data
- Ensuring that all personal data is maintained securely
- Not transferring personal data outside of the EU unless it is appropriately secured
- Applying various statutory exemptions, where appropriate
- Implementing best practice data management
- Identifying stakeholders, both internal and external, that process data on our behalf
4. Notification
We are registered with the Information Commissioner as a Data Controller that engages in processing personal information of data subjects. We have identified and recorded all of the personal data that we process as part of providing rental accommodation.
We will ensure that we record any data breaches and that these are reported to the Information Commissioner’s Office (“ICO”) within 72 hours.
We will review these breaches annually, as part of our ongoing data management responsibilities. Where we are updating or changing our data practices, we will use data protection impact assessments to ensure that these changes remain within our GDPR and data protection responsibilities.
This policy applies to us and any contractors and subcontractors we employ as part of our provision of rented accommodation. If we become aware of any breaches of the GDPR policy, we will deal with them up to and including terminating contracts or agreements with contractors / subcontractors. If there is a possibility that the breach could amount to a criminal offence, the matter shall be referred to the relevant authorities.
All third parties who have or may have access to personal data are required to read, understand and fully comply with this policy. The data protection obligations imposed by the data processor agreement shall be equally as onerous as those with which we comply. We reserve the right to audit any personal data accessed by third parties to ensure the compliance of any third parties we have a data processor agreement with.
5. Responsibilities under the GDPR
Under GDPR, we are a Data Controller. This means that we are in charge of ascertaining the purposes and means by which personal data shall be processed. We undertake the following responsibilities.
Risk Assessment
It is vital that we are aware of all risks associated with personal data processing and are able to assess the level of risk. We will do this via regular risk assessment audits. Where necessary, we will carry out assessments of the personal data processing undertaken by other organisations on our behalf and manage any identified risks, so as to mitigate the likelihood of potential non-compliance with this policy.
Where personal data processing is carried out using new technologies, or when a high risk is identified in relation to the rights and freedoms of data subjects, we will engage in a risk assessment of the potential impact.
If the outcome of an assessment shows that processing would result in a high risk of causing distress and/or may cause damage to data subjects, we will not start processing. Where necessary, we will inform a regulatory authority if significant concerns have been identified.
We will ensure that appropriate controls are in place to ensure that the risk level associated with personal data processing is kept to an acceptable level.
6. Principles of data protection
The principles of personal data processing are as follows:
- All personal data must be processed lawfully and fairly at all times.
- Policies must also be transparent. This means that we will ensure that our personal data processing policies, as well as any specific information provided to a data subject, are readily available, easily accessible, and drafted using clear and plain language.
- The data subject must be provided with the following information:
- The identity and contact details of the data controller (found on our contract)
- The purpose or purposes and legal basis of processing
- The length of time for which the data shall be stored
- Their rights in relation to their data, namely:
- Right to request access
- Right of rectification
- Right of erasure and
- Right to raise an objection to the processing of the personal data
- The categories of personal data
- The recipients and/or categories of recipients of personal data, if applicable
- Whether the controller intends to transfer personal data to a third country and, if so, the level of data protection provided for by the laws of that country
- Any further information required by the data subject to ensure that the processing is fair and lawful.
- Personal data may only be collected for specified, explicit and legitimate reasons. When personal data is obtained for specific purposes, it must only be used in relation to that purpose.
- Personal data must be adequate, relevant and restricted to only what is required for processing. To this end, we will:
- Not collect data that is superfluous to what is required for the purpose(s) for which it is obtained
- Approve all data collection forms, whether in hard-copy or electronic format
- Regularly check that all data collection methods are appropriate, relevant and not excessive
- Securely delete or destroy any personal data that is collected in a manner that is excessive or unnecessary
- Personal data must be accurate and up to date. To this end, we will:
- Not keep data unless it is reasonable to assume its accuracy
- Ensure any staff we employ fully understand the importance of collecting and maintaining accurate personal data
- Ensure individuals are personally responsible for ensuring that the personal data we collect and hold is accurate and up to date
- Carry out an annual review of all personal data to ascertain whether it is required, and delete or destroy old data in a safe manner
- Ensure that inaccurate or out-of-date personal data that has been passed on to third parties is corrected
- The form in which the personal data is stored must be such that the data subject can only be identified when it is necessary to do so for processing purposes. To this end, we will:
- Ensure personal data that is no longer needed for any purpose is deleted or put beyond use
- Destroy or delete personal data as soon as the retention date has passed
- Only keep personal data beyond this period if it is in line with data protection requirements.
- The processing of personal data must always be carried out in a secure manner.
- Personal data should not be processed in an unauthorised or unlawful manner, nor should it be accidentally lost or destroyed at any time.
7. Security controls
Our security controls ensure that risks to personal data are mitigated as far as possible, to reduce the potential for damage or distress to data subjects.
Personal data shall not be transferred to a country outside of the EU unless the country provides appropriate protection of the data subject’s rights and freedoms in relation to the processing of personal data.
We will not transfer the data outside of the EU, unless we can show appropriate safeguards. In the absence of these safeguards.
8. Accountability
We have nominated a person who is responsible for ensuring overall compliance with the GDPR and for demonstrating that each of our processes is compliant with the GDPR requirements. This person will:
- Maintain all relevant documentation regarding our processes and operations
- Implement proportionate security measures
- Carry out Data Processing Impact Assessments
- Comply with prior notification requirements
- Seek the approval of relevant regulatory bodies
9. The rights of data subjects
Data subjects enjoy the following rights in relation to personal data that we process:
- The right to make access requests for the personal data that we hold on them
- The right to refuse personal data processing
- The right to be informed about any automated decision-making processes that will have a significant effect on the data subject
- The right not to be subject solely to any automated decision-making process
- The right to claim compensation for any loss they suffer as a result of an infringement of this regulation
- The right to require the rectification, blocking and erasure of personal data, where appropriate
- The right to request that the ICO carry out an assessment as to whether any of the provisions of the GDPR have been breached
- The right to be provided with personal data in a format that is structured, commonly used and machine-readable
- The right to request that their personal data is sent to another data controller
- The right to refuse automated profiling without prior approval.
10. Data access requests
Tenants can contact us to make a data access request. Upon receiving a request, we will require proof of identity. Once we have received this, we will process the request within the requirements of the GDPR.
11. Complaints
All complaints about our processing can be made directly to us or to our agent Purple Frog Asset Management Limited at 47 Calthorpe Road, Birmingham, B15 1TH.
Complaints may also be made by a data subject directly to the relevant regulatory body and Purple Frog Asset Management Limited hereby provides the relevant contact details:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
https://ico.org.uk/global/contact-us/
12. Consent
Consent to the processing of personal data by the data subject must be:
- Freely given
- Explicit
- Specific
- A clear and unambiguous indication of the wishes of the data subject
- Informed
- Provided either in a statement or by unambiguous affirmative action
- Demonstrated by active communication between the data controller and the data subject, and must never be inferred or implied by omission or a lack of response to communication
- In relation to sensitive data, consent may only be provided in writing, unless there is an alternative legitimate basis for the processing of personal data.
Other data subjects – Customers, supporters or members
If using consent as a condition to process data, we will obtain consent in accordance with the procedures outlined in the policy framework. We understand that according to the Privacy and Electronic Communications Regulations (PECR) consent does not have to be explicit. We will use our judgement to decide how to obtain consent in different circumstances. However, we will always uphold the rights and freedoms of data subjects by making it easy to withdraw consent.
Parental consent
We will require parental or custodial consent if we need to process data for anyone under the age of 16. At present, we do not conduct this type of processing.
13. Data security
Under no circumstances may any personal data be disclosed to any third party unless we have provided express authorisation and have entered into a data processor agreement with the third party.
Accessing and storing personal data
Access to personal data shall only be granted to those who need it. We will ensure all personal data is stored:
- In a locked room, the access to which is controlled and/or
- In a locked cabinet, drawer or locker and/or
- In encrypted/password-protected electronic format if stored on a computer and/or
- Encrypted/password protected if in electronic format and stored on removable media.
No manual records may be accessed by anyone not authorised by us and may not be removed from the business premises in the absence of explicit written authorisation. Manual records must be removed from secured archiving when access is no longer needed on a day-to-day basis.
Manual records that have passed their retention date must be shredded and disposed of as ‘confidential waste’ and any removable or portable computer media such as hard drives or USB sticks must be destroyed before being disposed of.
14. Data access rights
Data subjects have the right to access all personal data in relation to them that we hold. Data subjects therefore may at any time request to have sight of confidential personal references held by us, as well as any personal data received by us from third parties.
15. Disclosure of data
We must take appropriate steps to ensure that no personal data is disclosed to unauthorised third parties. This includes friends and family members of the data subject, governmental bodies and, in special circumstances, even the Police.
Disclosure is permitted by the GDPR without the consent of the data subject under certain circumstances, namely:
- In the interests of safeguarding national security
- In the interests of crime prevention and detection, which includes the apprehension and prosecution of offenders
- In the interests of assessing or collecting a tax duty
- In the interests of discharging various regulatory functions, including health and safety
- In the interests of preventing serious harm occurring to a third party and
- In the interests of protecting the vital interests of the data subject, i.e. only in a life-or-death situation
The data controller is responsible for handling all requests for the provision of data for these reasons and authorisation by the data controller shall only be granted with support of appropriate documentation.
16. Data retention and disposal
We must not retain personal data for longer than is necessary. Some data will be kept longer than others, in line with our responsibilities to comply with our legal and regulatory obligations.
Personal data must be disposed of safely to ensure that the rights and freedoms of data subjects are protected at all times.