4. Processing of Personal Data
5. Data Sharing
6. Data Storage and Security
8. Data Protection Officer
9. Data Subject Rights
10. Privacy Impact Assessments
11. Archiving, Retention and Destruction of Data
12. List of Appendices
Blochairn Housing Association is committed to ensuring the secure and safe management of data held by us in relation to customers, staff and other individuals. Our staff members have a responsibility to make sure we comply with the terms of this policy and to manage individuals’ data in accordance with the procedures outlined.
We need to gather and use certain information about customers (tenants, factored owners etc.), employees and other individuals that we have a relationship with. We manage a significant amount of data, from a variety of sources, which contains Personal Data and Sensitive Personal Data (known as Special Categories of Personal Data under the GDPR).
It is a legal requirement that we process data correctly under
(a) the General Data Protection Regulation (EU) 2016/679 (“the GDPR”);
(b) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and
(c) any legislation that replaces, amends or adds to current legislation.
3.1 We hold data relating to individuals, including customers and employees, referred to as ‘data subjects’, which is known as Personal Data. Personal Data held and processed by us is detailed in our Fair Processing Notice, in Appendix 2, and the Data Protection Addendum to the Terms and Conditions of Employment provided to our employees.
3.1.1 “Personal Data” is data from which a living individual can be identified, either by that data alone or together with other data held by us.
3.1.2 We hold sensitive personal data. This normally relates to racial or ethnic origin and to health.
4. Processing of Personal Data
4.1 We are allowed to process Personal Data on behalf of data subjects provided we are doing so on one of the following grounds:
• Processing with the consent of the data subject (see clause 4.4);
• Processing is necessary for the performance of a contract between us and the data subject or for entering into a contract with the data subject;
• Processing is necessary for us to comply with a legal obligation;
• Processing is necessary to protect the vital interests of the data subject or another person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority; or
• Processing is necessary for the purposes of legitimate interests.
4.2 Fair Processing Notice
4.2.1 We have produced a Fair Processing Notice (FPN) which must be provided to all customers whose personal data we hold.
4.2.2 The FPN sets out the Personal Data processed by us and why we process it.
4.3.1 Employee Personal Data and, where applicable, Special Category Personal Data or Sensitive Personal Data is held and processed by us. An Employee Fair Processing Notice will be provided to employees with their Contract of Employment.
4.3.2 A copy of an employee’s personal data held by us is available upon written request by the employee to the Director.
4.4 Consent
Consent to process information will be required from time to time by us. It should be used by the Association only where no other ground for processing is available. In the event that we need to obtain consent to process a data subject’s personal data we will obtain it in writing. Consent must be freely given and the data subject will be required to sign a consent form. Consent must be for a specific and defined purpose (i.e. general consent cannot be sought).
4.5 Processing of Special Category Personal Data or Sensitive Personal Data
In the event that we process Special Category Personal Data or Sensitive Personal Data we must do so because:
• The data subject has given explicit consent to the processing of this data for a specified purpose;
• Processing is necessary for carrying out obligations or exercising rights related to employment or social security;
• Processing is necessary to protect the vital interest of the data subject or, if the data subject is incapable of giving consent, the vital interests of another person;
• Processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity; or
• Processing is necessary for reasons of substantial public interest.
5. Data Sharing
5.1 We share data with third parties for numerous reasons in order that our day to day activities are carried out in accordance with our policies and procedures. In order that we can monitor compliance by third parties with Data Protection laws, we will require the third parties to enter into an Agreement with the Association governing the processing of data, the security measures to be implemented and responsibility for breaches.
5.2 Data Sharing
5.2.1 Personal data is from time to time shared with third parties who must also process the personal data that we process. Both we and the third party will be processing that data in our respective capacities as data controllers.
5.2.2 Where we share in the processing of personal data with a third party (e.g. processing employees’ pensions), we require the third party to enter into a Data Sharing Agreement with us as set out in Appendix 3.
5.3 Data Processors
A data processor is a third party entity that processes personal data on our behalf and is frequently engaged where our work is outsourced (e.g. payroll, maintenance and repair works).
5.3.1 A data processor must comply with Data Protection laws. Our data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify us if a data breach is suffered.
5.3.2 If a data processor wishes to sub-contract their processing, our prior written consent must be obtained. The data processor will be liable in full for the data protection breaches of their sub-contractors.
5.3.3 Where we contract with a third party to process personal data held by us, we will require the third party to enter into a Data Protection Addendum with us as set out in Appendix 4.
6. Data Storage and Security
All Personal Data held by the Association must be stored securely, whether electronically or in paper format.
6.1 Paper Storage
If Personal Data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no Personal Data is left where unauthorised personnel can access it. When the Personal Data is no longer required it must be disposed of by the employee in a way that ensures its destruction. If the Personal Data needs to be retained on a physical file then the employee should ensure that it is stored in accordance with our storage provisions.
6.2 Electronic Storage
Personal Data stored electronically must also be protected from unauthorised use and access. Personal Data should be password protected when being sent internally or externally to our data processors or to those with whom we have entered into a Data Sharing Agreement. If Personal Data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used. Personal Data should not be saved directly to mobile devices and should be stored on designated drives and servers.
7.1 A data breach can occur at any point when handling Personal Data and we have reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach require to be reported externally in accordance with Clause 7.3.
7.2 Internal Reporting
We take the security of data very seriously and in the unlikely event of a breach will take the following steps:
• As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the Director must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s);
• We will seek to contain the breach by whatever means available;
• The Director will consider whether the breach is one which requires to be reported to the Information Commissioner’s Office (ICO) and to the data subjects affected;
• We will notify third parties in accordance with the terms of any Data Sharing Agreements.
7.3 Reporting to the ICO
The Director will be required to report any breach which poses a risk to the rights and freedoms of the data subjects who are the subject of the breach to the ICO within 72 hours of the breach occurring. The Director will also consider whether it is appropriate to notify data subjects affected by the breach.
8. Data Protection Officer (“DPO”)
8.1 A DPO has an over-arching responsibility and oversight over our compliance with Data Protection laws. Our Director is our DPO.
8.2 The DPO is responsible for:
8.2.1 monitoring our compliance with Data Protection laws;
8.2.2 co-operation with the ICO;
8.2.3 reporting breaches or suspected breaches to the ICO and data subjects.
9. Data Subject Rights
9.1 Data Subjects are entitled to view the personal data held about them by us, whether in written or electronic form.
9.2 Data subjects have a right to request a restriction of the processing of their data, to be forgotten and to object to our processing of their data. These rights are notified to our tenants and others in our FPN.
9.3 Subject Access Requests
Data Subjects are permitted to view their data held by us by making a ‘Subject Access Request’. Upon receipt of a ‘Subject Access Request’ we must respond within one month of receipt of the request.
9.3.1 We must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law.
9.3.2 Where the personal data comprises data relating to other data subjects we must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the Subject Access Request, or
9.3.3 Where we do not hold the personal data sought we must confirm to the data subject that we do not hold the Personal Data, as soon as practicably possible, but not later than one month from the date on which the request was made.
9.4 The Right to be Forgotten
9.4.1 A data subject can exercise their right to be forgotten by submitting a request in writing to the Association seeking that we erase their Personal Data.
9.4.2 Each request received will be considered on its own merits and we will seek legal advice as necessary. We will respond in writing to the request.
9.5 The Right to Restrict or Object to Processing
9.5.1 A data subject may request that we restrict processing of their Personal Data, or object to the processing of that data.
9.5.1.1 In the event that any direct marketing is undertaken by us, a data subject has an absolute right to object to processing of this nature, and if we receive a written request to cease processing for this purpose we will do so immediately.
9.5.2 Each request received will be considered on its own merits and we will seek legal advice as necessary. We will respond in writing to the request.
10. Privacy Impact Assessments (“PIA”)
10.1 These are a means of assisting us to identify and reduce the risks that our operations pose to the personal privacy of data subjects.
10.2 The Association will:
10.2.1 Carry out a PIA before undertaking a project or processing activity which poses a “high risk” to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing Personal Data; and
10.2.2 In carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that it will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.
10.3 The Association will consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced.
11. Archiving, Retention and Destruction of Data
We cannot store and retain Personal Data indefinitely. We will ensure that Personal data is only retained for the period necessary and that all Personal data is archived and destroyed in accordance with the periods specified in Appendix 5.
12. List of Appendices
1. Fair Processing Notice
2. Table of Duration of Retention of certain data
Fair Processing Notice
Blochairn Housing Association is a Scottish Charity (No. SCO40816); a registered society under the Co-operative and Community Benefit Societies Act 2014 (No. 2341R) and was registered with the Scottish Housing Regulator on 5 March 1990 (No. HAC223). Under the GDPR the Association is registered as a Data Controller with the Office of the Information Commissioner (OIC), (No. Z5776715).
The GDPR came into force in 2018, replacing the Data Protection Act 1998. This notice explains what information we collect, when it is collected and how it is used. In processing personal data we will treat it in an appropriate and lawful manner and will take the issues of security and data protection very seriously.
We collect information when someone applies for housing; becomes a tenant; requests a service, e.g. a repair; enters into a factoring agreement; becomes a Member; makes a complaint; makes a payment to us or if they provide us with other personal details.
We receive information from third parties, e.g. about welfare benefits, including Housing Benefit/Universal Credit; bank payments; complaints about behaviour or alleged breaches of the Tenancy Agreement, including information from Police Scotland and Glasgow City Council; about tenancy reports and references from previous tenancies.
We use information to carry out our legal and contractual obligations and duties to tenants, owners, housing list applicants and others and to supply services and information in response to, for example, repair requests; housing applications and complaints made. We will analyse information to manage, improve and develop our services and for other purposes consistent with the proper performance of our operations and business.
We will treat information as confidential. We may disclose it to third parties who act for us. For example, contact details will be given to a contractor; if a complaint is investigated, information may be given to Police Scotland, Local Authority departments, Scottish Fire & Rescue Service and others. If tenancy details are updated, information may be given to, e.g. utility companies and the Local Authority. Payments information may be given to banks, the Local Authority and the Department of Work & Pensions. If a survey is being carried out, contact details will be given to the company carrying out the survey.
We will keep personal data secure and safe and will only hold it for as long as is necessary, as required by law or as set out in any relevant contract. It will be destroyed if it is no longer required for the reasons it was obtained. Unless required to do so by law, the Association will not share, sell or distribute information without consent.
You have the right to ask for a copy of your personal data held by us and can ask for any inaccuracy to be corrected or for it to be deleted. You also have the right to complain to the Information Commissioner’s Office, 45 Melville Street, Edinburgh EH3 7HL (0131 244 9001 Scotland@ico.org.uk) about our use of personal information.
The accuracy of personal information is important. Please help us to keep our records up to date by providing details of changes, in particular, on contact details, such as, telephone numbers and email addresses or on emergency contact details.
Any questions on the GDPR or about this Fair Processing Notice should be directed to our Director in writing; by email to firstname.lastname@example.org or by calling 553 1601.
Data Retention Periods
The table below sets out retention periods for Personal Data held and processed by us. It is intended to be used as a guide only. We recognise that not all Personal Data can be processed and retained for the same duration and retention will depend on the individual circumstances.
Type of record - Suggested retention time
Membership records - 5 years after last contact
Personal files including training records and notes of disciplinary and grievance hearings - 5 years to cover the time limit for bringing any civil legal action, including national minimum wage claims and contractual claims
Redundancy details, calculations of payments, refunds, notification to the Secretary of State - 6 years from the date of the redundancy
Application forms, interview notes - Minimum 6 months to a year from date of interviews. Successful applicants documents transferred to personal file.
Documents proving the right to work in the UK - 2 years after employment ceases.
Facts relating to redundancies - 6 years if less than 20 redundancies; 12 years if 20 or more redundancies.
Payroll - 3 years after the end of the tax year they relate to
Income tax, NI returns, correspondence with tax office - At least 3 years after the end of the tax year they relate to
Retirement benefits schemes – notifiable events, e.g. relating to incapacity - 6 years from end of the scheme year in which the event took place
Pensioners records - 12 years after the benefit ceases
Statutory maternity/paternity and adoption pay records, calculations, certificates (MAT 1Bs) or other medical evidence - 3 years after the end of the tax year to which they relate
Parental Leave - 18 years
Statutory Sick Pay records, calculations, certificates, self-certificates - 3 years
Wages/salary records, expenses, bonuses - 6 years
Records relating to working time - 2 years from the date they were made
Accident books and records and reports of accidents - 3 years after the date of the last entry
Health and Safety assessments and records of consultations with safety representatives and committee - Permanently
Health records - During employment and 3 years thereafter if the reason for termination of employment is connected to health
Committee Members Documents - 5 years after cessation of membership
Documents relating to successful tenders - 5 years after end of contract
Documents relating to unsuccessful form of tender - 5 years after notification
Applicants for accommodation - 5 years
Housing Benefits Notifications - Duration of Tenancy
Tenancy files - Duration of Tenancy
Former tenants’ files (key info) - 50 years
Third Party documents re care plans - Duration of Tenancy
Records re offenders. Ex-offenders (sex offender register) - Duration of Tenancy
Lease documents - 5 years after lease termination
ASB case files - 5 years/end of legal action
Committee meetings/residents’ meetings - 50 years
Minute of factoring meetings - Duration of appointment