Redhouse Farm Housing Cooperative
Under the General Data Protection Regulations.
- Personal Data
- Processing of personal data
- Data Sharing
- Data storage and Security
- Website use (future)
- Data protection officer
- Data subject rights
- Privacy impact assessments
- Archiving, Retention and Destruction of Data
- Related documents.
1.1 Redhouse Farm Housing Cooperative Ltd is committed to ensuring the secure and safe management of data it holds in relation to members/tenants, applicants and other individuals.
Our management committee are responsible for ensuring compliance with the terms of this policy and for managing individuals' data in accordance with the approach outlined in this policy and other documentation referred to
1.2 We need to gather and use certain information about individuals. These can include customers (member tenants, housing applicants etc.), contractors and other individuals that we have a relationship with. We manage an amount of data from a variety of sources. This data contains personal data and sensitive personal data (known as Special Categories of Personal Data under the GDPR).
1.3 This policy sets out our duties in processing that data, and the purpose of this policy is to set out our approach for the management of such data.
2.1 It is a legal requirement that we process data correctly; we must collect, handle and store personal information in accordance with the relevant legislation.
2.2 The relevant legislation in relation to the processing of data is:
.. the General Data Protection Regulation (EU) 2016/679 (the GDPR);
.. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and
.. any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, processing of personal data and privacy as a consequence of the UK leaving the European Union.
3. Personal Data
3.1 We hold a variety of data relating to individuals, including prospective member tenants and contractors (also referred to as data subjects), which is known as Personal Data. The Personal Data we hold and process is detailed within the Fair Processing Notices (also referred to as the Privacy Notices).
3.1.1 ‘Personal Data’ is that from which a living individual can be identified either by that data alone, or in conjunction with other data we hold.
3.1.2 We also hold Personal Data that is sensitive in nature (i.e. relates to or reveals a data subject's racial or ethnic origin, religious beliefs, political opinions, or relates to health or sexual orientation). This is Special Category Personal Data or Sensitive Personal Data.
4. Processing of Personal Data
4.1 We are permitted to process Personal Data on behalf of data subjects provided we are doing so on one or more of the following grounds:
.. processing with the consent of the data subject (see clause 4.4);
.. processing is necessary for the performance of the contract between us and the data subject or for entering into a contract with the data subject;
.. processing is necessary for our compliance with a legal obligation;
.. processing is necessary to protect the vital interests of the data subject or another person;
.. processing is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority; or
.. processing is necessary for the purposes of our legitimate interests.
4.2 Fair Processing Notices (Privacy Notices)
4.2.1 Privacy Notice for customers
4.2.1.1 We have produced a Privacy Notice which we are required to provide to all customers whose personal data is held by us. The Notice sets out the Personal Data processed by us and the basis for that processing. The Privacy Notice is provided to all of our customers at the outset of processing their data and they will be advised of the terms of the Privacy Notice when it is provided to them.
4.2.2 Privacy Notices for contractors.
4.2.2.1 We hold and process contractors' Personal Data; details of the data held and the processing of that data are contained within the contractors' Privacy Notice. This Notice is provided at the same time as their contract.
4.3.1 We will require to use consent as a ground of processing from time to time when processing Personal Data. We will use this ground where no other alternative ground for processing is available. In the event that we require to obtain consent to process a data subject's Personal Data we will obtain that consent in writing. The consent provided by the data subject must be freely given and the data subject will be required to sign a relevant consent form if willing to consent. Any consent obtained by us must be for a specific and defined purpose (i.e. general consent cannot be sought).
4.4 Processing of Special Category Personal Data or Sensitive Personal Data.
4.4.1 In the event that we process Special Category Personal Data or Sensitive Personal Data we will do so in accordance with one of the following grounds of processing:
.. the data subject has given explicit consent to the processing of this data for a specified purpose;
.. processing is necessary for carrying out obligations or exercising rights related to employment or social security;
.. processing is necessary to protect the vital interest of the data subject, or, if the data subject is incapable of giving consent, the vital interests of another person;
.. processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity; and
.. processing is necessary for reasons of substantial public interest.
5. Data Sharing
5.1 We share data with third parties for many reasons in order that our day-to-day activities are carried out in accordance with our relevant policy and procedures. In order that we can monitor compliance by these third parties with Data Protection laws, we require the third party organisations to enter into an Agreement with us governing the processing of data, security measures to be implemented and responsibilities for breaches.
5.2 Data Sharing – Data Controllers
5.2.1 We share data from time to time with third parties who require to process personal data that we produce as well. Both we and the third party will be processing that data in our individual capacities as data controllers.
5.2.2 Where we share in the processing of personal data with a third party organisation (e.g. for processing of contractors' information) we shall require the third party to enter into a Data Sharing Agreement with us.
5.3 Data Sharing – Data Processors
5.3.1 A data processor is a third party entity that processes personal data on our behalf, and is frequently engaged where we outsource services (e.g. maintenance and repair works to our houses).
5.3.1.1 A data processor must comply with Data Protection laws. Our data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify us if a breach is suffered.
5.3.1.2 If a data controller wishes to sub-contract their processing, prior written consent must be obtained from us. Where there is a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.
5.3.1.3 Where we contract with a third party to process personal data held by us, we shall require the third party to enter into a Data Processor Agreement with us.
6. Data storage and Security
6.1 All personal data held by us must be stored securely, whether electronically or in paper format.
6.2 Paper Storage
6.2.1 If personal data is stored on paper it must be kept in a secure place where unauthorised personnel cannot access it, usually in locked cabinets or cupboards. Committees should make sure that no personal data is left where unauthorised personnel can access it. When the personal data is no longer required it must be disposed of by the Committee member so as to ensure its secure destruction. If the personal data requires to be retained on a physical file then the committee member should ensure that it is affixed to the file which is then stored in accordance with our storage provisions.
6.3 Electronic Storage
6.3.1 Personal Data stored electronically must also be protected from unauthorised use and access; this will usually be achieved by the use of restricted access arrangements and passwords. Personal data should be password protected when being sent internally or externally to our data processors or those with whom we have entered into a data sharing agreement. Personal data must never be stored on removable media (CD, DVD, USB memory stick) unless it is encrypted and kept in a locked cabinet in the same way as hard copy paperwork is stored. Personal Data should not be saved directly to mobile devices and should be stored on designated drives and servers.
7. Website use
7.1 We will collect personal information from our website and we will take steps to safeguard that information.
7.2 We will collect the following information:
.. any personal details customers type in and submit, such as name, address, email address etc.
.. customers' IP address (this is the customer's computer's individual identification number), which will be automatically logged by our web server. This is used to note customers' interest in any future website.
.. customers' preferences and use of email updates, recorded by any emails we send them (if they select to receive email updates on services).
7.3 What we do with personal information collected.
.. Any personal information we collect from our future website will be used in accordance with the General Data Protection Regulation (EU) 2016/679 and other applicable laws.
.. We will retain personal data for the purposes of either sending information customers have requested from our site or, in certain cases, we may use customers' email addresses to send them information on other services. In such cases, customers will be offered the option to opt out of receiving this information.
.. We do not distribute any personal details or gathered data to third parties.
7.4 Customers' Rights
7.4.1 Customers can ask us to update or remove any personal information we hold by writing to us at the address below:
Redhouse Farm Housing Cooperative
8.1 A data breach can occur at any point when handling personal data and we have reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach require to be reported externally in accordance with section 8.3.
8.2 Internal Reporting
8.2.1 We take the security of data very seriously and in the unlikely event of a breach will take the following steps:
.. as soon as the breach or potential breach has occurred, or we become aware of the breach (if later), and in any event no later than 6 hours after it has occurred or we become aware of it having occurred (if later), the customer must be notified in writing of the breach, how it occurred and what the likely impact of that breach is on any data subject(s).
.. must seek to contain that breach by whatever means available.
.. the Secretary must consider whether the breach is one which requires to be reported to the ICO and data subjects affected and do so in accordance with this section 8.
.. notify third parties in accordance with the terms of any applicable Data Sharing Agreements.
8.3 Reporting to the ICO.
8.3.1 The Secretary will require to report any breaches which pose a risk to the rights and freedoms of the data subjects who are subject of the breach to the Information Commissioner's Office (ICO) within 72 hours of us becoming aware of the breach. The Secretary must also consider whether it is appropriate to notify those data subjects affected by the breach.
9. Data Protection Officer
9.1 A data protection officer is an individual who has an overarching responsibility and oversight over compliance by the Cooperative with data protection laws.
9.2 We have elected to not appoint a Data Protection Officer at this time. In the meantime our Secretary will be responsible for:
.. monitoring our compliance with data protection laws and this policy.
.. cooperating with and serving as our point of contact with the ICO
.. reporting breaches or suspected breaches to the ICO and data subjects in accordance with section 8.
10. Data Subject Rights
10.1 Certain rights are provided to data subjects under the GDPR. Data subjects are entitled to view the personal data held about them by us, whether in paper or electronic form.
10.2 Data subjects have a right to request a restriction of processing their data, a right to be forgotten and a right to object to us processing their data. Those rights are notified to our tenants and other customers in our Fair Processing Notice.
10.3 Subject Access Requests
10.3.1 Data subjects are permitted to view their data held by us upon making a request to do so (a subject access request). Upon receiving a request by a data subject we must respond to the subject access request within one month of the date of receipt of the request. We:
.. must provide the subject with a hard copy or an electronic version of the personal data requested, unless any exemption to the provision of that data applies in law;
.. where the personal data comprises data relating to other data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the subject access request; or
.. where we do not hold the personal data sought by the data subject, must confirm that we do not hold any personal data sought by the data subject as soon as is practical and in any event not later than one month from the date on which the request was made.
10.4 The Right to be Forgotten.
10.4.1 A data subject can exercise the right to be forgotten by submitting a request in writing to the Secretary seeking that we erase the data subject's personal data in its entirety.
10.4.2 Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The Secretary will have responsibility for accepting or refusing the data subject's request in accordance with section 10.4 and will respond in writing to the request.
10.5 The Right to Restrict or Object to Processing.
10.5.1 A data subject may request that we restrict our processing of the data subject's personal data or object to the processing of that data.
10.5.2 In the unlikely event that any direct marketing is undertaken by us, a data subject has an absolute right to object to processing of this nature by us, and if we receive a written request to cease processing for this purpose then we must do so immediately.
10.5.3 Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to that request. The Secretary will have responsibility for accepting or refusing the data request in accordance with section 10.5 and will respond in writing.
11. Privacy Impact Assessments (PIAs)
11.1 These are a means of assisting us in identifying and reducing the risks that our operations have on personal privacy of data subjects.
11.2 We shall:
.. carry out a PIA before undertaking a project or processing activity which poses a high risk to an individual's privacy. High risk can include, but is not limited to, activities using information relating to health or race or the implementation of a new IT system for storing and accessing personal data; and
.. in carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that we will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.
11.3 We will require to consult with the ICO in the event that a PIA identifies a high level of risk which cannot be reduced. The Secretary is responsible for such reporting and where a high level of risk is identified by those carrying out the PIA they require to notify the Secretary within 5 working days.
12. Archiving, Retention and Destruction of Data
12.1 We cannot store and retain Personal Data indefinitely. We must ensure that personal data is only retained for the period necessary. We shall ensure that all personal data is archived and destroyed in accordance with the periods specified within the table at Appendix 1.
13. Related documents
13.1 The following is a list of related documents that support the implementation of this policy by our Committee.
.. subject access requests procedure
.. email and usage policy
.. electronic communication and ICT security policy.
Retention Periods for Personal Data
The table below sets out retention periods for Personal Data held and processed by Redhouse Farm Housing Cooperative.
|Type of Record|Retention Period|
|---|---|
|Membership records|5 years|
|Share certificate stubs|Permanently|
|Live share register|Permanently|
|Former members register|5 years from end of membership|
|Current tenant/house files: tenancy agreements, applications for assistance/adaptations, housing benefit notifications, arrears letters, anti-social behaviour/neighbour complaints, records about sex offenders and ex-offenders, and other correspondence|Minimum of 5 years up to duration of tenancy|
|Landlords gas safety records|2 years from the issue of the current certificate|
|Repairs orders/maintenance requests, property records|5 years on current property; thereafter will be archived without tenants' names|
|Former tenant/house files, e.g. tenancy agreements, housing benefit notifications, arrears letters, anti-social behaviour/neighbour complaints|5 years|
|Housing applications, e.g. main application form, medical form, supporting documents|5 years from when removed from waiting lists for various reasons, e.g. we have rehoused applicant, removed at request|