Data Protection

This policy aims to enable Wythenshawe Community Housing Group to provide accessible information for its customers under the Data Protection Act 1998

Wythenshawe Community Housing Group is fully committed to complying with the requirements of the Data Protection Act 1998. This policy and guidance notes is designed to ensure that all employees, Board Members, contractors, agents, consultants and partners who have access to any Personal Data held by or on behalf of the , are fully aware and abide by their duties and responsibilities under the Data Protection Act.

The Group needs to collect and process certain Personal Data about individuals, including staff and customers, in order to operate effectively. The Group recognises the importance of the correct and lawful treatment of this Personal Data as specified in the Data Protection Act 1998.

This policy sets out the Group’s policy regarding compliance with Data Protection Act 1998 and associated legislation. It also outlines the responsibilities for data protection compliance, and how compliance is maintained and monitored.


1.0 Defintions – keywords, abbreviations and acronyms

Personal Data: Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of or is likely to come into the possession of the Group , and includes any expression of opinion about the individual and any indications of the intentions of the Group or any other person in respect of the individual.

Sensitive personal data: information about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life, alleged criminal activity and court proceedings.

Data subject: The individual whose personal data is being processed

Data Processor: Individuals or organisations that use personal data provided by the  to carry out work or deliver services on its behalf (e.g. contractors, research companies, etc)

Third party: Anyone who is not the data subject,  Group staff, a data processor or an employee of a data processor

Subject Access Request: A formal written request made by a data subject to see all personal data that Wythenshawe Community Housing Group is processing. This is a legal right under schedule 1 Principle 6 of the Data Protection Act 1998.

Data Protection Act or DPA: Data Protection Act 1998

Processing: refers to any action involving personal data including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying personal information.


2.0          Principles

The Data Protection Act is based on eight principles which require that Personal Data shall:

Be processed fairly and lawfully and shall not be processed unless certain conditions are met

Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose

Be adequate, relevant and not excessive for those purposes

Be accurate and, where necessary, kept up to date

Not be kept for longer than is necessary for that purpose

Be processed in accordance with the Data Subjects rights

Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures

And not to be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


3.0          Policy Statement

The Group fully endorses and adheres to the eight principles of the Data Protection Act.

In order to meet the requirements of the principles, the Group will:

Observe fully the conditions regarding the fair collection and use of personal data

Meets its obligations to specify the purposes for which personal data is used

Collect and process appropriate Personal Data only to the extent that it is needed to fulfil operational or any legal requirements

Ensure the quality of Personal Data used

Apply appropriate checks to determine the length of time Personal Data is held

Ensure that the rights of individuals about whom the Personal Data is held, can be fully exercised under the Act

Take the appropriate technical and organisational security measures to safeguard Personal Data

And ensure that Personal Data is not transferred abroad without suitable safeguards

In addition, the Group will ensure that:

There is someone with specific responsibility for data protection in the organisation, (this is currently the Data Protection Officer)

Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice

Everyone managing and handling personal information is appropriately trained to do so

Everyone managing and handling personal information is appropriately supervised

Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do

Queries about handling personal information are promptly and courteously dealt with

Methods of handling Personal Data are regularly assessed and evaluated

Performance with handling Personal Data is regularly assessed and evaluated

Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing

Any disclosure of personal data will be in compliance with approved procedures

Further policies and guidance notes support the Group’s Data Protection Policy and, together, these form the Group’s Data Protection System.


4.0          Providing information to Third Party Data Processors

All contractors and other third parties who are users of Personal Data supplied by the Group will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by the Group.


5.0          Disclosing Personal Data

The Data Protection Act does not prohibit the sharing of information, but provides that disclosure can only be made when it is lawful to do so.


6.0          Subject Access

All individuals who are the subject of Personal Data held by the Group are entitled to:

Ash what information the Group holds about them and why

Ask how to gain access to it

Be informed how to keep it up to date

Be informed what the Group is doing to comply with its obligations under the Data Protection Act

We will provide this information in 40 days from the date of request

Further guidance on dealing with Subject Access Requests is detailed in the Group’s Subject Access Request Procedure.


7.0          Responsibilities of staff

All staff are responsible for checking that any Personal Data that they provide to the Group is accurate and up to date and informing the Group of any changes to information which they have provided e.g. changes of address.

All staff are responsible for ensuring that:

Any personal data that they hold or are responsible for is kept securely

Personal Data is not disclosed either orally or in writing or by any other means, accidentally or otherwise, to any unauthorised third party


8.0          Retention of Data

The Group will keep some forms of Personal Data for longer than others. All staff are responsible for ensuring that Personal Data is not kept for longer than necessary.


9.0          Information Governance

The Group will undertake a data mapping exercise to

Identify and define the Personal Data held

Identify the location and ownership of all Personal Data

Review the retention periods applicable to Personal Data

Risk assess the security of the Personal Data and compliance with the Data Protection Act

This assessment will be reviewed annually, and any resulting actions will be prioritised for implementation.

Notification to the Information Commission

The Information Commissioner maintains a public register of data controllers. The Group is registered as such.

The Data Protection Act 1998 requires every data controller who is processing Personal Data, to notify and renew their notification, on an annual basis. Failure to do so is a criminal offence.

Any changes to the register must be notified to the Information Commissioner, within 40 days and managers are responsible for notifying and updating the Data Protection Officer of the processing of Personal Data within their directorate. In addition, the Data Protection Officer will review the register notification with designated officers annually, prior to notification to the Information Commissioner.


11.0 Customer Impact

The Group handles large amounts of personal data to our customers, and holds sensitive Personal Data. The lack of robust procedures for the processing of personal data can lead to unsanctioned disclosure or processing that can cause damage and distress to the individuals concerned and the Group’s Data Protection System is designed to ensure that there are appropriate procedures in place covering the Processing of Personal Data.


12.0 Responsibilities

The Data Protection Officer directs responsibility for maintaining this policy, the data protection system and providing advice and guidance on its implementation.

All managers will be responsible for implementing the policy within their areas of responsibility.

All staff will be provided with education and training and will be expected to comply with data protection legislation and adhere to the policies and procedures.


13.0 Equality & Diversity

The Group will ensure that the Data Protection Policy is accessible to its diverse customers and will take into account the different needs of customers when explaining the options available to them and in tailoring the service around customer need.

Wythenshawe Community Housing Group has a responsibility to serve the needs and promote the interests of its entire staff and all it customers/service users. The Group’s Single Equality Scheme works towards developing services, facilities and working practices, which are equally accessible and non discriminatory for all its customers. This is irrespective of their gender, age, race, sexuality, disability, religion, marital status/civil partnerships, pregnancy/maternity and economic status, and in line with the nine protected characteristics part of the new legislation under Equality Bill 2010.

A key element of the Equality standards involves carrying out an Equality Impact Analysis on all existing and, in particular, new policies to ensure they DO NOT have an adverse impact or promote any form of discrimination to particular s or associated protected characteristics. An Equality Impact Analysis has been carried out to this policy and will be reviewed on a yearly basis

We will provide information in languages other than English, in Braille, Large Print and Audio format. Our reception and interview rooms are fitted with a hearing loop system and the use of mobile loop systems