This data protection policy sets out KNH’s commitment to protecting personal data and how this commitment will be implemented with regards to the collection and use of personal data.
- Author: John Gorell
- Publish Date: 25/06/18
- Review Date: 12/06/19
- Approving body: Board
© KNH 25/06/18, Published in United Kingdom
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilised otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from KNH at the address below.
- Date Originated: 17/10/11
- Date Revised: 12/06/18
- Ref: IT01/2
- Approved by: Board
- Approval Date: 20/06/18
- Minute Number: 21.3
- 1 Policy Statement
- 2 Purpose
- 3 Scope
- 4 Responsibilities
- 5 Policy
- 6 Monitoring and Review
- 7 Referenced Documents and Further Reading
1 Policy Statement
1.1 Kirklees Neighbourhood Housing Limited (KNH) is committed to ensuring the highest standards of data security and processing are in place to safeguard the personal data that we hold. KNH controls and processes personal information about its customers, staff and Board members. The Data Protection Act 2018 (the ‘Act’) covers all personal information that relates to living individuals (the ‘data subject’). The Act gives rights to the data subject and provides for the fair and transparent processing of individuals’ personal data.
1.2 KNH has produced a Privacy Statement that sets out in more detail what information we collect, for what purpose and who and when we share data with others.
1.3 This Policy sets out what Kirklees Neighbourhood Housing will do to comply with the Act and to ensure that the following six data protection principles are followed:
- Process data lawfully and fairly
- Processing shall be specific, explicit and legitimate
- Personal data shall be adequate, relevant and not excessive
- Personal data shall be accurate and kept up to date
- To be kept for no longer than necessary
- Data shall be processed in a secure manner
2 Purpose
2.1 This Data Protection Policy ensures KNH:
- Complies with data protection law and follows good practice
- Protects the rights of customers, staff and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
3 Scope
3.1 This Policy applies to all employees (including students, volunteers or anyone undertaking duties on behalf of KNH), Board members, contractors and others who may be involved in the collection and processing of personal information by or on behalf of Kirklees Neighbourhood Housing, and extends to data whether it is held in structured paper or electronic files.
3.2 This policy outlines the behaviours and responsibilities expected in order to ensure that KNH continues to fulfil its obligations under the Act and any subsequent data protection or related legislation.
4 Responsibilities
4.1 The KNH Board is ultimately responsible for ensuring KNH meets its legal obligations.
4.2 KNH Senior Leadership Team have responsibility for:
- ensuring KNH complies with Data Protection legislation
- assigning responsibilities for adherence to KNH policies and procedures
- ensuring that complaints from the public or from the Information Commissioner’s Office are dealt with promptly and appropriately
4.3 The Data Protection Officer is responsible for:
- keeping the Board updated about data protection responsibilities, risks and issues
- advising Board members on all matters relating to Data Protection within the organisation
- ensuring that data protection policies and privacy statements are reviewed and updated in line with an agreed schedule
- arranging data protection training and advice for the people covered by this policy
- answering data protection questions from staff and others
- answering requests from individuals to see the data KNH holds about them (called Subject Access Requests)
- checking and approving any contracts or agreements with third parties who may handle the company’s personal and sensitive data
- ensuring privacy statements
- where necessary, working with other staff to ensure Privacy Impact Assessments are completed where new types of personal information are to be collected or existing information is used for a new purpose
- reporting on data protection compliance to the Risk and Audit Committee
- reporting data breaches to the Information Commissioner within the statutory timescale
4.4 All staff with line management or supervisory responsibilities are responsible for ensuring that staff under their control who process personal data in any way:
- adhere to KNH’s policies and procedures relating to security of personal information
- are made aware of their personal obligations and responsibilities under data protection law
- receive appropriate training
4.5 All individuals who have access to KNH data including its contractors, suppliers and other individuals are responsible for the following (and may be required to sign confidentiality and security agreements):
- complying with the policy and legislation
- ensuring good information governance practices (data security) are followed at all times.
5 Policy guidance for employees and contractors
5.1 Data Storage
5.1.1 Personal data will be held securely. In the case of manual data, this will be in locked filing cabinets/cupboards or rooms with access restricted to named individuals or categories of individual only.
5.1.2 In the case of electronic information, access will be subject to internal controls, which include passwords, encryption, compartmentalised access, access logs and restricted use of USB and CD drives.
5.1.3 Particular care will be taken when PCs/laptops are used when processing personal/sensitive data away from the workplace. Devices will be encrypted and no data will be stored on the hard drive. Access to data will be via the server (remote access).
5.1.4 Care will be taken to ensure that PCs/laptops on which personal data are processed are not visible to unauthorised persons, especially in public places. Screens on which personal data are displayed should not be left unattended.
5.1.5 Personal and sensitive data will not be stored on memory sticks unless absolutely necessary. Where memory sticks are used they must be encrypted devices provided by KNH/Kirklees Intech. The type of data to be stored, the location (including transit) where the memory stick is going to be kept and the date the data is deleted from the stick will be recorded.
5.1.6 We will ensure our IT suppliers take reasonable steps to detect and prevent unauthorised access, that the IT infrastructure is designed to prevent and limit cyber-crime, and that data is frequently backed up to ensure that personal/sensitive data is not lost.
5.1.7 Checks will be applied to data held to ensure that it is not retained for longer than is necessary.
5.1.8 The Corporate Retention Schedule will be followed with regard to storage and archiving of personal data. Each department should maintain an archive record that records:
- what data is stored
- the date it was archived
- the date for disposal
5.1.9 All paper records of personal and sensitive data will be disposed of using confidential and secure shredding methods. For electronic data, hard drives, disks and other media containing personal data will be returned to System Support who will arrange reformatting, over-writing or degaussing before disposal.
5.2 Data Accuracy
5.2.1 KNH will take reasonable steps to ensure data is kept up to date; the more important it is that the data is accurate, the greater the effort that will be put into ensuring its accuracy.
5.2.2 Data will be held in as few places as necessary. Staff should not create additional datasets.
5.2.3 Staff should take every opportunity to ensure data is updated, for instance by updating a customer’s details when they call.
5.2.4 KNH will take steps to make it easy for data subjects to update the data KNH holds about them, for instance via the company website.
5.2.5 Data will be updated as inaccuracies are discovered.
5.3 Subject Access Requests
5.3.1 All individuals whose personal data is held by KNH are entitled to:
- ask what information the company holds about them and why
- ask how to gain access to it
- be informed how it is kept up to date
- be informed how the company is meeting its data protection obligations
5.3.2 An individual can contact the KNH Data Controller asking for this information. This is called a Subject Access Request and must be made in writing. The Data Controller will ensure the identity of anyone making a Subject Access Request is verified before releasing any information.
5.4 Data sharing
5.4.1 Data will only be shared lawfully. Where data is shared regularly with other organisations the terms and responsibilities will be set out in either a legal contract or by way of a data sharing agreement.
5.5 Disclosing Data for Other Reasons
5.5.1 In certain circumstances, data protection law allows data to be disclosed to law enforcement and other agencies without the consent of the data subject. Provided the Data Protection Officer is satisfied that the request is legitimate and that sharing is lawful, KNH will disclose the requested data.
6 Monitoring and review
6.1 The effectiveness of this policy and compliance with it will be monitored on an ongoing basis by the Business Information Manager, seeking feedback from section heads. Breaches of the policy will be reported to the Director of Resources, with statistics reported to Risk and Audit Committee on a quarterly basis.
6.2 This policy will be reviewed annually.
7 Referenced documents and further reading
7.1 The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document.
- Information Governance Policy
- Employee Handbook
- Corporate Retention Schedule
- Electronic Communications and Social Media Policy
Staff guidance on keeping information secure
- Positively identify customers calling by phone before revealing or discussing their personal data.
- Passwords used to protect computer systems and personal data must be strong (include uppercase, lowercase and numeric/special characters), must be changed regularly or as required by particular systems, and must not be shared with, or written down in a manner discoverable by, any other person.
- Personal data of others should only be accessed as required by your work and should not be accessed or viewed without legitimate reason.
- Personal data should not be stored on a computer’s internal storage (e.g. the C: drive) and should instead be stored on the network (i.e. the G: or H: drives). It should be deleted when no longer required.
- Where it is necessary to store personal data on a portable storage device the device must be encrypted and the data must be removed before the device is made available to another person.
- Computers should be logged out or the screen locked when left unattended.
- ID badges should be worn at all times. You should challenge anyone not wearing ID who you do not recognise, and expect to be challenged if you are not wearing your own ID.
- Documents containing personal or confidential information must be stored away from desktops when not in use (i.e. in locked drawers/cabinets) and must be disposed of in confidential waste bins after use. Paper containing personal data must not be recycled or used as scrap.
- Any loss of or damage to personal information, equipment holding personal information or equipment that could give access to premises or systems must be reported to the System Support Helpdesk immediately.
- When working in a mobile setting or a public space be aware of:
  - the risk of loss/theft
  - information leakage through being overlooked or overheard, or by interception
- Do not open attachments in, click hyperlinks in, or reply to unsolicited or suspicious emails. Such emails should be forwarded to the SinBin mailbox.
- No software should be installed or executed on your computer without the agreement and assistance of System Support.