Data Protection & Information Security Policy

Version Number: 2
Policy Author: Martin Barber


1) Aim of policy

1.1. This document outlines the responsibilities of City West Housing Trust staff in respect of the collection, use and disclosure of data and the rights of the customer to have access to personal data concerning them.

2) The policy

2.1. It is the policy of City West Housing Trust to fully comply with the requirements of the Data Protection Act 1998 as amended by the Freedom of Information Act 2000 and to abide by its obligations in accordance with the Information Commissioner’s Office.

2.2. This document outlines the steps which all staff of City West Housing Trust must take to ensure that City West complies with the Data Protection Act

2.3. Definitions under the Data Protection Act 1998 are as follows:

2.4. "Data" means any information being Processed using equipment operating automatically in response to instructions given for that purpose and that has been recorded with the intention that it should be Processed by means of such equipment or is recorded as part of a Relevant Filing System or with the intention that it should form part of a Relevant Filing System or information which does not fall within the previous definitions but forms part of an accessible record.

2.5. "Data Controller" means an individual or undertaking who determines the purpose for which or the manner in which any personal data is or is to be processed. It also extends to a person who gives instructions about the use of Personal data even though it may not come into their possession.

2.6. "Data Processors" means any person other than an employee of the Data Controller who processes Data on behalf of the Data Controller. This would include people such as market researchers who collect Personal data on behalf of the Data Controller.

2.7. “Data Subject" means an identifiable or identified living individual who is the subject of the Personal data.

2.8. "Personal data" means Data which relates to an individual who can be identified from that Data or from that Data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller and includes any expression of opinion about that individual and any indication of the Data Controller or any other person's intentions towards that individual.

2.9. "Processing" means organising, adapting and altering Data, retrieving, consulting or using the Data, disclosure of the Data in any way, aligning, combining, blocking or erasing Data. The definition is so wide that it would include someone looking at a computer screen.

2.10. "Relevant Filing System" means any set of information relating to individuals which is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible even where Processing does not take place automatically. This would include any paper files relating to an individual customer.

2.11. "Sensitive Personal data" means personal data about a Data Subject which relates to sensitive issues such as their racial or ethnic origin, their political opinions, religious or other similar beliefs, membership of a trade union, physical or mental health or condition, sex life, commission or alleged commission by them of any offence or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings and the Court's sentence in such proceedings.

3) Legislation and Regulation Standards

3.1. The Act includes all personal data that is held automatically, including word-processed documents, databases and e-mails. It also extends to Personal data held in manual records where these can be accessed by reference to a person.

3.2. The Act requires City West to notify the Information Commissioner of the types of personal data that it holds, the categories of individuals for which it holds this information, to whom it may be disclosed and the purposes for which personal data is processed. It also requires City West to confirm if it transfers Personal data worldwide.

3.3. All members of City West have a duty to ensure compliance with the Act.

3.4. The Data Protection Act 1998 contains eight governing principles relating to the collection, use and disclosure of data, and the rights of the subject to have access to personal data concerning them.
3.5. The First Principle. Personal data should be processed fairly and lawfully and, should not be processed unless certain conditions are met.

3.6. The Second Principle. Personal data will be obtained for only one or more specified lawful purposes and will not be further processed in any manner incompatible with that purpose or those purposes.

3.7. The Third Principle. Personal data will be adequate, relevant, and not excessive in relation to the purpose or purposes for which it is processed.

3.8. The Fourth Principle. Personal data shall be accurate and, where necessary, kept up to date.

3.9. The Fifth Principle. Personal data processed for any purpose or purposes will not be kept for longer than is necessary.

3.10. The Sixth Principle. Personal data will be processed in accordance with the rights of Data Subjects under this Act.

3.11. The Seventh Principle. Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.

3.12. The Eighth Principle. Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data.

3.13. Access to Personal data includes disclosures and Subject Access requests. Disclosure of personal data is permitted under the 1998 Act where City West has both notified the usage to the Information Commissioner and complied with the requirements of both Principles 1 and 2 of the Act. It is essential that at the time the data is collected Data Subjects are informed of the purposes for which it will be used and the individuals or organisations to whom it may be disclosed.

3.14. Within the terms of the Act, the following are authorised persons to whom personal data may be disclosed:

  • The Data Subject or someone acting on behalf of the Data Subject.
  • A third party at the request or with the consent of the Data Subject, or of someone acting on behalf of the Data Subject.
  • A third party contact nominated by the Data Subject and notified to City West as the person to be contacted in the case of an emergency.
  • Within the terms of the Act personal data may only be disclosed where the purposes have been notified to the Information Commissioner and where the Data Subject's informed consent has been obtained.
  • Within the terms of the Act the following are purposes where data may be disclosed to third parties without the consent of the Data Subject.
  • For legal purposes, if the personal data is required by statute, rule of law or Court Order, is required to obtain legal advice, or required for legal proceedings in which the person making the disclosure is a party or witness.
  • For the prevention of crime and for taxation purposes. Disclosures for these reasons will only occur if City West is satisfied as to the purpose of such a request and the likelihood of substantial prejudice if the request was refused.
  • To protect the vital interests of the Data Subject.
  • To carry out regulatory functions such as securing the health, safety and welfare of persons at work.

3.15. It should be remembered that requests for disclosure for the purposes listed above should be considered on a case by case basis only by the Assistant Director of ICT & Facilities, or delegated to the relevant Senior Manager.

3.16. Information Security. Under the Data Protection Act, security measures apply not only to the security of computer hardware and storage media but also to source documents including manual records, printouts and oral disclosure.

3.17. Security measures are also applicable throughout the use and processing of Personal data, including the handling, transmission, disclosure and disposal of documents containing personal data.

3.18. City West’s procedures outlined in this document have incorporated security measures.

3.19. All Managers are responsible for ensuring that adequate security arrangements for personal data exist within their relevant areas. Although this responsibility may be delegated, it is the role of Managers to ensure that staff are aware of their responsibilities with regard to Data Protection.

3.20. Data Protection and email. Personal data includes any personal information stored in email messages and potentially, email addresses also.

3.21. Staff must therefore comply with this Policy in relation to any personal data which is sent, received or stored in the form of an email.

3.22. Data Protection and the internet. The provisions of the Data Protection Act apply equally to processing on the World Wide Web as they do to processing on all other information systems. When personal data is submitted to City West via the website the following information must be supplied to the Data Subject:

  • The purpose for which the data is collected.
  • The description of the organisations or individuals to whom the data might be disclosed.

3.23. A data subject is entitled to have communicated to them in an intelligible form the information constituting the personal data and the source of those data. Subject access procedures must be in place to enable us to respond to a subject information request within the specified period of time and to provide the specified information. We must respond to the subject information request within 40 days of having received the request or within 40 days of having received the information necessary to enable us to proceed with the request. The 40-day period will not start to run until the individual has paid the fee.

4) Conditions for Giving Subject Access

4.1. We do not have to give subject access unless:

  • The request for access is received in writingT
  • The fee has been paid by the individual
  • Enough information is provided to identify the individual and the location of the information.

4.2. We are not obliged to comply with a request if doing so would disclose information relating to another individual unless:

  • The other individual has consented or
  • It is reasonable in all the circumstances to comply with the request without obtaining consent. When deciding whether it is reasonable to disclose the information a data controller must consider:
  • whether the data controller owes a duty of confidentiality to that other individual
  • whether steps have been taken to obtain his consent -
  • whether the other individual is capable of giving consent
  • any express refusal of consent

4.3. This will not exempt us from disclosing that part of the information which does not disclose the identity of the other person (e.g. by blocking out names).

4.4. Where we have previously complied with a request, we are not obliged to comply with a subsequent request unless a reasonable interval has elapsed. For these purposes, we must consider the nature of the data, the purposes for the processing and the frequency with which data are altered.

4.5. Information must be supplied by reference to the data in question at the time when the request is received, However, we may taken account of any changes made between the time of receipt and the time of supply if those changes would have been made regardless of the receipt of the request.

5) Delivery and Monitoring

5.1. Overall responsibility for compliance with the Act lies with Board of City West Housing Trust managerial responsibility is exercised by Head of ICT.

5.2. Responsibility for compliance with the Act is delegated to each member of staff within their respective areas.

5.3. All employees have a general duty to observe the Act; any specific instruction’s given by City West’s procedures relating to the Act.

5.4. Employees should not disclose personal data that comes into their possession to any other person unless they are a member of City West undertaking their duties or the individual who the data relates to.