- 1.1 This policy sets out how Manchester City Council Housing Services handle personal data, whether that be information about our tenants, suppliers, employees or other third parties. Our policy takes into account the changes introduced by the General Data Protection Regulation (“The GDPR”) and the Data Protection Act 2018.
- 1.2 This policy applies to all staff. Data protection is a collective responsibility and all staff are required to demonstrate good data protection practices to support MCC Housing Services in creating a strong culture of data protection compliance. Further guidance for employees can be found at Appendix 2. Any breach of this policy may result in disciplinary action and, where data processors and sub-processors are concerned, termination of our relationship.
- 2.1 MCC Housing Services recognises that the correct and lawful treatment of personal data is important to our success as a business and to ensure that those whose personal information we process have confidence in us. Protecting the confidentiality and integrity of personal data is a critical responsibility that we take seriously at all times.
- 2.2 We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing this policy. The DPO is HY Professional Services (“HY”) who can be contacted as follows:- In writing: HY, 1 Reed House, Hunters Lane, Rochdale, OL16 1YL By email: DPO@wearehy.com By telephone: 0161 804 1144.
- 2.3 Please contact the DPO with any questions about the operation of this Policy.
3 JARGON BUSTER
- 3.1 For those who are not familiar with the terminology used under data protection laws, we have set out in Appendix 1 a number of definitions of terms used in this policy.
4. DATA PROTECTION PRINCIPLES
- 4.1 We will comply with the data protection principles set out under the GDPR when processing personal data. We will ensure that personal data is:- (a) Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency). (b) Collected only for specified, explicit and legitimate purposes (Purpose Limitation). (c) Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation). (d) Accurate and where necessary kept up to date (Accuracy). (e) Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation). (f) Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and ).
- 4.2 We will demonstrate our compliance with the data protection principles listed above (Accountability).
5. LAWFULNESS, FAIRNESS, TRANSPARENCY
- 5.1 Personal data must be processed lawfully. Under the GDPR, there are a number of ‘bases’ which make it lawful to process personal data. We will only process personal data if one or more of the following apply:- (a) the data subject has given his or her Consent. (b) the processing is necessary for the performance of a contract with the data subject. (c) to meet our legal obligations. (d) to protect the data subject’s vital interests. (e) to carry out a Public Task. (f) to pursue our legitimate interests for purposes where they are not overridden because the processing prejudices the interests or fundamental rights and freedoms of data subjects. Information will only be processed under this basis in rare circumstances.
- 5.2 We recognise that some categories of personal data are more sensitive and further conditions must be satisfied if we are to process this information. This includes information about an individual’s race, ethnic origin, political opinions, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. Where we process this type of information, we will ensure that we do so in accordance with the GDPR and data protection laws.
- 5.3 Where consent is the lawful basis for processing, we recognise that under the GDPR, there are stricter rules about how this is obtained. If we do need to obtain consent, we will ensure that:- (a) the data subject either by a statement or positive action gives their consent. (b) consent is not inferred by silence. (c) pre-ticked boxes are not used as a means of obtaining consent. (d) consent is separated from other documents such as terms and conditions or contracts. (e) data subjects are able to withdraw consent to processing at any time.
- 5.4 The above rules ensure that data subjects give their consent freely, understand what they are consenting to and can change their mind should they wish to do so.
- 5.5 We will make guidance available to staff in relation to obtaining consent as appropriate.
- 5.6 We will keep appropriate records evidencing how we obtain consent.
6. PURPOSE LIMITATION
- 6.1 We will only collect personal data for specified, explicit and legitimate purposes.
- 6.2 We will not use personal data for new, different or incompatible purposes from those disclosed when it was first obtained, unless we have informed the data subject of the new purposes and they have consented where necessary.
7. DATA MINIMISATION
- 7.1 We will ensure that the personal data which we process is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. We will achieve this in the following ways:- (a) Staff will only process personal data when performing duties which require its use. (b) We will not collect excessive data and only process data that is necessary to complete a task. (c) When we no longer require the data, we will delete it in accordance with our retention procedures.
- 8.1 We will take all reasonable steps to ensure that personal data that we hold is accurate and, where necessary, kept up to date. Where we identify inaccuracies, we will correct or delete it without delay.
- 8.2 We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards.
9. STORAGE LIMITATION
- 9.1 We recognise that personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
- 9.2 We will maintain retention policies and procedures to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time.
- 9.3 We will take all reasonable steps to destroy or erase from our systems all personal data that we no longer require in accordance with our records retention schedules and policies.
10. SECURITY INTEGRITY AND CONFIDENTIALITY
Protecting Personal Data
- 10.1 We recognise that personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
- 10.2 We will develop, implement and maintain safeguards to ensure that personal data which we process is kept secure and confidential. We will evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
- 10.3 All our employees will follow all the procedures and technologies we put in place to maintain the security of all personal data from the point of collection to the point of destruction.
- 10.4 We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows: (a) Confidentiality means that only people who have a need to know and are authorised to use the personal data can access it. (b) Integrity means that personal data is accurate and suitable for the purpose for which it is processed. (c) Availability means that authorised users are able to access the personal data when they need it for authorised purposes. Reporting a personal data breach
- 10.5 We recognise that the GDPR requires Controllers, in some circumstances, to notify a personal data breach to the Information Commissioners Office and, in certain instances, the data subject.
- 10.6 We will put in place data breach procedures to deal with any suspected personal data breach. Where our employees suspect that a personal data breach has occurred, they will follow our personal data breach reporting procedure and notify the DPO.
11. TRANSFER LIMITATION
- 11.1 We recognise that the GDPR restricts data transfers to countries outside the European Economic Area (EEA) in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined.
- 11.2 We will only transfer personal data outside the EEA if one of the following conditions applies: (a) the European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the data subjects rights and freedoms. (b) appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism. (c) the data subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or (d) the transfer is necessary for one of the other reasons set out in the GDPR.
12. DATA SUBJECT’S RIGHTS AND REQUESTS
- 12.1 We recognise that data subjects have rights when it comes to how we handle their personal data. In particular, data subjects have a right to access information which we hold about them. We will respect these rights when processing personal data and maintain procedures for handling subject access requests.
- 13.1 The GDPR requires usto implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. We are responsible for, and must be able to demonstrate, compliance with the data protection principles.
- 13.2 To demonstrate our compliance with the data protection principles, we will do the following:- (a) appoint a suitably qualified DPO. (b) develop appropriate and relevant policies, privacy information and procedures. (c) implement privacy by design when processing personal data. (d) completing DPIAs where processing presents a high risk to rights and freedoms of data subjects. (e) providing training to staff (f) undertake information audits. (g) Providing appropriate training.
- 13.3 We will maintain a record of processing activities in accordance with the GDPR. Privacy by design and data protection impact assessment (DPIA)
- 13.4 We will implement privacy by design measures when processing personal data by implementing appropriate technical and organisational measures in an effective manner, to ensure compliance with the data protection principles.
- 13.5 We will conduct DPIAs in respect of high risk processing. In particular, we will conduct a DPIA when implementing a major system or change programs involving the processing of personal data.
- 13.6 The DPO will be consulted when carrying out a DPIA. The DPIA will include: i. a description of the processing, its purposes and the data controller’s legitimate interests if appropriate. ii. an assessment of the necessity and proportionality of the processing in relation to its purpose. iii. an assessment of the risk to individuals; and iv. the risk mitigation measures in place and demonstration of compliance.
14. DIRECT MARKETING
- 14.1 We recognise that we are subject to certain rules and privacy laws if we send marketing communications. We will ensure that our marketing communications comply with these laws at all times.
15. SHARING PERSONAL DATA
- 15.1 We will not share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.
- 15.2 We will only share personal data we hold with another employee or representative if they have a job-related need to know.
- 15.4 We may share personal data as part of the National Fraud Initiative with other public bodies, as appropriate, for the detection and prevention of fraud. We also share information with Greater Manchester Police and Manchester City Council where it is lawful and necessary in the prevention, investigation and detection of crime or anti-social behaviour and in order to safeguard children or vulnerable adults.
16. CHANGES TO THIS POLICY
- We reserve the right to change this policy at any time and will communicate any changes to you accordingly.
APPENDIX 1 – JARGON BUSTER
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.
Data Controller: the person or organisation that determines when, why and how to process Personal Data. MCC Housing Services is a
Data Controller. We are responsible for establishing practices and policies in line with the GDPR. We are the Data Controller of all Personal Data relating to our Personnel and Personal Data which we collect as part of our activities.
Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design. We will carry out a DPIA for all major system or change programs involving the Processing of Personal Data.
Data Protection Officer (DPO): MCC Housing Services is required by law to appoint a DPO. The DPO must have expertise in data protection laws and carry out certain data protection related tasks set out in law.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data.
ICO: Information Commissioner’s Office is the UK’s independent regulatory body set up to uphold information rights.
Personal Data: any information identifying a Data Subject.
Personal Data Breach: a breach of security, confidentiality or integrity of Personal Data. The loss, or unauthorised access or disclosure of Personal Data is a Personal Data Breach.
Personnel: all employees, workers, independent contractors, agency workers, consultants, directors, volunteers and others.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Privacy Policies or Privacy Notices: documents provided to Data Subjects when we collect information about them explaining how we use their Personal Data.
Processing or Process: any activity that involves the use of Personal Data. It includes collecting, recording, holding, organising, amending, retrieving, using, disclosing, erasing or destroying it.
Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.