Southstreet Privacy Policy

Purpose and Scope

The Southstreet Group ("the Group"), obtains, stores and processes information about its employees, board members, employment applicants, service users and suppliers ("data subjects") in order to carry out the functions of the business.

All individuals have a right to have their personal data protected and the Group is bound by the Data Protection Act 1998 ("DPA").

Companies within the Group will not hold or access personal data unless it is necessary and unless they are registered with the Information Commissioner as a data controller.

This Internal Data Protection Policy ("Policy") aims to protect and promote the rights of individuals and the Group. It identifies information that is to be treated as personal data under the DPA and the procedures for collecting, storing, handling and disclosing such information.

Paragraphs 2 – 10 provide a summary of the main principles of the DPA that you should be aware of and how they apply to the information held by the Group.

Responsibilities

A breach of the DPA is a serious matter and will have implications for both the Group and the individual responsible for the breach.

It is the responsibility of all staff to inform a senior manager when they are made aware of a breach of the DPA. The senior manager is responsible for taking action where there has been a breach.

Adnan Shaikh is the person responsible for ensuring that all employees of the Group and board members are circulated with a copy of this Policy and comply with this Policy.

What is personal data?

‘Personal data’ is defined in the DPA as information that relates to a living individual, and allows that individual to be identified. It includes expressions of opinion about a person.

Certain types of personal data are categorised as "sensitive personal data", this is information which relates to racial or ethnic origin, political opinions, religious beliefs, membership of a trade union, physical or mental health, sexual life, alleged or real offences and proceedings from offences. There are more stringent rules which apply under the DPA if you are dealing with sensitive personal data.

What is "processing" of personal data?

Under the DPA "processing" means "obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data". The definition is intentionally very wide and covers almost all actions the Group will take with personal data.

How is personal data collected from data subjects?

Data subjects may provide personal data directly to the Group when communicating orally or in writing.

Personal data can be provided when a service user registers, makes an enquiry, views a property, or enters into an agreement with the Group or for any other reason.

If a service user enters into a contract with the Group, they may be required to provide further personal data to enable the Group to perform any actions that may be required as a result of the agreement.

The Group will only request personal data from service users, employees/potential employees and suppliers that is appropriate for its business functions.

In some instances the Group may also receive a data subject’s personal data from an organisation that the data subject has previously dealt with, such as referral agencies/councils, past landlords and past employers.

Personal data obtained from data subjects is stored on databases, file servers, email systems and hard copy files throughout the Group.

How is personal information used?

The purposes for which the Group processes personal data include:

to allow the Group to provide information about its services to service users;

to organise viewings of properties by service users;

to enter into and continue to operate agreements with service users and suppliers;

for staff administration and recruitment purposes; and

to enable the Group to comply with its legal and regulatory obligations.

Personal data shall be obtained for one or more specified purposes and shall not be further processed for other purposes.

Storing personal data

All personal data held by the Group will be adequate and relevant for the purpose(s) for which it was provided and will be kept securely.

The Group is committed to protecting personal data. Staff should only have access to personal data where it is necessary to carry out their jobs. Where you have access to electronic data you should have a secure password which is changed regularly and which should not be shared with anyone else. Sensitive personal data should be held separately and marked as such. Personal data should not be removed from the office on mobile devices unless absolutely necessary and unless encrypted.

Employees and service users will be offered a private place to discuss anything in relation to their personal data if requested.

Personal data obtained on applications made by prospective employees will be held for a period of time not exceeding 12 months from the date of the closing date set out in the advertisement. After this time application forms of people not selected will be destroyed.

Employment applications forms will contain a paragraph outlining how the application form will be used and seeking the applicant’s consent to the processing.

Personal data will be held as long as necessary to perform the functions for which it has been obtained.

Where personal data is no longer required or is inaccurate it will be destroyed.

When data subjects provide personal data they will receive an explanation of the reason they are being asked to provide the data and the purpose for which it will be used. Where a data subject provides personal data by completing a form, the above information will be included on the form. By signing the form the data subject is consenting to the use of the personal data as described.

If data is supplied electronically, the data subject will be directed to the Group’s privacy statement on the website which sets out the Group’s policy in relation to the handling of personal data supplied. The online privacy statement sets out the reason why personal data is required, how it will be stored and processed and the people likely to have access to it. Please refer to Appendix 1 which sets out the Group’s draft online privacy statement.

Where there is a need to disclose personal data to a third party, consent to disclose such information will be obtained from each individual. Personal data will only be passed to a third party without consent in the circumstances described under paragraph 9.

All existing staff responsible for handling personal data will be given the opportunity to read this policy and it will be given to all new employees as part of their induction.

Ensuring the accuracy of personal data

The Group has responsibility to ensure that data subjects’ personal details are accurate. Wherever you become aware that any personal information processed by the Group is or could be out of date steps should be taken to check and/or update the personal details. Where the Group enters into an agreement with a service user we request they notify us of any changes.

Data subjects have a right to request access to their personal data under the DPA. The request should be made in writing and the data controller is entitled to charge an administration fee of £10 in the DPA. In addition you need to confirm the identity of the person making the request before providing the requested data. A detailed record should be kept of the request and of the information released to the data subject. Third parties’ personal data included in eg a service user’s file should not be disclosed as part of the response to a subject access request with the consent of the third party.

Who will the Group disclose the personal data to?

Data subjects’ personal data should not be disclosed to third parties without their consent except in the following instances:

To protect their vital interests in circumstances where they cannot consent.

For the administration of justice, the exercise of functions of the Crown or a government department or for the exercise of functions of a public nature exercised in the public interest.

We may be required by law to disclose personal details e.g. in response to a court order and to comply with lawful government requests. This could include disclosing personal details to the police etc for reasons of national security, in order to prevent or detect a crime or to apprehend offenders, or in relation to the assessment or collection of tax or benefits etc.

If you receive a request from a third party to disclose personal data in the absence of explicit consent from the data subject please refer the request to Adnan Shaikh.

Outsourcing

Due to the nature of the Group’s business it is necessary to outsource some of its property management and other functions to third party companies. These third parties are retained by the Group to inter alia manage properties and as such from time to time they process confidential information including personal data on behalf of the Group.

Where a third party company is retained by the Group to carry out any function, the Group is not relieved of its responsibilities as a data controller under the DPA. The third party company will handle the personal data passed to it by the Group as a data processor and will only process the data in accordance with the Group’s specific instructions. You should enter into a letter agreement with any third party companies that you contract with who handle personal data on behalf of the Group as a data processor and where you do not have a formal agreement in place or client care letter which covers this. Please refer to Appendix 2 which sets out the form of the letter agreement.

Consent of the data subjects will be required before personal data is supplied to a third party company. Consent will be obtained either on the paper form completed by the data subject or be obtained as part of the privacy statement provided electronically.