DATA PROTECTION POLICY - One Housing Group

6. Information is held by the Group in paper files and on its computer systems,including the email system. Each department has responsibility for the informationit holds in terms of security, keeping records up to date, retention andimplementation of the requirements of Data Protection legislation.7. Individuals have the right to request to see the data held about them. This isknown as a subject access request (SAR). All staff must be aware of how torecognise and respond to a subject access request. A full procedure is at page 6,and flowcharts are at Appendices E and F.8. A leaflet is available for service users outlining their data protection rights, andwith information on how to make a subject access request.9. Information will be securely destroyed when it is no longer needed. This iscovered in more detail in the Group policy on Retention and Disposal ofInformation.10. All personal data is to be treated as confidential. This policy should be read inconjunction with the Group’s Confidentiality Policy.11. Individuals are made aware of what personal data is collected and held by theGroup. Personal information is not to be shared without the consent of theindividual, except in exceptional circumstances. These may include where theGroup is required to share information in order to comply with the law, inconnection with legal proceedings, where an individual’s safety may be at risk, oranonymously for statistical or research purposes. Cross reference Disclosure ofpersonal data policy.12. All new staff, including temporary staff, are to be made aware of this policy as partof their induction. Staff training on data protection is also provided throughOrganisational Development and Learning. Where staff are temporary the localmanager is to ensure that these employees comply with the policy.13. The principles of the Data Protection Act are listed at Appendix A14. This policy will be reviewed annually.One Housing Group Data Protection Policy Page 3 of 7

Appendix B - Definitions of key termsDPA = Data Protection Act 1998SAR = Subject Access RequestDataData is information which is intentionally processed or recorded as part of an accessiblerecord.ProcessingProcessing of data is a broad term which includes a wide range of actions, includingcollecting, reading, recording, sharing, amending and storing. The government’sInformation Commissioner, who oversees the implementation of the Data Protection Act1998, says that “it is difficult to imagine any action involving data that does not amount toprocessing.”Data ControllerA person who determines the purposes for and the manner in which personal data are, orare to be, processed. This may be an individual or an organisation (e.g. OHG) and theprocessing may be carried out jointly or in common with other persons.Personal DataData which relates to a living individual who can be identified- from those data, or- from those data and other information which is in the possession of,or likely to come into the possession of the data controller.It includes any expression of opinion about the individual and any indication of theintentions of the data controller or any other person in respect of the individual.Sensitive DataSpecific provision is made under the DPA for processing sensitive personal information.This includes racial or ethnic origin, political opinions, religious or other beliefs, trade unionmembership, physical or mental health condition, sex life, criminal proceedings orconvictions.For sensitive personal data to be considered fairly processed, at least one of several extraconditions must be met. These include:• Having the explicit consent of the individual• Being required by law to process the information for employment purposesOne Housing Group Data Protection Policy Page 6 of 7

• Needing to process the information in order to protect the vital interests of theindividual or another person• Dealing with the administration of justice or legal proceedings.One Housing Group Data Protection Policy Page 7 of 7