The Data Protection Act 1998 governs the collection, storage, use and disclosure of personal data, whether held electronically (e.g. in emails, on a computer(s) or on paper. It applies to all staff who create, store, handle or view personal information that relates to any living individual who can be identified from that data or other information held by Hemel Garden Communities (HGC).
The DPA stipulates that all employers are required to comply with the ACT and has a duty to inform employees that they can in some cases be held responsible if any personal data is improperly disclosed or collected. HGC has a legal requirement to:
- be quite open about the reasons why there is a need to collect personal data;
- ensure that any personal data collected is relevant, adequate and not excessive accurate and held for no longer than necessary;
- ensure that personal data is only used for the purposes registered under the ACT;
- ensure the security of personal data held; and
- have measures in place to provide subject access allowing individuals to reassure themselves that everything operates properly to protect the confidentiality and accuracy of personal data.
HGC is exempt from being a registered data user under the Act, however it is good practice to comply with Data Protection Principles in relation to the personal data we hold. Personal data shall be:
- obtained and processed fairly and lawfully;
- held for specific lawful purpose(s) and not be used or disclosed in a way incompatible with the purpose(s);
- adequate, relevant and not excessive for the purpose(s);
- accurate and, where necessary, kept up to date;
- not kept longer than necessary;
- available to the data subject and processed in accordance with their rights;
- kept secure (safe from unauthorised access, accidental damage or loss);
The Data Protection Principles also provide for individuals to have access to data held about themselves and, where appropriate to have data corrected or deleted.
Written requests from individuals to have access to data held about them should be addressed to the Finance Director.
HGC's Finance Director is the Company’s Data Protection Officer. Duties under the Act include the registration of data on behalf of the Company if required (currently we are exempt, however should we bring the tenant letting service in-house the company’s status would change and registration would be required). Individual employees are not required to register independently but inform the Finance Director of their use of personal data so that all activity can be assessed and appropriately recorded. Penalties can be imposed for material which is not registered and therefore it is important the employees liaise with the Finance Director on an on-going basis informing the Finance Director of the type of information held and purpose for which it is being collected and used.
The Finance Director is also responsible for subject access requests and any such requests should be received in writing.
A breach of this policy or the regulations governing the use of computers and computing facilities may be a disciplinary offence and as such dealt with under the Company’s disciplinary procedures.