Frequestly Asked Questions on Data Protection and Your Rights.
Please see the answers to some of the common questions we are asked about regarding data protection and your rights, including when consent is needed and what amounts to a personal data breach.
GDPR stands for General Data Protection Regulations.
Originating from the EU has now been adopted by UK law to create the UK GDPR.
UK GDPR concerns the processing of personal data that enters, used within or exits the UK. It places obligations on companies to enable them to process your personal data including the principles of data protection as well as giving you more rights to control your personal data through data subject rights.
EU GDPR is the same as above, but relates to the processing of personal data within the EEA.
There are four key data protection entities you should be aware of and these are:
This is the 'living' person for whom the personal data is about and can identify.
This is the legal entity, normally a company, but could be an individual/s, that determines the purpose and means of the processing the personal data. They will decide why the personal data should be collected, how it is to be collected and what it is to be used for. their decisions will be based on requirements of the business or obligations set upon them through legal instruments. Examples include local authorities, Public bodies and Charities etc.
This is the legal entity, normally a company, but could be an individual/s, that is under instruction by contract/agreement to process the personal data on the controller's behalf. Examples include software providers, some contractors, and some outsourced services such as post management.
ICO stands for the Information Commissioner's Office and they are the regulators for UK data protection practices. They provide guidance to legal entities and data subjects as well as manage any data protection complaints once it gone through the controller/processor complaint's process first. The ICO has the power to fine legal entities, but this is usually a last resort and any monies from the fine is put back into the UK treasury. More information can be located on their website at ico.org.uk
This is everything you do with personal data and therefore needs to comply with data protection laws like the UK/EU GDPR and The Data Protection Act 2018.
This includes, but not limited to:
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collectively can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
Data Protection laws protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
Examples of personal data
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID
Examples of non personal data
- a company registration number;
- an email address such as email@example.com;
- anonymised data.
- any data that can directly or indirectly identify a decease person.
Special category data is personal data that is of a more sensitive nature and requires stronger protection.
Special category data includes:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life;
- and data concerning a person’s sexual orientation.
Why is this data special?
The ICO confirm it’s not just that this type of information might be more sensitive or ‘private’. The recitals to the UK GDPR explain that these types of personal data merit specific protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms.
For example, the various categories are closely linked with:
- freedom of thought,
- conscience and religion;
- freedom of expression;
- freedom of assembly and association;
- the right to bodily integrity;
- the right to respect for private and family life;
- or freedom from discrimination.
The presumption is that this type of data needs to be treated with greater care because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the UK GDPR
As stronger protection is needed, Controllers need to establish a special condition as well as a lawful basis for processing personal data. In some cases, they may require an appropriate policy for processing special category data.
A lawful basis is a legal permission given to data controllers to process your personal data. This is outlined in Article 6 of both the UK and EU GDPR. Most people believe that a legal entity/ organisation need your consent to process your personal data, but this is only one of the lawful basis. There are six lawful basis and Network must establish at least one in order to process your personal data. The six lawful basis are:
- Contract: It is necessary to process the personal data for the performance of the contract with the data subject or to take steps into entering a contract. An example of this would be recruitment process or housing allocation.
- Legal Obligation: It is necessary to process personal data to fulfil a legal obligation and for Network to comply with the law. An example of this would be ensuring the safety of residents through annual gas service checks.
- Vital Interest: It is necessary to process the personal data to protect yours or another's life. An example of this would be staff providing specific details to the paramedics on a call out to an accident at one of the sheltered housing schemes.
- Public Task: the processing is necessary to for Network to perform a task in the public interest or supporting an official body with their obligations where there is a basis in law for doing so. An example of this would be Network supporting local authorities/ Police with their safeguarding cases.
- Legitimate Business Interest: the processing is necessary for Network's legitimate interests or the legitimate interests of one of our third party (i.e. contractor) unless there is a good reason to protect your personal data which overrides these legitimate interests.
- Consent: you have given Network homes clear consent (permission) for them to process your personal data for a specific purpose. Network only ask for your consent in limited circumstance and examples include photos, marketing and representative consent.
Special category data
Where Network is processing special category data it needs to establish a special condition in addition to a lawful basis. Special conditions are listed in Article 9 of UK and EU GDPR and include:
- Employment, social security and social protection law
- Vital interests
- Made public by the data subject
- Legal claims and judicial acts
- Substantial public interest conditions
- Health or social care
- Public health
- Archiving, research and statistics
- Explicit consent
Where Network relies on Substantial public interest conditions is will rely on the legal authority provided in the Schedule 1 of the Data Protection Act 2018 and where required have an appropriate policy document outlining the basis of their decision to use this authority as required by law.
There are 6 core principles followed by 1 overarching principle and these set out guidelines/obligations on legal entitles when processing personal data. In order to process personal data all 7 principles must be adhered to:
Personal data must be:
1. processed lawfully, fairly and transparently.
2. processed for a specific reason and not used in any manner incompatible with that process.
This means Network must have an established lawful basis for processing this data and specific purpose (use) of the personal data. Therefore, Network will never use your personal data obtained through your housing relationship or from the recruitment process to market their commercial properties as that would be incompatible with the original purpose.
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
This is often referred to as the data minimisation principle and it means that Network is only processing the personal data that is necessary (needed) for the purpose they require it for and nothing more. It should also be noted that this does not mean Network should hold less data on individual's, just that it needs to be necessary and proportionate to fulfil the desired purpose and in some cases more data may be collected then before to ensure Network records are as accurate as they can be, which leads on to the next principle.
4. accurate and, where necessary, kept up to date.
This is often referred as the accuracy principle and it does not mean that Network's is in breach of data protection law if the records they hold on you are not 100% accurate. This means that every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. This principle is closely aligned with your data subject right to rectification.
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
This is known as the storage limitation principle. It promotes better data management practices by ensuring personal data is not be kept indefinitely and that a legal entity can justify why they need to keep personal data for a specific time. Network's retention periods are based on law requirements, Limitation Act, best practices, industry guidelines and business needs.
6. processed in a manner that ensures appropriate security of the personal data,
This is the security (integrity and confidentiality) principle and puts an obligation on legal entities like Network to ensure your personal data is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Network's appropriate technical measures include encryption, technical testing, software updates and security protocols for staff. Appropriate Organisational measures include training, policies and procedures, accountable data owners and designated DPO.
7. Accountability (evidence of the above)
This is the final principle and it's an overarching principle which requires controllers to evidence how they comply with the data protection principles mentioned above. Network shows accountability by:
- appointment of a DPO who monitors compliance and gives advice,
- maintaining a register of all processing activities known as Records of Processing,
- has a designated data protection team to manage data subject request and coordinate the investigation of data protection incidents,
- has published a suit of policies, procedures, forms and guidance on data protection matters and responsibilities,
- training is provided to staff through several different channels,
- allocations of Data Owners throughout the organisation,
- completion of Data Protection Impact Assessments where processing is deemed high risk,
- and holding contracts/ sharing agreements with providers of goods and services where required.
The UK and EU GDPR introduces a duty for controllers, like Network, to appoint a data protection officer (DPO) if they carrying out certain types of processing activities.
DPOs assist controllers to monitor internal compliance, inform and advise on their data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
Network's DPO is contactable at DPO@networkhomes.org.uk.
It is recommended that should you wish to exercise one of your data subject rights or report a data protection incident that you complete the optional form under useful forms as this will ensure we have all the information we need to process your request/report.
Data Subject Rights
Under data protection law, you have the right to:
- request access to the personal data we hold about you , without charge (certain exceptions apply.)
- request correction of your personal data if it is incorrect or out of date. If the data we hold about you is out of date, incomplete or incorrect you can inform us and your data will be updated.
- request that we delete your data. If you feel we should no longer be using your data you can request that we erase the data that we hold. Upon receiving a request for erasure we will confirm whether it has been deleted or the reason why it cannot be deleted (for example because we have a legal obligation to keep the information or we need it for a compelling legitimate business interest).
- object to processing of your data. You may request that we stop processing information about you. Upon receiving your request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or bring or defend legal claims.
- request that we transfer your data to another controller if the data is processed by automated means (ie excluding paper files) and we will provide this in a machine readable format including PDFs, CSV/excel and Word documents.
- request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- request to withdraw consent for processing your data if that process relies on consent.
You can read about the personal data we process on our privacy statement. We regularly update our privacy statement and if there are any significant changes to how we process your data, we will inform you individually.
A subject access request is a request for a copy of your personal data that Network Homes hold.
Additionally, you will find out the purposes of processing your data, any parties we shared your data with, as well as where we got your data from.
You will be able to request access to your personal data such as your call log, activity history, emails, correspondence, rent history, repairs history and so on.
For efficiency, it's important that you provide as much detail as possible when first submitting a request. Include exact type of data you wish to access, as well as a time period. For example, a call recording from a specific date, or repairs requested within a certain time range.
Please note Subject Access Requests are done for personal data, and not for entire documents. We will be excluding most of third party information, as well as data that is commercially sensitive or irrelevant to your request. We may also exclude other data that is exempt, such as data used for negotiations, criminal investigations, or is legally privileged.
Unless requested differently, we will provide you with a digital access to your personal data via SharePoint (document cloud sharing service). Once your file is created, you will be able to download the personal data instantly, or come back to access it anytime within a year.
We aim to process your requests without undue delay and latest within a calendar month, from the day we confirmed all required details with you. You'll be advised of a specific deadline via email.
In exceptional circumstances, we may take additional 2 months to process it, but in such cases, we will let you know about this in advance.
Yes, it's called the right to erasure. However, this right is not absolute - it means that we will be able to delete your personal data only in certain circumstances, for instance:
- The personal data is no longer required
- You withdrew your consent to process the personal data (where legal basis is consent)
- You objected to processing of your personal data and there are no overriding legitimate interests to keep your data (where legal basis is legitimate interests)
- Your personal data was processed for direct marketing purposes
You can request erasure of your personal data by filling in a Data Subjects Request Form from our useful form page or by contacting us. We will respond to you within a calendar month, advising whether we could remove your data and reasons behind our decisions.
It is important that we have your accurate and up to date information. Contact us via our contact centre or fill in the optional data subject request form to ask us to rectify the information that we hold about you. If applicable, please provide any supporting evidence.
Yes you can, however, we may not be able to do so in every circumstance. The right to object applies only when the data is processed for:
- A task carried out in the public interest
- The exercise of official authority
- Our legitimate interests
- Scientific or historical research, or statistical purposes
- Direct marketing purposes
You can object to us processing your personal data by filling in a Data Subject Request Form or contacting us. We will assess your request and respond to you within a calendar month, advising of the outcome.
Yes you can if we have legal authority from the data subject. You can demonstrate legal authority by:
- providing evidence of your legal rights (i.e. Lasting Power of Attorney for property and finance affairs, or court papers giving legal authority).
- submitting a Representative Consent form permitting you to speak on behalf of the data subject. If you are representing a resident, please ask the resident to complete our Representative Consent form.
The UK GDPR exclude the personal data of deceased individuals, therefore the rights listed above do not apply. However, you may be able to seek to update or remove the individual's data, if you have a legal authority to do so and can provide supporting evidence.
Evidence we require includes a death certificate and proof of your right to the personal data like Probate or Letters of Administration.
Under a Subject Access Request (SAR) you have the right to request your personal data.
Call Recordings: Should you wish for a copy of an actual call recording, or all call recordings. If we have it, we will listen to the call to identify if any third party personal data is present. Where third party personal data is present we will seek to obtain consent for it's release (where appropriate), remove the personal data using trim function where possible or with hold it confirming it contains personal data of a third party. Recordings are kept for a maximum of 6 months, unless downloaded and stored of the recording system, in that case it is stored for the length of the investigation/legal proceedings or 3 years post downloaded data for audit purposes (whichever is greater). Please note: not all calls are recorded. See 'Communications' >'Call Recordings' under our Privacy Statement for more information.
CCTV: Where CCTV contains information, objects, belongings, property and images that can identify another living person other than yourself this will be withheld unless consent of individual/s can be sought. Where CCTV is required to support a crime, we will provide the CCTV requested directly to the police after they have satisfied our internal compliance checks. Please see 'Public Bodies - Requesting Personal Data' for more information on how we share personal data with public bodies like the Police. Retention for CCTV is dependant on the camera itself and will kept for no longer than 30 days on the recording system. Where Footage is downloaded to use for criminal activity or investigations this will be retained on file for the length of the case or 3 years post the download date for audit purposes (whichever is greater).
See 'Your Personal Data Rights' to learn more about Subject Access Requests.
Data Protection Incidents
A personal data breach is defined in law as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."
Examples of personal data breaches include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission;
- and loss of availability of personal data due to cyber attack
The below is examples of non personal data breaches.
- contacting or processing your data without consent. (we only need your consent where we have no lawful basis or when the communication is that labelled as 'marketing' under the Privacy Electronic Communications Regulations.)
- sharing your contact information with contractors in order to carry out repairs
- sharing your rent information with local authorities where needed for benefit updates.
- supporting local authorities with their investigations when they have provided evidence of lawful basis and appropriate sharing safeguards.
- not being able to fulfil data subject rights (this is breach of legislation, rather than a personal data breach).
- sharing your name and tenancy start date with utility providers to enable correct debt collection process.
- carry out background checks and investigation into fraud allegations including tenancy fraud.
- not having update records, we are obliged to have accurate and up-to-date personal data (this is a legislative breach).
You can report a personal data breach or a data protection incident by completing our optional data protection incident reporting form via useful forms page.
We ask you complete this form as it asks for the information to understand what has happened and desired resolution. This form on submission goes to Network Homes Data Protection Officer for processing.
A personal data breach is reportable to the ICO by the Network's Data Protection Officer where it is identified that the breach has given rise to the risks of the rights and freedoms of the impacted individual/s (data subjects).
- unlawful disclosure of special category data such as health or ethnicity.
- unlawful access to our systems where personal data records have been compromised.
- lost portable device containing personal data which is unencrypted
When you raise any allegations of a data protection incident you will receive a response from our Data Protection Officer (DPO) or a colleague authorised on their behalf, unless you have expressed you don not want a response. Within the response it will inform you the outcome of any investigations, next actions and what to do if you are unhappy with the response provided.
So you are considering, or already decided to, install CCTV on your property. Whether it's a video doorbell or a security camera, you must consider data protection and privacy implications your decision might have on the general public.
Yes, you can. However, it's important to establish the rationale - why is CCTV necessary and how it will help solve any existing problems. Alternative security techniques should be considered first. So, if CCTV systems are used, it needs to be justified.
If you decide to use CCTV on your property, you must ensure that:
- The scope of your camera does not capture images outside of your property, such as the street with passers-by and cars, or even your neighbours.
- You are not operating a business from your property.
If you do any of the above, this may make you a data controller for the purposes of the UK Data Protection Act 2018.
Yes. You may require landlord’s consent before installing CCTV at your property. If you are a leaseholder, this will depend on the specific terms of your lease. Please speak to your property manager or your neighbourhood officer for clarification before installation of the CCTV.
If you monitor a public space or operate a business from your property, you will need to implement additional safeguards for your device and the data it records. This includes:
- setting and documenting a clear justification for capturing these images and being able to explain it,
- technical measures such as secure storage and retention of data,
- installing signage indicating that CCTV is operational in the area,
- responding to subject access and erasure requests.
It has to notify that CCTV is operational in the area, provide the purpose of its processing and your contact details as a data controller.
The information should be positioned at a reasonable distance from the places monitored in such a way that the public can easily recognize the circumstances of the surveillance before entering the monitored area.
Please note that where surveillance captures a public space, this processing cannot be regarded as an activity which is a purely ‘personal or household’ activity.
Under Article 15 of the General Data Protection Regulations (GDPR) an individual is entitled to request a copy of the personal data that a data controller is holding about them. This is known as a subject access request. In this instance, someone could request a CCTV footage of them captured by your device. You should respond promptly and in any event within a month of receiving the request.
No, dummy cameras are not subject to the data protection laws.
You can contact the Information Commissioner's Office or read their guidance.