Frequently Asked Questions on Data Protection and Your Rights.
Please see the answers to some of the common questions we are asked about data protection and your rights, including when consent is needed and what amounts to a personal data breach.
GDPR stands for General Data Protection Regulation.
Originating from the EU, it has now been adopted into UK law to create the UK GDPR.
UK GDPR concerns the processing of personal data that enters, is used within or exits the UK. It places obligations on companies that process your personal data, including the principles of data protection, and gives you more control over your personal data through data subject rights.
EU GDPR is the same as above, but relates to the processing of personal data within the EEA.
There are four key data protection entities you should be aware of and these are:
Data subject: this is the living person whom the personal data is about and can identify.
Controller: this is the legal entity, normally a company, but possibly an individual or individuals, that determines the purpose and means of processing the personal data. Controllers decide why the personal data should be collected, how it is to be collected and what it is to be used for. Their decisions will be based on the requirements of the business or on obligations placed upon them through legal instruments. Examples include local authorities, public bodies and charities.
Processor: this is the legal entity, normally a company, but possibly an individual or individuals, that is instructed by contract or agreement to process the personal data on the controller's behalf. Examples include software providers, some contractors, and some outsourced services such as post management.
ICO stands for the Information Commissioner's Office, the regulator for UK data protection practices. The ICO provides guidance to legal entities and data subjects and handles data protection complaints once they have first gone through the controller's or processor's own complaints process. The ICO has the power to fine legal entities, but this is usually a last resort, and any monies from fines are paid into the UK Treasury. More information can be found on their website at ico.org.uk.
Processing is everything you do with personal data, and it therefore needs to comply with data protection laws such as the UK/EU GDPR and the Data Protection Act 2018.
This includes, but is not limited to:
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collectively can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
Data protection laws protect personal data regardless of the technology used for processing that data. They are technology neutral and apply to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn't matter how the data is stored, whether in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
Examples of personal data
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID.
Examples of non-personal data
- a company registration number;
- a generic email address such as email@example.com;
- anonymised data;
- any data that can directly or indirectly identify a deceased person.
Special category data is personal data that is of a more sensitive nature and requires stronger protection.
Special category data includes:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life;
- and data concerning a person’s sexual orientation.
Why is this data special?
The ICO confirms it's not just that this type of information might be more sensitive or 'private'. The recitals to the UK GDPR explain that these types of personal data merit specific protection. This is because use of this data could create significant risks to the individual's fundamental rights and freedoms.
For example, the various categories are closely linked with:
- freedom of thought,
- conscience and religion;
- freedom of expression;
- freedom of assembly and association;
- the right to bodily integrity;
- the right to respect for private and family life;
- or freedom from discrimination.
The presumption is that this type of data needs to be treated with greater care because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the UK GDPR.
As stronger protection is needed, controllers need to establish a special condition as well as a lawful basis for processing this personal data. In some cases, they may also require an appropriate policy document for processing special category data.
A lawful basis is a legal permission given to data controllers to process your personal data. This is outlined in Article 6 of both the UK and EU GDPR. Most people believe that a legal entity or organisation needs your consent to process your personal data, but consent is only one of the lawful bases. There are six lawful bases and Network must establish at least one in order to process your personal data. The six lawful bases are:
- Contract: it is necessary to process the personal data for the performance of a contract with the data subject or to take steps to enter into a contract. An example of this would be the recruitment process or housing allocation.
- Legal Obligation: it is necessary to process personal data to fulfil a legal obligation and for Network to comply with the law. An example of this would be ensuring the safety of residents through annual gas service checks.
- Vital Interest: it is necessary to process the personal data to protect your life or another person's life. An example of this would be staff providing specific details to the paramedics on a call-out to an accident at one of the sheltered housing schemes.
- Public Task: the processing is necessary for Network to perform a task in the public interest or to support an official body with its obligations where there is a basis in law for doing so. An example of this would be Network supporting local authorities or the Police with their safeguarding cases.
- Legitimate Business Interest: the processing is necessary for Network's legitimate interests or the legitimate interests of one of our third parties (e.g. a contractor), unless there is a good reason to protect your personal data which overrides those legitimate interests.
- Consent: you have given Network Homes clear consent (permission) to process your personal data for a specific purpose. Network only asks for your consent in limited circumstances; examples include photos, marketing and representative consent.
Special category data
Where Network is processing special category data it needs to establish a special condition in addition to a lawful basis. Special conditions are listed in Article 9 of UK and EU GDPR and include:
- Employment, social security and social protection law
- Vital interests
- Made public by the data subject
- Legal claims and judicial acts
- Substantial public interest conditions
- Health or social care
- Public health
- Archiving, research and statistics
- Explicit consent
Where Network relies on the substantial public interest conditions, it will rely on the legal authority provided in Schedule 1 of the Data Protection Act 2018 and, where required, will have an appropriate policy document outlining the basis of its decision to use this authority, as required by law.
There are 6 core principles followed by 1 overarching principle, and these set out guidelines and obligations on legal entities when processing personal data. In order to process personal data, all 7 principles must be adhered to:
Personal data must be:
1. processed lawfully, fairly and transparently.
2. processed for a specific purpose and not used in any manner incompatible with that purpose.
This means Network must have an established lawful basis for processing this data and a specific purpose (use) for the personal data. Therefore, Network will never use your personal data obtained through your housing relationship or from the recruitment process to market their commercial properties, as that would be incompatible with the original purpose.
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
This is often referred to as the data minimisation principle, and it means that Network only processes the personal data that is necessary (needed) for the purpose it requires it for and nothing more. It should also be noted that this does not mean Network should hold less data on individuals, just that the data needs to be necessary and proportionate to fulfil the desired purpose. In some cases more data may be collected than before to ensure Network's records are as accurate as they can be, which leads on to the next principle.
4. accurate and, where necessary, kept up to date.
This is often referred to as the accuracy principle, and it does not mean that Network is in breach of data protection law if the records it holds on you are not 100% accurate. It means that every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. This principle is closely aligned with your data subject right to rectification.
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
This is known as the storage limitation principle. It promotes better data management practices by ensuring personal data is not kept indefinitely and that a legal entity can justify why it needs to keep personal data for a specific time. Network's retention periods are based on legal requirements, the Limitation Act, best practice, industry guidelines and business needs.
6. processed in a manner that ensures appropriate security of the personal data.
This is the security (integrity and confidentiality) principle and puts an obligation on legal entities like Network to ensure your personal data is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Network's appropriate technical measures include encryption, technical testing, software updates and security protocols for staff. Appropriate organisational measures include training, policies and procedures, accountable data owners and a designated DPO.
7. Accountability (evidence of the above)
This is the final principle, and it is an overarching principle which requires controllers to evidence how they comply with the data protection principles mentioned above. Network shows accountability by:
- appointing a DPO who monitors compliance and gives advice,
- maintaining a register of all processing activities, known as Records of Processing,
- having a designated data protection team to manage data subject requests and coordinate the investigation of data protection incidents,
- publishing a suite of policies, procedures, forms and guidance on data protection matters and responsibilities,
- providing training to staff through several different channels,
- allocating Data Owners throughout the organisation,
- completing Data Protection Impact Assessments where processing is deemed high risk,
- and holding contracts or sharing agreements with providers of goods and services where required.
The UK and EU GDPR introduce a duty for controllers, like Network, to appoint a data protection officer (DPO) if they are carrying out certain types of processing activities.
DPOs assist controllers to monitor internal compliance, inform and advise on their data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
Network's DPO is contactable at DPO@networkhomes.org.uk.
If you wish to exercise one of your data subject rights or report a data protection incident, it is recommended that you complete the optional form under "Useful forms", as this will ensure we have all the information we need to process your request or report.