Data Protection

The Association recognises the importance of meeting tenant’s expectations of a very high standard of service delivery. The correct handling of data is therefore of high priority for the Association. This Policy ensures that such information is dealt with in accordance with the Data Protection Act 1998.

Listed below are the key Acts and regulations to be acknowledged:

(a) Data Protection Act 1998;
(b) Human Rights Act 1998;
(c) Crime and Disorder Act 1998;
(d) Regulation of Investigatory Powers Act 2000; (e) Immigration and Asylum Act 1999; and
(f) Mental Capacity Act 2005.

Under the Data Protection Act 1998, all personal and sensitive organisational information, however received, is treated as confidential including:

(a) Anything of a personal nature not a matter of public record about a resident; and
(b)Relating to client, applicant, stakeholders, staff or Board / Committee members.

Officers will ensure that they only involve other agencies and share information with the consent of the person concerned, unless the:

(a) Association is required by law; or
(b) Information is necessary for the safeguarding of children and adults at risk.

The Association holds personal information about staff and Board members, current tenants and potential tenants, and stakeholders. It is subject to the requirements of the Data Protection Act 1998, and respects the rights of all these people to privacy and confidentiality. This Policy covers all personal data held by the Association which relates to any individual. The law makes a distinction between how we deal with ‘personal data’ and ‘sensitive personal data’, the full definitions and principles of data protection are contained in (Appendix 1).

The Association is registered with the Information Commissioner’s Office [ICO] for the purposes of processing personal data under the Data Protection Act. Responsibility for compliance with the Act rests with all staff employed by the Association who have a duty to understand and implement this Policy. Any breach may be a disciplinary or criminal offence. All breaches of data protection must be reported to the Chief Executive.


Data Protection

The 8 Principles of Data Protection (from the Data Protection Act 1998) are:

(a)  Data must be obtained and processed fairly and lawfully;
(b)  Data must only be processed for the reasons intended and prescribed in the data register entries;
(c)  All data held must be adequate, relevant and not excessive;
(d)  All data held must be accurate and kept up-to-date;
(e)  Data must not be kept for longer than is necessary;
(f)  Data must be processed in accordance with the subject’s rights;
(g)  Data must be kept secure; and
(h)  Data must not be transferred outside of the European Economic Area without adequate security.

Definitions of key terms are:

(a) DPA = Data Protection Act 1998
(b) SAR = Subject Access Request

Data is:

Information which is intentionally processed or recorded as part of an accessible record.


Processing of data is a broad term which includes a wide range of actions, including collecting, reading, recording, sharing, amending and storing. The Government’s Information Commissioner, who oversees the implementation of the Data Protection Act 1998, says that “it is difficult to imagine any action involving data that does not amount to processing.”

Data Controller:

A person who determines the purposes for and the manner in which personal data are, or are to be, processed. This may be a dedicated person within the Association or the processing may be carried out jointly or in common with other persons.

Personal Data:

Data which relates to a living individual who can be identified from the data, or from other information which is in the possession of, or likely to come into the possession of the Data Controller.

It includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.

Sensitive Data:

Specific provision is made under the DPA for processing sensitive personal information.

Request a call back