Haywood Homes Group of Companies Data Protection Policy
This policy was prepared by Sumik Ventures Limited
Policy came into effect 8th November 2017
Policy will next be reviewed on 31st December 2018
The Group needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people that the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
Data Protection Law
The Data Protection Act 1998 describes how organisations, including the Haywood Homes Group, must collect, handle and store information, whether on paper or electronically.
Such information must be collected and used fairly, stored safely and not disclosed unlawfully.
There are 8 important principles which each organisation in the group is required to follow. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for longer than is necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside of the EEA unless that country provides an adequate level of protection.
This policy applies to:
- The head office of the Haywood Homes Group
- All branches and offices managed by any organisation in the Haywood Homes Group
- All staff and Employees of the Haywood Homes Group
- All contractors, suppliers and other people working on behalf of the Haywood Homes Group.
The Policy applies to all data that any organisation within the Haywood Homes Group holds relating to identifiable individuals, including but not exclusively:
- Names of Individuals
- Postal Addresses, current and previous
- Email addresses
- Telephone Numbers
- Any other information relating to individuals
Everyone who works for or with the Haywood Group of Companies has some responsibility for ensuring data is collected, stored and handled appropriately in line with this policy.
Certain people within the organisation have key areas of responsibility:
- The Board of Directors is ultimately responsible for ensuring that the Haywood Homes Group meets its legal obligations.
- The Data Protection Officer, Sumik Ventures Limited, is responsible for:
  - Keeping the Board updated about their data protection responsibilities
  - Reviewing the policy and procedures
  - Arranging training and advice
  - Answering questions from people covered by this policy
  - Dealing with Subject Access Requests
  - Checking and agreeing contracts or agreements with any third parties who may handle the Group’s sensitive data.
- The marketing manager, Mrs Michelle Unwin, is responsible for:
  - Approving any data protection statements attached to communications such as emails and letters
  - Addressing data protection queries from journalists or media outlets
  - Ensuring that any marketing initiatives abide by data protection principles
General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work
- Data should not be shared informally. When access to confidential data is required, only line managers are permitted to authorise its release.
- The Haywood Homes Group will provide training to any member of staff to help them understand their responsibilities when handling data
- Employees should keep all data secure by taking sensible precautions and following this policy.
- Personal Data should not be disclosed to unauthorised people whether within the organisation or otherwise.
- Data should be regularly reviewed and updated and deleted or destroyed when it is no longer required by the organisation.
- Employees should request guidance from the Data Protection Officer if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored.
When data is stored on paper it should be kept in a secure place where unauthorised people cannot see it.
When no longer required paper documents should be shredded and disposed of securely.
When data is stored electronically it must be kept protected from unauthorised access, accidental deletion and malicious hacking attempts with the use of strong passwords that cannot be easily identified. Consideration should be given to the change of passwords on a regular basis.
Data should only be stored on designated drives and servers. If it is uploaded to a cloud backup service, that service must be of an approved type with adequate data protection of its own in place.
All servers and computers should have installed and operational security software and firewalls.
When working with Personal data employees should ensure the screens of their computers cannot be accessed when left unattended.
One of the principal reasons for the Group sourcing personal data from customers is to provide information to their duly appointed estate agents to ensure the smooth progress of the sales process and to solicitors for the preparation of the legal documents associated with the sale.
The Group will also supply personal data to the providers of guarantees in respect of the property to be occupied by the person concerned for their benefit.
If sending personal data to an external contact such data should be in an encrypted form.
Data should never be sent outside of the EEA.
Employees should NOT save data to their personal devices. All data should only be held in a central location unless required for efficiency reasons at a remote location, in which case such data will only be retained whilst a transaction is in progress.
The DPA requires that organisations take reasonable steps to ensure data is kept accurate and up to date in so far as is possible.
Data should be held in as few places as is possible. Duplication of records should be kept to a minimum and made only when absolutely essential for the efficient operation of the organisation.
Subject Access Requests
All individuals are entitled to make a request to the Organisation to identify:
- What information the Group holds about them and why
- How they can gain access to the personal data
- How the data is being kept up to date
- What measures the organisation is taking to meet its data protection obligations
Subject Access Requests should be made in writing to the Data Protection Officer, Sumik Ventures Limited, at 72, Dunstall Road, Halesowen, West Midlands, B63 1BE and copied by email to firstname.lastname@example.org. Requests should be in the prescribed form, a copy of which can be supplied on request, and accompanied by a fee of £10 made payable to the relevant company within the group to whom the request is addressed. A separate fee is required for each application.
The Data Protection Officer will require proof of identity before replying to the Subject Access Request, evidenced by a utility bill dated within three months of the request and a copy of a driver's licence or passport, each certified by a professional person as being a correct representation of the person making the request.
Disclosure of Information for Other Purposes
The Haywood Homes Group retains the right to release information without the consent of the data subject to law enforcement agencies where the legitimacy of the request has been adequately established and, if any doubt exists, appropriate advice has been taken from qualified professionals.
The Haywood Homes Group aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends the Group has a privacy statement, setting out how data relating to individuals is being used by the Group.
[This is available on request. A version of this statement is available on the Group’s website]