Privacy Policy
Contents
- Introduction
- Legislation
- Data
- Processing of personal data
- Data sharing
- Data storage and security
- Breaches
- Data protection officer
- Data subject rights
- Privacy impact assessments
- Archiving, retention and destruction of data
List of appendices
- Table of duration of retention of certain data
- Fair processing notice
- Model data sharing agreement
- Data protection statement of requirements for data processors
- Introduction
Homes for Good (Scotland) CIC (“we” or “us”) is committed to ensuring the secure and safe management of data held by us in relation to customers, staff and other individuals. Our staff members have a responsibility to ensure compliance with the terms of this policy, and to manage individuals’ data in accordance with the procedures outlined in this policy and documentation referred to herein.
We need to gather and use certain information about individuals. These can include customers (tenants, landlord clients etc.), employees and other individuals that we have a contractual relationship with. We manage a significant amount of data, from a variety of sources. This data contains “personal data” and “sensitive personal data” (known as “special categories of personal data” under the GDPR).
This policy sets out our duties in processing that data, and the purpose of this policy is to set out the procedures for the management of such data.
- Legislation
It is a legal requirement that we process data correctly; we must collect, handle and store personal information in accordance with the relevant legislation.
The relevant legislation in relation to the processing of data is:
- the General Data Protection Regulation (EU) 2016/679 (the GDPR);
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and
- any legislation that, in respect of the United Kingdom (UK), replaces, or enacts into UK domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the UK leaving the European Union.
- Data
3.1 We hold a variety of data relating to individuals, including customers and employees (also referred to as “data subjects”) which is known as personal data. The personal data held and processed by us is detailed within the “fair processing notice” (FPN) at Appendix 2 hereto and the data protection addendum of the terms and conditions of employment which has been provided to all employees.
3.1.1 Personal data is that from which a living individual can be identified either by that data alone, or in conjunction with other data held by us.
3.1.2 We also hold personal data that is sensitive in nature (i.e. reveals a data subject’s racial or ethnic origin, religious beliefs, political opinions, or relates to health or sexual orientation). This is special category personal data or sensitive personal data.
- Processing of personal data
- We are permitted to process personal data on behalf of data subjects provided it is doing so on one of the following grounds:
- processing with the consent of the data subject (see clause 4.4 hereof);
- processing is necessary for the performance of a contract between us and the data subject or for entering into a contract with the data subject;
- processing is necessary for our compliance with a legal obligation;
- processing is necessary to protect the vital interests of the data subject or another person; or
- processing is necessary for the purposes of legitimate interests.
4.2 Fair processing notice
4.2.1 We have produced a fair processing notice (FPN) which we are required to provide to all customers whose personal data is held by us. That FPN must be provided to the customer from the outset of processing their personal data and they should be advised of the terms of the FPN when it is provided to them.
4.2.2 The FPN at Appendix
2 sets out the personal data processed by us and the basis for that processing. This document is provided to all our customers at the outset of processing their data.
4.3 Employees
4.3.1 Employee personal data and, where applicable, special category personal data or sensitive personal data, is held and processed by us. Details of the data held and processing of that data is contained within the employee FPN which is provided to employees at the same time as their contract of employment.
4.3.2 A copy of any employee’s personal data held by us is available upon written request by that employee from Alice Simpson.
4.4 Consent
Consent as a ground of processing will require to be used from time to time by us when processing personal data. It should be used by us where no other alternative ground for processing is available. In the event that we require to obtain consent to process a data subject’s personal data, we shall obtain that consent in writing. The consent provided by the data subject must be freely given and the data subject will be required to sign a relevant consent form if willing to consent. Any consent to be obtained by us must be for a specific and defined purpose (i.e. general consent cannot be sought).
4.5 Processing of special category personal data or sensitive personal data
In the event that we process special category personal data or sensitive personal data, we must do so in accordance with one of the following grounds of processing:
- the data subject has given explicit consent to the processing of this data for a specified purpose;
- processing is necessary for carrying out obligations or exercising rights related to employment or social security;
- processing is necessary to protect the vital interest of the data subject or, if the data subject is incapable of giving consent, the vital interests of another person;
- processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity; and
- processing is necessary for reasons of substantial public interest.
- Data sharing
- We share our data with various third-parties for numerous reasons in order that day to day activities are carried out in accordance with our relevant policies and procedures. In order that we can monitor compliance by these third-parties with data protection laws, we will require the third-party organisations to enter in to an agreement with us to govern the processing of data, security measures to be implemented and responsibility for breaches.
- Data sharing
5.2.1 Personal data is from time to time shared amongst us and third-parties who require to process personal data that we process as well. Both us and the third-party will be processing that data in their individual capacities as data controllers.
5.2.2 Where we share in the processing of personal data with a third-party organisation (e.g. for processing of the employees’ pension), we shall require the third-party organisation to enter in to a data sharing agreement with us in accordance with the terms of the model data sharing agreement set out in Appendix 3 to this policy.
- Data processors
A data processor is a third-party entity that processes personal data on behalf of us and are frequently engaged if certain parts of our work is outsourced (e.g. payroll, maintenance and repair works).
- A data processor must comply with data protection laws. Our data processors must ensure they have appropriate technical security measures in place, maintain records of processing activities and notify us if a data breach is suffered.
- If a data processor wishes to sub-contact their processing, our prior written consent must be obtained. Upon a sub-contracting of processing, the data processor will be liable in full for the data protection breaches of their sub-contractors.
- Where we contract with a third-party to process personal data held by us, it shall require the third-party to enter in to a data protection addendum with us in accordance with the terms of the model data protection addendum set out in Appendix 4 to this policy.
- Data storage and security
All personal data held by us must be stored securely, whether electronically or in paper format.
6.1 Paper storage
if personal data is stored on paper it should be kept in a secure place where unauthorised personnel cannot access it. Employees should make sure that no personal data is left where unauthorised personnel can access it. When the personal data is no longer required it must be disposed of by the employee so as to ensure its destruction. If the personal data requires to be retained on a physical file then the employee should ensure that it is properly secured within the file (e.g. stapled, or the documents are put on a Treasury Tag within the file) which is then stored in accordance with our storage provisions.
6.2 Electronic storage
personal data stored electronically must also be protected from unauthorised use and access. Personal data should be password protected when being sent internally or externally to our data processors or those with whom we have entered in to a data sharing agreement. If personal data is stored on removable media (CD, DVD, USB memory stick) then that removable media must be stored securely at all times when not being used. Personal data should not be saved directly to mobile devices and should be stored on designated drivers and servers.
- Breaches
7.1 A data breach can occur at any point when handling personal data and we have reporting duties in the event of a data breach or potential breach occurring. Breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach require to be reported externally in accordance with clause 7.3 hereof.
7.2 Internal reporting
We take the security of data very seriously and in the unlikely event of a breach will take the following steps:
- As soon as the breach or potential breach has occurred, and in any event no later than six (6) hours after it has occurred, the data protection officer (DPO) must be notified in writing of (i) the breach; (ii) how it occurred; and (iii) what the likely impact of that breach is on any data subject(s);
- we must seek to contain the breach by whatever means available;
- the DPO must consider whether the breach is one which requires to be reported to the Information Commissioner’s Office (ICO) and data subjects affected and do so in accordance with this clause 7;
- notify third parties in accordance with the terms of any applicable data sharing agreements
7.3 Reporting to the ICO
The DPO is required to report any breaches which pose a risk to the rights and freedoms of the data subjects who are the subject of the breach to the ICO within 72 hours of the breach occurring. The DPO must also consider whether it is appropriate to notify those data subjects affected by the breach.
- Data protection officer
8.1. A DPO is an individual who has an over-arching responsibility and oversight over compliance by us with data protection laws. We have elected to appoint a DPO whose details are noted on our website and contained within the fair processing notice at Appendix 2 hereto.
8.2 The DPO will be responsible for:
8.2.1 Monitoring our compliance with data protection laws and this policy;
8.2.2 co-operating with and serving as our contact for discussions with the ICO;
8.2.3 reporting breaches or suspected breaches to the ICO and data subjects in accordance with part 7 hereof.
- Data subject rights
9.1 Certain rights are provided to data subjects under the GDPR. Data subjects are entitled to view the personal data held about them by us, whether in written or electronic form.
9.2 Data subjects have a right to request a restriction of processing their data, a right to be forgotten and a right to object to our processing of their data. These rights are notified to our customers in our FPN.
9.3 Subject access requests
Data subjects are permitted to view their data held by us upon making a request to do so (a subject access request). Upon receipt of a request by a data subject, we must respond to the subject access request within one month of the date of receipt of the request. We:
9.3.1 must provide the data subject with an electronic or hard copy of the personal data requested, unless any exemption to the provision of that data applies in law;
9.3.2 where the personal data comprises data relating to other Data subjects, must take reasonable steps to obtain consent from those data subjects to the disclosure of that personal data to the data subject who has made the subject access request; or
9.3.3 where we do not hold the personal data sought by the data subject, must confirm that we do not hold any personal data sought by the data subject as soon as practicably possible, and in any event, not later than one month from the date on which the request was made.
9.4 The right to be forgotten
9.4.1 A data subject can exercise their right to be forgotten by submitting a request in writing to us seeking that we erase the data subject’s personal data in its entirety.
9.4.2 Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with this clause and will respond in writing to the request.
9.5 The right to restrict or object to processing
9.5.1 A data subject may request that we restrict our processing of the data subject’s personal data, or object to the processing of that data.
9.5.1.1 In the event that any direct marketing is undertaken from time to time by us, a data subject has an absolute right to object to processing of this nature by us, and if we receive a written request to cease processing for this purpose, then we must do so immediately.
9.5.2 Each request received by us will require to be considered on its own merits and legal advice will require to be obtained in relation to such requests from time to time. The DPO will have responsibility for accepting or refusing the data subject’s request in accordance with clause 9.5 and will respond in writing to the request.
- Privacy impact assessments
- Privacy impact assessments (PIAs) are a means of assisting us in identifying and reducing the risks that our operations have on personal privacy of data subjects.
- We shall:
- Carry out a PIA before undertaking a project or processing activity which poses a high risk to an individual’s privacy. High risk can include, but is not limited to, activities using information relating to health or race, or the implementation of a new IT system for storing and accessing personal data.
- In carrying out a PIA, include a description of the processing activity, its purpose, an assessment of the need for the processing, a summary of the risks identified and the measures that we will take to reduce those risks, and details of any security measures that require to be taken to protect the personal data.
10.3 We will require to consult the ICO in the event that a PIA identifies a high level of risk which cannot be reduced. The DPO will be responsible for such reporting, and where a high level of risk is identified by those carrying out the PIA they require to notify the DPO within five (5) working days.
- Archiving, retention and destruction of data
We cannot store and retain personal data indefinitely. We must ensure that personal data is only retained for the period necessary. we shall ensure that all personal data is archived and destroyed timeously and at the point that we no longer need to retain that personal data in accordance with the periods specified within the table at Appendix 1 hereto.
Appendix 1 – Data Retention Periods
Data retention periods
The table below sets out retention periods for personal data held and processed by me, as a letting agent. It is intended to be used as a guide only. I recognise that not all personal data can be processed and retained for the same duration, and retention will depend on the individual circumstances relative to the data subject whose personal data is stored.
Type of record | Retention time |
Records relating to working time | Two years from the date they were made |
Council Tax records | 10 years |
Accident books and records and reports of accidents | Three years after the date of the last entry |
Health and safety assessments and records of consultations with safety representatives and committee | Permanently |
Applicants for accommodation | Five years |
Housing Benefit notifications | Duration of tenancy |
Tenancy files | Duration of tenancy |
Former tenants’ files (key info) | Five years |
Third party documents | Duration of tenancy |
Records re offenders, ex-offenders (sex offender register) | Duration of tenancy |
Lease documents | Five years after lease termination |
Anti-social behaviour case files | Five years/end of legal action |
Appendix 2 – Fair Processing Notice
Homes for Good (Scotland) CIC
GDPR Fair Processing Notice
(How we use your personal information)
This notice explains what information we collect, when we collect it and how we use this. During the course of our activities we will process personal data (which may be held on paper, electronically, or otherwise) about you and we recognise the need to treat it in an appropriate and lawful manner. The purpose of this notice is to make you aware of how we will handle your information.
Who are we?
Homes for Good (Scotland) CIC, 97 & 123 Main Street, Bridgeton, Glasgow G40 1QD (“we” or “us”) take the issue of security and data protection very seriously and strictly adhere to guidelines published in the Data Protection Act of 1998 and the General Data Protection Regulation (EU) 2016/679 which is applicable from the 25 May 2018, together with any domestic laws subsequently enacted.
We are notified as a data controller with the Information Commissioner’s Office (ICO)
under registration number ZA228218 and we are the data controller of any personal data that you provide to us.
Our data protection officer is Alice Simpson, please see contact details below
- Email: alice@homesforgood.org.uk
- Telephone: 0141 406 1830
- Mobile: 07780 457 580
Any questions relating to this notice and our privacy practices should be sent to Alice Simpson using the details noted above.
How we collect information from you and what information we collect
We collect information about you:
- when you apply for housing with us, become a tenant, request services/repairs, enter in to a tenancy agreement with ourselves howsoever arising or otherwise provide us with your personal details;
- from your use of our online services, whether to report any tenancy related issues, make a complaint or otherwise;
- from your arrangements to make payment to us (such as bank details, payment card numbers, employment details, benefit entitlement and any other income and expenditure related information).
We collect the following information about you:
- Name;
- Address;
- Telephone and/ or mobile number;
- email address;
- National Insurance number;
- Next of kin;
- Employment details;
- Tenancy history;
- Proof of identity;
- Bank statements;
- Local authority & benefit letters (where relevant);
- NHS and/ or Social Work information (where this has been shared with us by you)
We receive the following information from third parties:
- benefits information, including awards of Housing Benefit/Universal Credit
- payments made by you to us;
- complaints or other communications regarding behaviour or other alleged breaches of the terms of your contract with us, including information obtained from Police Scotland;
- reports as to the conduct or condition of your tenancy, including references from previous tenancies, and complaints of anti-social behaviour.
Why we need this information about you and how it will be used
We need your information and will use your information:
- To assess your affordability or suitability for a tenancy that you have applied for;
- to undertake and perform our obligations and duties to you in accordance with the terms of our contract with you;
- to enable us to supply you with the services and information which you have requested;
- to enable us to respond to your repair request, housing application or any other benefit application that you have requested assistance with and complaints made;
- to analyse the information we collect so that we can administer, support and improve and develop our business and the services we offer;
- to contact you in order to send you details of any changes to our services or supplies which may affect you;
- for all other purposes consistent with the proper performance of our operations and business; and
- to contact you for your views on our products and services.
Sharing of your information
The information you provide to us will be treated by us as confidential and will be processed only by our employees within the UK/European Economic Area (EEA). We may disclose your information to other third parties who act for us for the purposes set out in this notice or for purposes approved by you, including the following:
- if we enter into a joint venture with or merge with another business entity, your information may be disclosed to our new business partners or owners;
- if we instruct repair or maintenance works, your information may be disclosed to any contractor;
- if we are investigating a complaint, information may be disclosed to Police Scotland, local authority departments, Scottish Fire & Rescue Service and others involved in any complaint, whether investigating the complaint or otherwise;
- if we are updating tenancy details, your information may be disclosed to third parties (such as utility companies and local authority);
- if we are investigating payments made or otherwise, your information may be disclosed to payment processors, local authority and the Department for Work & Pensions;
- if we are conducting a survey of our products and/or service, your information may be disclosed to third parties assisting in the compilation and analysis of the survey results;
- if we are asked by HMRC in regard to taxation, your information may be accordingly disclosed;
- if we are acting as your representative in relation to a (for example) a benefit application, your information may be accordingly disclosed;
- If you provide our details as a referee, such as to provide a tenancy reference or recommendation in relation to the time you have been our customer.
To manage our business, we share data with the following companies:
- SME Professional – we use SME Professional to manage all aspects of property management for our landlords, tenants and potential tenants. use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/ (https://www.smeprofessional.co.uk/privacy-policy-third-party-applications/)
- Bulk SMS – we use Bulk SMS to send occasional text messages to our customers from our property management software. It stores the mobile phone numbers that we enter into it. (https://www.bulksms.com/company/data-protection-and-privacy-policy.htm)
- Google Inc. – We use Googledrive to store all of our electronic data. Google complies with the EU-U.S. Privacy Shield Frameworks. (Read Google Analytics’ Privacy Policy)
- Mailchimp software (The Rocket Science Group LLC d/b/a MailChimp ) – We use Mailchimp for sending newsletter and promotional emails. To do this Mailchimp stores user names, email addresses and analytical data. We use that data to ensure we only send emails relevant to the individual. The Rocket Science Group complies with the EU-U.S. Privacy Shield Frameworks. (https://mailchimp.com/legal/privacy/)
- Xero – we use Xero accounting software to manage all accounting requirements of our organisation. Xero use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see (https://aws.amazon.com/compliance/gdpr-center/) (https://www.xero.com/about/terms/privacy/)
- Fixflo – we use Fixflo to assist in our repairs management, enabling our tenants to report repairs and be provided with guidance at every step. Fixflo only stores the data provided by our tenants when reporting a repair. (http://help.fixflo.com/en/articles/327)
Unless required to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your consent.
Transfers outside the UK and Europe
We may transfer your information outside the UK and/or EEA.
Where information is transferred outside the UK or EEA we ensure that there are adequate safeguards in place to protect your information in accordance with this notice, including the following:
- Google Inc. – We use Googledrive to store all of our electronic data. Google complies with the EU-U.S. Privacy Shield Frameworks. (Read Google Analytics’ Privacy Policy)
- Mailchimp software (The Rocket Science Group LLC d/b/a MailChimp ) – We use Mailchimp for sending newsletter and promotional emails. To do this Mailchimp stores user names, email addresses and analytical data. We use that data to ensure we only send emails relevant to the individual. The Rocket Science Group complies with the EU-U.S. Privacy Shield Frameworks. (https://mailchimp.com/legal/privacy/)
- Xero – we use Xero accounting software to manage all accounting requirements of our organisation. Xero use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see (https://aws.amazon.com/compliance/gdpr-center/) (https://www.xero.com/about/terms/privacy/)
- SME Professional – we use SME Professional to manage all aspects of property management for our landlords, tenants and potential tenants. (https://www.smeprofessional.co.uk/privacy-policy-third-party-applications/) use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see (https://aws.amazon.com/compliance/gdpr-center/)
Security
When you give us information we take steps to make sure that your personal information is kept secure and safe.
- When we no longer require your data to process your request or manage our contractual obligations we will shred and delete all personal data in line with the timescales set out in appendix 1.
- All paper copies of data will be securely filed in an area where unauthorised persons cannot access it.
- Data that is stored electronically can only be accessed by employees of Homes for Good.
- Keys for all of the properties that we managed are tagged with codes that do not allow of the property to be identified.
How long we will keep your information
We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information), or as set out in any relevant contract we have with you.
Our full retention schedule is available in appendix 1 above.
Your rights
You have the right at any time to:
- ask for a copy of the information about you held by us in our records;
- require us to correct any inaccuracies in your information;
- make a request to us to delete what personal data we hold about you; and
- object to receiving any marketing communications from us.
If you would like to exercise any of your rights above please contact us at alice@homesforgood.org.uk. Should you wish to complain about the use of your information, we would ask that you contact us to resolve this matter in the first instance. You also have the right to complain to the Information Commissioner’s Office (ICO) in relation to our use of your information.
The ICO’s contact details are noted below:
The Information Commissioner’s Office – Scotland
45 Melville Street, Edinburgh, EH3 7HL
Telephone: 0131 244 9001
email:scotland@ico.org.uk
The accuracy of your information is important to us – please help us keep our records
updated by informing us of any changes to your email address and other contact details.
Appendix 3 – Model Data Sharing Agreement
DATA SHARING AGREEMENT
between
[insert name of letting agent], [insert address] (“[Party 1]“);
and
[Insert organisation name, a [e.g. Company] registered in terms of the Companies Acts with registered number [registered number] and having its registered office/main office at [address]] (“[Party 2]“) ]”);
(each a “Party” and together the “Parties“).
WHEREAS
- [insert name of party] (“[Party1]”) and [Insert name of party] (“[Party 2]”)intend that this data sharing agreement will form the basis of the data sharing arrangements between the parties (the “Agreement”); and
- The intention of the Parties is that they shall each be independent Data Controllers in respect of the Data that they process under this Agreement.
- Nothing in this Agreement shall alter, supersede, or in any other way affect the terms of [insert details of relationship/contract with Party 2]
NOW THEREFORE IT IS AGREED AS FOLLOWS:
- DEFINITIONS
- In construing this Agreement, capitalised words and expressions shall have the meaning set out opposite:
“Agreement” means this Data Sharing Agreement, as amended from time to time in accordance with its terms, including the Schedule;
“Business Day” means any day which is not a Saturday, a Sunday or a bank or public holiday throughout Scotland;
“Data” means the information which contains Personal Data and Sensitive Personal Data (both of which have the definition ascribed to them in Data Protection Law) described in Part 1;
“Data Controller” has the meaning set out in Data Protection Law;
“Disclosing Party” means the Party (being either [Party1] or [Party 2], as appropriate) disclosing Data (or on behalf of whom Data is disclosed to the Data Recipient);
“Data Protection Law” means Law relating to data protection, the processing of personal data and privacy from time to time, including:
- the Data Protection Act 1998;
- (with effect from 25 May 2018) the General Data Protection Regulation (EU) 2016/679;
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and
- any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union;
“Data Recipient” means the party (being either [Party1] or [Party 2], as appropriate) to whom Data is disclosed;
“Data Subject” means any identifiable individual to whom any Data relates: and the categories of data subjects within the scope of this Agreement are listed in Part 1;
“Data Subject Request” means a written request of either party as Data Controller by or on behalf of a Data Subject to exercise any rights conferred by Data Protection Law in relation to the data or the activities of the parties contemplated by this Agreement;
“Disclosing Party” means the party (being either [Party1] or [Party 2], as appropriate) disclosing Data to the Data Recipient;
“Information Commissioner” means the UK Information Commissioner and any successor;
“Law” means any statute, directive, other legislation, law or regulation in whatever form, delegated act (under any of the foregoing), rule, order of any court having valid jurisdiction or other binding restriction, decision or guidance in force from time to time;
“Legal Basis” means in relation to either Party, the legal basis for sharing the Data as described in Clause 2.3 and as set out in Part 2;
“Purpose” means the purpose referred to in Part 2;
“Representatives” means, as the context requires, the representative of [Party1] and/or the representative of [Party 2] as detailed in Part 4 of the Schedule. The same may be changed from time to time on notice in writing by the relevant Party to the other Party;
“Schedule” means the Schedule in 6 Parts annexed to this Agreement and a reference to a “Part” is to a Part of the Schedule; and
“Security Measures” has the meaning given to that term in Clause 2.4.6
- In this Agreement unless the context otherwise requires:
- words and expressions defined in Data Protection Law shall have the same meanings in this Agreement so that, in the case of Data Protection Law, words and expressions shall be interpreted in accordance with:
- the Data Protection Act 1998, in respect of processing undertaken on or before 24 May 2018;
- the General Data Protection Regulation (EU) 2016/679, in respect of processing undertaken on or after 25 May 2018; and
- in respect of processing undertaken on or after the date on which legislation comes into force that replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, that legislation;
- more generally, references to statutory provisions include those statutory provisions as amended, replaced, re-enacted for the time being in force and shall include any bye-laws, statutory instruments, rules, regulations, orders, notices, codes of practice, directions, consents or permissions and guidelines (together with any conditions attached to the foregoing) made thereunder;
- data sharing
Purpose and Legal Basis
- The Parties agree to share the Data for the Purpose set out in accordance with the provisions of Part 2 of the Schedule.
- Save as provided for in this Agreement, the Parties agree not to use any Data disclosed in terms of this Agreement in a way that is incompatible with the Purpose.
- Each Party shall ensure that it processes the Data fairly and lawfully in accordance with Data Protection Law and each Party as Disclosing Party warrants to the other Party in relation to any Data disclosed, that such disclosure is justified by a Legal Basis.
Parties Relationship
- The Parties agree that the relationship between them is such that any processing of the Data shall be on a Data Controller to Data Controller basis. The Data Recipient agrees that:
- it is a separate and independent Data Controller in respect of the Data that it processes under this Agreement, and that the Parties are not joint Data Controllers or Data Controllers in common;
- it is responsible for complying with the obligations incumbent on it as a Data Controller under Data Protection Law (including responding to any Data Subject Request);
- it shall comply with its obligations under Part 6 of the Schedule;
- it shall not transfer any of the Data outside the United Kingdom except to the extent agreed by the Disclosing Party;
- Provided that where the Data has been transferred outside the United Kingdom, the Disclosing Party may require that the Data is transferred back to within the United Kingdom:
- on giving not less than 3 months’ notice in writing to that effect; or
- at any time in the event of a change in Law which makes it unlawful for the Data to be processed in the jurisdiction outside the United Kingdom where it is being processed; and
- it shall implement appropriate technical and organisational measures including the security measures set out in Part 5 of the Schedule (the “Security Measures“), so as to ensure an appropriate level of security is adopted to mitigate the risks associated with its processing of the Data, including against unauthorised or unlawful processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or damage or access to such Data.
- The Disclosing Party undertakes to notify in writing the other as soon as practicable if an error is discovered in Data which has been provided to the Data Recipient, to ensure that the Data Recipient is then able to correct its records. This will happen whether the error is discovered through existing Data quality initiatives or is flagged up through some other route (such as the existence of errors being directly notified to the Disclosing Party by the Data Subjects themselves).
Transferring Data
- Subject to the Data Recipient’s compliance with the terms of this Agreement, the Disclosing Party undertakes to endeavour to provide the Data to the Data Recipient on a non-exclusive basis in accordance with the transfer arrangements detailed in Part 3 of the Schedule.
- BREACH NOTIFICATION
- Each Party shall, promptly (and, in any event, no later than 12 hours after becoming aware of the breach or suspected breach) notify the other party in writing of any breach or suspected breach of any of that Party’s obligations in terms of Clauses 1 and/or 2 and of any other unauthorised or unlawful processing of any of the Data and any other loss or destruction of or damage to any of the Data. Such notification shall specify (at a minimum):
- the nature of the personal data breach or suspected breach;
- the date and time of occurrence;
- the extent of the Data and Data Subjects affected or potentially affected, the likely consequences of any breach (in the case of a suspected breach, should it have occurred) for Data Subjects affected by it and any measures taken or proposed to be taken by that party to contain the breach or suspected breach; and
- any other information that the other Party shall require in order to discharge its responsibilities under Data Protection Law in relation to such breach or suspected breach.
- The Party who has suffered the breach or suspected breach shall thereafter promptly, at the other Party’s expense (i) provide the other Party with all such information as the other Party reasonably requests in connection with such breach or suspected breach; (ii) take such steps as the other Party reasonably requires it to take to mitigate the detrimental effects of any such breach or suspected breach on any of the Data Subjects and/or on the other Party; and (iii) otherwise cooperate with the other Party in investigating and dealing with such breach or suspected breach and its consequences.
- The rights conferred under this Clause 3 are without prejudice to any other rights and remedies for breach of this Agreement whether in contract or otherwise in law.
- Each Party shall, promptly (and, in any event, no later than 12 hours after becoming aware of the breach or suspected breach) notify the other party in writing of any breach or suspected breach of any of that Party’s obligations in terms of Clauses 1 and/or 2 and of any other unauthorised or unlawful processing of any of the Data and any other loss or destruction of or damage to any of the Data. Such notification shall specify (at a minimum):
- Duration, Review and amendment
- This Agreement shall come into force immediately on being executed by all the Parties and continue for [insert termination: this will be when Parties cease sharing data in terms of a contractual relationship with each other], unless terminated earlier by the Disclosing Party in accordance with Clause 4.5.
- This Agreement will be reviewed one year after it comes into force and every two years thereafter until termination or expiry in accordance with its terms.
- In addition to these scheduled reviews and without prejudice to Clause 4.5, the Parties will also review this Agreement and the operational arrangements which give effect to it, if any of the following events takes place:
- the terms of this Agreement have been breached in any material aspect, including any security breach or data loss in respect of Data which is subject to this Agreement; or
- the Information Commissioner or any of his or her authorised staff recommends that the Agreement be reviewed.
- Any amendments to this Agreement will only be effective when contained within a formal amendment document which is formally executed in writing by both Parties.
- In the event that the Disclosing Party has any reason to believe that the Data Recipient is in breach of any of its obligations under this Agreement, the Disclosing Party may at its sole discretion:
- suspend the sharing of Data until such time as the Disclosing Party is reasonably satisfied that the breach will not re-occur; and/or
- terminate this Agreement immediately by written notice to the Data Recipient if the Data Recipient commits a material breach of this Agreement which (in the case of a breach capable of a remedy) it does not remedy within five (5) Business Days of receiving written notice of the breach.
- Where the Disclosing Party exercises its rights under Clause 4.5, it may request the return of the Data (in which case the Data Recipient shall, no later than fourteen (14) days after receipt of such a written request from the Disclosing Party, at the Disclosing Party’s option, return or permanently erase/destroy all materials held by or under the control of the Data Recipient which contain or reflect the Data and shall not retain any copies, extracts or other reproductions of the Data either in whole or in part and shall confirm having done so to the other Party in writing), save that the Data Recipient will be permitted to retain one copy for the purpose of complying with, and for so long as required by, any law or judicial or administrative process or for its legitimate internal compliance and/or record keeping requirements.
- Liability
- Nothing in this Agreement limits or excludes the liability of either Party for:
- death or personal injury resulting from its negligence; or
- any damage or liability incurred as a result of fraud by its personnel; or
- any other matter to the extent that the exclusion or limitation of liability for that matter is not permitted by law.
- The Data Recipient indemnifies the Disclosing Party against any losses, costs, damages, awards of compensation, any monetary penalty notices or administrative fines for breach of Data Protection Law and/or expenses (including legal fees and expenses) suffered, incurred by the Disclosing Party, or awarded, levied or imposed against the other party, as a result of any breach by the Data Recipient of its obligations under this Agreement. Any such liability arising from the terms of this Clause 5.2 is limited to £ (STERLING) in the aggregate for the duration of this Agreement.
- Subject to Clauses 5.1 and 5.2 above:
- each Party excludes all liability for breach of any conditions implied by law (including any conditions of accuracy, security, completeness, satisfactory quality, fitness for purpose, freedom from viruses, worms, trojans or other hostile computer programs, non-infringement of proprietary rights and the use of reasonable care and skill) which but for this Agreement might have effect in relation to the Data;
- neither Party shall in any circumstances be liable to the other party for any actions, claims, demands, liabilities, damages, losses, costs, charges and expenses that the other party may suffer or incur in connection with, or arising (directly or indirectly) from, any use of or reliance on the Data provided to them by the other Party; and
- use of the Data by both Parties is entirely at their own risk and each party shall make its own decisions based on the Data, notwithstanding that this Clause shall not prevent one party from offering clarification and guidance to the other party as to appropriate interpretation of the Data.
- Nothing in this Agreement limits or excludes the liability of either Party for:
- DISPUTE RESolution
- The Parties hereby agree to act in good faith at all times to attempt to resolve any dispute or difference relating to the subject matter of, and arising under, this Agreement.
- If the Representatives dealing with a dispute or difference are unable to resolve this themselves within twenty (20) Business Days of the issue arising, the matter shall be escalated to the following individuals in Part 4 of the Schedule identified as escalation points who will endeavour in good faith to resolve the issue.
- In the event that the Parties are unable to resolve the dispute amicably within a period of twenty (20) Business Days from date on which the dispute or difference was escalated in terms of Clause 6.2, the matter may be referred to a mutually agreed mediator. If the identity of the mediator cannot be agreed, a mediator shall be chosen by the Dean of the Royal Faculty of Procurators in Glasgow.
- If mediation fails to resolve the dispute or if the chosen mediator indicates that the dispute is not suitable for mediation, and the Parties remain unable to resolve any dispute or difference in accordance with Clauses 6.1 to 6.3, then either Party may, by notice in writing to the other Party, refer the dispute for determination by the courts in accordance with Clause 9.
- The provisions of Clauses 6.1 to 6.4 do not prevent either Party from applying for an interim court order whilst the Parties attempt to resolve a dispute.
- NOTICES
- Any Notices to be provided in terms of this Agreement must be provided in writing and addressed to the relevant Party in accordance with the contact details noted in Part 4 of the Schedule, and will be deemed to have been received (i) if delivered personally, on the day of delivery; (ii) if sent by first class post or other next working day delivery, the second day after posting; (iii) if by courier, the date and time the courier’s delivery receipt if signed; or (iv) if by fax, the date and time of the fax receipt.
- Governing law
- This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) (a “Dispute”) shall, in all respects, be governed by and construed in accordance with the law of Scotland. Subject to Clause 6, the Parties agree that the Scottish Courts shall have exclusive jurisdiction in relation to any Dispute.
IN WITNESS WHEREOF these presents consisting of this and the preceding [enter number or pages] pages together with the Schedule in 6 parts hereto are executed by the Parties hereto as follows:
On behalf of [Party1] at
on | ||
by
| ||
Print Full Name
before this witness
| Director/Secretary/Authorised Signatory | |
Print Full Name
| Witness | |
Address
| ||
On behalf of [Party 2] at
on | ||
by
| ||
Print Full Name
before this witness
| Director/Secretary/Authorised Signatory | |
Print Full Name
| Witness | |
Address
| ||
This is the Schedule referred to in the foregoing Data Sharing Agreement between [Party1] and [Party 2]
Schedule Part 1 – Data
Drafting note: This part should contain details of the personal data to be shared between parties and will need to be populated on a case by case basis when utilising this agreement.
DATA SUBJECTS
For the purposes of this Agreement, Data Subjects are all living persons about whom information is transferred between the Parties.
Schedule Part 2: Purpose and Legal Basis for Processing
Purpose
The Parties are exchanging Data to allow [insert details].
Legal Basis
[insert details – this will require specific requirements to be drafted in to the model agreement depending on the relationship between [Party1] and Party 2]
Schedule Part 3 – Data Transfer Rules
Information exchange can only work properly in practice if it is provided in a format which the Data Recipient it can utilise. It is also important that the Data is disclosed in a manner which ensures that no unauthorised reading, copying, altering or deleting of personal data occurs during electronic transmission or transportation of the Data. The Parties therefore agree that to the extent that data is physically transported, the following media are used:
- Face to face
- Secure email
- Courier
- Encrypted removable media
- [insert further methods of transport of data (and delete above if desired)]
The data is encrypted, with the following procedure(s):
- [insert details]
Schedule Part 4 – REPRESENTATIVES
Contact Details
[Party1]
Name:
Job Title:
Address:
email:
Telephone Number:
[Party 2]
Name:
Job Title:
Address:
email:
Telephone Number:
Schedule part 5 – Security measures
- The Parties shall each implement an organisational information security policy.
- Physical Security
- Any use of data processing systems by unauthorised persons must be prevented by means of appropriate technical (keyword / password protection) and organisational (user master record) access controls regarding user identification and authentication. Any hacking into the systems by unauthorised persons must be prevented. Specifically, the following technical and organisational measures are in place:
The unauthorised use of IT systems is prevented by:
- User ID
- Password assignment
- Lock screen with password activation
- Each authorised user has a private password known only to themselves
- Regular prompts for password amendments [Delete/amend as appropriate]
The following additional measures are taken to ensure the security of any Data:
- Network Username
- Network Password
- Application Username
- Application Password
- Application Permissions and access restricted to those who require it (Drafting note: though this is no longer recommended so individual members may wish to delete)
[Delete/amend as appropriate]
- Disposal of Assets
- Where information supplied by a Party no longer requires to be retained, any devices containing Personal Data should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function.
- Malicious software and viruses
Each Party must ensure that:
- PCs used in supporting the service are supplied with anti-virus software and anti-virus and security updates are promptly applied.
- All files received by one Party from the other are scanned to ensure that no viruses are passed.
- The Parties must notify each other of any virus infections that could affect their systems on Data transfer.
Appendix 4 – Data Protection Statement of
Requirements for Data Processors
DATA PROTECTION STATEMENT OF REQUIREMENTS FOR DATA PROCESSORS
I/We, Homes for Good (Scotland) CIC, (“the Data Controller”) as the Data Controller require, pursuant to or in connection with the Principal Agreement/Contract, I/we have with you, [insert organisation name who is being contracted with] [insert designation – registered in terms of the Companies Acts with registered number [registered number] and having its registered office/main office at [insert address]], (“the Data Processor”), that you are compliant with the General Data Protection Regulation 2016/679, and any subsequently enacted legislation in furtherance of Data Protection. Within this document, we state what we require of you as the Data Processor in order to be compliant. Should you have any questions regarding the contents of this document, you should contact [insert point of contact for data protection/GDPR within your operations].
- Definitions
- Applicable Laws shall mean (a) European Union or member state laws with respect to any Company Personal Data in respect of which any Company Group Member is subject to EU Data Protection laws; and (b) any other applicable law with respect to any Controller Personal Data in respect
- Controller Personal Data shall mean any personal data processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Principal Agreement or Contract;
- Principal Agreement/ Contract shall mean the main contract or agreement of services or other activities existing between the Data Controller and Data Processor;
- Subprocessor shall mean any person (including any third party, but excluding an employee of the Processor or any of its sub-contractors) appointed by or on behalf of Processor which is engaged in the processing of personal data on behalf of the Controller in connection with the Principal Agreement/Contract;
- Processor and Personnel
- The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Controller Personal Data; and
- The Processor must ensure that access to the Controller Personal Data is strictly limited to those individuals who need to know or need to access this data.
- Security
- The Processor must, when processing Controller Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk; and
- In assessing the appropriate level of security, the Processor shall take into account in particular the risks that are presented by processing, in particular a Personal Data Breach.
- Subprocessing
- The Controller authorises the Processor to appoint (and permit each Subprocessor appointed to appoint) Subprocessors;
- This is only insofar as prior written notice is given of its intention to appoint a Subprocessor, including within this, the scope of processing that shall be undertaken by the Subprocessor, and that the Controller thereafter provides prior written consent of such appointment;
- The Processor may continue to use those Subprocessors already engaged by the Processor as at 25 May 2018, so long as such Subprocessors are able to meet the obligations under section 4.5; and
- The Processor must ensure that it undertakes adequate due diligence of the Subprocessor, and their systems, prior to their processing of Controller Personal Data to warrant that there is a level of protection as mandated in the Principal Agreement.
- The Controller authorises the Processor to appoint (and permit each Subprocessor appointed to appoint) Subprocessors;
- Data Subject Rights
- The Processor must ensure that have appropriate technical and organisational measures so as to assist in the fulfilment of the Controller’s obligations to respond to requests by any Data Subject under any Applicable Law;
- The Processor must notify the Controller on receipt by them, or any Subprocessor, of a request from a Data Subject under any Applicable Law; and
- The Processor must ensure that no response is given to any such request by the Processor or the Subprocessor, except on documented instructions of the Controller, or as required by the Applicable Laws to which the Processor is subject, in which latter case, the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the Contracted Processor responds to the request.
- Personal Data Breach
- The Processor must notify the Controller without undue delay upon the Processor or any Subprocessor becoming aware of a Personal Data Breach affecting the Controller Personal Data, providing the Controller with sufficient information to allow them to meet any obligations under the Applicable Laws.
- The Processor shall co-operate with the Controller, and at their own expense take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation
- The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessment and Prior consultations with Supervising Authorities.
- Deletion or return of Controller Personal Data
- The Processor must promptly and in any event, within seven (7) days of the termination or conclusion of any Services involving the processing of Controller Personal Data (“Cessation Date”), delete and procure the deletion of all copies of any Controller Personal Data.
- The Controller may also, at its own discretion, by providing seven days written notice of the Cessation Date, require the Processor, to:
- Return a complete copy of all Controller Personal Data to the Controller by secure file transfer in such a format as is reasonably notified by the Controller to the Processor; and
- Delete and procure the deletion of all other copies of Controller Personal Data that they, or any Subprocessor, have.
- The Processor must only do what is required under Clause 8.1 and 8.2 to the extent that the Applicable Laws do not require them to retain such information. In such event, the Processor must ensure the confidentiality of all such Controller Personal Data, and that it is processed, for such periods as mandated, only insofar as said Applicable Laws require it to be processed.
- The Processor must provide written certification, within 14 days of the Cessation Date, to the Controller that it has fully complied with their obligations under this Clause.
- Audit Rights
- The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Statement, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller Personal Data by the Processor;
- The Controller shall give the Processor reasonable notice of any audit or inspection to be conducted, and shall make reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while the Controller’s personnel are on those premises in the course of such an audit or inspection; or
- The Processor need not give access to its premises for the purposes of an audit or inspection to any individual unless they produce reasonable evidence of identity and authority; or outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller has given notice that this will be the case.