Data Protection Policy

1.  Introduction

This Policy sets out the obligations of The Letting Partnership (“the Company”) with regard to data protection and the rights of customers (“data subjects”) in respect of their personal data under the Data Protection Act 2018 and the General Data Protection Regulation. (“the Act”).

This Policy sets out the procedures that are to be followed when dealing with personal data.  The procedures set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

The Company is committed not only to the letter of the law but also to the spirit of the law and places a high premium on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals.

The Company is registered with the Information Commissioner as a data controller under the register held by the Information Commissioner pursuant to Section 19 of the Act.

This data protection policy ensures the company:

  • Complies with the data protection laws and follows good practice and codes of conduct
  • Protects the rights of all natural living persons on which it controls and processes data
  • Is open about how the organisation controls and processes a natural living person’s data
  • Protects itself from the risks of data breach and information leakage
  • Protect its proprietary information

2.  The Data Protection Law

The Data Protection Act (DPA)

DPA describes how organisations — including the company— must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  • Be processed fairly and lawfully meaning that at least one of the following conditions must be met:
    • The data subject has given his or her consent to the processing;
    • The processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract;
    • The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
    • The processing is necessary in order to protect the vital interests of the data subject;
    • The processing is necessary for the administration of justice, for the exercise of any functions of either House of Parliament, for the exercise of any functions conferred on any person by or under any enactment, for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or for the exercise of any other functions of a public nature exercised in the public interest by any person;
    • The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
  • Be obtained only for specified and lawful purposes and shall not be processed in any manner which is incompatible with those purposes;
  • Be adequate, relevant and not excessive with respect to the purposes for which it is processed;
  • Be accurate and, where appropriate, kept up to date;
  • Be kept for no longer than is necessary in light of the purpose(s) for which it is processed;
  • Be processed in accordance with the rights of data subjects under the Act
  • Be protected against unauthorised or unlawful processing, accidental loss, destruction or damage through appropriate technical and organisational measures; and
  • Not be transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

3.  Regulation (EU) 2016/679 General Data Protection Regulation (GDPR)

GDPR describes how organisations — including the company— must collect, handle and store personal information.

Article 5 of the GDPR requires that personal data shall be:

3.1  processed lawfully, fairly and in a transparent manner in relation to individuals;

3.2  collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

3.3  adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

3.4  accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;

3.5  kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is to be processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

3.6  Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

4.  Individuals Rights

The GDPR provides the following rights for individuals:

  1.   The right to be informed
  2.   The right of access
  3.   The right to rectification
  4.   The right to erasure
  5.   The right to restrict processing
  6.   The right to data portability
  7.   The right to object
  8.   Rights in relation to automated decision making and profiling.

5.  Scope

This policy applies to:

  • The head office of the company
  • All employees of the company
  • All contractors, agents, contractors, suppliers and other parties working on behalf of the company

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the DPA or GDPR.

This can include but is not limited to:

  • Any other information from which an individual’s identity can be inferred.
  • Information relating to credit history
  • Information concerning physical or mental health
  • The company’s proprietary Information.
  • Any proprietary information belonging to third parties that the company is contractually obligated to protect.

5.1  Data protection risks

This policy helps to protect the company from some very real data security risks, including:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
  • Damage to business operations through the disclosure of proprietary information

6.  Responsibilities

Everyone who works for or with the company has some responsibility for ensuring data is controlled and processed in a compliant manner.

Each team that handles sensitive data must ensure that it is handled and processed in line with this policy and the eight data protection principles of the DPA.

7.  The Principles of Data Protection

7.1  Fair, lawful and transparent conditions for processing

The Company will ensure any processing of personal data has a documented legal basis. All parties who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice/policy or a fair processing notice.

7.2  Privacy Notices/Policies

To ensure fair, lawful and transparent processing, Privacy Notices shall be issued to data subjects to make them aware of how the company intends to use and protect their data.

These notices:

  • State the purposes of processing data.
  • State the information that is to be held
  • State the legal basis for processing data
  • State the length of time that the data will be retained for
  • State the measures taken to protect all data held
  • State the third parties that can access this data
  • Provides the contact details of the third parties’ Client Services Manager
  • Inform the data subjects of their rights

7.2  Accuracy

The company shall ensure that any personal data processed is accurate and up to date when collecting or processing data.

Data subjects have a responsibility to take reasonable steps to ensure that any personal data the company holds is accurate and updated as required. For example, if their personal circumstances change, they should inform the company so that their records can be updated.

7.3  Adequacy and relevance

The company shall ensure that any personal data collected is used only for the purpose for which it was obtained. Personal data obtained for one purpose shall not be used for any unconnected purpose unless the individual concerned has provided consent or there is a legal obligation to do otherwise.

7.4  Data retention

The company will retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with the company’s data retention guidelines. This retention does not affect the subject’s right to erasure. Assets should be disposed of by following the disposals procedure outlined I below:

  • paper records to be shredded;
  • digital records (including emails) to be permanently deleted;
  • computer devices no longer used to have their hard drive removed and destroyed before disposal.

7.5  Data Security

The Company shall keep sensitive data secure against loss, misuse or unauthorised disclosure. Where other organisations process personal data as a service on behalf of the company, there must be contractual clauses to provide the same level of data protection as the company.

Data Protection Procedures
The Company shall ensure that all of its employees, agents, contractors, or other parties working on behalf of the Company comply with the following when working with personal data:

  • All emails containing personal data should be encrypted;
  • Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;
  • Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
  • Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted.  All temporary files associated therewith should also be deleted;
  • Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
  • Where Personal data is to be transferred in hardcopy form it should be passed directly to the recipient or sent via courier.
  • No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the Business Operations Manager.
  • All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet or similar;
  • No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of the Business Operations Manager.
  • Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time;
  • If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
  • Any unwanted copies of personal data (i.e. printouts or electronic duplicates) that are no longer needed should be disposed of securely. Hardcopies should be shredded and electronic copies should be deleted.
  • No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the Business Operations Manager and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
  • No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Act (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken);
  • All personal data stored electronically should be backed up daily with backups stored onsite and offsite. All backups should be encrypted.
  • All electronic copies of personal data should be stored securely using passwords and encryption;
  • All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. All software used by the Company is designed to require such passwords;
  • Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.  IT staff do not have access to passwords;
  • All personal data held by the Company shall be regularly reviewed for accuracy and completeness. Where the Company has regular contact with data subjects, any personal data held about those data subjects should be confirmed at least annually. If any personal data is found to be out of date or otherwise inaccurate, it should be updated and/or corrected immediately where possible.  If any personal data is no longer required by the Company, it should be securely deleted and disposed of;
  • Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of the Business Operations Manager to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service.

Organisational Measures
The Company shall ensure that the following measures are taken with respect to the collection, holding and processing of personal data:

  • The Company has appointed the Client Services Manager with the specific responsibility of overseeing data protection and ensuring compliance with this Policy and with the Act. The Client Services Manager shall in particular be responsible for:
    • Overseeing the implementation of, and compliance with this Policy, working in conjunction with the relevant employees, managers and/or department heads, agents, contractors and other parties working on behalf of the Company;
    • Organising suitable and regular data protection training and awareness programmes within the Company;
    • Reviewing this Policy and all related procedures not less than annually
  • All employees, agents, contractors, or other parties working on behalf of the Company are made fully aware of both their individual responsibilities and the Company’s responsibilities under the Act and under this Policy, and shall be provided with a copy of this Policy;
  • Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to and use of personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
  • All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
  • All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
  • Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed;
  • The Performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
  • All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the Act and this Policy by contract;
  • All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the Act;
  • Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

Privacy by design and default

The company shall follow the principle of privacy by design and default. This is an approach to projects that promote privacy and data protection compliance from the start. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

7.7  Data protection Impact Assessments (DPIA)

Where processing personal information is likely to result in a risk to the rights and freedoms of the data subjects, a data protection impact assessment shall be carried out and the results shall be implemented and incorporated into the project. Records of all DPIAs shall be kept.

7.8  Storing data

All data controlled by the company must be kept in a secure manner. In cases where data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed. Data stored on a computer should be protected by security software and strong firewalls. It is company policy to prohibit the use of removable media devices such as CDs, DVDs, external hard drives, USB memory sticks (or flash drives). Data should be regularly backed up in line with the company’s continuity and disaster recovery plans. All servers containing sensitive data must be approved and protected by security software and strong firewalls.

7.9  Transferring data internationally

The company complies with the strict restrictions on transferring data internationally. No data can be transferred without first obtaining prior explicit consent from the data subject.

 

8.  Data Subject rights

8.1  Processing data in accordance with the individual’s rights

The company shall abide by the data subject’s rights laid out in both the DPA and GDPR. Any request from an individual shall be handled by the Client Services Manager and a response issued within a month.

8.2  Consent

Where the company uses consent as the legal basis for processing data, there must be a record of the data subject’s active consent. Consent should be gathered in the manner outlined in the Consent Management Procedure. The data subject has the right to withdraw this consent at any time. This right does not affect any of the other rights.

In cases where sensitive personal data is processed, the data subject’s explicit consent to this processing will be required, unless exceptional circumstances apply or there is a legal obligation to do this (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

8.3  The right to be informed

Under GDPR data subjects have the right to be informed about how their data is processed. To comply with this right, the company provides the required information in its Privacy Policy (Fair Processing Notice).

8.4  The right of access

Under the Data Protection Act, data subjects are entitled, subject to certain exceptions, to request access to information held about them by the Company.

These ‘Subject Access Requests’ (SARs) must be made in writing

When handling these requests, a response must be made to the data subject within one month.  The following information will be provided to the data subject:

  • Whether or not the Company holds any personal data on the data subject;
  • A description of any personal data held on the data subject;
  • Details of what that personal data is used for;
  • Details of any third-party organisations that personal data is passed to; and
  • Details of any technical terminology or codes.

The requests must be recorded and monitored and the process from the Subject Access Request Procedure should be followed.

8.5  The right to data portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.

Under GDPR data subjects can request that their personal data is transferred from one data controller to another.

When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the following procedure should be followed:

  • Verify the identity of the data subject making the request;
  • Identify where the data is held;
  • Contact the data controller in the request and agree a format to transfer the data;
  • Transfer the data to the controller in the request in the agreed format;
  • Confirm to the data subject that the data has been transferred

8.6  The right to rectification

Under GDPR data subjects can request that personal information held on them is corrected.

These requests shall be passed to the Client Services Manager to handle.  When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the procedure below should be followed:

  • Verify the identity of the data subject making the request;
  • Identify where the data is held;
  • Rectify the data held using the information provided by the data subject;
  • Confirm to the data subject that the data has been rectified.

8.7  The right to erasure

Under GDPR data subjects may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the procedure below should be followed:

  • Verify the identity of the data subject making the request;
  • Identify where the data is held;
  • Delete or destroy the data as requested;
  • Confirm to the data subject that the data has been erased.

8.8  The right to restrict processing

Under GDPR data subjects can request a restriction of processing on their personal data in instances where the data subject does not wish for their data to be erased but does not want the data processed.

These requests shall be passed to the Client Services Manager to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the procedure below should be followed:

  • Verify the identity of the data subject making the request;
  • Identify where the data is held;
  • Verify that the request is valid
  • Stop using the data as requested
  • Confirm to the data subject that the data has been erased
  • Where fulfilling contract or obligation the right of restriction does not apply

8.9  The right to object

Under GDPR data subjects can object to processing if they suspect that their data is being processed illegally. Following an objection, the data controller is required to investigate the claim and communicate the results to the data subject.

These requests shall be passed to the Client Services Manager to handle. When handling these requests, a response must be made to the data subject within one month. The requests must be recorded and monitored and the procedure below should be followed:

  • Identify where the data is held;
  • Investigate the reason for using the data
  • Confirm to the data subject the reason for using the data
  • Either stop using the data or continue to use it if the reason is valid

8.10  Rights in relation to automated decision making and profiling

This does not apply at this time.

 9.  Personal Data

Personal data is defined by the Act as data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The Company only holds personal data that is directly relevant to its dealings with a given data subject.  That data will be collected, held, and processed in accordance with the data protection principles and with this Policy.  The following data may be collected, held and processed by the Company:

  • Data about your company including bank details for billing purposes (“company data”)
  • Data about your staff including names, email addresses and telephone numbers (“staff data”)
  • Landlord, tenant and contractor data that you store on our services (“client data”)

10.  Processing Personal Data

Any and all personal data collected by the Company (as detailed in Part 9 of this Policy) is collected in order to ensure that the Company can provide the best possible service to its customers, and can work effectively with its partners, associates and affiliates and efficiently manage its employees, contractors, agents and consultants.  The Company may also use personal data in meeting certain obligations imposed by law.

Personal data may be disclosed within the Company, provided such disclosure complies with this Policy.  Personal data may be passed from one department to another in accordance with the data protection principles and this Policy.  Under no circumstances will personal data be passed to any department or any individual within the Company that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.

In particular, the Company shall ensure that:

  • All personal data collected and processed for and on behalf of the Company by any party is collected and processed fairly and lawfully;
  • Data subjects are always made fully aware of the reasons for the collection of personal data and are given details of the purpose(s) for which the data will be used;
  • Personal data is only collected to the extent that is necessary to fulfil the purpose(s) for which it is required;
  • All personal data is accurate at the time of collection and kept accurate and up to date while it is being held and/or processed;
  • No personal data is held for any longer than necessary in light of the purpose(s) for which it is required;
  • All personal data is held in a safe and secure manner, as detailed in Part 7.5 of this Policy, taking all appropriate technical and organisational measures to protect the data;
  • All personal data is transferred securely, whether it is transmitted electronically or in hard copy.
  • No personal data is transferred outside of the European Economic Area (as appropriate) without first ensuring that the destination country offers adequate levels of protection for personal data and the rights of data subjects; and
  • All data subjects can fully exercise their rights with ease and without hindrance.

11.  Notification to the Information Commissioner’s Office (ICO)

As a data controller, the Company is required to notify the Information Commissioner’s Office that it is processing personal data.  The Company is registered in the register of data controllers, registration number: Z8961940.

Data controllers must renew their notification with the Information Commissioner’s Office on an annual basis.  Failure to notify constitutes a criminal offence.

Any changes to the register must be notified to the Information Commissioner’s Office within 28 days of taking place.

The Client Services Manager shall be responsible for notifying and updating the Information Commissioner’s Office.

12.  Implementation of Policy

This Policy shall be deemed effective as of May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.