Data Handling Policy
The management of personal data in both paper and electronic form is done in accordance with the statutory requirements of the General Data Protection Regulation Act (GDPR).
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
As part of Swansea4students Ltd's role as a letting agent, the office and staff will have access to some personal data and will ensure that all personal data is processed fairly and lawfully.
Reasons/purposes for processing information
Swansea4students Ltd process personal information to enable them as a letting agent to carry out property management services; promote and advertise their services; maintain their own accounts and records; and support and manage their employees.
Type/classes of information processed
Swansea4students Ltd process information relevant to the above reasons/purposes.
This may include:
- Personal details
- Family details
- Lifestyle and social circumstances
- Employment and education details
- Goods and services
- Financial details
- All information contained in references
Swansea4students Ltd also process sensitive classes of information that may include:
- Racial or ethnic origin
- Religious or other beliefs
- Trade union membership
- Physical or mental health details
Who the information is processed about
Swansea4students Ltd process personal information about:
- Professional advisers and consultants
- Complainants, enquirers
Who the information may be shared with
Swansea4students Ltd sometimes need to share the personal information they process with the individual themselves and with other organisations. Where this is necessary they will comply with all aspects of the GDPR and Data Protection Act (DPA). What follows is a description of the types of organisations with which they may need to share some of the personal information they process, for one or more reasons.
Where necessary or required they share information with:
- Business associates
- Suppliers of goods or services
- Financial organisations
- Credit reference agencies
- Debt collection and tracing agencies
- Local and central government
- Police forces
- Current, past and prospective employers
- Employment and recruitment agencies
- Educators and examining bodies
- Other companies in the same group
Swansea4students Ltd are responsible for ensuring that the data handling policy is followed by the members of the establishment and that they respect the GDPR.
The staff are responsible for their safe handling of the office's available, and potentially sensitive, data. Staff need to adhere to the GDPR.
As with staff members of Swansea4students Ltd, directors will need to adhere to the same rules as other members of staff when, as part of their role, they have access to data.
Swansea4students Ltd ensure all members of staff comply with GDPR by way of signing a data protection declaration and undertaking staff training.
Training and CPD
All staff are trained on electronic data handling and need to be reminded of their responsibilities, as per this policy.
Training normally takes the form of an induction, as well as third party training, such as online training, as part of Safeguarding. Any relevant updates involving the emergence of new technology will be given as they arise.
Swansea4students Ltd ensure there is a contract between the controller (individual responsible for determining the purposes and means of processing personal data) and the processor(s) (individual responsible for processing personal data on behalf of a controller) to ensure both parties understand their responsibilities and liabilities under the GDPR.
Swansea4students Ltd ensure that written records are kept and made available on the request of the Information Commissioner's Office (ICO) in relation to their processing activities.
Both controllers and processors have documentation obligations and are responsible for maintaining these records.
Data Protection Impact Assessment
Swansea4Students Ltd will conduct a Data Protection Impact Assessment (DPIA) when processing certain data is likely to result in a high risk to individuals' interests. Staff undertake training so that they understand the need to consider a DPIA at the early stages of any plan involving personal data.
Codes of conduct and certification
Swansea4Students Ltd are registered with the ICO under the registration reference:
Staff undertake third party GDPR training and are provided with certification of achievement, with the aim of improving standards by establishing best practice.
Swansea4students Ltd recognises that under GDPR data subjects have a number of rights in connection with their personal data. The rights for individuals are as follows:
- The right to be informed - You have the right to be informed about the collection and use of your personal data
- The right of access - You have the right to access all information held about you
- The right of rectification - You have the right to correct any information held on you if you think it is inaccurate or incomplete
- The right of erasure - You have the right to request the deletion of your personal information
- The right to restrict processing - You have the right to request information to be stored but not used
- The right of data portability - You have the right to have information in a portable format so you can reuse your information
- The right to object - You have the right to object to direct marketing, profiling and research
- Rights related to automated decision making including profiling - Swansea4students Ltd do not have any automated decision making without human involvement
Swansea4Students Ltd ensure that data subjects are provided with information on rights 1-8 in a concise way that is transparent, intelligible, easily accessible and uses clear and plain language.
Personal and sensitive data will only be accessed on machines that are securely password protected. Any device that can be used to access data is locked if left (even for very short periods). Auto lock will be enabled when devices are left unattended.
Swansea4students Ltd encourage users to have strong passwords, which are changed regularly. User passwords must never be shared.
Storage media is stored in a secure and safe environment that avoids physical risk, loss or electronic degradation.
Personal data is only stored on Swansea4students Ltd equipment (this includes computers and portable storage media). Private equipment is not to be used for the storage of personal data. Where personal devices are used to access data remotely, passwords are not to be stored on the device and personal data is not to be downloaded. When personal data is stored on any mobile device or removable media:
- The data is encrypted and password protected
- It has virus and malware checking software
- The data is securely deleted from the device, in line with Swansea4students Ltd policy (see guidance below) once it has been transferred or its use is complete.
Swansea4students Ltd does not recommend the use of “Cloud Based Storage Systems” (for example Dropbox, Google Apps and Google Docs).
Swansea4Students Ltd are responsible for the security of any data passed to a “third party”. Data Protection clauses will be included in all contracts where data is likely to be passed to a third party.
All paper based Protected and Restricted (or higher) material is held in lockable storage, either on or off site.
Secure transfer of data and access out of office
On occasion it may be necessary for personal data to be accessed or transferred by users out of office. In these circumstances:
- Before removing or copying sensitive, restricted or protected data the user must gain permission from the data controller and ensure the media is encrypted and password protected and is transported and stored securely.
It may sometimes be necessary to transfer personal information overseas. In these circumstances:
- Information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act.
Swansea4students Ltd comply with the requirements for the safe destruction of personal data when it is no longer required. The GDPR states that “data shall not be kept for longer than is necessary”. Swansea4students Ltd will generally hold your information for the whole time of your contract and for a period of 5 years after your tenancy has ended. They will also hold information for the period when assisting you with finding accommodation. The disposal of personal data, in either paper or electronic form, is conducted in a way that makes reconstruction highly unlikely. Electronic files are securely overwritten, in accordance with government guidance, and other media is shredded, incinerated or otherwise disintegrated for data.
Swansea4students Ltd do not subscribe to cloud based services. If this decision changes, they would carry out a thorough investigation before moving to a cloud system. If staff employed by Swansea4students Ltd choose to subscribe to cloud based services outside of office, it is their responsibility to ensure that only non-personal and non-sensitive data is saved to the cloud.
Swansea4students Ltd adhere to the Privacy and Electronic Communications Regulations, which protect staff and individuals' privacy.
Data Breach and reporting incidents
Swansea4students Ltd have appropriate technical and organizational measures in place against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Logs are kept providing evidence of accidental or deliberate data security breaches by a controller, processor or third parties – including loss of protected data or breaches of an acceptable use. All significant data protection incidents which risk people’s rights and freedoms will be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
Not all individual rights will apply in all circumstances. Please contact our Data Protection Officer (DPO) if you wish to exercise any of your rights or if you're unhappy with the way Swansea4students Ltd are handling your information and wish to raise a complaint.
You also have the right to complain to the ICO, which is the regulator for data protection laws: https://ico.org.uk/concerns/