Data Protection Policy
Hits Homes Trust needs to collect and use certain types of information about the
Data Subjects who come into contact with it in order to carry on our work. This
personal information must be collected and dealt with appropriately– whether on
paper, in a computer, or recorded on other material – and there are safeguards to
ensure this under the Data Protection Act 1998.
The following list below of definitions of the technical terms we have used and is
intended to aid understanding of this policy.
Data Controller – The person who (either alone or with others) decides what
personal information Hits Homes Trust will hold and how it will be held or used.
Data Protection Act 1998 – The UK legislation that provides a framework for
responsible behaviour by those using personal information.
Data Protection Officer – The person(s) responsible for ensuring that it follows its
data protection policy and complies with the Data Protection Act 1998
Data Subject/Service User – The individual whose personal information is being held
or processed by Hits Homes trust (for example: a client, an employee, a supporter)
‘Explicit’ consent – is a freely given, specific and informed agreement by a Data
Subject (see definition) to the processing* of personal information* about her/him.
Explicit consent is needed for processing sensitive* data
* See definition
Notification – Notifying the Information Commissioner about the data processing
activities of Hits Homes trust as certain activities may be exempt from notification.
Information Commissioner – The UK Information Commissioner responsible for
implementing and overseeing the Data Protection Act 1998.
Processing – means collecting, amending, handling, storing or disclosing personal
Personal Information – Information about living individuals that enables them to be
identified – e.g. name and address. It does not apply to information about
organisations, companies and agencies but applies to named persons, such as
individual volunteers or employees within Hits Homes Trust.
Sensitive data – means data about:
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs
• Trade union membership
• Physical or mental health
• Sexual life
• Criminal record
• Criminal proceedings relating to a data subject’s offences
Hits Homes Trust is the Data Controller under the Act, which means that it
determines what purposes personal information held will be used for. It is also
responsible for notifying the Information Commissioner of the data it holds or is likely
to hold, and the general purposes that this data will be used for.
Hits homes Trust may share data with other agencies such as the local authority,
funding bodies and other voluntary agencies.
The Data Subject will be made aware in most circumstances how and with whom
their information will be shared. There are circumstances where the law allows Hits
Homes Trust to disclose data (including sensitive data) without the data subject’s
consent. Hits Homes Trust will endeavor to get specific written consent for sensitive
information wherever possible. Processing may be necessary to operate Hits Homes
Trust policies such as Whistle Blowing, Child Protection, Adults who are vulnerable
and Health & Safety. Unless already specified, a third party will have to show signed
consent for receiving personal data.
1. Carrying out a legal duty or as authorised by the Secretary of State
2. Protecting vital interests of a Data Subject or other person
Information that is already in public domain is exempt from the 1998 Act.
3. Information that is already in public domain is exempt from the 1998
4. Conducting any legal proceedings, obtaining legal advice or defending
any legal rights
5. Monitoring for equal opportunities purposes – i.e. race, disability or
6. Providing a confidential service where the Data Subject’s consent cannot
be obtained or where it is reasonable to proceed without consent: e.g. where we
would wish to avoid forcing stressed or ill Data Subjects to provide consent
Purposes for Which Personal Data may be Held
Personal data relating to employees may be collected primarily for the purposes of:
• recruitment, promotion, training, redeployment, and/or career
• administration and payment of wages and sick pay;
• calculation of certain benefits including pensions;
• disciplinary or performance management purposes;
• performance review;
• recording of communication with employees and their representatives;
• compliance with legislation;
• provision of references to financial institutions, to facilitate entry onto
educational courses and/or to assist future potential employers; and educational
courses and/or to assist future potential employers; and
• staffing levels and career planning.
The organisation considers that the following personal data falls within the categories
set out above:
• personal details including name, address, age, status and qualifications.
Where specific monitoring systems are in place, ethnic origin and nationality will also
be deemed as relevant;
• references and CVs;
• emergency contact details;
• notes on discussions between management and the employee;
• appraisals and documents relating to grievance, discipline, promotion,
demotion, or termination of employment;
• training records;
• salary, benefits and bank/building society details; and
• absence and sickness information.
Tenant’s date kept for:
• Support Planning
Hits Homes Trust intends to ensure that personal information is treated lawfully and
Hits Homes Trust fully endorses and adheres to the eight principles of the Data
Protection Act. These principles specify the legal conditions that must be satisfied in
relation to obtaining, handling, processing, transportation, and storage of personal
data. Employees and any others who obtain, handle, process, transport and store
personal data for the Law Society must adhere to these principles.
Specifically, the Principles require that personal data shall:
1. Shall be processed fairly and lawfully and, in particular, shall not be
processed unless specific conditions are met;
2. Shall be obtained for a specified and lawful purpose and shall not be
processed in any manner incompatible with that purpose;
3. Shall be adequate, relevant and not excessive in relation to those
4. Shall be accurate and, where necessary, kept up to date;
5. Shall not be kept for longer than is necessary for that purpose;
6. Shall be processed in accordance with the data subject’s rights;
7. Shall be kept secure from unauthorised or unlawful processing and
protected against accidental loss, destruction or damage by using the appropriate
technical and organisational measures;
8. Shall not be transferred to a country or territory outside the European
Economic Area unless that country or territory ensures an adequate level of
protection for the rights and freedoms of data subjects in relation to the processing of
In order to meet the requirements of the principles, Hits Homes Trust will:
• Observe fully the conditions regarding the fair collection and use of
• Meet its legal obligations to specify the purposes for which the personal
data is used;
• Collect and process appropriate personal data only to the extent that it is
needed to fulfill its operational needs or to comply with any legal requirements;
• Ensure the quality of personal data used;
• Apply strict checks to determine the length of time personal data is held;
• Ensure that the rights of individuals about whom personal data is held,
can be fully exercised under the Act. These include:
o The right to be informed that processing is being undertaken,
o The right of access to one’s personal information
o The right to prevent processing in certain circumstances and
o The right to correct, rectify, block or erase information which is regarded
as wrong information
• Take appropriate technical and organisational security measures to
safeguard personal data;
• Ensure that personal information is not transferred abroad without
• Treat people justly and fairly whatever their age, religion, disability,
gender, sexual orientation or ethnicity when dealing with requests for personal data;
• And set out clear procedures for responding to requests for information.
Informed consent is when
A Data Subject clearly understands why their information is needed,
who it will be shared with, the possible consequences of them agreeing or refusing
the proposed use of the data
and then gives their consent.
Hits Homes Trust will ensure that data is collected within the boundaries defined in
this policy. This applies to data that is collected in person, or by completing a form.
When collecting data, Hits Homes Trust will ensure that the Data Subject:
• Clearly understands why the information is needed, usually during tenant
selection, commencing a tenancy and recruitment
• Understands what it will be used for and what the consequences are
should the Data Subject decide not to give consent to processing
• As far as reasonably possible, grants explicit consent, either written or
verbal for data to be processed
• Is, as far as reasonably practicable, competent enough to give consent
and has given so freely without any duress
• Has received sufficient information on why their data is needed and how
it will be used
Information and records relating to service users will be stored securely and will only
be accessible to authorised staff and volunteers.
Information will be stored for only as long as it is needed or required statute and will
be disposed of appropriately.
It is Hits Homes Trust responsibility to ensure all personal and company data is
non-recoverable from any computer system previously used within the organisation,
which has been passed on/sold to a third party.
Data access and accuracy
All Data Subjects have the right to access the information Hits Homes Trust holds
about them. Hits Homes Trust will also take reasonable steps ensure that this
information is kept up to date by asking data subjects whether there have been any
In addition, Hits Homes Trust will ensure that:
• It has a Data Protection Officer with specific responsibility for ensuring
compliance with Data Protection,
• Everyone processing personal information understands that they are
contractually responsible for following good data protection practice,
• Everyone processing personal information is appropriately trained to do
• Everyone processing personal information is appropriately supervised,
• Anybody wanting to make enquiries about handling personal information
knows what to do,
• It deals promptly and courteously with any enquiries about handling
• It describes clearly how it handles personal information,
• It will regularly review and audit the ways it hold, manage and use
• It regularly assesses and evaluates its methods and performance in
relation to handling personal information
• Compliance with this policy is a condition of employment and any
deliberate breach or persistent failure to follow this policy will result in disciplinary
action, which may include dismissal and possible legal action.
• Any Data Subject who considers that the policy has not been followed in
respect of personal data about themselves should raise the matter following the
relevant complaints procedure
• Accessing another employee’s records without authorization is a
criminal offence under the Data Protection Act 1998, section 55
• Access to Personal Data (“Subject Access Requests”)
Employees have the right to access personal data held about them. The Company
will arrange for the employee to see or hear all personal data held about them within
40 days of receipt of a written request. Some of the files may not be available for
inspection if we are waiting for consent from a third party. This inspection will be
under the supervision of the Data Controller.
• Retention of records.
The organisation follows the retention periods recommended by the Information
Commissioner in its Employment Practices Data Protection Code.
These are as follows, in the absence of a specific business case supporting a longer
Document Retention period
Application form Duration of employment
References received 1 year
Payroll and tax information 6 years
Sickness records 3 years
Annual leave records 2 years
Unpaid leave/special leave records 3 years
Annual appraisal/assessment records 5 years
Records relating to promotion, transfer, training, disciplinary matters 1 year from
end of employment
References given/information to enable references to be provided 5 years from
reference/end of employment
Summary of record of service, eg name, position held, dates of employment
10 years from end of employment
Records relating to accident or injury at work 12 years
Any data protection queries should be addressed to your line manager or our Data
This policy will be updated as necessary to reflect best practice in data management,
security and control and to ensure compliance with any changes or amendments
made to the Data Protection Act 1998.
In case of any queries or questions in relation to this policy please contact the Hits
Homes Trust Data Protection Officer:
Naila Siddiqui Walker Project Manager 86 Evington Road, Leicester LE2 1HH Tel:
This Policy should be read in conjunction with Hits Homes Trust:
Child Protection Policy
Adults Who Are Vulnerable Policy
Whistle Blowing Policy
Breach of Tenancy Policy
Further information on data protection can be gained from:
Policy agreed by the Management Committee on 17th August 2010
Policy due for review August 2011