There are specific principles from the GDPR that inform us how we should collect, store, process and dispose of personal information.
Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals. We will ensure we are transparent by producing a ‘Privacy Statement’ and making this available to anyone on whom we hold data. Our ‘privacy statement’ for customers and staff can be found on the Bron Afon website.
- Collected for specified, explicit and legitimate purposes. We identify within our privacy statements the reason for collecting information on individuals. The main reason for collecting data is the contract we hold with them. This could be via an occupation contract, support plan or employment contract. There are also legal and regulatory reasons for holding data, e.g. equalities data so that we can ensure our services are provided in a manner that meets the needs of the individual. We may also use ‘legitimate interests’ for collecting data, and this may be where we need this information to perform our tasks as a community mutual organisation. In these cases, we will consider the purpose for processing and whether processing is necessary and then balance this against the rights and freedoms of the person we are collecting the information from.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We keep a ROPA (Record of Processing Activities) of all information held, and this will ensure that we can check and challenge what is held, why we hold it and what we do with it.
- Accurate and, where necessary, kept up to date. It is essential that records are kept up to date and we will use all opportunities of interactions with our customers to ensure data is updated. We will also respond in a timely manner to any notifications from our customers to update their records.
- Kept in a form which allows us to identify individuals and delete their records when no longer needed. We keep a retention schedule for our information, which follows National Housing Federation guidelines, statutory requirements and best practice. The retention schedule will be reviewed periodically and in line with changes to business practice and regulatory or legal requirements.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. We will upgrade our IT systems and ensure processes are in place to protect against external risks. All staff will be trained to understand their roles and responsibilities in keeping personal and special category data safe.