Policy document - Broad Court Property Management Ltd
General Data Protection Regulation (GDPR).
The GDPR regulations are an evolution of the existing Data Protection Act of 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR). GDPR adds to the requirements Broad Court Property Management Ltd (hereafter, Broad Court) already have regarding data handling.
GDPR is designed to prevent the sharing of information between companies, and thus cutting down on nuisance emails and phone calls. A simple analysis of our business shows that we do not access any data other than the information specially given to us by our clients (tenants and landlords) or contractors. We do not purchase or accept contact lists from any other source. However, we do keep and use personal data obtained from a large number of individuals
In our sphere of activity, personal data can include (but is not limited to) information such as:
When individuals (tenants, landlords or contractor) register their personal data with us, we will always obtain their permission to store and use that data only for the purposes that it was provided.
We will never send emails or correspondence of any kind to individuals who have not given their consent for us to hold their data.
Use of data
At the point of data collection, we will explain clearly to tenants and landlords (and subsequently others, for example guarantors) how we intend to lawfully use the data. Uses can include –
· General administration carried out in the office
· For use in contacting tenants or landlords and distributing marketing material
· For giving contact details to workmen and suppliers
· For sharing with third parties, such as HMRC, utility companies and Council tax offices
· For marketing purposes, for use by companies such as Virgin Media or Glide
From the above, we can separate data into four different areas.
· First, the data handled by Broad Court staff
Data given to us will be treated appropriately – kept securely and disposed of when no longer required. Any data that is given verbally (for example someone giving their address or card details over the phone) will not be repeated back to the person over the phone if anyone else could overhear the conversation. If card details are given over the phone, the details will be entered straight onto our payment systems by using a keyboard, and the details will never be written down or otherwise recorded.
Data taken out of the office - for example maintenance orders with tenants’ names and contact details on them – will be kept secure by the individual concerned and returned to the office as soon as possible Mobile phone numbers used by workmen to contact tenants will be deleted once the job has been completed
Data that is no longer required will be securely disposed of
· Second, data handled and stored by systems that are used by Broad Court – these include
1. Internal computer systems and databases.
2. The Broad Court website
3. Credit and debit card payment systems.
4. Our email provider.
5. Rightmove or similar advertising platforms.
To an extent these systems are run by separate companies and those companies are responsible for providing a system that complies with the regulations. Broad Court in turn will check that those companies are GDPR compliant and are prepared to confirm this to us.
· Third, Data shared with third parties such as contractors (Data Processors)
We have to share data with third parties to enable them to carry out work on behalf of Broad Court – for example, a contractor could be given the address of the property, the name of one of the tenants, and their phone number to arrange a delivery or repair
In order to safeguard this data, our policy is that any such third parties such as maintenance contractors must sign an agreement with Broad Court confirming that a) any such data will be kept securely whilst it is needed to carry out a job and b) it will be either destroyed or returned to Broad Court on completion of the job.
Any other third parties (for example Birmingham City Council, HMRC or utility companies) will be asked to forward a copy of their policy document before any data is shared with them.
· Fourth, Data shared with third parties for marketing purposes
Very occasionally, we share contact details of tenants or landlords with companies such as Glide, Virgin Media, or perhaps a company offering insurance. Before any such data is shared the intended recipient will be asked to give their explicit consent (“opt in”) to receive any such information.
Any such third party we share the data with will be required to confirm they will not pass it on to anyone else, and, while they are using the data, that it is held and secured in line with GDPR requirements.
All members of staff are aware of their responsibilities in regard to safeguarding data whilst it is being used by them. All practical steps are taken to ensure this data is kept safe and under lock and key with alarms set when the office is closed. Our network is actively protected and monitored to detect and prevent any attempts to access our data from the Internet, and also to generate a report should any incident occur that may have led to a data breach. If any such report is generated, or any other incident such as a break-in occurs, it will be reported and then investigated promptly.
GDPR introduces and enhances the rights individuals have. These rights include -
· The right for data to be deleted
GDPR rules provide data subjects with the right to request that their information is erased from our records. In most cases any such request will be acted on promptly and all data disposed of safely. This particularly applies to data relating to individuals who have registered for marketing information and do not actually rent a property from us.
However, it is not possible for us to remove some types of data. Broad Court have a legal obligation to keep details of contracts (and thus the tenant and landlord details) on file for seven years after the conclusion of an agreement. Tenants and landlord who register with us need to agree that their data can be kept for this period of time.
· The right to be informed about how we will use the data (covered above)
· The right of access to the data we hold on individuals
If an individual requests access to the data we hold regarding them, we will supply this information within a month. Invariably the basis of this data will be the information supplied by the individual to us when they first registered with us, as we do not obtain data from any other source. This could also include any email or other correspondence shared with that individual. We do not make a charge for the supply of data.
· The right to have data corrected
· The right to restrict processing
· The right to object
· The right not to be subject to automated decision making including profiling
Our appointed data controller is Mr Brian Mothersdill, who can be contacted on firstname.lastname@example.org