Dorchester Municipal Charities (DMC) is committed to the protection and safety of all data collected for the lawful business of the Charity. This Privacy Notice tells you what to expect when DMC processes your personal information.
The Board of Trustees is the data controller. This means the Board decides how your personal information is processed and for what purposes.
The data controller may be contacted through its representative, the General Manager and Clerk to the Trustees, at the above address.
Purpose of this Privacy Notice
This Privacy Notice applies to information DMC processes about applicants (for housing and employment), residents, employees and trustees, whether the personal data was obtained directly from you or a third party such as a health or care professional or a family member. It tells you the purposes for which we may process your personal information, the legal basis for processing (including keeping your personal information) and your rights.
Why we Collect, Process and Store your Personal Information
DMC needs to collect, process and store personal information about applicants, residents, staff and trustees, so it may lawfully:
- Operate as an almshouse charity
- Operate as a registered provider of social housing
- Operate as an employer
- Deliver effective services.
Information is collected from you and we also receive some information from third parties.
How we Process and Store your Personal Information
DMC complies with the six principles of data protection by ensuring your data, whether in paper or electronic (computer, phone, email) form is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, legitimate purposes and not further processed in a way that is incompatible with these
- Adequate, relevant and limited to what is necessary
- Accurate and where necessary, kept up to date. It will be erased or altered if inaccurate
- Kept in a way that allows your identification for no longer than is necessary for the purposes for which the personal data are processed
- Processed securely including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
Please see Appendix 1 for further information about these principles.
Access to your information is limited to authorised individuals only such as relevant staff and trustees. We use robust security arrangements to safeguard your data as listed in the Data Protection Policy and Procedures.
Lawful basis for processing: General Processing
DMC processes personal information about applicants, residents, employees and trustees using the following legal bases:
- Contractual obligations: To satisfy our contracts with applicants, residents, employees and trustees.
- Legal obligations: To comply with the law, including but not limited to employment law, charity law and our obligations as a registered provider of social housing.
- Consent: We ask your consent to share your personal information with third parties such as health or care professionals. Our consent form lists those with whom we may wish to share information.
Lawful basis for processing: Sensitive Information
Some personal information is treated as more sensitive (such as health, race; ethnic origin; politics; religion; sexual orientation, trades union membership), because it could increase the likelihood of discrimination against you. This is known as special category data.
The lawful basis we use for processing more sensitive information about you is the same as above and the following may also apply and will be documented:
- Legal obligations: Needed in relation to the rights of the controller in relation to employment, social security, social protection
- Your information has been made public
- Legal claims: Where we or another person needs to bring or defend legal claims
- For archiving purposes for historical research or statistical purposes, measures such as the use of pseudonyms may be used to safeguard your rights and freedoms.
Lawful Basis for Processing: Criminal Convictions Data
We request information about criminal convictions to meet our legal obligations regarding applicants, residents, employees and trustees.
Types of Data Processed by DMC
We process the following types of information about you in accordance with data protection principles. Information is processed in paper and electronic (computer, phone, email) forms:
Applicants (Housing): Information requested on our application forms, supporting evidence list, Equality & Diversity form (anonymous) and references, plus contact chronology, interview data, references and copies of letters sent and received.
Residents: Information as for Applicants above plus your photograph, information requested on our Wellbeing Assessment form, consent form, risk assessments, financial information related to your contribution, Medvivo application form, diary sheets, daily call sheets, emergency call out log, Warden’s report, flat maintenance data, information relating to fire drills and events, annual trustee visits record, social events records and Social Group records, resident survey findings, complaints, file notes, any other information required to provide an efficient service to you within the limitations of DMC’s purpose.
Applicants (Employment): Information requested in initial application form, Equality & Diversity form (anonymous), references, NI number, letters and notes sent and received plus interview data.
Employees: As for Applicants (Employment) plus DBS result, contract, register of interests information, financial information related to payroll and pension, letters and notes sent and received, annual appraisals, supervision (Warden only), staff meetings, sick leave, annual leave, training, grievance information, disciplinary information, any other information required to enable DMC to meet its obligations as an employer.
Trustees: Name, contact details and preferences, signed roles and responsibilities document, Equality & Diversity form (anonymous), DBS result, appointment terms, register of interests information, personal history information (including photograph), bank signatory information where appropriate, trustee visits information, Trustee meetings, Working Groups information.
Please note these lists are not exhaustive.
Sharing Your Personal Information
Your personal data will be treated as confidential within the organisation and will generally be used by DMC for the purposes outlined above. However, we may need to share information with external organisations and individuals in order to meet our purposes or legal obligations. Information will be shared with data protection principles in mind. The following list is illustrative rather than exhaustive:
- To comply with the law eg the Police, local authority council tax officers, benefit fraud officers, employment law, charity law, court orders, HMRC
- Regulator of Social Housing as a registered provider of social housing
- Charity Commission as a registered charity
- The Housing Ombudsman
- Almshouse Association
- Contractors or other agents acting on DMC’s behalf including accountant, surveyor, insurance company, HR professional, lawyer, banking and investment company, training company, careline provider and hardware maintenance company, fire safety companies, maintenance contractors such as plumbers, electricians, builders
- Utilities companies: Gas, electricity, water, communications
- TV licensing company
- Local Housing Team in relation to applications for housing or benefits
- Health and care professionals / organisations
- Named family members
- Local authority departments where DMC has entered into a contract
- Local authorities in relation to safeguarding issues
- Bona fide statistical or research organisations (anonymised information)
- Applicant referees
- Future employer of an employee
How long we keep your data
We hold your information during the period of our relationship with you and for a set period afterwards to allow us to meet our legal obligations including resolving any follow up issues between us. A full list of retention periods for data held by DMC is available in the Data Protection Policy and Procedures.
Your rights and your personal data
Unless subject to an exemption, you have the following rights:
- Right to be Informed: To be informed about the collection and use of your personal data in an easily accessible way. Our Privacy Notice provides this information, a copy of which will be given to you when we ask you for personal information or if we receive information from another source, if you have not already received the Notice.
- Right to Access: To request a copy of the personal information DMC holds about you: A Subject Access Request. Further information about this and a form are available from the Clerk’s Office.
- Right to Rectification: To request that DMC corrects any factual personal data found to be inaccurate, incomplete or out of date. You may request this in writing or verbally and we will respond within one calendar month. We can refuse the request or charge a reasonable fee if we think the request is obviously false, excessive or repetitive. If this is the case, we will inform you within one month of your request.
- Right to be Forgotten: To request your personal data is erased (the right to be forgotten), where it is no longer necessary for DMC to retain your information or you withdraw your consent for us to process your information, unless we have another lawful basis for processing it. You may contact us verbally or in writing and we have one month to respond to your request.
- Right to Restriction: To request that we restrict how we process your information, where we are investigating the accuracy of your information if you have asked us to correct what we hold for you; if we are processing your information unlawfully and you ask us to restrict processing instead of erasing your information; we no longer need your information but you need us to keep it to establish, exercise or defend a legal claim or you challenge our lawful basis for processing your data. If we have shared information with a third party, we must inform them of the restriction. When data is restricted, we may store it but cannot use it. You may contact us verbally or in writing and we have one month to respond to your request. We must inform you before we lift the restriction and the reasons why.
- Right to Data Portability: To obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal information from one IT environment to another in a safe and secure way. The right only applies to personal data you have provided to us where the reason we rely on to process it is your consent or for the performance of a contract. We must respond to your request within one month though this may be extended by another two months if the request is complex or we have many requests. We will inform you within once month if this is the case. There is no charge for this service.
- Right to Object: To object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which override your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.
- Right to Withdraw Consent: You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse if we can rely on a different lawful basis for processing your data.
- Right to Make a Complaint to the Information Commission’s Office (ICO): To make a complaint if you think we have breached the data protection regulations. Contact details are below.
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, we will provide you with a new notice explaining the new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Information Commissioner’s Office (ICO): The Supervisory Authority
The Information Commissioner (ICO) is a source of further information about data protection and your rights. The ICO is an independent official body.
Information Commissioner's Office
Wycliffe House, Water Lane
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Six Principles of Data Protection
The data protection principles set out the main responsibilities for organisations. The General Data Protection Regulations requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.