General Data Protection Regulations
BIRMINGHAM CIVIC HOUSING ASSOCIATION
GDPR & DATA PROTECTION 2018
DATA SECURITY GUIDELINES & PROCEDURES
Following the introduction of GDPR and Data Protection, detailed below are the guidelines and procedures that all BCHA staff must adhere to when processing, handling or dealing with personal data relating to tenants and contractors. This is to ensure that the association processes all personal data safely and securely.
1. Sharing information securely by phone
These guidelines cover the correct procedure, and precautions to take, when sharing personal information by telephone. These guidelines also cover what you should do if you are sending text messages or leaving voicemails.
No personal information should be shared by phone unless you can be absolutely sure of the caller’s identity and their legal entitlement to the information you are providing.
If there is any doubt, don’t share any information, until you are satisfied of their identity and legal entitlement to the information requested.
1.1 Verify the identity of the caller.
Ask the caller to confirm some personal details that you hold:
A. Lead tenant’s name, full address and post code.
(Always check this information on all incoming and outgoing tenant calls)
B. Plus one or two of the following, depending on the information requested:
Date of Birth.
Rent payment: are they in receipt of state support?
What, if any, state support do they receive regarding rent payments (and what percentage), i.e., HB/UC – full or part?
Name of a family member.
Year of start of tenancy.
Lead mobile phone number.
NB Do not offer the caller this information, request it from them, and then check it against the information held on SASSHA.
If the person requesting the information is from one of BCHA’s contractors or associated bodies, confirm the name, job title, department and/or organisation of the person requesting the information and the reason for it.
Where possible, take a main switchboard or organisation contact telephone number as additional verification (never a direct line or mobile telephone number) and, if in any doubt, arrange to phone back to verify authenticity.
If the request is from the police, the Department for Work and Pensions or a similar organisation asking for information to prevent or detect a crime, apprehend and prosecute an offender, or in relation to the collection of a tax or duty, please refer the matter to the Chief Executive prior to disclosing any information.
If you are unable to verify the identity of the caller, do not share personal or confidential information with them until you can.
1.2 Verify entitlement to the information.
Check that the case file or computer record has identified the caller as a person to whom the requested information can be released.
You must make sure that you have the data subject’s permission to discuss their personal data with the caller, or that the caller has authority or a legal entitlement to the information. Delegated authority to another individual must be made in writing and held on file; if none exists, the data cannot be shared.
If the individual is requesting access to all data held (SAR), advise them they will need to make a written request to the Chief Executive.
Where the information relates to a child, it is good practice to seek the consent of an adult where possible. All people aged over 16 are presumed in law to have capacity to give or withhold their consent to sharing of confidential information, unless there is evidence to the contrary.
There may be exceptional circumstances where obtaining the consent of the data subject is not possible and sharing can take place without consent, for example, in an emergency life or death situation.
If you are unable to verify the caller’s entitlement to some or all of the information being requested, do not share it with them until you can.
1.3 Providing / withholding the information.
Restrict the information that you provide to the minimum essential for the purpose, and only to that which the caller is entitled to receive.
Make a record of the disclosure, which includes your name, the date and time of the disclosure, and the reason for it.
Make a record of the disclosure, which includes the recipient’s name, telephone number, relationship to the data subject, and description of the information provided to them, and checks performed to verify the identity of the individual and their right to the information.
If you decide that you need to withhold information that is being requested, advise the caller that BCHA has to be certain that it only discusses personal details with individuals who are entitled to it. If the caller remains dissatisfied, ask them to put their request in writing, with any required proof of identity and entitlement to the information.
Make sure that you terminate all phone calls completely before discussing the call or other issues with colleagues, to avoid being overheard by the caller.
1.4 Consider your surroundings.
If you must discuss sensitive matters over the telephone, make sure your conversation takes place in a private space such as a meeting room. Do not discuss sensitive matters or other people’s personal data in public spaces.
Be mindful of your surroundings and do not raise your voice when discussing sensitive matters in earshot of others. Where possible make sure you shut doors and/or windows if you are discussing something sensitive.
1.5 Outbound calls and voicemails
Always make sure that you have the correct number and have dialled correctly.
Verify the identity of the individual who has answered the phone, before disclosing information to them.
Only leave a voicemail message where you are certain that the number you have dialled is correct.
Do not disclose any personal or confidential information in voicemail messages – leave your details and request a call back.
Hang up properly at the end of the call before talking to colleagues.
1.6 Text messages
Only disclose personal information by text where you are certain that the number you are texting is correct. Never text any bank account details, date of birth, sex or telephone numbers, i.e., anything that might be used for identity fraud or information that may place the individual at risk or harm.
2. Carry paper files off site
This guidance covers the correct procedure and additional precautions to take when carrying paper files, containing personal and/or confidential and/or business sensitive information, off-site.
What you must do:
Only carry paper files/records if necessary. Consider alternative means of sending the information or accessing the information from your destination.
Count how many files you have before you set off and check that you have the same number of files prior to leaving all destinations.
Ensure that you sign any paper files in and out, and place a marker in the filing drawer.
Where possible anonymise records that you are carrying so only minimum personal data is carried.
If you are keeping sensitive papers with you overnight, do not leave them locked in your car; make sure that they are stored securely inside your property.
If you intend to visit several clients in one go and need to take out all of their files, where possible, only take in the file of the client that you are seeing and keep the rest locked in your car, out of sight.
Ensure your briefcase, file or bag, contains your name, job title, team name and contact telephone number, in case it is lost or stolen.
If you have lost or had stolen any files containing sensitive information, contact the Police on 101 and notify the Chief Executive immediately.
What you must not do:
Do not take out more information than you really need to.
Never leave sensitive papers unattended, even for a short time. Lock them away or keep them with you.
Do not carry loose papers. Carry them in a locked briefcase or in a folder or bag that can be securely closed or zipped up.
Do not walk around in public with a file that shows a person’s name on the front. Place it inside another file, with no identifying information on it.
Do not share or leave any paper files with customers or clients without first fully checking that you are sharing the correct information, and that the contents are appropriate.
3. Keep my mobile device secure
This guide covers the correct procedure and additional precautions to take when using BCHA mobile devices. This guidance covers, but is not limited to, mobile phones and laptops.
What you can do to keep your device secure:
Do not leave mobile devices unattended, for any length of time.
Portable equipment must be securely locked away, out of sight, when not in use (includes at home).
Keep your device out of sight and always accounted for whilst travelling.
Do not leave mobile devices in the car overnight.
Lock screen with password or PIN.
What you can do to keep information confidential:
Consider your surroundings when accessing BCHA information on your mobile device – make sure that the public and other parties not authorised to access the information cannot view it.
Consider your surroundings when holding a conversation on the phone. Refer to our guide about sharing information securely by phone.
Do not allow family members and other individuals to use BCHA mobile devices.
Use a screen-lock on all mobile devices when not in use.
Do not store personal data for longer than is necessary on your work mobile i.e., texts, voice messages, etc.
Lost or stolen mobile devices.
In the event that your device is lost or stolen, you must report the incident to the Chief Executive immediately (advising of any personal or sensitive data relating to tenants contained on the phone); the Chief Executive will make sure that the device cannot be used by unauthorised individuals.
You should also report the missing device to the police using the 101 service, advising them of any personal or sensitive data relating to tenants contained on the phone.
4. Removable Data Storage
Staff are not permitted to save personal or sensitive data relating to data subjects to a removable storage device, such as USB, without written approval from the Chief Executive, who will specify the security measures to be put in place.
5. Sending Personal or Sensitive data by email
Best practice is not to send any personal or sensitive data via email; however, it is recognised that this is increasingly becoming the preferred method of corresponding with tenants and contractors.
Sending email to tenants. Any detailed personal information should only be sent in a password protected file attached to the standard BCHA email. The password may be agreed in advance with the tenant, or the tenant can contact BCHA on receipt of the email. Password examples: Date of Birth, tenant reference number, name, and date of birth of first child.
Sending tenants’ details to BCHA suppliers for repairs etc. Personal data should only be sent in a password protected file. Data should be kept to a minimum: name, address and contact details. Requests for additional personal data should be queried regarding relevance/need to the supplier (this should be noted on file and referred to the Chief Executive and/or Internal Audit prior to disclosure).
All BCHA emails go through Fuse mail. They always attempt to send email securely (encrypted with SSL) but this is not mandatory. Equally, incoming connections are set to SSL preferred, but not mandated. What this means is that non-secure email services which our tenants may be using are beyond the control of BCHA or Fuse mail.
Issued August 2018