Data subjects rights policy

1.1 The Housing Ombudsman Service is an independent, impartial, and free service for social housing residents. We make the final decision on disputes between residents and landlords that are registered members of our Scheme - including tenants and leaseholders of social landlords (housing associations and local authorities), as well as for our voluntary members (private landlords and letting agents). We also work to strengthen internal complaints procedures and encourage landlords to learn from complaints to prevent service failures being repeated.

1.2 We process large amounts of personal data about a variety of people, including residents who wish to use our service and landlords and landlord staff who are involved in dispute resolution or who wish to access the Housing Ombudsman Service online training material. The Housing Ombudsman Service is also an employer and we therefore process personal data about our staff and individuals who wish to work for us.

2.1 This policy applies to any individual who wishes to exercise their data subjects rights over their personal data held by the Housing Ombudsman Service.

2.2 This policy also applies to all persons within the Housing Ombudsman Service (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

2.3 This policy does not cover requests for data made by third parties under the Freedom of Information Act or ‘one-off’ disclosure requests where a legitimate lawful basis has been cited for the release of personal information. Our approach to such requests is explained in our Freedom of Information Policy (PDF) and our Information Sharing Policy (in development).

3.1 The Information Governance Manager (Casework) will monitor compliance with this policy and provide advice on responding to data subject rights requests. The Information Governance (IG) Manager (Casework) will also provide staff with appropriate training/guidance so that they are able to comply with their responsibilities under this policy.

3.2 The Information Governance team is responsible for managing all responses to data subject rights requests within organisational and statutory deadlines.

3.3 All staff are responsible for:

• identifying data subject rights requests
• referring data subject rights requests immediately to the Information Governance (Casework) Team via the email inbox inforequests@housing-ombudsman.org.uk
• co-operating with and assisting the Information Governance Casework team
  to coordinate responses to requests

4.1 This policy sets out our commitment to:

4.1.1 Respond to all data subject rights requests in an individual manner and according to the values of transparency and integrity.

4.1.2 Ensure that all personal data is processed fairly and lawfully and in accordance with data subjects' rights.

4.1.3 Ensure that everyone working for us or on our behalf to comply with this policy when dealing with data subject rights.

4.1.4 Identify the approach that we will routinely take when responding to requests, including setting out in general terms any exemptions in the Data Protection Act 2018 (DPA) we are likely to apply when responding to requests.

5.1 Rights of the data subject

The DPA 2018 and the UK General Data Protection Regulations (UK GDPR) sets out 8 rights, which individuals can exercise in terms of their personal information. This policy sets out how we seek to enable data subjects to exercise their rights in accordance with the legislation. The legislation gives individuals the following rights:

5.1.1 The right to be provided with specified information about the processing of their personal data (‘the right to be informed’).

5.1.2 The right to access their personal data and certain supplementary information (‘the right of access’, sometimes known as ‘Data Subject Access’).

5.1.3 The right to have their personal data rectified, if it is inaccurate or incomplete (‘the right of rectification’).

5.1.4 The right to have, in certain circumstances, their personal data deleted or removed (‘the right of erasure’, sometimes knowns as ‘the right to be forgotten’).

5.1.5 The right, in certain circumstances, to restrict the processing of their personal data (‘the right to restrict processing’).

5.1.6 The right, in certain circumstances, to move personal data the individual has provided to another organisation (‘the right of data portability’).

5.1.7 The right, in certain circumstances, to object to the processing of their personal data and, potentially, require the Housing Ombudsman Service to stop processing that data (‘the right to object’).

5.1.8 The right, in relevant circumstances, to not be subject to decision making based solely on automated processing (‘Rights related to automated decision making, including profiling’).

5.2 Rights of the Housing Ombudsman as Data Controller

5.2.1 The Housing Ombudsman (as Data Controller) may refuse or restrict access to information where disclosure may have a prejudicial effect on any of the exemptions outlined in the Data Protection Act 2018.

5.2.2 The Housing Ombudsman (as Data Controller) may refuse or restrict access to information where disclosure may have a detrimental effect on the rights and freedoms of others.

5.2.3 The Housing Ombudsman has the right to ask that the data subject provide documentation to verify their identity or to provide further information necessary to support the request prior to progressing any data subjects rights request.

5.2.4 If the request is deemed ‘manifestly excessive or unfounded’, the Housing Ombudsman has the right to:

• charge a reasonable fee taking into account the administrative costs of providing the information
• refuse to respond

Where a request is refused on the grounds of being manifestly excessive or unfounded the data subject will be advised of this.

5.2.5 The Housing Ombudsman has the right to refuse a request for reasonable adjustments where complying would be unreasonable or would likely engage the manifestly excessive or unfounded exemption of the DPA 2018.

5.2.6 The Housing Ombudsman delegates these rights to the Information Governance Manager (Casework) and the Information Governance Casework Team in order to carry out its statutory obligations under the DPA 2018 with respect to data subjects rights.

5.3 Receipt of requests

5.3.1 Individuals wishing to exercise their rights under the DPA can do so either verbally or in writing. A request can be made to any part of the Housing Ombudsman Service and doesn’t have to be made directly to the Information Governance (Casework) Team although any request received outside of this team must be forwarded to the team immediately to deal. In order to consider a data subject rights request, the IG Casework Team may ask the requestor to complete an appropriate request form. Responses to data subjects rights requests will only be made by the Information Governance (Casework) Team.

5.3.2 In order to be considered as a request under the data subject rights provisions it should be clear that the individual is wishing to exercise one of the rights outlined in section 5.1.

Requests received in writing – any requests received in the Organisation in writing (either by letter, email or via Social Media) should be forwarded to the Information Governance (Casework) Team via inforequests@housing-ombudsman.org.uk

Requests made verbally – The Information Governance (Casework) Team does not operate a customer facing telephone service and is only able to respond in writing. For any requests which are made verbally to our enquiries and reception service, details of the request and the requestor should be taken by the recipient call handler and forwarded via email to the above inbox.

The request must state the specific records or information to which the data subject is to exercise their rights. Where a request has been made verbally, the Information Governance (Casework) Team will confirm the nature of the request in writing back to the applicant. Please note that making a request verbally does not negate the requirement for us to verify the identity of the individual making the request.

5.3.3 Any requests for reasonable adjustments in respect of making a request under the data subjects rights provisions will be considered and implemented where possible and where reasonable.

5.3.4 In order to comply with our obligations under the legislation, the Housing Ombudsman Service will need to locate the correct information identified in the request and therefore it is important that we receive the following information as a minimum:

• full name and residential address of data subject
• an address to which correspondence can be sent – responses to requests
  will be made in writing and therefore we require a correspondence address
  to which to send this response - this can be a residential postal address,
  an email address or a social media handle (however, please be aware of
  character number restrictions if choosing to send requests via the latter)
• any relevant details as to the nature of the request – please see below for
  further information

5.4 Verification of identity

5.4.1 Recital 64 of the GDPR states:

The controller shall use all reasonable measures to verify the identity of a data subject who requests access in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

5.4.2 The Information Governance (Casework) Team who deal with data subject’s rights requests do not have dealings in dispute resolution and in the majority of cases, will not have had previous contact with the data subject. It is, therefore, important, that this team is satisfied as to the identity of an individual and the validity of their entitlement to exercise their rights under the legislation. Details of this identification validation are also important for our record keeping, audit responsibilities and to ensure that we are able to defend a disclosure if challenged.

5.4.3 The vast majority of data subjects rights requests received by the Housing Ombudsman Service will require the data subject to provide proof of identity. The minimum requirements to satisfy identity verification should be a document/record which verifies the data subject’s name, address and date of birth. The address on the identity document should match the address recorded by the Housing Ombudsman Service on our case management system.

5.4.4 Where the Information Governance (Casework) Team is otherwise satisfied as to the identity of the person making the request, it may elect to waive the requirements for the applicant to provide proof of identity. However, this will be on an exceptional basis and will be exercised by the Information Governance Manager (Casework) only.

5.4.5 Copies of identification documents will be saved to the relevant data subjects rights request record on our case management system; in a segregated folder. Records relating to data subjects rights requests are accessible to the Data Protection team only and will be retained for the duration of the request record (3 years from the date of closure) in line with our retention schedule.

5.5 Authorisation of representatives

5.5.1 Under the Housing Ombudsman scheme, a service user can authorise a third party to raise a dispute on their behalf by providing their consent via the complaints form. Authorising a representative to act in this way with regards to dispute resolution does not automatically extend to the data subjects rights process and a data subject will need to provide additional and explicit consent for a third party to make a data subject’s rights request and receive a response on their behalf.

5.5.2 Consent of the data subject is defined as:

Any freely given, specific informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

5.5.3 In order to facilitate disclosure to a third party, the data subject will need to provide explicit and specific consent at the time of making their request. This can take the form of:

I. A short statement within the request affirming that disclosure is to be made to a third party and details of that party along with the specific description of the information to which the consent relates. A general statement from the data subject advising that the representative is authorised to make a request for data will not be accepted as explicit consent.
II. Completing a Housing Ombudsman Service explicit consent form and disclosing it along with their request. A copy of this consent form can be obtained from the Information Governance (Casework) Team inforequests@housing-ombudsman.org.uk

5.5.4 Identification of the data subject will still need to be provided as per section 5.4 and the Housing Ombudsman Service reserve the right to request further proof of identity or authority as necessary to satisfy itself as to the entitlement of the individual making the request.

5.6 Clarifying requests

5.6.1 Where a data subjects rights request is unclear, the Information Governance (Casework) team may ask the requestor for further information to clarify the request. The team will send correspondence asking for clarification to the applicant as soon as possible following receipt of the request. The request ‘clock’ will not start until a clear and valid request has been received.

5.6.2 Clarifying requests: Right of Access requests

5.6.2.1 The data subject should identify the information subject their data subjects rights request by providing a specific description of this information within their request correspondence. This can include specific case reference numbers or dates and times when the information is likely to have been captured.

5.6.2.2 Recital 63 states:

Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Therefore, any requests which do not appropriately identity the information being asked for may be subject to further correspondence from the Information Governance (Casework) team asking for clarity as to the specific information being requested. Where this occurs, the request will not be actioned until the team is in receipt of the further clarification being sought.

5.7 Timescales for compliance

5.7.1 The Information Governance (Casework) team must log the date that a data subject’s rights valid and complete request was received. The date that a request becomes ‘valid’ will be the date on which identification verification and any requested clarification of the request is received.

5.7.2 For all requests made under data subjects’ rights provisions, a response should be provided without delay and at the latest, within one month of the valid request being received.

5.7.3 The time limit to comply is calculated from the day the valid request is received (whether it is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, the Housing Ombudsman Service has until the next working day to respond.

5.7.4 Where a request is deemed to be complex, the time for compliance can be extended by a further two months as necessary. The Information Governance (Casework) team will inform the data subject of this extension within one month and explain the reasons for the extension.

5.8 Record keeping and audit

5.8.1 The Information Governance Casework Team will maintain records of:

• the requests we receive and any supporting documentation submitted such as identification documents
• the ‘raw’ products of any searches undertaken
• a master copy of any information about the applicant which we have collated to comply with a request along with a record of any exemptions applied
• any correspondence with the applicant, including our final response
• any advice received or records prepared during the course of handling the request

5.8.2 Records relating to data subjects rights requests will be held on the Housing Ombudsman Service’s primary case management system. Access to records relating to data subjects rights requests is restricted to members of the Information Governance Team only. Access by requirement is extended to the IT team (for resolving IT issues and the Performance Team (for extracting anonymised performance data only). A copy of the completed response will be held on the request record and kept for a maximum of 3 years from the date the request is closed in line with our retention schedule. Identification documents will be held in a segregated folder within the file marked as sensitive personal information.

5.9 Exemptions

5.9.1 The DPA and UK GDPR set out a number of exemptions which may apply to data subject rights requests. We may be exempt from complying (in full or in part) with a request if:

• the information sought is classed as ‘third party data’ meaning that it is information about other individuals and not the requester
• we do not have the consent to release third party information and it is not reasonable in the circumstances to disclose the data
• the disclosure of information or, granting an individual’s request would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders
• the disclosure of information or, granting an individual’s request would prejudice our regulatory functions, or the functions of another regulator
• the information contains legally privileged personal data
• disclosure of information or, granting an individual’s request would be likely to prejudice our negotiations with the data subject
• we are asked to erase data which we are required to process in order to comply with a legal obligation, for the performance a task carried out in the public interest or for reasons of public interest
• there is another applicable exemption in the DPA or, UK GDPR

6.1 A key transparency requirement of the UK GDPR is the right of individuals to be informed about the collection and use of their personal data by a data controller. The Housing Ombudsman Service sets out the use of personal data and provides supplementary information about the processing of personal data in our general privacy notice which is available on our website: How we look after your data - Housing Ombudsman

6.2 Please refer to our Data Protection & Data Privacy by Design Policy for more information on the data subjects rights to be informed.

7.1 Searching for personal data

7.1.1 The Information Governance (Casework) Officer will review the information being requested and access the appropriate computer systems in order to locate the records/information being sought. These records will then be saved to the Information Governance (Casework) Teams request management system, for disclosure to be considered and facilitated. The IG (Casework) Officer will apply any redactions and restrictions on access to information as legislated by the Data Protection Act and record the decisions for these in our response letter back to the requestor. This includes the redaction of third party and operationally sensitive material.

7.1.2 The Information Governance (Casework) team will undertake a reasonable and proportionate search for the personal data pertaining to a request in conjunction with relevant staff. These searches will be based on the information provided to us in the request.

7.1.3 Where a request is not specific enough regarding the information or records sought, basic preliminary searches of our primary dispute and complaints management system will be conducted based on the data subjects name/address only. Only records located from these searches the case management system will be considered for disclosure.

7.1.4 During the course of their research, the IG Officer may have cause to liaise with individual Housing Ombudsman staff members or Departments in order to locate any specified records or information falling within the scope of the data subject’s request. The IG Officer must not be impeded in this research and any records requested by the IG Officer should be provided to them in order for them to consider any exemptions on disclosure.

7.1.5 The IG Officer may seek the view of individual staff members and departments on specific disclosure; however, it is the responsibility of the IG Officer in liaison with the IG Manager (Casework) where required, to apply any appropriate exemptions on disclosure. Any exemptions placed on disclosure should only be done in line with the Data Protection legislation.

7.2 Disclosure

7.2.1 Under the DPA 2018, an individual is only entitled to their own personal information held by a data controller. The IG (Casework) Officer will review records located as a result of their research and will remove any information which relates to a third party or any information which falls within an exemption under the legislation. This redaction will be applied using Adobe electronic redaction software and will be represented by a black panel over the removed information. Redactions will be burned into the document and the document will be sanitised to ensure that any electronically disclosed material will not be able to be ‘un-redacted’ by the recipient.

7.2.2 The data subject will be advised as to why material has been removed in the accompanying response letter unless the expression of a specific exemption in itself would be prejudicial.

7.2.3 The default disclosure mechanism for all responses will be via electronic means such as email. Hard copy disclosures must be specifically requested at the point the request is made and not after an email response has already been submitted. If a request for alternative media is received after disclosure has been emailed it will be deemed as a request for further disclosure (see section 7.3).

7.2.4 Emailed disclosure will be composited into a PDF document which may be password protected (if required) and sent to the data subject to the email address specified within their request. The determination as to whether the document should be password protected will depend on the sensitivity and GCS marking of the records being disclosed. This is to protect the data subject against unauthorised access to any sensitive or confidential information being disclosed.

7.2.5 The Housing Ombudsman Service cannot provide information via USB or media discs as the use of such media is not compatible with our IT Acceptable Use Policy.

7.2.6 Our responses to data subject rights requests will contain the following
information:

• a summary of the request
• our decision as to disclosure or, whether we are granting or refusing a request
• clear reasons for any redactions, exemptions or, our reasons for refusing to grant a request. We will cite relevant sections of the DPA and UK GDPR in these circumstances
• any information we need to send to comply with a request will be attached
• information about how an Internal Review can be requested along with contact details for the Information Commissioners Office (ICO)
• supplementary information about the way we process personal data

7.2.7 The subject access right applies to information (i.e. personal data) and not to documentation. Accordingly the team may extract the requestors personal data from documentation or redact information, which is not the applicant’s personal data when preparing our response. Where appropriate, the team may provide relevant contextual information to assist the requestor.

7.3 Further copies of disclosure

7.3.1 The right of access as defined under the UK GDPR extends to the provision of one copy of the data requested to be provided free of charge. Any additional copies of the same disclosure requested could incur a reasonable fee as determined by the IG Manager for Casework. The data subject will be advised as to the relevant fee prior to the further disclosure being provided and full payment is to be received before a further copy is given. Any relevant fee applicable will be reasonable and relate to the administrative costs of producing and providing the information only.

8.1 Data subjects may request that the Housing Ombudsman Service correct any of their data held by the Service that the data subject believes to be inaccurate. Data subjects have the right to have incomplete personal data completed, including by means of a supplementary statement if necessary.

8.2 On receiving such a request, the IG (Casework) Team shall check the accuracy of the data at the centre of the request. Whilst the IG (Casework) team works with colleagues to review the accuracy of the data, the data subject shall have the right to request a restriction on the further processing of the personal data in question. As a matter of good practice, we should restrict the processing of the personal data in question whilst we are verifying its accuracy, whether or not the individual has exercised that right.

8.3 The IG (Casework) team shall take into consideration any arguments or evidence given by the data subject when assessing the accuracy of the data held by the Service.

8.4 Where the IG (Casework) team finds that the personal data is incorrect or misleading as to any matter of fact, the Housing Ombudsman Service shall take reasonable and proportionate steps to rectify the data. If we have disclosed the personal data to others, we must contact each recipient and inform them of the rectification or completion of the personal data - unless this proves impossible or involves disproportionate effort.

8.5 Where the Housing Ombudsman Service considers the data to be accurate and does not agree to make any changes to the data, the IG (Casework) Team shall explain this decision to the data subject, informing them of their right to complain to the Information Commissioner’s Office or seek judicia  remedy.

8.2 The accuracy of opinions

8.2.1 A record of an opinion is not necessarily inaccurate personal data just because the data subject disagrees with it, or it is later proved to be wrong. Opinions are, by their very nature, subjective and not intended to record matters of fact. However, in order to be accurate, the Housing Ombudsman recognises that records should attempt to make clear where information records constitutes an opinion, and, where appropriate, whose opinion it is.

9.1 Data subjects may request the deletion of any of their personal data held by the Housing Ombudsman Service where there is no lawful basis for its continued processing or retention.

9.2 Data subjects may also object to any of the Housing Ombudsman Service’s processing of the personal data or request that restrictions are put in place on any further processing of their data by the Service.

9.3 These rights are not absolutes in most cases (see 9.5), as such the Housing Ombudsman Service shall consider each request individually and take reasonable steps to comply.

9.4 Where the Housing Ombudsman Service can demonstrate compelling legitimate grounds for the continuing retention or processing of personal data, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims, the Housing Ombudsman Service may not comply with the request.

9.5 The right to object to the processing of personal data for direct marketing or promotional purposes (only) will be treated as an absolute right. Where the data subject objects to processing for those purposes, the Housing Ombudsman Service discontinue processing the personal data for those purposes.

9.6 In responding to the data subject the IG Casework Team shall confirm the extent to which the Housing Ombudsman Service has complied with the request as well as explaining the reasoning used to make any decision in relation to the request. The data subject will also be informed of their right to make a complaint to the Information Commissioner’s Office or seek judicial remedy if they are dissatisfied with the Housing Ombudsman Service’s response.

10.1 Data subjects also have the right to data portability as well as rights related to automated decision-making including profiling. It is recognised that these rights would apply to only a very limited number of Housing Ombudsman processing activities. As such, if a data subject wishes to exercise these rights, the Information Governance Casework Team shall consider these on a case by case basis having due regard to any advice issued by the Information Commissioner’s Office when responding.

11.1 If the request is deemed ‘manifestly unfounded or excessive; The Housing Ombudsman has the right to:

• charge a reasonable fee taking into account the administrative costs of providing the information
• refuse to respond

11.2 A minority of data subjects could potentially attempt to use the data subjects rights process as a means to harass the Housing Ombudsman Service with no real purpose other than to cause disruption. An example of this can be repeated requests for the same information over a short period of time (or over several years).

11.3 ‘Excessive requests’ can refer to those which would involve a disproportionate effort to respond to.

11.4 ‘Unfounded requests’ are those which are clearly without basis or where the request is not made out.

11.5 In the event that a request is refused by the Housing Ombudsman Service, the data subject will be informed in writing within one calendar month of receipt of the request. The data subject will be advised as to the reasons their request is being refused and given details on their right of appeal to the Information Commissioner.

12.1 Children are to be afforded the same rights regarding their personal information as is given to adults as long as they are competent to do so. Under Scottish legislation, a child would be considered to be able to apply their data subjects rights at age 12 and this is therefore the basis for our process on dealing with requests from children. However, each case will be reviewed on its individual circumstance. Where a child is not considered to be ‘competent’, an adult with parental responsibility may exercise the child’s data protection rights on their behalf. The parent must provide proof of parental responsibility in these cases as well as valid identification for themselves. Disclosure will not be facilitated until we are in receipt of such documents as required to validate the requestor’s identity and parental responsibilities to the child in question.

13.1 Where a data subject is not happy with a response made in relation to a data subjects rights request, for example, if they are unhappy with the application of exemptions or are contesting the completeness of the information disclosed, they can ask for the handling of their request to be reviewed.

13.2 Complaints about responses should be referred to the IG Casework Manager in the first instance.

13.3 If the appeal or complaint relates to a response provided by the IG Casework Manager then it will be passed for review to the Head of Corporate Information and Governance.