Data Protection Policy


ForViva and its subsidiaries hold a lot of personal data including sensitive personal data in respect of our customers, staff and service users. Any reference in this policy to information is a reference to personal data under any applicable data protection legislation.

Information is held on a number of different electronic systems as well as paper based files. The policy covers all information whether it is stored electronically or physically.

Aim of Policy

The policy specifies ForViva’s approach to data protection in order to ensure compliance with legislation, our approach to controlling information and the ways in which we promote a culture valuing and protecting information. The aims of this policy are:

· To ensure that all staff are data protection conscious and to create a culture of good data practice

· To ensure that data protection compliance and control measures are recognised by all staff, business partners and stakeholders.


When processing customer information we need to ensure we do so securely and with honesty and respect. This applies to dealing with information requests, information sharing, the storing of information and protecting our customer’s personal information.

The Group must comply with the Act and work in partnership with customer’s and the Information Commissioner’s Office (ICO) when processing customer information.


The potential impact of non-compliance is high for customers and The Group. In the case of failure to follow policy and good data protection practice the impact can be significant dependent on circumstances. The Information Commissioner’s Office (ICO) have enforcement powers and monetary penalties at their disposal which provides a risk to The Group. There is also a significant risk to customers with the potential for their data to be misused and the possibility for data to be used for criminal purposes.


ForViva supports the principles of Data Protection legislation and regulation and implement best practice based on our moral obligation as well as our legal obligations. The principles that guide our approach to data are outlined below:

· Fair and lawful processing of data

· Collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes

· Adequate, relevant and limited to what is necessary

· Accurate and up-to-date;

· Not kept for longer than is necessary in a form which permits identification;

· Kept in a secure manner

We treat our obligations very seriously and ensure that information is treated as confidential and that unauthorised disclosure is a breach of contract and may be considered gross misconduct.

ForViva will make use of individual Group Member privacy notices to be as open and transparent about the way we handle data within the organisation, and any changes to privacy statements will be communicated through out

Where data is collected and held on a consent basis rather than our legitimate interest or performance of a contract we will make use of clear consent forms which are clear and easy to read for al.

Data Protection Code

ForViva will follow the principles and practices stated in all relevant Data Protection regulation and good practice as set out by the ICO, ForViva will:

· Value all personal information entrusted to us and ensure we have safeguards in place to protect it

· Implement good practices and go further than just the law where possible

· Consider and address privacy risks when we plan to use data in new ways, and account for these implications in any decision making process

· Be open and transparent to individuals about how we use their data

· Make it easy for individuals to access and correct their information

· Keep information to a minimum and delete it when this is no longer needed

· Make use of technology to secure data and to ensure it is kept securely

· Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse information and systems

· Put appropriate technological, financial and human resources into looking after personal data so that we can live up to our promises

· Monitor and review services to provide assurances that we are meeting our expectations


· Guidance will be made available to employees to help comply with the Act. Mandatory E- learning will be communicated to staff when they join and when changes are made to legislation

· All staff will need to act in line with legislation and disciplinary action will be taken against staff contravening any laws

· Staff should only use systems which are approved to process personal data.


· All systems used in the organisation will be designed to comply with the Act

Requests to disclose personal information

All requests to access information will be processed by ForViva’s Data Protection Officer and requests should be made through a Subject Access Request Form, although requests do not need to be made in writing. The information will be made available within one calendar month of the request being made.

To ensure information is only sent the correct party ForViva will make relevant steps to verify the identity of the requestor.

Information which relates to a third party, a criminal investigation, would be prejudicial to health or would threaten national security can not be shared.

If a customer has difficulties completing the form then Group staff should assist. If a customer has asked someone to act on their behalf, such as the Citizens Advice Bureau, they will be asked to supply an Authority to Act before a request can be processed.

The Authority to Act form can be obtained from the agency acting on customer behalf or from one of the Group’s Offices. Customers will also need to complete the section on the Accessing Personal Information form at the end of this document detailing who they are.

Where to send the request

Customers and service users making a Subject Access Request should send their completed form along with the information detailed above, to:

The Data Protection Officer


52 Regent Street



M30 0BP

The Data Protection Officer will arrange for customer request to be actioned.

Staff requesting information

The Group will treat all staff information in line with the above and will deal with any formal subject access requests in line with the Act.

Staff must comply with the Code of Conduct in relation to the use of information and action may be taken for a breach of that policy.

Sharing Information with third parties.

Unless authorised under the Act to share information with third parties the Group will obtain the express written consent of the individual to whom the information relates. ForViva will not undertake any activity which involves the selling of data.

There may be occasions when we have to share information with others to enable us to deliver our services and fulfil our legal and contractual obligations, for example sharing some information with our repairs contractors, other housing providers, our Regulators or Social Services.

Where we are legally required to do so we will share information in the following circumstances:

· Prevention or detection of crime

· Apprehension or prosecution of offenders

· Assessment or collection of tax or duty owed to customs and excise

· In connection with legal proceedings; and

· To comply with the law.

ForViva may participate in information sharing schemes that further the interests of tenants and communities. Before agreeing to participate in any such scheme the advice of the Data Governance Manager should be sought.

It is good practice for a data sharing agreement to be in place before the transfer of large amounts of data takes place. It is the responsibility of the officer leading on the scheme to arrange for the agreement but the Data Governance Manager should be given a final version to store

Data Retention

ForViva will comply with data protection legislation relating to the retention of data and data will be stored for no longer than is necessary. We will follow the retention schedules set out in good practice such as the NHF “Document Retention for Housing Associations” and the HMRC “Keeping records for business- what you need to know”.

The full retention schedule is outlined in appendix one. There may be situations where documents need to be kept for longer than the timeframes below i.e. for ongoing legal action.


Responsibility for compliance with data protection legislation is the responsibility of all staff that have an obligation to inform line managers and the Data Protection Officer of any breaches immediately. The breach will be investigated by the Governance and Assurance Team.

The Governance and Assurance team has the responsibility to oversee compliance across the entire Group and to produce training and guidance materials.

It is the responsibility of relevant Directors to ensure data is kept for no longer than necessary.

Related Policies and Procedures

· Mobile Device Acceptable Use Policy

· Removable Media Policy

· E-Mail and Internet Policy

· Staff Code of Conduct

Email to a friend