PART A - OUR APPROACH TO DATA PROTECTION AND INFORMATION MANAGEMENT
PART B - DATA PROTECTION AND INFORMATION MANAGEMENT - STAFF RESPONSIBILITIES
1 - Who is responsible?
2 - Our obligations
3 - Your responsibilities
DATA PROTECTION RESPONSIBLE PERSON/BUSINESS OWNERS
PART A - Our Approach to Data Protection and Information Management
This policy sets out the firm’s approach to data protection and information management, including how the firm manages confidential information and the precautions we take to keep information secure.
The people responsible for this policy are listed at the end of this document.
Protection and Security of Confidential Personal Information
Confidential personal information will not be passed to anyone outside the firm except with the consent of the client (where appropriate), or where client confidentiality does not apply and disclosure is reasonably necessary for normal business purposes or there is a legitimate interest in making it.
In publications and publicity material all client identification information will be removed unless clients have consented.
Retention and Disposal of Information
We retain personal information as follows:
Contractual/Consented/Legitimate Interest Information
Is retained for a maximum of 7 years, in line with our statutory, regulatory and business needs to keep records. Personal data will be deleted at your request if we no longer have an obligation to retain it.
Will be deleted after 12 months or as above. Property database email addresses and personal data will be retained until you unsubscribe (regular contact will be made giving you the opportunity to unsubscribe).
Thereafter information is disposed of securely, by shredding, electronic deletion, or otherwise as appropriate.
The firm maintains a firewall and commercial antivirus software to prevent unauthorised access to our network and data. All traffic entering or leaving the firm's network passes through the firewall, which blocks anything that does not meet the configured security criteria. The firewall's rule set establishes a barrier between the trusted internal network and the internet or other networks that are not assumed to be secure or trusted.
Secure Configuration of Network Devices
Network devices are things like Local Area Network (LAN) equipment, used to connect the computers in Proctors' offices so that they can share files, printers and other resources. A LAN requires a hub or switch, a router, cabling or radio technology, network cards and, for online access, a high-speed modem. The firm uses a standard Local Area Network configured with appropriate security settings.
Procedures to Manage User Accounts
User accounts are managed by the business owner (see list of Proctors business owners/responsible person). User accounts can be disabled at any time, for example on discovering a breach of security. Accounts are disabled when a member of staff leaves the firm.
Procedures to Detect and Remove Malicious Software
If, despite the precautions described elsewhere, malicious software (malware) is present on the system, it should be detected by the firm's antivirus software. It is then the responsibility of the firm's business owner to remove the malware, according to the nature of the threat and the industry standard procedures at the relevant time.
Register of Software Used by the Firm
The firm currently uses the following software (this is not an exhaustive list):
• Microsoft Office
• Avast Antivirus
• Microsoft Outlook
• Internet Explorer
• Firewall protection packages
• Cyberoam firewall
• Cloud cloud to me
• McAfee spam filter
• Norton Antivirus
Register of Third Parties Used by the Firm
The firm currently uses the following third parties (this is not an exhaustive list):
• DezRez – Internal operating system
• RONIN Marketing – Social media, PR and design
• L & C Mortgages
• Rent4Sure – Referencing (may vary by office)
• EPC assessors (may vary by office)
• Val Pal – Online marketing tool
• Business Networks (DA8) – IT support (may vary by office)
• Mydeposits – Tenant Deposit Protection (may vary by office)
• Technicweb – Website hosting
Training for Personnel on Information Security
The firm has provided all staff with its information security rules (the current version of which is set out below) and recirculates them to all staff at least annually.
In addition, the firm trains staff about information security risks and precautions on joining, and thereafter at least annually using the online course provided by Socrates Training. The business owner also periodically circulates e-mails reminding staff of current criminal methods and risks and of the precautions required.
Updating and Monitoring of Software
All software used by the firm is supported by external software suppliers who issue routine updates from time to time. It is the responsibility of the business owner to decide whether and when updated versions are to be installed, or whether new or better software should be obtained. Because updates frequently fix security weaknesses, security updates should be installed promptly.
PART B - Data Protection and Information Management - Staff Responsibilities
1. Who is Responsible?
The firm holds a large amount of confidential information about people, including clients, other parties to associated transactions, and staff. All of us must comply with data protection law and keep confidential information secure. Accordingly all staff must study and observe the precautions set out below.
The business owners have overall responsibility for data protection and implementation of this policy. Questions on or concerns about these issues should be referred to them.
In particular, if you become aware of any breach of security involving confidential information you must report it promptly to a business owner. The firm has a duty to report breaches of security to the clients affected and, in some cases, to the Information Commissioner's Office.
2. Our Obligations
When we hold information about identifiable people (known as “data subjects”) this gives rise to obligations under the General Data Protection Regulation (GDPR). The GDPR applies whether such information is held in electronic form or in a paper filing system.
People have rights if we hold information about them. That includes the right to be informed what we hold, the right to have errors corrected, and the right to have data deleted if we have no justification for holding it.
We may be liable in various ways if we fail to handle data appropriately. The following is a summary of our obligations under data protection law; it is not a substitute for further research where appropriate.
The Data Protection Principles:
In processing personal data we must be able to demonstrate that we comply with the “data protection principles”. These require that personal data must be:
• processed lawfully, fairly and in a transparent manner
• collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
• adequate, relevant and limited to what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• processed with appropriate security, so that it is protected against unauthorised access, loss or damage.
Grounds for Processing Personal Data:
We should only process personal data if we have a legitimate justification for doing so. Often the justification will be the consent of the person concerned. Otherwise we may be entitled to proceed without consent on a number of grounds. Those which most often apply are the following.
• It is necessary for the performance of a contract to which the person concerned is a party.
• It is necessary for compliance with a legal obligation.
• It is necessary to protect someone’s vital interests.
• It is necessary for our legitimate interests or those of a third party, except where such interests are overridden by the interests or rights of the person concerned.
Sensitive Personal Data:
Sensitive personal data (called "special category data" in the GDPR) can only be processed under strict conditions. It includes information about someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, together with genetic data and biometric data.
The usual grounds which entitle us to process sensitive personal data are the following.
• Explicit consent of the data subject.
• It is necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
• Data manifestly made public by the data subject.
• It is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
• One of the other specific conditions set out in Article 9 of the GDPR applies (for example, the processing is necessary to meet obligations under employment law or for reasons of substantial public interest). Note that our legitimate interests alone are not a sufficient ground for processing sensitive personal data; if none of the Article 9 conditions applies, refer the matter to the business owner before processing.
3. Your Responsibilities
Do not collect or use personal data without a good reason:
If clients give us information about themselves this is rarely a problem, as they will usually expect us to record that information and use it for the usual purposes of our business. However take particular care with information about third parties, who may be unaware that we hold information about them. Bear in mind three simple principles.
• Do not record information about people unless you need to do so.
• Keep it secure.
• Delete it promptly when you no longer need it.
Those principles apply especially to information of an embarrassing, secret or sensitive nature, and where the people concerned have not consented to us holding the information.
Take care when sending personal data to others:
You will often need to share personal data and confidential information with others such as solicitors, referencing companies, contractors/suppliers, agents involved within a transaction, buyers/sellers/landlords/tenants, counterparties to transactions, surveyors and others. However before doing so consider these issues.
• Do they really need the information?
• Should we redact documents so that they do not include irrelevant and unnecessary confidential information?
• Can we rely on the recipient to keep the information secure?
• Also, take extra care before sending personal data outside the European Economic Area. Before doing so, check either that the country in question has been designated by the European Commission as providing adequate data protection, or that we have appropriate contract clauses agreed with the recipient to protect the data.
Keep papers secure
• Keep confidential papers in secure cabinets. Bear in mind that cleaning personnel, temporary staff and others may be present in the building, and that leaving papers where they can be seen risks a breach of security.
• Keep office premises secure to avoid unauthorised access and report any breaches.
• Only take confidential files out of the office when it is necessary to do so. Take precautions to ensure that such items are not stolen or lost. For example do not leave files in an unattended car.
• Be aware that taking paper files out of the office is especially risky. Where possible, take information in encrypted digital form instead, e.g. on an encrypted laptop.
• Bear in mind that laptops and other electronic devices may be stolen when taken out of the office. Confidential files taken out of the office in electronic form must therefore be encrypted; it is not enough that the machine on which they are stored is password protected, since the storage can be removed and read elsewhere. Where possible, when working out of the office access documents over the internet rather than carrying copies.
• Ensure confidential papers are shredded on disposal.
Keep IT secure
• Take care with any e-mail you receive from an unknown or unexpected source. Bear in mind that opening attachments or clicking on links may result in malware being downloaded.
• It is the firm's policy that passwords must be at least 8 characters long and include upper and lower case letters and numerals. Follow this policy and other precautions, such as not writing passwords down in any form that might be intelligible to a third party and not reusing them across systems. Secure passwords are particularly important for mobile devices and for logins that would allow remote access to the firm's systems.
• Lock your screen when your computer is left unattended, and log off overnight and before holidays.
• Ensure that your computer screen does not show confidential information to those who are not authorised to see it. This is particularly important when using a laptop or other device outside the office.
• Update the software on your computer whenever required to do so. Updates frequently fix security weaknesses.
• Take particular care when transferring data between the firm's system and an external system. For example:
o if you use a data stick or similar storage device to load documents onto your work computer, it may introduce viruses or other malware into the firm;
o if you transfer confidential files to your home computer you must ensure that computer is properly secured. This is a particular risk if your home computer is shared with other users or is vulnerable to theft.
If in any doubt check with the business owner.
• Even if data has been deleted from electronic media, it may be possible for others to recover it: ordinary deletion removes only the reference to the data, not the data itself. Hence computer hard drives, data sticks, floppy disks, CD-ROMs etc. must either be securely wiped by a trusted expert or physically destroyed when no longer required.
Take Care With Payments
• Those responsible for making payments from our bank account receive separate guidance, which includes a strict prohibition on divulging account credentials or security information (including usernames, passwords, PINs and other security codes).
• All staff should be aware of the risk of criminals seeking to divert funds, e.g. by phone calls or e-mails to the firm purporting to be from clients, our bank or senior staff, or to clients purporting to be from the firm, asking for payments to be made to inappropriate accounts. Staff must report to their business owner immediately any request they receive for information which might be used to facilitate fraudulent payments.
Take Care When Dealing with Enquiries
• Beware of "blaggers" (people who attempt to obtain confidential information by deception, also known as social engineering). This is most commonly done by phone but may also be by e-mail or by calling in person. The following are examples of the precautions you should take when dealing with enquiries.
o Check the identity of the person making the enquiry.
o Check we are authorised by the client or other relevant person to pass on this information.
o Ask callers to put their request in writing if you are not sure about the caller's identity and their identity cannot be checked.
o Refer to your business owner for assistance in difficult situations.
o Take particular care with callers who claim to be from the bank. Some firms have had money stolen from their bank accounts after staff gave confidential banking information out over the phone. If in doubt, end the call and ring the bank back on a number you already know to be genuine.
Forward any “Subject Access Request” You Receive
Under data protection law we may receive a written request (known as a “subject access request”) from someone for information that we hold about them. If you receive such a request you should forward it to the business owner immediately.
DATA PROTECTION RESPONSIBLE PERSON/BUSINESS OWNERS
Office - Anerley
82 Elmers End Rd, Anerley, London SE20 7UX
020 8676 0093
Office - Beckenham
102 High Street, Beckenham, Kent BR3 1EB
020 8650 2000
Office - Bromley
11 Plaistow Lane, Sundridge Park, Bromley, Kent BR1 4DS
020 8460 4166
Office - Orpington
192 High Street, Orpington, Kent BR6 0JW
Office - Park Langley
104 Wickham Road, Beckenham, Kent BR3 6QH
020 8658 5588
Office - Petts Wood
1 Fairway, Petts Wood, Kent BR5 1EF
Office - Shirley
285-287 Wickham Road, Shirley, Croydon, Surrey CR0 8TJ
020 8777 2121
Office - West Wickham
318 Pickhurst Lane, West Wickham, Kent BR4 0HT
020 8460 7252
Office - New Homes
104 Wickham Road, Beckenham, Kent BR3 6QH
020 8658 1155
Office - Land & Development
285-287 Wickham Road, Shirley, Croydon, Surrey CR0 8TJ
020 8777 0743