Confidentiality & Data Protection Policy

1. Purpose

This policy sets out how Heritage Housing Education & Advisory Hub (“the Hub”) collects, stores, uses, and protects personal information. It ensures compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and best practice standards for confidentiality within community‑based support services.

The policy applies to all staff, volunteers, contractors, and anyone acting on behalf of the Hub.

2. Policy Statement

Heritage Housing Education & Advisory Hub is committed to protecting the privacy, dignity, and rights of all clients. We handle personal information lawfully, fairly, and transparently. Confidentiality is central to building trust with the individuals and families we support.

We only collect information that is necessary for delivering our services, and we ensure it is stored securely and shared appropriately.

3. Legal Framework

This policy is guided by:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common law duty of confidentiality
  • Safeguarding Adults & Children statutory guidance

4. Definitions

Personal Data

Any information relating to an identifiable individual (e.g., name, address, contact details, housing situation).

Special Category Data

Sensitive information requiring extra protection (e.g., health, ethnicity, immigration status, safeguarding concerns).

Processing

Any action involving personal data, including collecting, storing, sharing, or deleting it.

Data Subject

The individual whose data is being processed.

5. Principles of Data Protection

The Hub adheres to the six core principles of UK GDPR. Personal data must be:

  1. Processed lawfully, fairly, and transparently
  2. Collected for specified, explicit, and legitimate purposes
  3. Adequate, relevant, and limited to what is necessary
  4. Accurate and kept up to date
  5. Stored only as long as necessary
  6. Processed securely

6. What Information We Collect

We may collect the following types of information:

Personal Information

  • Name, address, date of birth
  • Contact details
  • Nationality and immigration status (if relevant to housing rights)

Housing‑Related Information

  • Eviction notices
  • Correspondence with local authorities
  • Housing applications
  • Tenancy details

Support Needs

  • Health information (only when relevant to housing)
  • Safeguarding concerns
  • Vulnerability indicators

We only collect information necessary to provide effective advice and support.

7. How We Use Personal Data

We process personal data to:

  • Provide housing advice and support
  • Assess needs and risks
  • Liaise with local authorities or partner agencies (with consent)
  • Maintain accurate case records
  • Meet legal obligations (e.g., safeguarding)
  • Improve service quality through anonymised data analysis

We do not sell or share data for marketing or commercial purposes.

8. Lawful Bases for Processing

We rely on the following lawful bases under UK GDPR:

  • Consent – when sharing information with partner agencies
  • Legitimate interests – delivering advice and support
  • Legal obligation – safeguarding, court orders, statutory requirements
  • Vital interests – when someone is at immediate risk of harm

9. Confidentiality

We keep all client information confidential unless:

  • The client gives explicit consent to share it
  • There is a safeguarding concern
  • There is a risk of serious harm to the client or others
  • We are legally required to share information (e.g., court order)

Where possible, we will inform the client before sharing information without consent.

10. Information Sharing

We may share information with:

  • Local authority housing teams
  • Legal aid providers
  • Domestic abuse services
  • Health or social care professionals
  • Police or emergency services (only when necessary)

Sharing is always:

  • Minimal
  • Relevant
  • Proportionate
  • Secure

11. Data Storage & Security

Digital Records

  • Stored on secure, password‑protected systems
  • Access restricted to authorised staff
  • Regularly backed up

Paper Records

  • Stored in locked cabinets
  • Access limited to authorised staff
  • Shredded when no longer needed

Email & Communication

  • Sensitive information sent via secure email where possible
  • Staff must not use personal devices for client data

12. Data Retention

We retain client records for 6 years after case closure unless:

  • Legal requirements specify otherwise
  • There is an ongoing safeguarding concern

After this period, data is securely deleted or destroyed.

13. Client Rights

Clients have the right to:

  • Access their personal data
  • Request corrections
  • Request deletion (where legally appropriate)
  • Withdraw consent
  • Object to processing
  • Request a copy of their data

Requests must be responded to within one month.

14. Data Breach Procedure

A data breach includes loss, theft, unauthorised access, or accidental disclosure.

Procedure

  1. Staff report the breach to the Data Protection Lead immediately
  2. The Lead assesses the severity
  3. Serious breaches are reported to the ICO within 72 hours
  4. Affected individuals are notified where appropriate
  5. The incident is recorded and reviewed

15. Staff Responsibilities

All staff and volunteers must:

  • Follow this policy
  • Complete data protection training
  • Use secure systems
  • Report breaches or concerns immediately
  • Maintain confidentiality at all times

16. Policy Review

This policy is reviewed annually or sooner if legislation changes. Updates must be approved by the Service Manager or Board.