This page includes mhs homes' full data protection policy. We understand that sometimes it's hard to find what you want from documents like this, which is why we've made this page accessible.

This page includes:

The purpose of this policy is to protect and promote the rights of individuals and the rights of the mhs homes group. mhs homes group (the Group) recognises that all individuals have a right to expect that safeguards will be maintained to protect the integrity of their personal information.

Scope and definitions

This policy applies to all members of the group and to all data processed on computer systems and stored in structured manual filing systems.

The Data Protection Act 1998 is designed to protect the individual and their personal data, which is held and processed on their behalf. The Act defines the individual as the ‘data subject’ and their personal information as ‘data’. These are further defined as:

Data Subject

Any living individual who is the subject of personal data, whether in a personal or business capacity.


Any personal information that relates to a living person who can be identified. This includes any expression of opinion about the individual.

Data is information stored electronically i.e. on a computer, including word processing documents, e-mails, computer records, CCTV images, microfilmed documents, backed up files or data bases, faxes and information recorded on telephone logging systems.

Manual records which are structured, accessible and form part of a 'relevant filing system' (filed by subject, reference, dividers or content) and where individuals can be identified and personal data easily accessed without the need to leaf through a file.

All departmental managers must ensure adherence to this policy and any other departmental policies must fit in with this Group Policy.

Policy standard

The Group fully endorses and adheres to the 8 principles of Data Protection as set out in the Data Protection Act 1998. These principles state that personal data must be;

  • Fairly and lawfully processed
  • Processed for limited purposes and not in any other way which would be incompatible with those purposes
  • Adequate, relevant and not excessive
  • Accurate and kept up to date
  • Not kept for longer than necessary
  • Processed in line with the data subject’s rights
  • Kept secure
  • Not transferred to a country that does not have adequate data protection laws

Roles and responsibilities

The primary officer responsible for Data Protection is the Company Secretary. A Data Protection Team has been established to support the delivery of the policy made up of all Assistant Directors (Composition of project team changed from ADCS, ADAM & Heads of ICT). Regular Data Protection meetings are held to consider data protection and security risks and issues which are reported to the bi monthly risk review if required.

Company Secretary

The Company Secretary is responsible for;

  • Overseeing The Group data protection system and ensuring compliance with the Act is monitored and maintained
  • Completing the organisations Notification to the Information Commissioner and ensuring that operational processing of personal data is consistent with the notified purposes
  • Conducting regular cross-functional meetings with Assistant Directors (Changed from Heads of Service) to discuss process and procedural implementation
  • Receiving reports of potential breaches, weaknesses, concerns and requests for assistance
  • Producing and maintaining a data protection and security risks and issues log, performing and monitoring corrective actions to closure and preparing regular reports to the board

Assistant Directors

Assistant Directors (Changed from Heads of Service) are responsible for;

  • Ensuring their functional processes are documented and include staff instructions/procedures that embed Data Protection obligations into working practice
  • Ensuring all forms (whether electronic or manual) used within their department only collect personal data that is necessary for the service being provided and that they contain approved Fair Processing Notices to the Data Subject. In particular, to ensure that Departmental forms do not collect excessive or irrelevant personal data, and not to allow that data to be used or disclosed to any third party, or for any additional or other purposes other than those previously advised to the Data Subject upon collection. Should additional future processing become “Necessary”, ensure that the Data Subject is subsequently informed.
  • Ensuring all completed forms used for the collection of personal data result in a positive indication of the Data Subject’s consent (i.e. signed)
  • Ensuring staff are fully aware of their obligations both in terms of The Group and individually for Data Protection and Security and are appropriately supervised
  • Ensuring staff receive appropriate training to enable them to comply with this Policy
  • Ensuring staff are only granted access to IT systems and manual files containing personal data required to perform their duties
  • Periodically review files on a regular basis as described in the Monitoring and Review Section of this Policy and records are maintained of the review on the file.
  • Nominating a responsible person for the archiving or disposing of departmental records
  • Assessing and approving the nature and suitability of any work containing Personal Data to be performed outside of the office environment and ensuring employees are properly provisioned with IT equipment (e.g. encrypted laptops or secure remote access) to facilitate mobile working or working from home
  • Ensuring Personal Data used or acquired within their functional department is not input into any external databases, online systems or new Data repositories (e.g. spread sheets) without the recipient having gained prior approval of the Company Secretary


Staff are responsible for:

  • Reporting any incidents, concerns or suggestions for improvement to their Assistant Director (Changed from Head of Service) or in confidence to the Company Secretary
  • Informing their Manager if they are unsure how to comply with Departmental Procedures, particularly when asked to disclose the Personal Data to a third party.
  • Being familiar with the organisation’s Information Security Policies and acceptable use of IT Systems, including restrictions on including/sharing Personal Data in unencrypted e-mail attachments, protection of passwords and files.
  • Ensuring they gain Manager’s approval for any work involving Personal Data to be conducted from outside the office unless this is performed using a Company Encrypted Laptop, via Secure Remote Access or using approved personal computing devices

It is the responsibility of staff and Board Members to manage Personal Data as set out in this policy. A breach of this policy is a serious offence and will result in disciplinary action under the mhs homes Disciplinary Procedure which could result in summary dismissal.

Primary record keeping by management

Management are required to keep essential records that may be called upon to defend a breach of the data protection policy. Essential records would include items such as dates/outcomes of compliance audits, inspections and spot-checks (e.g. file reviews), third party (data sharing) approvals, privacy impact assessment outcomes for new systems and third party processors, training records, staff acknowledgement of system access permissions and training attendance etc.

Data categories and purpose limitation

Data should only be used for the purpose it was collected and not to create new data repositories, e.g. spreadsheets and other user created tools without approval. The Company Secretary should be engaged to approve any new uses of existing data and to ensure new uses are legitimate. The use of any new IT Systems or Outsourcing Contracts should be approved by the Company Secretary in conjunction with the Assistant Director of Treasury, Systems and Finance (Changed from Head of ICT) to maintain compliance.



Personal Data relating to all employees is held in the Human Resources Department.

Personal Data relating to customers, housing applicants and suppliers are held on the housing database, the file servers and the email system.

Staff handling Personal Data will do so in accordance with this policy.

Members of staff, customers or housing applicants will be offered a private place to discuss their Personal Data if requested.

Personal Data will be held and disposed of in accordance with the Data Retention Policy. Fair Processing notices will be displayed in all instances where personal data is collected to gain data subjects consent prior to collection of their data.

Disclosure of Information

All third parties that have access to Personal Data held by The Group through manual processes or automatic interfaces must be approved by the Company Secretary and sign the Data Protection Agreement. The Data Protection Agreement must be included in any contract/tender that requires the sending of mhs homes group information. Failure to complete this document will see the supplier removed from the approved contactors or suppliers list. It is the managers’ responsibility to assure that all third parties have signed the contract. A copy of this contract must be given to the Company Secretary.

Personal Data will only be passed to other organisations on a need-to-know basis and with an individual’s consent unless there are exceptional circumstances.

Exceptional circumstances include:

  • Where there is clear evidence of fraud
  • To comply with the law
  • In connection with legal proceedings
  • Where it would be essential to enable mhs homes to carry out its duties e.g. where the health and safety of an individual would be at risk by not disclosing the information or where there is a legal requirement to do so
  • Anonymously for statistical or research purposes

Monitoring & review

This policy will be reviewed by the Company Secretary every two years or earlier if required to maintain the policy in line with changes to other Acts of Parliament, enforcement notices, Codes of practice and case law judgements issued by the Information Commissioner and the Courts.


We welcome suggestions and complaints from people who use or provide our services. We believe that this can provide some important lessons to help us ensure that the service is improved for everyone.

Equality statement

mhs homes has a duty to ensure that no person receives less favourable treatment from the organisation on the grounds of age, disability, gender reassignment, marriage, civil partnership, pregnancy, religion or belief, race, sex or sexual orientation.