Data Protection Policy
Protecting Personal Information All Services 4U is committed to protecting the personal data of our employees, clients, residents, suppliers, and anyone whose information we process. This Data Protection Policy sets out how we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and the responsibilities of everyone in our organisation. This policy applies to all employees, directors, officers, agency workers, contractors, and anyone who processes personal data on our behalf.
Our Commitment
We are committed to
- Lawfulness — Processing personal data lawfully, fairly, and transparently
- Purpose Limitation — Collecting data for specified, explicit, and legitimate purposes
- Data Minimisation — Processing only the data we need
- Accuracy — Keeping personal data accurate and up to date
- Storage Limitation — Retaining data only as long as necessary
- Security — Protecting data against unauthorised access, loss, or damage
- Accountability — Demonstrating compliance with data protection law
Legal Framework
This policy is based on the requirements of
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR) 2003
- Information Commissioner’s Office (ICO) guidance
Key Definitions
| Term | Definition |
| Personal Data | Any information relating to an identified or identifiable living individual |
| Special Category Data | Sensitive data including race, health, religion, sexual orientation, biometric data |
| Processing | Any operation performed on personal data (collecting, storing, using, sharing, deleting) |
| Data Subject | The individual whose personal data is processed |
| Data Controller | The organisation that determines the purposes and means of processing |
| Data Processor | An organisation that processes data on behalf of a controller |
| Personal Data Breach | A security incident affecting personal data |
Our Role
All Services 4U is a Data Controller for personal data we collect and use for our own purposes.
We are a Data Processor when we process personal data on behalf of our clients (e.g., resident information provided by housing associations).
Data Protection Principles
We adhere to the seven data protection principles set out in the UK GDPR.
Principle 1 Lawfulness, Fairness, and Transparency
Requirements
- Process personal data lawfully
- Have a valid legal basis for processing
- Be fair and not use data in unexpected ways
- Be transparent about how we use data
Our Approach
- Identify and document the legal basis for all processing
- Provide clear privacy information to data subjects
- Do not deceive or mislead about data use
- Publish our Privacy Policy and make it accessible
Principle 2 Purpose Limitation
Requirements
- Collect data for specified, explicit, and legitimate purposes
- Not use data for incompatible purposes without consent or legal basis
Our Approach
- Define and document purposes before collecting data
- Only use data for stated purposes
- Assess compatibility before any new use
- Update privacy notices when purposes change
Principle 3 Data Minimisation
Requirements
- Process only data that is adequate, relevant, and limited to what is necessary
Our Approach
- Only collect data we actually need
- Review data collection to eliminate unnecessary fields
- Do not collect just in case data
- Regularly review what data we hold
Principle 4 Accuracy
Requirements
- Keep personal data accurate and up to date
- Correct or delete inaccurate data without delay
Our Approach
- Verify data accuracy at collection
- Provide mechanisms for data subjects to update their information
- Conduct regular data quality reviews
- Correct errors promptly when identified
- Delete data that cannot be corrected
Principle 5 Storage Limitation
Requirements
- Keep data only as long as necessary for the purposes
- Delete or anonymise data when no longer needed
Our Approach
- Define and document retention periods
- Implement retention schedules
- Regularly review and delete expired data
- Anonymise data where possible for statistical purposes
Principle 6 Integrity and Confidentiality (Security)
Requirements
- Protect data against unauthorised or unlawful processing
- Protect against accidental loss, destruction, or damage
- Implement appropriate technical and organisational measures
Our Approach
- Implement robust security controls
- Restrict access on a need-to-know basis
- Train staff on security requirements
- Regularly test and review security measures
Principle 7 Accountability
Requirements
- Demonstrate compliance with data protection principles
- Maintain appropriate documentation
Our Approach
- Maintain records of processing activities
- Document policies and procedures
- Conduct data protection impact assessments
- Train staff and maintain training records
- Audit compliance regularly
Roles and Responsibilities
Managing Director
- Overall accountability for data protection compliance
- Ensuring adequate resources for data protection
- Championing a culture of data protection
Data Protection Lead
The Data Protection Lead is responsible for
- Day-to-day data protection compliance
- Advising on data protection matters
- Maintaining records of processing activities
- Handling data subject requests
- Managing data breach response
- Delivering data protection training
- Liaising with the ICO
- Reporting to senior management
Contact Name [Name] Email dataprotection@allservices4u.co.uk Phone [Phone number]
IT Manager
- Implementing technical security measures
- Managing access controls
- Ensuring system security
- Supporting breach response
- Maintaining backup and recovery
Human Resources
- Protecting employee personal data
- Managing recruitment data
- Ensuring HR processes comply
- Supporting employee data requests
Managers
- Ensuring team compliance with this policy
- Identifying training needs
- Reporting data protection concerns
- Authorising access to data
All Employees
- Following this policy and related procedures
- Protecting personal data they handle
- Reporting breaches and concerns
- Completing required training
- Only accessing data they need
Lawful Basis for Processing
We must have a lawful basis before processing personal data.
Lawful Bases
| Basis | When It Applies |
| Consent | The individual has given clear consent for specific processing |
| Contract | Processing is necessary to perform or prepare a contract with the individual |
| Legal Obligation | Processing is necessary to comply with the law |
| Vital Interests | Processing is necessary to protect someone’s life |
| Public Task | Processing is necessary for a public function or task in the public interest |
| Legitimate Interests | Processing is necessary for our legitimate interests (unless overridden by the individual’s rights) |
Documenting Lawful Basis
For each processing activity, we document
- The lawful basis relied upon
- Why that basis applies
- If legitimate interests, the balancing test
- If consent, how consent was obtained
Special Category Data
Special category data requires an additional condition
| Condition | Examples |
| Explicit consent | Health data for reasonable adjustments |
| Employment obligations | Sickness records, diversity monitoring |
| Vital interests | Emergency medical information |
| Legal claims | Data needed for legal proceedings |
| Substantial public interest | Safeguarding, preventing fraud |
Criminal Record Data
Processing criminal record data (e.g., DBS checks) requires
- A lawful basis under Article 6
- A condition under Schedule 1 of the Data Protection Act 2018
- An appropriate policy document
Privacy Notices
We provide clear information about how we use personal data.
When to Provide Privacy Information
- When collecting data directly from individuals
- Within one month if data obtained from other sources
- Before using data for a new purpose
Content of Privacy Notices
Privacy notices include
- Our identity and contact details
- Contact details for the Data Protection Lead
- Purposes and lawful basis for processing
- Legitimate interests (where applicable)
- Categories of data (if not collected directly)
- Recipients or categories of recipients
- International transfer information
- Retention periods
- Data subject rights
- Right to withdraw consent (where applicable)
- Right to complain to the ICO
- Whether data provision is required
- Automated decision-making information
Our Privacy Notices
| Notice | Audience | Location |
| Privacy Policy | Clients, residents, website visitors | Website, on request |
| Employee Privacy Notice | Employees | Staff handbook, intranet |
| Candidate Privacy Notice | Job applicants | Application process |
| Supplier Privacy Notice | Suppliers, subcontractors | Contract documentation |
| CCTV Notice | Visitors, employees | Displayed at premises |
Data Subject Rights
Individuals have rights under the UK GDPR. We respect and facilitate these rights.
Rights Overview
| Right | Description |
| Right to be informed | Know how we use their data |
| Right of access | Obtain a copy of their data |
| Right to rectification | Correct inaccurate data |
| Right to erasure | Request deletion of data |
| Right to restrict processing | Limit how we use data |
| Right to data portability | Receive data in portable format |
| Right to object | Object to certain processing |
| Rights related to automated decisions | Not be subject to solely automated decisions |
Handling Requests
Step 1 Receive and Log
- Record all requests in the data subject request log
- Note date received, requester details, and nature of request
Step 2 Verify Identity
- Confirm the requester’s identity
- Request additional verification if needed
- Do not disclose data to the wrong person
Step 3 Assess and Respond
- Determine if the request is valid
- Identify any exemptions that apply
- Gather the relevant data or take required action
- Respond within the required timescale
Step 4 Document
- Record actions taken and response provided
- Retain records for audit purposes
Timescales
| Request Type | Timescale | Extension |
| Access (Subject Access Request) | 1 month | +2 months if complex |
| Rectification | 1 month | +2 months if complex |
| Erasure | 1 month | +2 months if complex |
| Restriction | 1 month | +2 months if complex |
| Portability | 1 month | +2 months if complex |
| Objection | Without undue delay | NA |
Exemptions
We may refuse or limit requests where exemptions apply
- Legal professional privilege
- Management forecasting or planning
- Negotiations with the requester
- Confidential references
- Legal claims and proceedings
- Regulatory functions
We will explain if exemptions apply.
Fees
- Requests are free in most cases
- We may charge a reasonable fee for manifestly unfounded or excessive requests
- We may charge for additional copies beyond the first
Data Security
We implement appropriate security measures to protect personal data.
Technical Measures
| Measure | Implementation |
| Access Controls | Role-based access, unique user accounts, least privilege principle |
| Authentication | Strong passwords, multi-factor authentication for sensitive systems |
| Encryption | Encryption of data in transit (TLS) and at rest where appropriate |
| Firewalls | Network firewalls and intrusion detection |
| Antivirus | Up-to-date antivirus and anti-malware |
| Patching | Regular security updates and patches |
| Backup | Regular backups with secure offsite storage |
| Mobile Devices | Device encryption, remote wipe capability |
| Email Security | Spam filtering, phishing protection |
Organisational Measures
| Measure | Implementation |
| Policies | This policy and supporting procedures |
| Training | Mandatory data protection training for all staff |
| Access Management | Starterleaver processes, regular access reviews |
| Clear Desk | Clear desk and clear screen policy |
| Confidentiality | Confidentiality clauses in contracts |
| Incident Response | Breach response procedures |
| Physical Security | Secure premises, locked storage |
| Disposal | Secure disposal of documents and equipment |
| Supplier Management | Due diligence and contracts with processors |
Password Requirements
| Requirement | Standard |
| Minimum length | 12 characters |
| Complexity | Mix of upper, lower, numbers, symbols |
| Expiry | Every 90 days (or as risk-based) |
| History | Cannot reuse last 12 passwords |
| Sharing | Never share passwords |
| Storage | No written passwords, use password manager |
Physical Security
- Offices and depots secured with access controls
- Visitors signed in and escorted
- Documents stored in locked cabinets
- Sensitive documents shredded before disposal
- Equipment physically secured
Remote Working
When working remotely
- Use company devices or approved personal devices
- Connect via VPN for network access
- Do not use public Wi-Fi for sensitive data
- Keep devices secure and attended
- Lock screens when not in use
- Do not print sensitive documents at home
Data Breaches
A personal data breach must be handled promptly and appropriately.
What is a Breach
A personal data breach is a security incident that leads to
- Accidental or unlawful destruction of personal data
- Loss of personal data
- Alteration of personal data
- Unauthorised disclosure of personal data
- Unauthorised access to personal data
Examples of Breaches
| Type | Examples |
| Confidentiality | Data sent to wrong recipient, data accessed by unauthorised person, data stolen |
| Integrity | Data altered without authorisation, data corrupted |
| Availability | Data lost, data destroyed, data inaccessible due to ransomware |
Reporting a Breach
All suspected breaches must be reported immediately.
Report to
Data Protection Lead Email dataprotection@allservices4u.co.uk Phone [Phone number]
Out of hours Phone [Emergency number]
Information to Report
When reporting, provide
- Date and time of discovery
- Date and time breach occurred (if known)
- Description of what happened
- Type of data involved
- Number of individuals affected
- Actions already taken
- Your contact details
Breach Response Process
Step 1 Containment (Immediate)
- Stop the breach if possible
- Recover lost data if possible
- Limit further access or disclosure
- Preserve evidence
Step 2 Assessment (Within 24 hours)
- Investigate what happened
- Identify data and individuals affected
- Assess the risk to individuals
- Determine if notification is required
Step 3 Notification (Within 72 hours if required)
If the breach is likely to result in a risk to individuals
- Notify the ICO within 72 hours of becoming aware
- Document the decision and rationale
If the breach is likely to result in a high risk to individuals
- Notify affected individuals without undue delay
- Provide clear information about the breach and their options
Step 4 Review and Learn
- Complete root cause analysis
- Implement corrective actions
- Update procedures as needed
- Document lessons learned
Breach Register
All breaches (including near misses) are recorded in the breach register, including
- Date and description
- Data and individuals affected
- Risk assessment
- Actions taken
- Notifications made
- Lessons learned
Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) helps identify and minimise data protection risks.
When is a DPIA Required
A DPIA is required when processing is likely to result in a high risk to individuals, including
- Systematic and extensive profiling with significant effects
- Large-scale processing of special category data
- Systematic monitoring of publicly accessible areas
- New technologies
- Automated decision-making with legal or significant effects
- Large-scale processing of children’s data
- Data matching or combining datasets
Our DPIA Process
Step 1 Screening
Determine if a DPIA is required using the screening checklist.
Step 2 Description
Describe the processing
- Nature, scope, context, and purposes
- Data types and sources
- Recipients and transfers
- Retention periods
- Technical and organisational measures
Step 3 Necessity and Proportionality
Assess whether the processing is
- Necessary for the purpose
- Proportionate to the aim
- Based on a lawful basis
Step 4 Risk Assessment
Identify and assess risks to individuals
- Likelihood of harm
- Severity of harm
- Types of harm (physical, material, non-material)
Step 5 Mitigation
Identify measures to mitigate risks
- Technical measures
- Organisational measures
- Policy changes
- Training
Step 6 Sign-Off
The DPIA is reviewed and approved by the Data Protection Lead before processing begins.
Step 7 Review
DPIAs are reviewed
- When processing changes significantly
- If new risks emerge
- At least every 3 years
DPIA Records
All DPIAs are documented and retained, including
- Screening decision
- Full DPIA (if required)
- Approval and sign-off
- Review dates
Data Sharing
We share personal data appropriately and in compliance with data protection law.
Internal Sharing
- Data is shared internally on a need-to-know basis
- Access is restricted to those who require it for their role
- Staff are trained on confidentiality requirements
External Sharing
Before sharing data externally, we consider
- Is there a lawful basis for sharing
- Is sharing necessary and proportionate
- Is the recipient trustworthy
- Are appropriate safeguards in place
- Have data subjects been informed
Data Sharing Agreements
For regular or significant data sharing, we put in place data sharing agreements that cover
- Parties to the agreement
- Data to be shared
- Purpose of sharing
- Lawful basis
- Security requirements
- Restrictions on use
- Retention and deletion
- Breach notification
- Responsibilities of each party
Sharing with Clients
When we process data on behalf of clients
- We act only on their documented instructions
- We have a data processing agreement in place
- We implement appropriate security measures
- We assist with data subject requests
- We notify breaches promptly
Sharing with Suppliers
When suppliers process data on our behalf
- We conduct due diligence before engaging
- We have data processing agreements in place
- We only use suppliers providing sufficient guarantees
- We monitor compliance
International Transfers
We restrict transfers of personal data outside the UK.
Restricted Transfers
A restricted transfer is a transfer of personal data to
- A country outside the UK that is not covered by adequacy regulations
- An international organisation not covered by adequacy
Permitted Transfers
Transfers are permitted where
- The destination has an adequacy decision (e.g., EUEEA countries)
- Appropriate safeguards are in place (e.g., Standard Contractual Clauses)
- A derogation applies (e.g., explicit consent, contract performance)
Our Approach
- We primarily process data within the UK
- We use UK and EUEEA based service providers where possible
- For transfers to other countries, we implement appropriate safeguards
- We conduct Transfer Impact Assessments where required
Transfer Impact Assessments
Before transferring data to a country without adequacy, we assess
- Laws and practices in the destination country
- Whether the safeguards will be effective
- Whether supplementary measures are needed
Data Retention
We retain personal data only as long as necessary.
Retention Principles
- Define retention periods for all data types
- Retain data only for as long as needed
- Consider legal, regulatory, and business requirements
- Delete or anonymise data when no longer needed
- Document retention decisions
Retention Schedule
| Data Type | Retention Period | Basis |
| Client contracts | Duration + 6 years | Limitation Act |
| Service records | Duration + 6 years | Contractual, legal |
| Compliance certificates | Validity + 6 years | Regulatory |
| Building Safety Act evidence | Life of building | BSA 2022 |
| Financial records | 7 years | Tax, Companies Act |
| Employee records | Employment + 6 years | Limitation Act |
| Recruitment (unsuccessful) | 6 months | ICO guidance |
| CCTV footage | 30 days | Proportionality |
| Website analytics | 26 months | Business need |
| Complaints | 6 years | Limitation Act |
| Accident records | 6 years (40 years for serious injury) | H&S regulations |
| Training records | Employment + 6 years | Legal, regulatory |
Secure Deletion
When data reaches the end of its retention period
- Electronic data is securely deleted or overwritten
- Paper records are confidentially shredded
- Backup copies are included in deletion
- Deletion is documented
Exceptions
Data may be retained longer if
- Required by law or regulation
- Subject to a legal hold
- Needed for ongoing legal proceedings
- Required by client contract
Records of Processing Activities
We maintain records of our processing activities as required by Article 30 of the UK GDPR.
Controller Records
For processing where we are the controller, we record
- Name and contact details
- Purposes of processing
- Categories of data subjects
- Categories of personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Security measures
Processor Records
For processing where we are a processor, we record
- Name and contact details of controller and processor
- Categories of processing
- International transfers and safeguards
- Security measures
Maintaining Records
- Records are maintained by the Data Protection Lead
- Updated when processing changes
- Reviewed at least annually
- Available for inspection by the ICO
Training and Awareness
We ensure all staff understand their data protection responsibilities.
Training Programme
| Training | Audience | Frequency |
| Data protection awareness | All employees | Induction |
| Data protection refresher | All employees | Annual |
| Data handling procedures | All employees | Induction + updates |
| Breach response | All employees | Annual |
| Advanced data protection | Data handlers | As required |
| DPIA training | Project leads | As required |
Training Content
Training covers
- Data protection principles
- Lawful bases for processing
- Data subject rights
- Security requirements
- Breach recognition and reporting
- This policy and procedures
- Role-specific responsibilities
Training Records
- Training completion is recorded
- Refresher training is scheduled
- Non-completion is escalated
- Training is a condition of employment
Awareness
We promote awareness through
- Regular communications
- Policy updates
- Lessons learned from incidents
- Data protection tips and reminders
Third-Party Processors
We ensure processors we engage provide appropriate data protection guarantees.
Due Diligence
Before engaging a processor, we assess
- Their data protection policies
- Security measures
- Track record and reputation
- Ability to support our compliance
- Location and international transfers
Data Processing Agreements
All processors must sign a data processing agreement covering
- Subject matter and duration
- Nature and purpose of processing
- Type of data and data subjects
- Controller’s obligations and rights
- Processor’s obligations including
- Processing only on documented instructions
- Confidentiality of personnel
- Security measures
- Sub-processor restrictions
- Assistance with data subject rights
- Assistance with security and breach notification
- Deletion or return of data on termination
- Audit rights
Ongoing Management
- We monitor processor compliance
- We review processors regularly
- We address non-compliance promptly
- We update agreements as needed
Monitoring and Audit
We monitor compliance and conduct regular audits.
Compliance Monitoring
- Regular review of processing activities
- Monitoring of access and security
- Review of breaches and near misses
- Tracking of data subject requests
- Review of training completion
Audits
| Audit | Frequency | Scope |
| Internal data protection audit | Annual | All processing activities |
| IT security audit | Annual | Technical controls |
| Processor audits | Risk-based | Third-party processors |
| Record keeping review | Annual | ROPA, retention, consent |
Audit Findings
- Findings are documented
- Corrective actions are assigned
- Progress is tracked
- Serious issues escalated to management
Reporting
The Data Protection Lead reports to senior management
- Quarterly Summary of data protection activity
- Annually Comprehensive compliance report
- As needed Significant incidents or risks
Consequences of Non-Compliance
Failure to comply with this policy may result in
Internal Consequences
- Disciplinary action up to and including dismissal
- Removal of access to systems and data
- Retraining requirements
External Consequences
- ICO investigation and enforcement
- Fines up to £17.5 million or 4% of global turnover
- Compensation claims from data subjects
- Reputational damage
Reporting Concerns
Report data protection concerns to
- Your line manager
- The Data Protection Lead
- The Confidential Whistleblowing Hotline
You will not be penalised for reporting genuine concerns.
Policy Review
This policy is reviewed annually and updated to reflect
- Changes in legislation or ICO guidance
- Changes in our processing activities
- Audit findings and lessons learned
- Best practice developments
Related Policies and Procedures
This policy should be read in conjunction with
- Privacy Policy
- Information Security Policy
- Acceptable Use Policy
- Clear Desk and Clear Screen Policy
- Data Retention Schedule
- Breach Response Procedure
- Subject Access Request Procedure
- DPIA Procedure
- Employee Privacy Notice
Approval
This Data Protection Policy has been approved by the Managing Director.
Date [Date]
Review Date [Date + 1 year]
Contact
Data Protection Lead Email dataprotection@allservices4u.co.uk Phone [Phone number]
To Report a Breach Email dataprotection@allservices4u.co.uk Phone [Phone number] (24-hour)
Information Commissioner’s Office Website www.ico.org.uk Phone 0303 123 1113
Quick Reference
The Seven Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Security
- Accountability
Your Responsibilities
- Only access data you need for your role
- Keep personal data secure
- Follow the clear desk policy
- Report breaches immediately
- Complete required training
- Handle data subject requests correctly
- Ask if you are unsure
Report Breaches Immediately
Data Protection Lead Email dataprotection@allservices4u.co.uk Phone [Phone number]
Do not delay — even if you are not sure it is a breach, report it.
All Services 4U is committed to protecting personal data. This policy sets out how we comply with data protection law and the responsibilities of everyone in our organisation.
- Our Commitment
- Legal Framework
- Data Protection Principles
- Roles and Responsibilities
- Lawful Basis for Processing
- Privacy Notices
- Data Subject Rights
- Data Security
- Data Breaches
- Data Protection Impact Assessments
- Data Sharing
- International Transfers
- Data Retention
- Records of Processing Activities
- Training and Awareness
- Third-Party Processors
- Monitoring and Audit
- Consequences of Non-Compliance
- Policy Review
- Related Policies and Procedures
- Approval
- Contact
- Quick Reference