
Data Protection

The Data Protection Act 2018 (as revised) and the General Data Protection Regulations (an EU-wide mandatory requirement) came into force in May 2018. The Soha Housing Data Protection Policy (SP06) sets out the organisation’s approach to the protection and retention of personal data.

This document should be read in conjunction with the Soha Data Protection Policy SP06.

Soha (as data controller) recognises that personal information gathered and held about staff, clients, contractors or others must be processed lawfully and correctly under the principles set by both the DPA 2018 and GDPR (Published May 2018) and those individuals have a right to access the information held.

Soha acknowledges and understands that the consequences of failing to comply with the requirements of both the DPA 2018 & GDPR may result in:

  • Personal accountability and liability
  • Organisational accountability and liability 
  • Criminal and Civil legal action
  • Enforcement powers and fines being issued by the Information Commissioner’s Office (ICO)
  • Loss of confidence in the integrity of the Soha systems and procedures
  • Significant reputational damage
  • Loss of trust from our employees, clients (tenants and leaseholders), regulators and other stakeholders


This document aims to provide reassurance that Soha (as data controller) will process personal data in accordance with the six data protection principles outlined in the GDPR namely that data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than necessary
  • Processed in a manner which ensures appropriate security of the personal data


Soha recognises that communities are made up of individuals with different needs and values and that those differences are important. We will actively promote equality of access for everyone and value their diversity. We will work to eliminate discrimination and in line with the law, we will treat everyone fairly. Soha will comply with all legal requirements in an open and transparent manner. Soha shall provide equal access to this service and will not discriminate on protected grounds, or in a way which may cause a person to be treated unjustly.

This document applies equally to all Soha employees, board members and others who may be involved in the collection, and processing, of personal information on behalf of the organisation and extends to all data whether held on paper or electronically.

During the course of business, Soha collects and uses personal data from:

  • Residents, former residents and housing applicants
  • Leaseholders and shared owners
  • Soha employees and applicants for employment
  • Soha Board Members
  • Complainants
  • Contractors and Suppliers
  • Others who may not fall into any of the above categories, but to whom Soha provides services or with whom Soha contracts


The collection of personal data only applies to individuals and not to limited companies or other corporate entities. 

For more information please contact our Data Protection Officer. You can do this by email or by calling us on 01235 515900 / 0800 014 15 45 (freephone).

Data protection documents:


The GDPR specifies the function and responsibilities of the Controller and Processor and specifies that an organisation in many cases will appoint a “Data Protection Officer” (DPO). This is a new role, and the tasks that the DPO is responsible for are specified in the Regulation.

The responsibilities of a controller and processor are clarified in Article 4 (section 7 & 8).

“‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member States law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”

The Data Controller has to register with the Information Commissioner’s Office (ICO) on an annual basis.

“‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”

The Data Protection Officer: Article 38 states that the DPO must be involved in a timely manner in all issues that relate to the protection of personal data. The processor and controller must support the DPO in performing tasks and ensure that they are independent; they may not be dismissed or penalised for performing the tasks.

The DPO must be contactable by data subjects with regard to all issues relating to the processing of their personal data. The DPO shall be bound by secrecy concerning the performance of these tasks.

The DPO may be given other tasks to perform provided that they do not result in a conflict of interest.

The duties of the DPO are to inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the Regulation. They are to monitor compliance with the Regulation and to provide advice where requested as regards the data protection impact assessment in accordance with Article 35.

They are also to cooperate with the supervisory authority and to act as a contact point for the supervisory authority.

The organisation has appointed the Soha Compliance Manager as Data Protection Officer.

Is any living individual who is the subject of personal information. Examples include:

  • A current, past or prospective individual (current or prospective employee, resident, leaseholder, licensee) about whom personal information is held and processed. Examples include:
  • Staff (including volunteers), agents, consultants, temporary and casual workers
  • Customers and Clients
  • Suppliers
  • Relatives, guardians and associates of the data subject
  • Board Members

This refers to the general description supplied as part of the notification provided to ICO. (Note: there is an ICO template of classes describing the type of classes)


Personal details: included in this category is any information that identifies the data subject and their personal characteristics, i.e. name, address, contact details, age, sex, date of birth, physical description and any identifier issued by a public body. In addition, the following also fall within this categorisation:

  • Statement of fact.
  • Any expression or opinion expressed about an individual.
  • Minutes of meetings, reports, income recovery orders.
  • Emails and file notes, handwritten notes, Post-it notes.
  • CCTV footage if the individual can be identified by the footage or they can be focused on by manipulation of the image.
  • Tenancy agreements.
  • Employment References (not all).
  • Anti-social behaviour reports / statements (not all).
  • Excel spreadsheets, databases and lists of people set up by code or tenancy reference number.
  • Income.
  • Bank or Building Society details.
  • Employment history.

This information may only be processed provided that:

  • The individual has given their consent to the processing.
  • It is necessary for the performance of a contract with the individual.
  • It is required under legal obligation.
  • It is necessary to protect the vital interests of the individual.
  • It is to carry out public functions.
  • It is necessary in order to pursue the legitimate interests of the data controller or certain third parties (unless prejudicial to the interests of the individual).
  • Consent has been applied due to the nature of the collection and processing.

Sensitive Personal Information (Data):

This is defined as any information relating to an individual’s:

  • Ethnicity
  • Gender
  • Religion or other beliefs
  • Political opinions
  • Membership of a trade union
  • Sexual orientation
  • Medical history
  • Offences committed or alleged to have been committed by the individual

This information may only be processed provided that:

  • The individual has given their explicit consent (i.e. in writing with signature).
  • The individual has already made the information public.
  • It is to protect vital interests of the individual or other individuals.
  • It is necessary for the purpose of, or in connection with, legal proceedings, or for obtaining legal opinion and/or for the administration of justice, an enactment, and function of the Crown.
  • It is for medical purposes and is undertaken by a certified health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that of a health professional.
  • It is necessary for the purposes of exercising or performing any right or obligation as a data controller in connection with employment.
  • Consent has been applied due to the nature of the collection and processing.  

Goods or Services: included in this category is any information relating to goods and services that have been provided. Examples are details of the goods and services supplied, licenses issued, agreements and contracts, payment details (BACS).


Refers to any person or organisation to whom personal data is disclosed in the course of processing data for the data controller. It includes any person such as:

  • An employee of the data controller
  • An agent of the data controller
  • A data processor for the data controller or
  • An agent or employee of the data processor

The Individual’s Rights under GDPR

Under the GDPR the rights of the individual are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

This encompasses the organisation’s obligation to provide fair and clear processing information, usually through a privacy notice, and to specify how the individual’s personal data is used. The information supplied about the processing must be:

  • Clear, written in plain English (or the language that the data subject will understand).
  • Free of charge.
  • Specifically we must provide or make explicit:

      • Contact details of the data controller and the data protection officer.
      • The purpose of and the legal basis for the processing.
      • The categories of personal data that are held or processed.
      • Who we send the data to.
      • Any transfers to a third country and how we safeguard the data (not applicable to Soha activities).
      • The retention period of the data. (see annex a.)
      • The right of the data subject to withdraw their consent at any time.
      • If the data subject believes that Soha are processing their data unfairly, they have the right to lodge a complaint with a ‘supervisory authority’ and who that is.
      • Where the data was obtained from and if it is a publicly accessible source.
      • Whether the personal data formed part of a statutory or contractual obligation.
      • Whether Soha uses automated decision making and how the decisions are made and the consequences of those decisions.


The data subject has the right to obtain confirmation that their data is being processed and what data is held by Soha.

Individuals have a right of access to personal information held by Soha if they are the ‘data subject’ of that information.

When a subject access request (SAR) is received, Soha must comply free of charge, ‘without delay’ and within one month, unless the request is complex or numerous, in which case we will have a further two months to comply, with notification sent to the data subject that this is the case. (Note: notification should be sent within the first month following the initial request.)

Where requests are “manifestly unfounded” or “excessive”, it is permissible to charge a “reasonable fee” or to refuse to respond; however, if Soha initiates either of these, we need to ensure that the actions taken are justified.

All subject access requests are to be forwarded upon receipt to the Soha Data Protection Officer who will log and action the request.

Data subjects are entitled to have their data rectified if it is found to be inaccurate or incomplete. If data has been disclosed or Soha has received data from a third party, it is incumbent upon Soha to inform them of the rectification. Soha must also tell the data subject about the third parties involved. Soha must comply within one month unless the request is complex in which case the period may be extended by up to two months.

Should Soha decide not to rectify the data, Soha shall explain why this decision has been made and inform the data subject of their right to complain to the supervisory authority.

The right to erasure is to enable a data subject to request the deletion of their personal data where there is no compelling reason for its continued processing.

Soha will comply with the right to erasure when:

  1. The data held is no longer necessary in relation to the purpose for which it was originally collected or processed. 
  2. The data subject has withdrawn consent.
  3. The data subject objects to the processing and there is no overriding legitimate interest for continuing to process the data.
  4. The personal data has to be erased in order to comply with a legal obligation.
  5. The data was unlawfully processed.
  6. The data relates to a child.


In some circumstances Soha has the right to refuse to erase the data held, where the refusal is justified:

  1. Soha are exercising the right of freedom of expression and information. 
  2. Soha are complying with a legal obligation.
  3. Data is held for public health interest.
  4. Data is archived for historical research or statistical purposes.
  5. Soha needs the data in the exercise of or to defend a legal claim.


If the subject data held has been passed to a third party, it is incumbent on Soha to inform the third party that the data has been erased. 

The Soha DPO must be informed and provided with details of the transferred data so that an appropriate record can be maintained.

The right to restrict processing means that a data subject does not want their data erased, or they have asked for it to be erased and Soha are verifying that this is the right course of action; however, there is a need to “restrict” further processing.

In the event of Soha having passed the data to a third party Soha must inform them that further processing must be restricted.

Should Soha at a later date conclude that restricting is not needed, the data subject must be informed of the decision to remove the restriction on further processing and why.

Soha will be required to restrict processing in the following circumstances:

  1. Where the accuracy of the information held by Soha has been contested by an individual or organisation further processing should be restricted whilst a thorough investigation is undertaken.
  2. Where a data subject has objected to the processing of their personal data but it is believed by Soha that it was necessary “in the public interest” or “for the performance of Soha’s legitimate interests” and that Soha are investigating its legitimate grounds to override those of the data subject.
  3. Where the data processing is unlawful and the data subject opposes erasure and wants restriction instead.
  4. Soha no longer needs the personal data but the data subject requires the data in order to pursue a legal claim.


This is a new right under the GDPR and it allows the data subject to request a copy of their data in a common format under certain circumstances:

  1. The data subject had provided the data to Soha.
  2. Processing was based on the data subject’s consent or for the performance of a contract.
  3. Processing is being carried out by automated means.


This specific aspect allows the data subject to take a copy of their data and pass it on to another organisation. Soha will need to ensure that it is able to meet the obligations of this aspect.

The data must be provided to the data subject “free of charge” and Soha must respond “without undue delay” and within one month. This time may be extended by up to two months, where the request is complex or a number of requests are received.

Data subjects have a right to object at the earliest opportunity, and this right must be included in the Soha privacy notice. This must be presented clearly, in easy to understand language and separate from other information. It cannot be buried in lengthy terms and conditions statements.

Data subjects have the right to object to processing that is based on:

  1. Legitimate interests or the performance of a task in the public interest.
  2. Direct marketing, including profiling.
  3. Processing for the purpose of scientific or historical research and statistics.


However, the objection must be based on grounds relating to the data subject’s particular situation.

Should an objection be received, Soha must stop processing immediately unless it can be demonstrated that there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defence of a legal claim.

The GDPR includes provisions to safeguard data subjects against the risk that a potentially damaging decision is taken without human intervention.

Soha will identify and record if any of its operations constitute a risk that a potentially damaging decision can be taken without human intervention to ensure that Soha is complying with the GDPR.

The rights under GDPR apply to individuals to ensure that they are not subject to a decision when it is based on automated processing and it produces a significant effect on the individual.

Soha must ensure that data subjects are able to:

  • Obtain human intervention.
  • Express their point of view.
  • Obtain an explanation of the decision and challenge it.


The above will not apply if:

  • Necessary for entering into or for the performance of a contract Soha has with the data subject.
  • Is authorised by law.
  • Is based on explicit consent.

Profiling is a form of automated processing that is intended to evaluate or to predict a data subject’s:

  • Performance at work
  • Economic situation
  • Health
  • Personal preferences
  • Reliability
  • Behaviour
  • Location
  • Movements


Soha must ensure when processing personal data for profiling that:

  • The processing is fair and transparent by providing clear and meaningful information about the logic and methodology used.
  • The data subject is aware of the consequences of the processing.
  • Soha have used appropriate mathematical or statistical procedures.
  • Soha have put in place sufficient measures to enable any inaccuracies to be identified and corrected.
  • Soha has secured the data in a way that is proportionate to the value and sensitivity of the data.


Automated decision making must not:

  • Concern a child
  • Be based on the processing of special categories of data unless:

      • Soha has the explicit consent of the data subject.
      • The processing is necessary to comply with the law.


A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.


Personal data breaches can include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen; 
  • alteration of personal data without permission; and
  • loss of availability of personal data.


A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

Soha only have to notify the relevant supervisory authority of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals. For example:

  • result in discrimination;
  • damage to reputation;
  • financial loss; or
  • loss of confidentiality or any other significant economic or social disadvantage.

In more serious cases, for example those involving victims and witnesses, a data breach may cause more significant detrimental effects on individuals.

Soha have to assess this on a case-by-case basis and need to be able to justify the decision to report a breach to the supervisory authority, the Information Commissioner.

Soha must include:

  • the nature of the personal data breach including, where possible:

      • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned;

  • the name and contact details of the data protection officer (if you have one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.


If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly without undue delay.

A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.

The duty to notify an individual about a breach does not apply if:

  • Soha has implemented appropriate technical and organisational measures which were applied to the personal data affected by the breach;
  • Soha has taken subsequent measures which will ensure that any high risk to the rights and freedoms of individuals is no longer likely to materialize; or
  • it would involve disproportionate effort.


Where a communication of a breach would involve disproportionate effort, Soha must make the information available to individuals in another, equally effective way, such as a public communication.

What information should Soha tell individuals who have been affected by the breach?

Soha must inform individuals about:

  • the nature of the personal data breach;
  • the name and contact details of the data protection officer (if relevant) or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures Soha have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures Soha have taken to mitigate any possible adverse effects.


Soha are required to report a notifiable breach to the relevant supervisory authority without undue delay and within 72 hours of when you became aware of it. Part 3 of the Act recognises that it will often be impossible for you to investigate a breach fully within that time-period and allows you to provide information in phases. If you cannot provide all the information required above within 72 hours, you must also explain reasons for the delay in your breach notification.

If the breach is sufficiently serious to warrant notification to the public, Soha must do so without undue delay.
