This policy sets out how Home Run collects, stores and uses information about you and complies with the law on data protection, specifically:
- The lawful basis for data processing
- What personal data we collect about you
- How we collect your data
- What we use personal data for
- How we store personal date and keep it safe
- How long we keep your personal data
- Your rights in relation to the data we hold
Data protection legislation means the Data Protection Act 1998 as long as it is in force and thereafter the General Data Protection Regulation (Regulation (EC) 2016/679 which comes into force in the UK on 25 May 2018) (GDPR) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then any successor legislation to the GDPR or the Data Protection Act 2018
Data subject (you) means the individual that is subject of any personal data, e.g. the client accessing Home Run
Data processor (Home Run/”we”/“us”) means the person or entity responsible for processing personal data on behalf of a controller
Data controller (Information and compliance manager): means the person who determines the purposes and means of processing personal data. The Information and Compliance Officer is Toby Cunningham. You can contact him at firstname.lastname@example.org.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Student account registration form means the electronic form we ask you to use to complete to create your student account on Studentpad, our property management system.
Complaints form means the paper or electronic form which is used to raise a complaint against a Home Run landlord.
Further definitions can be found here. https://gdpr-info.eu/art-4-gdpr/
Lawful basis for data processing
Our lawful basis for processing of personal information (Article 6 GDPR) is:
- Via consent on completion of a student account registration form. This is to allow you access to an online list of properties which have been accredited by Home Run.
- Via consent to provide you with information on our services and marketing from us, such as an invitation to complete our annual survey
- Our legitimate interest to action and keep a record of any complaints you wish to raise against a Home Run landlord
When you complete a student account registration form, you will be asked whether you wish to receive marketing emails. You can withdraw consent to marketing emails at any time by updating your preferences online via your student account. Log in to your student account and you will see a menu which includes ‘Account Settings’. Click this option and a form will load giving you the option to update your marketing preferences.
We will never share your data with a third party unless you have provided explicit written consent or we have a legal obligation to do so.
What data do we collect about you?
- Your first name, surname and email address
- Your title, first name, surname, email address, level of study, student type, graduation year and school of study
- Your first name, surname, student ID, telephone number, email address and description of the nature of your complaint
How we collect data about you
We collect data about you via:
- A telephone call or face to face meeting at our office
- Our student account registration form
- Our complaints form
What we use your data for
We use your data to:
- provide you with information on our services
- verify your affiliation with University of East Anglia (UEA) as access to the list is limited to affiliated individuals
- allow you access to an online list of properties which have been accredited by Home Run
- allow you access to an online message board where other students advertise spare rooms and look for housemates
- keep a written record of any complaints raised by you relating to a Home Run landlord
- keep a written record of any relevant actions, decisions or correspondence we may have had with a Home Run landlord which relates to your complaint
We may also use your data anonymously (where your individual details cannot be identified)
- for monitoring and statistical purposes
o help us can identify trends and patterns to enable us to plan enhancements to our service
We will not:
- use your data for marketing purposes, unless you have given consent
- request or use any genetic or biometric data about you
- carry out any automated data processing
- share your personal data without your express consent unless we are required to do so by law
How we store personal data and keep it safe
There are four places we store your personal data:
1. in a secure property management system (Studentpad)
2. in Microsoft Outlook when you email us
3. in a Microsoft Excel registration tracker (when you supply a non UEA email address during completion our student account registration form) and a complaints log
4. in OneDrive as this is where the registration tracker and complaints log are stored
Personal details are stored within Studentpad, our secure property management system. This system can only be accessed by trained Home Run staff and is password protected.
Studentpad is a highly trusted property management system used by many Universities and Students’ Unions and is fully compliant with the GDPR.
We record your name and email address on our Microsoft Excel registration tracker so that we can keep a record of when you were contacted to obtain confirmation of your affiliation with UEA. Your details will be removed from the tracker once your affiliation has been confirmed or within 14 days if we have not heard from you.
The re-registration tracker and complaints log are stored on OneDrive. OneDrive can only be accessed by trained Home Run staff and is password protected.
All staff are required to undertake Data Protection training.
Data security in the office
All staff are individually responsible for locking their PC when left unattended and locking any written notes or client documents in their desk drawers when they are away from the office.
Deletion of data
We retain electronic data on Studentpad for three years. This is on the basis that a student will sign up for a student account during their first year at University and most courses will last for a period of three years.
Studentpad have a procedure in place in the event of a data breach. The Head of Advice is responsible for ensuring the primary contact details held by Studentpad are up-to-date to ensure there is no delay in reporting a data breach. If a member of Home Run staff is informed of a data breach involving Studentpad then they are to alert Studentpad immediately. As well as informing Studentpad we are also required to inform the Information Commissioners Office (ICO) within 72 hours of becoming aware of the breach (where feasible) and the client/s affected.
Your rights in relation to the data we hold
The right of access
You have the right to an electronic copy of your data and to know whether or not your personal data is being processed, where and what for. Clients wishing to have a copy of their data can email email@example.com with their request. Once we have confirmed that you are a Home Run student account holder, we will provide, free of charge, an electronic copy of your data within one month of the request. We may ask you to confirm your identity before sending you the copy.
The right to rectification
If you think the data we hold for you is incorrect then you can make the necessary amendments online. You can view your details by logging in to your student account and clicking ‘Account Settings’.
Alternatively, contact us and discuss the updates required. We may require confirmation of your identity before making any changes.
The right to erasure
You have the right to erasure if the personal data is no longer necessary for the purpose which it was originally collected or processed, for example if you are no longer a registered student at UEA. An erasure request can be made verbally or in writing to firstname.lastname@example.org.
Your request will be actioned free of charge, within one month. We may require confirmation of your identity before making any changes.
The right to restrict processing
If you have requested for your personal data to be updated then you can also request that processing is restricted whilst we apply the requested updates.
The right to object to processing
You have right to object to the processing of your personal data in some circumstances. This right applies where an organisation is using your data for a task carried out in the public interest, for its legitimate interests, for scientific or historical research, or statistical purposes, or for direct marketing.
The right to data portability
You have the right to be provided with a copy of the personal data you have provided for the performance of a contract or via consent. The information must be provided in a way that is accessible and machine-readable. You also have the right to ask for your data to be transferred to another organisation, if technically feasible.
Updated: May 2019