BOARD OR COMMITTEE APPLICANT PRIVACY STATEMENT Islington & Shoreditch Housing Association Limited
Your personal data – what is it?
Personal data means any information which relates to you or identifies you as an individual.
What type of personal information do we collect?
Islington and Shoreditch Housing Association Limited (ISHA) collects a range of information about you. This includes:
• Your name, address and contact details, including e-mail address and telephone number
• Details of your qualifications, skills, experience and employment history
• Whether or not you have a disability for which ISHA needs to make reasonable adjustments during the recruitment process
• Whether you are related to any ISHA employees or board members
We may collect this information in a variety of ways, such as from CVs, through interviews or through other forms of assessment.
We may also collect personal information about you from third parties, including references. We will only do this once an offer has been made to you, and we will inform you that we are doing so.
Your data will be on your application file and on other IT systems (including e-mail).
Who are we?
ISHA is the data controller (contact details below). This means it decides how your personal data is used and for what purposes.
How do we use your personal data?
As part of any board or committee recruitment process, ISHA collects and processes personal data relating to applicants. We are committed to doing so transparently and fairly and to treating your information with the utmost care and confidentiality to meet our data protection obligations.
ISHA complies with its obligations under Data Protection legislation by keeping personal information up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal information from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal information.
What is the legal basis for processing your personal data?
• Holding your personal data enables us to fulfil our governance responsibilities as a registered society under the Co-operative and Community Benefit Societies Act 2014 and company law. We will also process your personal information in other circumstances, provided you have given your consent for us to do so. We use your personal data to take steps at your request before entering into an agreement with you. We may also need to process your data to enter into an agreement with you.
• We have a legitimate interest in processing personal data during the recruitment process and keeping records of the process. Processing data from board and committee applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for board and committee membership and decide who to appoint. We may also need to process data from applicants to respond to and defend against legal claims.
• We may process special categories of data such as information about ethnic origin, sexual orientation, religion or belief or disability to monitor recruitment statistics. We also process such information to carry out our obligations and exercise specific rights in relation to equalities legislation.
• If your application is unsuccessful, we may keep your personal data on file in case there are future board opportunities for which you may be suited. We will ask for your consent before we keep your data for this purpose and you are free to withdraw your consent at any time.
Sharing your personal data
Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the Senior Management team, board member interviewers involved in the recruitment process, the Company Secretary and IT staff, if access to the data is necessary for the performance of their role. We will not share your information with a third party unless your application for board or committee membership is successful and we make you an offer. We may then share your data with former employers and referees to obtain references for you. We may undertake the transfer of your personal data to countries outside of the United Kingdom, for example when a processor holds their data in the EU. When doing this, we ensure we comply with the UK GDPR's rules around international transfers.
How do we keep your information safe?
We understand the importance of security of your personal information and take appropriate steps to safeguard it. We have internal policies and controls in place to make sure that your data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by our employees in the proper performance of their duties. All those who have access to your data are trained in how to use your information in a secure and sensitive way. All paper copies of recruitment packs are kept in locked cabinets when not in use. Information on e-mails sent externally is encrypted or password protected and information in databases is password protected. We regularly review our IT provision to check that it is secure and fit for purpose.
How long do we keep your personal data?
If your application for board or committee membership is unsuccessful, we will hold your data on file for one year after the end of the relevant recruitment process. At the end of that period your data is deleted or destroyed.
If your application for board or committee membership is successful, personal data gathered during the recruitment process will be transferred to your personal folder and retained during your tenure. The periods for which your data will be held will be provided to you in a new privacy notice which is on our website and also stored on the Board Portal.
Your rights and your personal data
Unless subject to an exemption under data protection legislation, you have the following rights with respect to your personal data:
• The right to request a copy of your personal data which ISHA holds about you;
• The right to request that ISHA corrects any personal data if it is found to be incorrect or incomplete;
• The right to require ISHA to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
• The right to object to the processing of your data where we are relying on our legitimate interests as the legal ground for processing;
• Where we rely on your consent as your legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted or restrict/object to some elements of the processing. As we explain above, we will not rely on consent in many cases.
• The right to lodge a complaint with the Information Commissioner's Office.
Erasure (Your Right to be Forgotten)
You have the right to ask us to delete personal information we hold about you. You can do this where:
• the information is no longer necessary in relation to the purpose for which we originally collected/processed it
• you withdraw consent
• you object to the processing and there is no overriding legitimate interest for us continuing the processing
• we unlawfully processed the information
• the personal information has to be erased in order to comply with a legal obligation
We can refuse to erase your personal information where the personal information is processed for the following reasons:
• where we have an overriding legitimate interest for continuing with the processing
• to exercise the right of freedom of expression and information
• to enable functions designed to protect the public to be achieved, e.g. government or regulatory functions
• to comply with a legal obligation or for the performance of a public interest task or exercise of official authority
• for public health purposes in the public interest
• archiving purposes in the public interest, scientific research, historical research or statistical purposes
• the exercise or defence of legal claims
Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Statement, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to ISHA during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.
Automated decision making
Recruitment processes are not based solely on automated decision-making.
If you are not happy with the way your information is being handled, or with the response received from us, you can contact the Information Commissioner's Office on 0303 123 1113 or via their website: https://ico.org.uk/make-a-complaint/.
Version 2, approved by ISHA’s Data Protection Group, February 2024