Data subjects rights policy

The UK General Data Protection Regulation (UK GDPR) provides living individuals (data subjects) with a set of data rights in relation to their personal data. These rights can be viewed on our Privacy Notice. This policy outlines how the Housing Ombudsman Service will uphold these rights and comply with the legal obligations set out under the UK GDPR, Data Protection Act 2018 and Data (Use and Access) Act 2025.

The purpose of this policy is to provide a framework to:

• respond to all data subject rights requests in an individual manner and according to the values of transparency and integrity
• ensure that all personal data is processed fairly and lawfully and in accordance with data subjects' rights
• ensure that everyone working for us or on our behalf to comply with this policy when dealing with data subject rights
• identify the approach that we will routinely take when responding to requests, including setting out in general terms any exemptions in the Data Protection Act 2018 we are likely to apply when responding to requests

This policy applies to:

• any individual whose personal data the Housing Ombudsman Service processes in line with the definition set out in the UK GDPR
• all persons within the Housing Ombudsman Service (meaning permanent, fixed term, and temporary workers, any third-party representatives or sub-contractors, agency workers, volunteers, apprentices, and agents engaged with the Company)
• all personal information processed by us and our processors

This policy does not apply to:

• requests for data made by third parties under the Freedom of Information Act
• ‘one-off’ disclosure requests where a legitimate lawful basis has been cited for the release of personal information. Our approach to such requests is explained in our Freedom of Information Policy

The Information Governance (Casework) Manager will monitor compliance with this policy and provide employees with appropriate training/guidance to comply with their responsibilities under this policy.

The Information Governance (Casework) Team is responsible for managing all responses to data subject rights requests and complaints within organisational and statutory deadlines.

All employees are responsible for:

• identifying data subject rights requests

• referring data subject rights requests immediately to the Information Governance (Casework) Team via the email inbox inforequests@housing-ombudsman.org.uk

• co-operating with and assisting the team to coordinate responses to requests

Data subjects can submit requests either verbally or in writing to any department or employee, including through our own managed social media platforms. Requests must be identified and sent immediately to the Information Governance (Casework)Team.

Data subjects are encouraged to submit written requests however employees must not refuse to take a request verbally under the rights of the data subject. Verbal requests must be recorded and sent to the Information Governance (Casework) Team using the Data Subject Rights Request Verbal Submission Form. This form is also a template in the case management system.

The Information Governance (Casework) Team may ask the requestor to clarify unclear requests. Clarification will be requested as soon as possible following receipt of the request.

The Housing Ombudsman Service must be satisfied that the individual making a request is the data subject or an authorised representative. The Information Governance (Casework) Team may contact the data subject to verify their identity prior to processing the request.

Requests will be assessed on an individual basis. The method of identity verification will be proportionate to the sensitivity of the information requested and the potential risk associated with unauthorised disclosure.

Any identity documentation will be requested via a secure transfer link. The relevant details from the documentation will be recorded using the ‘Requester Identity Authentication Record.’ Copies of identity documents will not be retained.

Records relating to data subject rights requests are accessible only to the Information Governance Team and will be retained for 3 years from the date of closure, in accordance with the organisation’s retention schedule.

Authorised third parties can raise a dispute with the Housing Ombudsman Service on behalf of an individual. This authorisation does not extend to data subject rights requests under data protection legislation.

To facilitate disclosure to a third party, the data subject will need to provide explicit and specific consent at the time of making their request. This can take the form of:

• completing the Housing Ombudsman Service data subject rights explicit consent form and disclosing it along with their request
• a short statement that disclosure is to be made to a third party. This should include details of that party along with the specific description of the information to which the consent relates

A general statement from the data subject advising that the representative is authorised to make a request for data will not be accepted as explicit consent.

Identification of the data subject will still need to be provided as per Section 6. We reserve the right to request further proof of identity or authority as necessary to verify the entitlement of the individual making the request.

Requests will be responded to by the Information Governance (Casework) Team without undue delay and within the one-calendar month timescale set by the UK GDPR.

Timescales will start immediately if identity verification is not required or once the data subject’s identity has been verified.

The timescale for responding will be paused if clarification is requested from the data subject to progress the request. The timeframe will be extended by the number of days the pause has been in effect.

Complex or multiple requests from the same data subject may be extended by a further 2 months. The Information Governance (Casework) Manager is responsible for approving extensions. The data subject will be informed without undue delay and within the initial deadline provided.

9.1 The Right to be Informed

A key transparency requirement of the UK GDPR is the right of individuals to be informed about the collection and use of their personal data. We explain the use of personal data and provide supplementary information about the processing of personal data in our general privacy notice available on our website: How we look after your data - Housing Ombudsman (housing-ombudsman.org.uk).

Please refer to our Data Protection & Data Privacy by Design Policy for more information on the data subject’s rights to be informed.

9.2 The Right of Access

Data subjects may request confirmation that their data is being processed as well as a copy of any of their personal data held by us. This right extends to copies of information rather than documentation.

9.2.1 Searching for Personal Data

The Information Governance (Casework) Team will conduct reasonable and proportionate searches based on the details provided in the request.

Data subjects may be asked to refine their request on an individual basis to identify only the necessary information for disclosure. This will not affect the statutory timescale.

If a request is broad or not narrowed down only basic searches using the data subject’s name and/or address/email will be conducted within the primary case management system. Our internal network will be searched for requests from employees. Disclosure will be limited to records identified through these searches.

The Information Governance (Casework) Team will use Microsoft Purview eDiscovery to access information held within the internal network. Access to eDiscovery within the team is restricted to the Information Governance (Casework) Manager and Information Governance Senior Casework Officer.

9.2.2 Third Party Information

The Information Governance (Casework) Team will review all located records and remove third party information subject to legal exemptions. Records containing intermixed personal information will be considered for disclosure by balancing the data subject’s rights against the rights of the third parties concerned.

Third party information will be removed from records using a secure application.

9.2.3 Disclosure

The default disclosure mechanism for all responses will be via secure electronic means. Hard copy disclosures must be requested at the point of submission. Requests for alternative media after a disclosure has been emailed will be deemed as a request for further disclosure.

Any additional copies requested could incur a reasonable fee. The data subject will be advised of the relevant fee prior to the further disclosure being provided. Full payment must be received before a further copy is given. Any relevant fee applicable will be reasonable and relate to the administrative costs of producing and providing the information only.

The IT Acceptable Use Policy prohibits the use of removable media to transfer information. Requests for disclosure via removable media will only be considered for reasonable adjustment purposes. These requests must be approved by the Operational Senior Information Risk Owner (Head of Data, Digital and Technology).

9.3 The Right to Rectification

Data subjects have the right to request the correction of inaccurate personal data and the completion of incomplete data.

The Information Governance Officer will assess the accuracy of the disputed data and consider any evidence provided by the data subject upon receipt of request. Employees must assist with this assessment where requested.

A restriction on processing may be applied whilst the accuracy of the information in question is being considered.

We will take reasonable and proportionate steps to correct the data where inaccuracies are confirmed. Third parties in receipt of the inaccurate data will be informed of the correction unless this is not possible or would require disproportionate effort.

Disputed opinions will not be rectified where it is evidenced that this information is an opinion and not fact. Employees should attempt to make clear where the record constitutes an opinion and whose opinion it is. Rectification requests may be responded to by adding a supplementary statement to the record.

9.4 The Right to Erasure, Restriction or Objection of the Processing of Personal Data

Data subjects may request the deletion of their personal data if there is no lawful basis to keep it. They may also object to processing or request restrictions on further use of their data.

These rights are not absolute. Requests will be considered individually and may be refused if there are compelling legitimate grounds which override the interests, rights, and freedoms of the data subject; or if the information is required for the establishment, exercise, or defence of legal claims.

Overriding compelling legitimate grounds must be identified and confirmed by the Information Asset Owner responsible for the information. Advice and assistance will be provided by the assigned Information Governance Casework Officer.

Objections to direct marketing will always be accepted. We will stop processing for that purpose immediately.

 9.5 Other Rights

Data subjects also have the right to data portability as well as rights related to automated decision-making including profiling. It is recognised that these rights would apply to only a limited number of our processing activities. Requests exercising these rights will be considered on an individual basis having due regard to any advice issued by the Information Commissioner when responding.

The Housing Ombudsman Service has the right to refuse requests under data protection law. The data subject will be informed of the reasons their request is being refused as far as the explanation will not prejudice the purpose of the exemption.

The data subject will be given details on their right to submit a complaint to us or appeal to the Information Commissioner in our response.

10.1 Manifestly Unfounded and Excessive Requests

We may refuse to respond to requests which we consider are manifestly unfounded or excessive. We may also consider charging a fee to process the request under these circumstances.

Excessive requests can refer to those which would involve a disproportionate effort to respond to. Unfounded requests are those which are clearly without basis or where the request is not made out.

10.2 Exemptions

Data protection law provides certain exemptions under which we are not required to comply with a request. We can refuse to comply with a request wholly or in part if an exemption applies.

We will follow regulatory guidance when assessing and applying exemptions on an individual basis.

The Information Governance (casework) Team may need to consult with colleagues in other departments. Employees must cooperate fully and provide requested records to support the assessment of any applicable exemptions.

We may also contact a third party who has disclosed information to us to inform our decision on whether an exemption can be applied.

The final decision on disclosure and exemptions rest with the assigned Information Governance (casework) Officer. All exemptions will be applied in accordance with data protection legislation.

Children have the same rights over their personal data as adults. The Housing Ombudsman Service considers that children aged 12 and over can make data subject requests.

Children not deemed competent may require a parent or guardian with parental responsibility to act on their behalf. Proof of parental responsibility and valid ID must be provided in such cases. No disclosure will be made until these documents are received and verified.

The Data (Use and Access) Act 2025 provides data subjects with the right to complain about the response or handling of their request.

Data protection complaints will be processed by the Information Governance (Casework) Team and will be responded to within one calendar month of receiving the complaint.

Complaints will be reviewed and responded to by a senior member of the Information Governance (Casework) Team who was not involved in the original response.

Complaints relating to a response provided by the Information Governance Casework Manager will be passed for review to the Head of Data, Digital and Technology.