Providence Row Housing Association

Privacy Notice

This Privacy Notice was updated in November 2023 and supersedes all previously issued Privacy Notices for our tenants and service users.

Click this link to download a copy of our Privacy Notice PRHA Privacy Notice (November 2023)

If you require access to this Privacy Notice in a different language or in a different format, please contact our Performance & Privacy Advisor via the contact details given in the section below and we will seek to accommodate this.

 

How we use your personal information

Identity and contact details of Controller

Providence Row Housing Association (“PRHA”) is a Controller of personal information for the purposes of the UK General Data Protection Regulation (‘UK GDPR’).

Our contact details for data protection purposes are as follows:

Peter Allison: Performance & Privacy Advisor, PRHA, 15a Kelsey Street, London, E2 6HD. 0207 920 7300 – pallison@prha.net

The individual responsible for data protection compliance at PRHA is Fiona Humphrey, CEO. They are contactable using the above contact details.

PRHA is registered as a Data Controller with the Information Commissioners Office (ICO).  Our registration number is: Z8892903

 

Purpose of this Privacy Notice

This Privacy Notice tells you what to expect when PRHA processes personal information. It applies to information about applicants, tenants, residents and other service users. It tells you the purposes for which we may process your personal information and the legal basis for the processing (‘processing’ includes us just keeping your personal information).

PRHA is a Registered Social Landlord and also a provider of supported services. Our relationship with you may be as a tenant, a service user, or both.   The type and amount of information that PRHA processes in relation to you will vary depending on that relationship.

Why do we collect and store personal information?

PRHA needs to collect, process and store personal information about you and other household members (when you provide information about household members we assume that you do so with their full knowledge and consent) in order to operate as a registered provider of housing and as a provider of support.  We collect, process and store personal information in order to deliver efficient and effective services, to monitor and meet contractual obligations for our commissioned services, and in compliance with the legal and regulatory obligations that PRHA is subject to.

 

Where do we get your personal information from?

It depends on your relationship with us, but we will get much of the personal information that we process directly from you.  For those in our supported services we may receive information from the local authority that has referred you to our services, and also from other support agencies and organisations that are involved in your support and with whom we work together to provide you with appropriate support.

 

Legal basis for processing

We often have two main legal bases for processing personal data. Firstly, where it is necessary for the purposes of the legitimate interests pursued by PRHA or by a third party to process your information. We can do that so long as we do not interfere with your fundamental rights or freedoms (UK GDPR, Article 6(1) (f) legitimate interests).

Secondly, because we have your consent (i.e. agreement) to us processing your personal information. Our residents are asked to sign a data protection consent form when they apply to us for housing or later if they did not sign one when they were granted their first tenancy. The consent form sets out the organisations and type of organisations we often have to share personal information about residents with. Under the UK GDPR, consent is a legal basis for processing personal information (UK GPDR, Article 6(1) (a) consent).

Where we are processing your personal data on the basis of consent, you can withdraw your consent for that processing at any time. This is explained further below in the section entitled ‘Your rights under UK GDPR’.

The other reasons we can rely upon to process your personal information under UK GDPR is as follows:

  • Where we are under a legal obligation or an obligation under a contract to process/disclose the information (UK GDPR, Article 6(1) (c) legal obligation).
  • Where we need to protect the vital interests (i.e. the health and safety) of you or another person (UK GDPR, Article 6(1) (d) vital interests).

Some personal information is treated as more sensitive (for example information about health, sexuality, and ethnic background).  This is known as “special category personal data”, and is defined within UK GDPR as covering personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health or data concerning a person’s sex life or sexual.  The legal basis for processing these special categories of personal information is more limited. To lawfully process special categories of personal data, we must identify a lawful basis for the processing and meet a separate condition for the processing.

The basis we can use for the processing of special category data are:

  • With your consent (UK GDPR Article 9(2) (a) explicit consent);
  • Where we need to protect the vital interests (i.e. the health and safety) of you or another person (UK GDPR Article 9(2) (c) vital interests;
  • Where you have already made your personal information public (UK GDPR Article 9(2) (e) made public by the data subject);
  • Where we or another person needs to bring or defend legal claims (UK GDPR Article 9(2) (f) legal claims and judicial acts); and/or
  • Substantial public interest grounds (UK GDPR Article 9(2) (g) substantial public interest). To process special category personal data on the basis of substantial public interest we also need to meet one of the “conditions of processing” outlined in Schedule 1 of the Data Protection Act (DPA) 2018.  The conditions we may rely on include: equality of opportunity or treatment; safeguarding of children and of individuals at risk; safeguarding of economic well-being of certain individuals; preventing or detecting unlawful acts; regulatory requirements relating to unlawful acts and dishonesty etc.
  • For the purposes of archiving, research and statistics (UK GDPR Article 9(2) (j) archiving and research). Where we process special category personal data on this basis it will additionally meet the relevant condition under Schedule 1 of the DPA 2018 (Schedule 1 (Part 1) (4) research).

To process personal data about criminal convictions or offences, we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

 

Information we may hold about you and how we use it

The information we hold on our records concerns our relationship with you.  For example:

  • We hold names & dates of birth, photographic ID and information about your previous housing circumstances to assess housing applications and help prevent tenancy fraud.
  • We hold contact details for you so we can communicate with you by your preferred means, and keep you informed about services we offer which may be useful to you.
  • We record information about your needs (for example if you have a support worker or social worker; if you need adaptations in your home; if you need large print or translated text) to ensure that we take account of any support needs in our dealings with you, and to improve our communications with you.
  • If you live in our supported housing we will record and store information about your support needs, agencies who also provide support to you; any medication you may be taking and any contacts you may have had with the criminal justice system.
  • We record information to enable us to provide housing management services. For example we record reports of anti-social behaviour; complaints; change in circumstances (for example when your employment status changes etc.) and information about housing options (e.g. if you have a medical need which means you need to move).
  • We keep financial records about the amount of money you have paid us; any amount(s) outstanding and action taken to recover money you owe.
  • We may hold information about you if you are engaged with any additional guidance and support services. For example in connection with access to training and employment we may hold information about your job history and skills and experience, or if we support you to improve your financial circumstances, we may hold information about your household income and expenditure.
  • We may capture your image on our CCTV systems if you visit a property, office or community facility. Any CCTV recordings will be held in accordance with our corporate retention policy before being erased.
  • We may hold group/individual photographs for PR purposes only.  Where we use such photographs in our publications or online we will ask for your consent.
  • We record the findings of surveys and other research to help us improve our service to customers. The information you provide will be used within anonymous and aggregated datasets unless you agree that we can use your details.

This list is not exhaustive, as we hold records of most contacts we have with you, or about you, and we process this information so we can deliver services to you. Generally the information we hold will have been provided by you (on application or enquiry forms or when we communicate with you), but we may also hold information provided by third parties where this is relevant to your housing circumstances or to the provision of support e.g. from social workers and health professionals (such as doctors and occupational therapists).

We will only ask for personal information that is appropriate to enable us to deliver our services. In some cases you can refuse to provide your details if you deem a request to be inappropriate. However, you should note that this may impact our ability to provide some services to you if you refuse to provide information that stops us from doing so.

 

How we manage your personal information

We process your personal information in accordance with the principles of UK GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

  • Processed for limited purposes;
  • Kept up-to-date, accurate, relevant and not excessive;
  • Not kept for longer than is necessary;
  • Kept secure.

Access to personal information is restricted to authorised individuals on a strictly need to know basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.

To help us to ensure confidentiality of your personal information we may ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so.

Periods for which we will store your personal information

We will only hold your records during the period of our relationship with you and for a set period afterwards to allow us to meet our legal obligations including resolving any follow up issues between us.

Sharing your personal information

Normally, only PRHA staff will be able to see and process your personal information. However, there may be times when we will share relevant information with third parties for the purposes as outlined, or where we are legally required to do so. When sharing personal information, we will comply with all aspects of the UK GDPR. Special categories of personal data about health, sexual life, race, religion and criminal activity for example is subject to particularly stringent security and confidentiality measures.

Where necessary or required, we may share information as follows:

  • to comply with the law (e.g. the police and other law enforcement agencies, Inland Revenue, Council Tax Registration Officer, Electoral Registration Officers, Social Security Fraud Act) or a court order
  • where there is a clear health or safety risk to an individual or members of the public, evidence of fraud against PRHA, other irregular behaviour or a matter PRHA is investigating
  • in connection with court proceedings or statutory action to enforce compliance with tenancy conditions (e.g. applications for possession or for payment of Housing Benefit direct)
  • where PRHA has entered into a formal protocol with the police, a local authority department, or other statutory agencies/agencies carrying out contracts on behalf of statutory agencies
  • to comply with lawful requests from local authority departments and other statutory bodies in areas of health and social care (e.g. in support of statutory processes for the safeguarding of vulnerable adults and children)
  • to facilitate joint working with other support providers and agencies in accordance with our legitimate interests in providing effective support to our service users, and to meet the requirements of local authority commissioners
  • in providing the name, address and contact number of a resident to contractors or other agents providing services on PRHA’s behalf
  • in providing the name of a resident and the date of occupancy to gas, electricity and water companies
  • in providing information anonymously for bona fide statistical or research purposes, provided it is not possible to identify the individuals to whom the information relates
  • in giving the name, address and stated local connection of applicants for housing to councils for housing which gives priority to people with a local connection
  • in providing information required by the Regulator for Social Housing (RSH) when monitoring PRHA’s activities in its capacity as the regulator of housing associations.
  • to protect the vital interests of an individual (in a life or death situation)

 

Your rights under the UK GDPR

You have a number of rights under the UK GDPR:

Access to personal information

Under the UK GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information.  This is known as a ‘subject access request’ (SAR).  SARs need to be made in writing and we ask that your written request is accompanied by proof of your identify.  We have one calendar month within which to provide you with the information you’ve asked for (although we will try to provide this to you as promptly as possible). Different rules and timescales apply where your requested is unfounded or manifestly unreasonable.

Following your SAR, we will provide you with a copy of the information we hold that relates to you.  This will not generally include information that relates to your property such as repair logs or details of contractor visits, as this is not considered personal information.

Rectification

If you need us to correct any mistakes contained in the information we hold about you, you can let us know by contacting your Housing Officer/Support worker/Project Manager.

Erasure (‘right to be forgotten’)

You have the right to ask us to delete personal information we hold about you.  You can do this where:

  • the information is no longer necessary in relation to the purpose for which we originally collected/processed it
  • where you withdraw consent (for personal data that we are processing solely on the basis of consent)
  • where you object to the processing and there is no overriding legitimate interest for us continuing the processing
  • where we unlawfully processed the information
  • the personal information has to be erased in order to comply with a legal obligation

We can refuse to erase your personal information where the personal information is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority which includes our requirement to hold information about you for the purposes of granting you a tenancy or license agreement or where we hold a contract to provide social care services to you.
  • for public health purposes in the public interest;
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes;
  • for the exercise or defence of legal claims;

 Restriction on processing

You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:

  • You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
  • You challenge whether we have a legitimate interest in using the information
  • If the processing is  a breach of the UK GDPR or otherwise unlawful
  • If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.

We must inform you when we decide to remove the restriction giving the reasons why.

Objection to processing

You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which override your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.

 Withdrawal of consent

You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse if we can rely on another reason to process the information such as our legitimate interests.

 Right to data portability

The right to data portability allows us to obtain and reuse your personal data across different services. It allows us to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. The right only applies to personal data you have provided to us where the reason we are relying on to use the information is either your consent or for the performance of a contract. It also only applies when processing is carried out by us using automated means.

 Changes to this Privacy Notice

We keep our privacy notice under regular review and will place any updates on our website; you will be notified of any major changes to this policy.

Further information

For further information on how to request your personal information and how and why we process your information, you can contact us using the details below.

Peter Allison: Performance & Privacy Advisor: PRHA, 15a Kelsey Street, London, E2 6HD. 0207 920 7300 – pallison@prha.net 

The Information Commissioner (ICO) is also a source of further information about your data protection rights. The ICO is an independent official body, and one of their primary functions is to administer the provisions of the UK GDPR.

You have the right to complain to the ICO if you think we have breached the UK GDPR. You can contact the ICO at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (Helpline: 0303 123 1113) / http://www.ico.org.uk/