Our privacy notice

During your residency, we will collect and process information about you and members of your household. We do this to:

• Be able to contact you and respond to you directly;
• Assess applications and set up your tenancy or leasehold and carry out any relevant necessary checks;
• Give effect to and manage your tenancy/leasehold, property, and the OHGL property it relates to (including carrying out maintenance and repairs, notifying utility companies and local authorities);
• Monitor compliance with the terms of your tenancy or service agreement, investigate and report issues (e.g. tenancy fraud, anti-social behaviour etc.);
• Share information with other agencies where we have your agreement, are required to do so, or where doing so gives effect to the tenancy/leasehold agreement;
• Investigate and resolve complaints and queries raised by residents and others;
• Comply with our safeguarding and health and safety duties;
• Deliver support for special needs to you or any member of your household;
• Provide information about additional services we offer, including opportunities to participate in meetings, training, employment services, youth services and events;
• Complete consultations, facilitate residents’ groups and community grant applications;
• Conduct transactional surveys in order to monitor and improve our service, for example, repairs and maintenance, complaints, lettings, anti-social behaviour issues and training;
• Monitor equality and diversity;
• Provide information about our performance and services through newsletters and email campaigns;
• Verify your identity so that we can give you access to your MyOneHousing account;
• Share information with our payment gateways to enable payments to be taken online via the MyOneHousing portal.

Unless we advise you otherwise, we will only collect and process personal information to carry out these functions. For more information on use of CCTV, please see the CCTV section below.

Legal basis for processing personal data

All processing of personal data must have a legal basis. The most common legal bases which apply to the processing described above are:

• Where we need to take measures to enter into and then perform a contract we have entered into with you (provision of services set out in a tenancy or leasehold agreement);
• Where we need to comply with legal obligations (e.g. housing regulations, health and safety, safeguarding, tenancy fraud investigation);
• Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. maintaining security of our property, customer satisfaction surveys and market research).

We may also use your personal data under the following legal bases:

• Where we have your consent (e.g. provision of additional benefits or services, information gathered through feedback or surveys);
• Where we need to protect your vital interests (or someone else’s vital interests);
• Where the processing is necessary in the public interest or for official purposes set out in legislation (e.g. monitoring of diversity and equality, where we work with local authorities etc.)

Processing of sensitive personal data

Some personal data is more sensitive than other data. Special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data need additional protections. This includes additional conditions set out in legislation for processing the data.

Where possible we will seek your explicit consent to process sensitive personal data. In cases where consent may not be appropriate the following conditions for processing may apply:

• Legal obligations relating to social security and social protection (especially where we act on behalf of local authorities);
• Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
• Safeguarding of individuals at risk (including children);
• Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);

Examples of where we may need to process your sensitive personal data are to:

• Process pre-tenancy checks, determine eligibility for special needs housing etc.;
• Offer aids and adaptions to your property, offer suitable alternative properties where needed;
• Manage risks (e.g. fire, health and safety);
• Safely carry out repairs and maintenance;
• Respond to enquiries and complaints;

To process personal data about criminal convictions or offences we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

Who might we share your personal information with?

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies and local authorities, third party suppliers, other individuals or partner organisations (e.g. where work with other parties to provide services, for investigating a complaint etc.).

Normally, only OHGL staff will be able to see and process your personal information. However, there will be occasions when we will need to share personal information with third parties for the purposes as outlined or where we are legally required to do so.

When sharing personal information, we will comply with all aspects of the GDPR. Special categories of personal data about health, sexual life, race, religion and criminal activity, for example, are subject to particularly stringent security and confidentiality measures.

We also share information:

• To allow us to tailor our services to you
• For detecting possible fraud (e.g. as part of the National Fraud Initiative)
• To deal with rent arrears (e.g. tracing and/or debt collection agencies)
• To deal with unpaid bills (e.g. utility or council tax bills - we may need to pass on your forwarding address)
• To help us communicate with you (e.g. we sometimes use external printers, translators etc.)
• To assist the Police in solving crime and investigating anti-social behaviour.

As part of the government’s reform of welfare benefits, new regulations have been introduced on information sharing. This means we can now share limited information about our residents and their properties with local authorities, for example, name, address and National Insurance Number. The new regulations will help us identify and support those who could be affected by welfare reform.

We will also disclose your personal details, if required to do so, by law or by any Government body.

OHGL contracts external companies to manage certain areas of our business to fulfil our obligations as a landlord. We share limited personal information of our residents with external contractors, such as name, address and telephone number.

Examples include:

• Repairs and maintenance contractors
• Out of hours call centre service
• Health and safety compliance checks (i.e. gas servicing, lifts, asbestos, legionella)

We will only share the minimum information necessary for the contractor to carry out their services on behalf of OHGL. We will also ensure that data sharing agreements are in place, where we are sharing personal data with data processors. If you have any concerns about a company operating on behalf of OHGL, or information that has been shared with an external company, please contact us using the details below.

When you register for the MyOneHousing using your Facebook or Google account, we will collect the name and email address associated with that account and process it for registration purposes. We will not share any personal information with Facebook or Google. However, they may process your information based on the affiliation to One Housing Group. Please see their privacy policies for further information on this.

OHGL will never sell personal information to a third party.

Security and retention

Personal information is stored on our computer systems and/or tenancy files. It is held securely, and we have security measures in place to protect it. We have processes in place to delete your personal information when it is no longer needed. Our main retention periods are as follows and are based on limitations of liability:

• Personal data relating sale/purchase of property and land – 12 years from end of relationship;
• Personal data relating to administering tenancies and provision of services relating to residents and occupants – 6 years from end of relationship;
• Personal data relating to safeguarding etc. – 8 years from end of relationship.

Use the contact details below to ask for more details about our retention periods for your personal data.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

We will collect relevant information from you in accordance with our contracts or information sharing agreements. This may include names and qualification information relating to your staff.

Purposes for processing personal data.

The purpose for collecting personal data is to enable you to provide services to our residents on behalf of OHGL.

Legal bases for processing personal data

The legal bases for our processing of personal data are:

• Where we need to comply with legal obligations (e.g. health and safety);
• Where it is necessary for our legitimate interest (or those of a third party) and the individual’s interests and fundamental rights do not override those interests (e.g. maintaining security of our property, performing and monitoring the contract).

Data sharing, security and retention

Information will be held centrally by our Procurement Team, on our computer system and by the relevant team/department, in line with our data retention periods (usually 6 years from end of the service for limitation of liability reasons). Personal data is held securely, and we have security measures in place to protect it.

We will share personal data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with data protection legislation and put in place contractual arrangements for this purpose.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

We collect and process personal data relating to OHGL’s workforce. This includes staff, contractors, temporary workers and volunteers.

Purposes for processing personal data

We collect and process personal data for the following purposes:

• Recruitment and appointment, including suitability for the role;
• Set up employment, volunteering or supply contract;
• Administration purposes (e.g. for onboarding into OHGL, to operate payroll, pensions, annual and sick leave, workforce management, administering TUPE, bidding for contracts etc.);
• Managing performance and training, including conducting performance reviews and determining performance and training requirements;
• Conducting disciplinary and grievance investigations;
• Offering any necessary support requirements in your role (e.g. disability, health and safety or wellbeing support), including contacting next of kin where necessary;
• Risk assessing for lone working, where relevant;
• Complying with legal or industry standards to ensure that your tax and National Insurance contributions are paid, that you are eligible to work in the UK, undertake DBS checks and suitability for the role (where appropriate for the role, e.g. CQC regulated roles), and to meet Health and Safety Requirements. Please note: providing this data will usually be a legal requirement;
• Conducting transactional surveys to monitor and improve our services (for example, following training courses);
• For promoting communication and engagement across OHGL (e.g. through the intranet)
• Monitoring diversity in our applicants and workforce, as recommended by the Equality and Human Rights Commission;
• Monitoring our premises for security and safeguarding reasons (e.g. access card data, CCTV, email/internet traffic etc).

Unless we advise you otherwise, we will only collect and process personal data relating to you to carry out these purposes.

We take care to protect personal data and that it is held securely. We have physical and IT security measures in place to protect it. Personal data is held centrally by our HR team on our computer systems. Individuals and line managers can access certain personal information through our internal systems (e.g. onboarding, payroll, leave, training data).

Legal bases for processing personal data

All processing of personal data must have a legal basis. The most common legal bases which apply to the processing described above are:

• Where we need to take measures to enter into and then perform a contract we have entered into with you;
• Where we need to comply with legal obligations (e.g. employment related, safeguarding, health and safety);
• Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. maintaining security of our property, internal communications engagement initiatives, workforce planning).

We may also use your personal data under the following legal bases, which are likely to be rare:

• Where we have your consent (e.g. provision of additional benefits);
• Where we need to protect your vital interests (or someone else’s vital interests);
• Where the processing is necessary in the public interest or for official purposes set out in legislation (e.g. monitoring of diversity and equality etc.)

Processing of sensitive personal data

Some personal data is more sensitive than other data. Special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data need additional protections. This includes additional conditions set out in legislation for processing the data:

• Explicit consent (where appropriate and does not conflict with legal obligation or contractual requirements);
• Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
• Obligations relating to employment (e.g. DBS checks);
• Safeguarding of individuals at risk;
• Determining eligibility for occupational pensions;
• Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);
• Promoting or maintaining diversity in racial or ethnic origins of senior leaders.

Data sharing, security and retention

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies, third party suppliers (if you are a contractor), other individuals or partner organisations (e.g. for investigating a complaint or grievance etc.).

We will share your data with third parties, including third-party service providers, for example, payroll and pension administration. Where we use recruitment agencies, we may share personal data with them, or they will collect it on our behalf.

We require third parties to respect the security of your data and to treat it in accordance with data protection legislation and put in place contractual arrangements for this purpose.

We have processes in place to delete your personal information when it is no longer needed. Our main retention period is as follows and is based on the general limitation of liability:

• 6 years (end of financial year) from end of relationship;

Use the contact details below to ask for more details about our more detailed retention periods for your personal data.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

When a referral is made on your behalf to OHGL for care or support, we will collect and process personal information about you.

We do this to:

• Process requests and administer care and support services, including billing and payment plans;
• Be able to contact you, respond to you directly and verify your identity;
• Identify your care and support needs and complete our assessments, in order to offer you the most effective service possible;
• Complete individual risk assessments and investigate any issues or incidents;
• Update our records of your care and support needs;
• Share information about your care and support with your family or next of kin;
• Share information with other agencies where we have your agreement, are required to do so, or where doing so gives effect to our agreement with you;
• Monitor our premises and maintain a safe environment for residents and staff;
• Provide information about additional services we offer;;
• Complete consultations, conduct transactional surveys in order to monitor and improve our service;
• Provide assistance to the police in the event of a Missing Person case;
• Monitor equality and diversity;
• Provide reporting to and carry out audits for local authorities and regulators.

Legal basis for processing

All processing of personal data must have a legal basis. The most common legal bases which apply to the processing described above are:

• Where we need to take measures to enter into and then perform a contract we have entered into with you (provision of services set out in our agreements with you);
• Where we need to comply with legal obligations (e.g. as set out by CQC, health care, health and safety and safeguarding legislation);
• Where the processing is necessary in the public interest or for official purposes set out in legislation (e.g. where we work in partnership with local authorities and the NHS);
• Where we have your consent (e.g. provision of additional benefits and services);
• Where we need to protect your vital interests (or someone else’s vital interests);
• Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. maintaining security and safety of our property, customer satisfaction surveys and market research).

Processing of sensitive personal data

Due to the nature of the services provided by our care and support services, much of the personal data being processed for the purposes set out above will be sensitive personal data.

Sensitive personal data, consisting of special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data, need additional protections. This includes additional conditions set out in legislation for processing the data.

Where possible we will seek your explicit consent to process sensitive personal data. In cases where consent may not be appropriate the following additional conditions may apply:

• Legal obligations relating to social security and social protection (especially where we act on behalf of local authorities or the NHS);
• Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
• Safeguarding of individuals at risk (including children);
• Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);

To process personal data about criminal convictions or offences we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

Who might we share your personal information with?

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies and local authorities, third party care and support providers, other individuals or partner organisations.

Normally, only OHGL staff will be able to see and process your personal information. However, there will be occasions when we will need to share personal information with third parties for the purposes outlined above or where we are legally required to do so. When sharing personal information, we will comply with all aspects of the GDPR.

Where authorisation is in place (e.g. Lasting Power of Attorney) we may share personal data with the authorised individuals acting on your behalf. In some exceptional circumstances we need to share care information with relatives/next of kin without authority.

We also share information:

• To allow us to tailor our services to you;
• Where we work in partnership with local authorities, the NHS, charities etc. to provide you with care and support services;
• For detecting possible fraud (e.g. as part of the National Fraud Initiative)
• To deal with arrears and unpaid bills and put payment plans in place;
• To help us communicate with you (e.g. we sometimes use external printers, translators, communications specialists etc.)
• To assist the Police in solving crime and investigating anti-social behaviour.

As part of the government’s reform of welfare benefits, new regulations have been introduced on information sharing. This means we can now share limited information about our residents and their properties with local authorities, for example, name, address and National Insurance Number. The new regulations will help us identify and support those who could be affected by welfare reform.

We will also disclose your personal details, if required to do so, by law or by any Government body.

We may also share limited personal information with external contractors for:

• Provision of care and support services;
• Repairs and maintenance;
• Health and safety compliance checks.

We will only share the minimum information necessary for the contractor to carry out their services on behalf of OHGL. We will also ensure that data sharing agreements are in place, where we are sharing personal data with data processors. If you have any concerns about a company operating on behalf of OHGL, or information that has been shared with an external company, please contact us using the details below.

OHGL will never sell personal information to a third party.

Security and retention

Information is held centrally by our Care and Support teams on our computer system and relevant contact information is held by individual teams in line with our retention periods. Personal data is held securely, and we have security measures in place to protect it. We also assess ourselves against the NHS Data Security and Protection Toolkit.

We have processes in place to delete your personal information when it is no longer needed. Our main retention periods are as follows and are based on limitations of liability or legal obligation:

• Personal data relating to administering and providing care and support services – 6 years from end of relationship;
• Personal data relating to general safeguarding and risk assessments etc. – 8 years from end of relationship;
• Investigations of incidents – 10 years, 20 years (if a serious incident) from end of relationship.

Use the contact details below to ask for more details about our retention periods for your personal data.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

Surveillance

Care and support services use surveillance as part of service delivery to provide safe care and treatment or to help people stay safe without restricting their activities or movement.

This can be used across a whole service or on an individual need basis and examples include, but are not exhaustive to, technology such as acoustic monitoring, bed sensors and call bell systems such as Tunstall or Nurse Call, and communal CCTV.

Any surveillance that is undertaken within a care and support service, outside the use of communal CCTV usage, is individually risk assessed with each customer and consent clearly recorded.

Usage of surveillance for the provision of care and treatment is managed in line with the Health and Social Care Act, Mental Capacity Act, and guidance on using surveillance published by the Care Quality Commission (CQC) as well as data protection legislation mentioned and guidance or codes of practice issues by the Information Commissioner’s Office.

CQC do not authorise the use of hidden cameras or other hidden recording equipment within private areas of a registered residential service or customers own home. Covert surveillance may only be used in rare circumstances and for a short period of time, for example, to identify a specific allegation.

Under Sections 62 –64 of the Health and Social Care Act 2008, CQC are permitted to have access to information that has been recorded using covert or overt surveillance (or to have access to surveillance systems) where CQC consider it necessary and proportionate to do so to exercise their functions as a regulator.

In some circumstances we collect and process personal data relating to members of the public. For capture of CCTV footage, please see the separate section below.

Purposes for processing personal data

We may collect and process personal information about you for the following purposes:

• To respond to requests for information regarding our services (e.g. when you submit information for reporting anti-social behaviours);
• To contact you regarding property you have registered an interest in;
• To comply with relevant legislation and regulation;
• To register you for our employment, training and youth services.

Personal information is stored on our computer systems. It is held securely, and we have security measures in place to protect it.

Legal bases for processing personal data

The legal bases for our processing of personal data are:

• Where we need to take measures to enter into and then perform a contract with you.
• Because we have your consent (i.e. agreement) to us processing your personal information. You can withdraw your consent at any time. This is explained further below in the section entitled ‘Your rights under GDPR’.
• Where it is necessary for the purposes of the legitimate interests pursued by OHGL or by a third party to process your information. We can do that as long as we do not interfere with your fundamental rights or freedom.
• Where processing is necessary to comply with the law or a statutory obligation.

Other reasons we can rely upon to process your personal information under GDPR are as follows:

• Where we are under a legal obligation or an obligation under a contract to process/disclose the information.
• Where we need to protect the vital interests (i.e. health and safety) of you or another person.

Processing of sensitive personal data

Some personal data is more sensitive than other data. Special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data need additional protections. This includes additional conditions set out in legislation for processing the data:

• Explicit consent (where appropriate and does not conflict with legal obligation or contractual requirements);
• Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
• Safeguarding of individuals at risk;
• Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);

Unless otherwise stated at the point we collect your personal data, providing sensitive personal data will usually be voluntary, e.g. to provide you with additional benefits/services, to monitor equality of opportunity or treatment. However, there may be legal requirements where we need to safeguard individuals at risk, e.g. when volunteering in our care schemes.

Data sharing, security and retention

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies, other individuals or partner organisations.

We may share your data with third parties. This will usually be with third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with data protection legislation and put in place contractual arrangements for this purpose.

We may also need to share your data with other parties in order to respond to a request or where we have a legal obligation or authorisation. Where possible you will usually be notified of this before we do so.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

We survey and monitor our property and buildings, including the areas directly surrounding our buildings, for the following purposes:

• For security purposes in the public interest (including national security);
• For the prevention and detection of crime;
• To prevent and investigate anti-social behaviour and nuisance;
• To assess property maintenance and assist with estate and property management;
• To provide safe and secure places of work for employees;
• For insurance purposes as required;
• For internal investigations carried out by One Housing in accordance with approved policy (e.g. in response to complaints or disciplinary cases).

We process personal data captured through CCTV footage in line with our CCTV and Surveillance Policy. Unless otherwise stated, we do not carry out live CCTV surveillance. We will take a reasonable and proportionate approach to downloading and viewing of CCTV footage which balances infringement of privacy, seriousness of incident, resource cost and meeting the stated purposes.

Legal bases for processing personal data

The processing is carried out under the following legal bases:

• Where we need to comply with legal obligations (e.g. provide safe spaces for residents and customers to live, protect the health and safety of our employees);
• Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. ensuring the security of our properties and assets, insurance purposes, carrying out internal investigations).

Data sharing, security and retention

OHGL will generally not disclose CCTV footage to third parties. However, OHGL will consider requests from the following where there is a legal basis for the disclosure and the footage is necessary for a legitimate purpose:

• The police or other law enforcement agency and not disclosing the CCTV footage would prejudice the investigation;
• Regulatory bodies;
• Insurance companies, for example when acting on behalf of One Housing or an individual affected by a crime for which One Housing holds relevant evidence. In such cases, OHGL will assess whether there is a legal basis for the disclosure and seek assurance that disclosing the CCTV footage is necessary. An administrative fee may be charged to cover costs.

Data captured by CCTV systems will be stored securely. Typically, the data will be retained for 30 days. Data identified as necessary for an investigation or one of the other purposes set out above will be downloaded to secure storage and retained for the retention period relevant to that purpose (e.g. 6 years under limitation of liability).