Privacy notice


This page explains how One Housing Group Limited collects, uses, stores and shares your personal information.

Privacy Notice

Data Protection at One Housing Group Limited

Identity and contact details of Controller

One Housing Group Limited (OHGL) is a housing association and a controller of personal information for the purposes of the General Data Protection Regulation (‘GDPR’) and Data Protection Act 2018.

Our contact details for data protection purposes are:

Data Protection Officer
Governance & Compliance Directorate
One Housing Group Limited (OHGL)
Atelier House, 64 Pratt Street, London NW1 0DL.

Email: dpo@onehousing.co.uk.

Telephone: 020 8821 5100.

OHGL is registered with the Information Commissioners Office as a Data Controller. Our registration number is Z687766X.

Under the UK General Data Protection Regulations and the Data Protection Act 2018, OHGL has a legal duty to protect any information we collect from you or have about you from other sources. The legislation lays out the Data Protection Principles as well as a range of obligations on OHGL as the Data Controller.

The legislation also sets out the rights of data subjects whose personal data is processed by OHGL. One of those rights is the right to be informed about how OHGL processes your personal data. This is set out in the privacy information contained in this privacy notice.

How we use and store your personal information

This privacy notice tells you what to expect when OHGL collects and stores personal and sensitive information.

It tells you the purposes for which we will process your personal information and the legal basis for the processing (‘processing’ includes us keeping your personal information). It applies to information we collect about:

Residents, leaseholders, or occupants of our homes

During your residency, we will collect and process information about you and members of your household. We do this to:

  • Be able to contact you and respond to you directly;
  • Assess applications and set up your tenancy or leasehold and carry out any relevant necessary checks;
  • Give effect to and manage your tenancy/leasehold, property, and the OHGL property it relates to (including carrying out maintenance and repairs, notifying utility companies and local authorities);
  • Monitor compliance with the terms of your tenancy or service agreement, investigate and report issues (e.g. tenancy fraud, anti-social behaviour etc.);
  • Share information with other agencies where we have your agreement, are required to do so, or where doing so gives effect to the tenancy/leasehold agreement;
  • Investigate and resolve complaints and queries raised by residents and others;
  • Comply with our safeguarding and health and safety duties;
  • Deliver support for special needs to you or any member of your household;
  • Provide information about additional services we offer, including opportunities to participate in meetings, training, employment services, youth services and events;
  • Complete consultations, facilitate residents’ groups and community grant applications;
  • Conduct transactional surveys in order to monitor and improve our service, for example, repairs and maintenance, complaints, lettings, anti-social behaviour issues and training;
  • Monitor equality and diversity;
  • Provide information about our performance and services through newsletters and email campaigns;
  • Verify your identity so that we can give you access to your MyOneHousing account;
  • Share information with our payment gateways to enable payments to be taken online via the MyOneHousing portal.

Unless we advise you otherwise, we will only collect and process personal information to carry out these functions. For more information on use of CCTV, please see the CCTV section below.

Legal basis for processing personal data

All processing of personal data must have a legal basis. The most common legal bases which apply to the processing described above are:

  • Where we need to take measures to enter into and then perform a contract we have entered into with you (provision of services set out in a tenancy or leasehold agreement);
  • Where we need to comply with legal obligations (e.g. housing regulations, health and safety, safeguarding, tenancy fraud investigation);
  • Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. maintaining security of our property, customer satisfaction surveys and market research).

We may also use your personal data under the following legal bases:

  • Where we have your consent (e.g. provision of additional benefits or services, information gathered through feedback or surveys);
  • Where we need to protect your vital interests (or someone else’s vital interests);
  • Where the processing is necessary in the public interest or for official purposes set out in legislation (e.g. monitoring of diversity and equality, where we work with local authorities etc.)

Processing of sensitive personal data

Some personal data is more sensitive than other data. Special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data need additional protections. This includes additional conditions set out in legislation for processing the data.

Where possible we will seek your explicit consent to process sensitive personal data. In cases where consent may not be appropriate the following conditions for processing may apply:

  • Legal obligations relating to social security and social protection (especially where we act on behalf of local authorities);
  • Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
  • Safeguarding of individuals at risk (including children);
  • Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);

Examples of where we may need to process your sensitive personal data are to:

  • Process pre-tenancy checks, determine eligibility for special needs housing etc.;
  • Offer aids and adaptions to your property, offer suitable alternative properties where needed;
  • Manage risks (e.g. fire, health and safety);
  • Safely carry out repairs and maintenance;
  • Respond to enquiries and complaints;

To process personal data about criminal convictions or offences we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

Who might we share your personal information with?

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies and local authorities, third party suppliers, other individuals or partner organisations (e.g. where work with other parties to provide services, for investigating a complaint etc.).

Normally, only OHGL staff will be able to see and process your personal information. However, there will be occasions when we will need to share personal information with third parties for the purposes as outlined or where we are legally required to do so.

When sharing personal information, we will comply with all aspects of the GDPR. Special categories of personal data about health, sexual life, race, religion and criminal activity, for example, are subject to particularly stringent security and confidentiality measures.

We also share information:

  • To allow us to tailor our services to you
  • For detecting possible fraud (e.g. as part of the National Fraud Initiative)
  • To deal with rent arrears (e.g. tracing and/or debt collection agencies)
  • To deal with unpaid bills (e.g. utility or council tax bills - we may need to pass on your forwarding address)
  • To help us communicate with you (e.g. we sometimes use external printers, translators etc.)
  • To assist the Police in solving crime and investigating anti-social behaviour.

As part of the government’s reform of welfare benefits, new regulations have been introduced on information sharing. This means we can now share limited information about our residents and their properties with local authorities, for example, name, address and National Insurance Number. The new regulations will help us identify and support those who could be affected by welfare reform.

We will also disclose your personal details, if required to do so, by law or by any Government body.

OHGL contracts external companies to manage certain areas of our business to fulfil our obligations as a landlord. We share limited personal information of our residents with external contractors, such as name, address and telephone number.

Examples include:

  • Repairs and maintenance contractors
  • Out of hours call centre service
  • Health and safety compliance checks (i.e. gas servicing, lifts, asbestos, legionella)

We will only share the minimum information necessary for the contractor to carry out their services on behalf of OHGL. We will also ensure that data sharing agreements are in place, where we are sharing personal data with data processors. If you have any concerns about a company operating on behalf of OHGL, or information that has been shared with an external company, please contact us using the details below.

When you register for the MyOneHousing using your Facebook or Google account, we will collect the name and email address associated with that account and process it for registration purposes. We will not share any personal information with Facebook or Google. However, they may process your information based on the affiliation to One Housing Group. Please see their privacy policies for further information on this.

OHGL will never sell personal information to a third party.

Security and retention

Personal information is stored on our computer systems and/or tenancy files. It is held securely, and we have security measures in place to protect it. We have processes in place to delete your personal information when it is no longer needed. Our main retention periods are as follows and are based on limitations of liability:

  • Personal data relating sale/purchase of property and land – 12 years from end of relationship;
  • Personal data relating to administering tenancies and provision of services relating to residents and occupants – 6 years from end of relationship;
  • Personal data relating to safeguarding etc. – 8 years from end of relationship.

Use the contact details below to ask for more details about our retention periods for your personal data.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

Contractors, suppliers, partners or agents

We will collect relevant information from you in accordance with our contracts or information sharing agreements. This may include names and qualification information relating to your staff.

Purposes for processing personal data.

The purpose for collecting personal data is to enable you to provide services to our residents on behalf of OHGL.

Legal bases for processing personal data

The legal bases for our processing of personal data are:

  • Where we need to comply with legal obligations (e.g. health and safety);
  • Where it is necessary for our legitimate interest (or those of a third party) and the individual’s interests and fundamental rights do not override those interests (e.g. maintaining security of our property, performing and monitoring the contract).

Data sharing, security and retention

Information will be held centrally by our Procurement Team, on our computer system and by the relevant team/department, in line with our data retention periods (usually 6 years from end of the service for limitation of liability reasons). Personal data is held securely, and we have security measures in place to protect it.

We will share personal data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with data protection legislation and put in place contractual arrangements for this purpose.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

Staff and recruitment applicants

We collect and process personal data relating to OHGL’s workforce. This includes staff, contractors, temporary workers and volunteers.

Purposes for processing personal data

We collect and process personal data for the following purposes:

  • Recruitment and appointment, including suitability for the role;
  • Set up employment, volunteering or supply contract;
  • Administration purposes (e.g. for onboarding into OHGL, to operate payroll, pensions, annual and sick leave, workforce management, administering TUPE, bidding for contracts etc.);
  • Managing performance and training, including conducting performance reviews and determining performance and training requirements;
  • Conducting disciplinary and grievance investigations;
  • Offering any necessary support requirements in your role (e.g. disability, health and safety or wellbeing support), including contacting next of kin where necessary;
  • Risk assessing for lone working, where relevant;
  • Complying with legal or industry standards to ensure that your tax and National Insurance contributions are paid, that you are eligible to work in the UK, undertake DBS checks and suitability for the role (where appropriate for the role, e.g. CQC regulated roles), and to meet Health and Safety Requirements. Please note: providing this data will usually be a legal requirement;
  • Conducting transactional surveys to monitor and improve our services (for example, following training courses);
  • For promoting communication and engagement across OHGL (e.g. through the intranet)
  • Monitoring diversity in our applicants and workforce, as recommended by the Equality and Human Rights Commission;
  • Monitoring our premises for security and safeguarding reasons (e.g. access card data, CCTV, email/internet traffic etc).

Unless we advise you otherwise, we will only collect and process personal data relating to you to carry out these purposes.

We take care to protect personal data and that it is held securely. We have physical and IT security measures in place to protect it. Personal data is held centrally by our HR team on our computer systems. Individuals and line managers can access certain personal information through our internal systems (e.g. onboarding, payroll, leave, training data).

Legal bases for processing personal data

All processing of personal data must have a legal basis. The most common legal bases which apply to the processing described above are:

  • Where we need to take measures to enter into and then perform a contract we have entered into with you;
  • Where we need to comply with legal obligations (e.g. employment related, safeguarding, health and safety);
  • Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. maintaining security of our property, internal communications engagement initiatives, workforce planning).

We may also use your personal data under the following legal bases, which are likely to be rare:

  • Where we have your consent (e.g. provision of additional benefits);
  • Where we need to protect your vital interests (or someone else’s vital interests);
  • Where the processing is necessary in the public interest or for official purposes set out in legislation (e.g. monitoring of diversity and equality etc.)

Processing of sensitive personal data

Some personal data is more sensitive than other data. Special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data need additional protections. This includes additional conditions set out in legislation for processing the data:

  • Explicit consent (where appropriate and does not conflict with legal obligation or contractual requirements);
  • Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
  • Obligations relating to employment (e.g. DBS checks);
  • Safeguarding of individuals at risk;
  • Determining eligibility for occupational pensions;
  • Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);
  • Promoting or maintaining diversity in racial or ethnic origins of senior leaders.

Data sharing, security and retention

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies, third party suppliers (if you are a contractor), other individuals or partner organisations (e.g. for investigating a complaint or grievance etc.).

We will share your data with third parties, including third-party service providers, for example, payroll and pension administration. Where we use recruitment agencies, we may share personal data with them, or they will collect it on our behalf.

We require third parties to respect the security of your data and to treat it in accordance with data protection legislation and put in place contractual arrangements for this purpose.

We have processes in place to delete your personal information when it is no longer needed. Our main retention period is as follows and is based on the general limitation of liability:

  • 6 years (end of financial year) from end of relationship;

Use the contact details below to ask for more details about our more detailed retention periods for your personal data.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

Care and support customers

When a referral is made on your behalf to OHGL for care or support, we will collect and process personal information about you.

We do this to:

  • Process requests and administer care and support services, including billing and payment plans;
  • Be able to contact you, respond to you directly and verify your identity;
  • Identify your care and support needs and complete our assessments, in order to offer you the most effective service possible;
  • Complete individual risk assessments and investigate any issues or incidents;
  • Update our records of your care and support needs;
  • Share information about your care and support with your family or next of kin;
  • Share information with other agencies where we have your agreement, are required to do so, or where doing so gives effect to our agreement with you;
  • Monitor our premises and maintain a safe environment for residents and staff;
  • Provide information about additional services we offer;;
  • Complete consultations, conduct transactional surveys in order to monitor and improve our service;
  • Provide assistance to the police in the event of a Missing Person case;
  • Monitor equality and diversity;
  • Provide reporting to and carry out audits for local authorities and regulators.

Legal basis for processing

All processing of personal data must have a legal basis. The most common legal bases which apply to the processing described above are:

  • Where we need to take measures to enter into and then perform a contract we have entered into with you (provision of services set out in our agreements with you);
  • Where we need to comply with legal obligations (e.g. as set out by CQC, health care, health and safety and safeguarding legislation);
  • Where the processing is necessary in the public interest or for official purposes set out in legislation (e.g. where we work in partnership with local authorities and the NHS);
  • Where we have your consent (e.g. provision of additional benefits and services);
  • Where we need to protect your vital interests (or someone else’s vital interests);
  • Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. maintaining security and safety of our property, customer satisfaction surveys and market research).

Processing of sensitive personal data

Due to the nature of the services provided by our care and support services, much of the personal data being processed for the purposes set out above will be sensitive personal data.

Sensitive personal data, consisting of special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data, need additional protections. This includes additional conditions set out in legislation for processing the data.

Where possible we will seek your explicit consent to process sensitive personal data. In cases where consent may not be appropriate the following additional conditions may apply:

  • Legal obligations relating to social security and social protection (especially where we act on behalf of local authorities or the NHS);
  • Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
  • Safeguarding of individuals at risk (including children);
  • Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);

To process personal data about criminal convictions or offences we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

Who might we share your personal information with?

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies and local authorities, third party care and support providers, other individuals or partner organisations.

Normally, only OHGL staff will be able to see and process your personal information. However, there will be occasions when we will need to share personal information with third parties for the purposes outlined above or where we are legally required to do so. When sharing personal information, we will comply with all aspects of the GDPR.

Where authorisation is in place (e.g. Lasting Power of Attorney) we may share personal data with the authorised individuals acting on your behalf. In some exceptional circumstances we need to share care information with relatives/next of kin without authority.

We also share information:

  • To allow us to tailor our services to you;
  • Where we work in partnership with local authorities, the NHS, charities etc. to provide you with care and support services;
  • For detecting possible fraud (e.g. as part of the National Fraud Initiative)
  • To deal with arrears and unpaid bills and put payment plans in place;
  • To help us communicate with you (e.g. we sometimes use external printers, translators, communications specialists etc.)
  • To assist the Police in solving crime and investigating anti-social behaviour.

As part of the government’s reform of welfare benefits, new regulations have been introduced on information sharing. This means we can now share limited information about our residents and their properties with local authorities, for example, name, address and National Insurance Number. The new regulations will help us identify and support those who could be affected by welfare reform.

We will also disclose your personal details, if required to do so, by law or by any Government body.

We may also share limited personal information with external contractors for:

  • Provision of care and support services;
  • Repairs and maintenance;
  • Health and safety compliance checks.

We will only share the minimum information necessary for the contractor to carry out their services on behalf of OHGL. We will also ensure that data sharing agreements are in place, where we are sharing personal data with data processors. If you have any concerns about a company operating on behalf of OHGL, or information that has been shared with an external company, please contact us using the details below.

OHGL will never sell personal information to a third party.

Security and retention

Information is held centrally by our Care and Support teams on our computer system and relevant contact information is held by individual teams in line with our retention periods. Personal data is held securely, and we have security measures in place to protect it. We also assess ourselves against the NHS Data Security and Protection Toolkit.

We have processes in place to delete your personal information when it is no longer needed. Our main retention periods are as follows and are based on limitations of liability or legal obligation:

  • Personal data relating to administering and providing care and support services – 6 years from end of relationship;
  • Personal data relating to general safeguarding and risk assessments etc. – 8 years from end of relationship;
  • Investigations of incidents – 10 years, 20 years (if a serious incident) from end of relationship.

Use the contact details below to ask for more details about our retention periods for your personal data.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

Surveillance

Care and support services use surveillance as part of service delivery to provide safe care and treatment or to help people stay safe without restricting their activities or movement.

This can be used across a whole service or on an individual need basis and examples include, but are not exhaustive to, technology such as acoustic monitoring, bed sensors and call bell systems such as Tunstall or Nurse Call, and communal CCTV.

Any surveillance that is undertaken within a care and support service, outside the use of communal CCTV usage, is individually risk assessed with each customer and consent clearly recorded.

Usage of surveillance for the provision of care and treatment is managed in line with the Health and Social Care Act, Mental Capacity Act, and guidance on using surveillance published by the Care Quality Commission (CQC) as well as data protection legislation mentioned and guidance or codes of practice issues by the Information Commissioner’s Office.

CQC do not authorise the use of hidden cameras or other hidden recording equipment within private areas of a registered residential service or customers own home. Covert surveillance may only be used in rare circumstances and for a short period of time, for example, to identify a specific allegation.

Under Sections 62 –64 of the Health and Social Care Act 2008, CQC are permitted to have access to information that has been recorded using covert or overt surveillance (or to have access to surveillance systems) where CQC consider it necessary and proportionate to do so to exercise their functions as a regulator.

Members of the public

In some circumstances we collect and process personal data relating to members of the public. For capture of CCTV footage, please see the separate section below.

Purposes for processing personal data

We may collect and process personal information about you for the following purposes:

  • To respond to requests for information regarding our services (e.g. when you submit information for reporting anti-social behaviours);
  • To contact you regarding property you have registered an interest in;
  • To comply with relevant legislation and regulation;
  • To register you for our employment, training and youth services.

Personal information is stored on our computer systems. It is held securely, and we have security measures in place to protect it.

Legal bases for processing personal data

The legal bases for our processing of personal data are:

  • Where we need to take measures to enter into and then perform a contract with you.
  • Because we have your consent (i.e. agreement) to us processing your personal information. You can withdraw your consent at any time. This is explained further below in the section entitled ‘Your rights under GDPR’.
  • Where it is necessary for the purposes of the legitimate interests pursued by OHGL or by a third party to process your information. We can do that as long as we do not interfere with your fundamental rights or freedom.
  • Where processing is necessary to comply with the law or a statutory obligation.

Other reasons we can rely upon to process your personal information under GDPR are as follows:

  • Where we are under a legal obligation or an obligation under a contract to process/disclose the information.
  • Where we need to protect the vital interests (i.e. health and safety) of you or another person.

Processing of sensitive personal data

Some personal data is more sensitive than other data. Special category data (e.g. health, ethnicity, sex life and sexual orientation, religious beliefs, political affiliations, biometric data etc.) and criminal convictions data need additional protections. This includes additional conditions set out in legislation for processing the data:

  • Explicit consent (where appropriate and does not conflict with legal obligation or contractual requirements);
  • Vital interests (e.g. where your life or that of another individual is in danger and you aren’t able to give your consent);
  • Safeguarding of individuals at risk;
  • Monitoring equality of opportunity or treatment (where the data isn’t used to make decisions on particular individuals);

Unless otherwise stated at the point we collect your personal data, providing sensitive personal data will usually be voluntary, e.g. to provide you with additional benefits/services, to monitor equality of opportunity or treatment. However, there may be legal requirements where we need to safeguard individuals at risk, e.g. when volunteering in our care schemes.

Data sharing, security and retention

Generally we collect personal data directly from you, but we may in some cases also receive personal data from government bodies, other individuals or partner organisations.

We may share your data with third parties. This will usually be with third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with data protection legislation and put in place contractual arrangements for this purpose.

We may also need to share your data with other parties in order to respond to a request or where we have a legal obligation or authorisation. Where possible you will usually be notified of this before we do so.

Please see below for further information on your data protection rights and how to contact OHGL regarding your personal data.

CCTV

We survey and monitor our property and buildings, including the areas directly surrounding our buildings, for the following purposes:

  • For security purposes in the public interest (including national security);
  • For the prevention and detection of crime;
  • To prevent and investigate anti-social behaviour and nuisance;
  • To assess property maintenance and assist with estate and property management;
  • To provide safe and secure places of work for employees;
  • For insurance purposes as required;
  • For internal investigations carried out by One Housing in accordance with approved policy (e.g. in response to complaints or disciplinary cases).

We process personal data captured through CCTV footage in line with our CCTV and Surveillance Policy. Unless otherwise stated, we do not carry out live CCTV surveillance. We will take a reasonable and proportionate approach to downloading and viewing of CCTV footage which balances infringement of privacy, seriousness of incident, resource cost and meeting the stated purposes.

Legal bases for processing personal data

The processing is carried out under the following legal bases:

  • Where we need to comply with legal obligations (e.g. provide safe spaces for residents and customers to live, protect the health and safety of our employees);
  • Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests (e.g. ensuring the security of our properties and assets, insurance purposes, carrying out internal investigations).

Data sharing, security and retention

OHGL will generally not disclose CCTV footage to third parties. However, OHGL will consider requests from the following where there is a legal basis for the disclosure and the footage is necessary for a legitimate purpose:

  • The police or other law enforcement agency and not disclosing the CCTV footage would prejudice the investigation;
  • Regulatory bodies;
  • Insurance companies, for example when acting on behalf of One Housing or an individual affected by a crime for which One Housing holds relevant evidence. In such cases, OHGL will assess whether there is a legal basis for the disclosure and seek assurance that disclosing the CCTV footage is necessary. An administrative fee may be charged to cover costs.

Data captured by CCTV systems will be stored securely. Typically, the data will be retained for 30 days. Data identified as necessary for an investigation or one of the other purposes set out above will be downloaded to secure storage and retained for the retention period relevant to that purpose (e.g. 6 years under limitation of liability).

How we manage your personal information

We process your personal information in accordance with the principles of GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

  • Processed for limited purpose
  • Kept up-to-date, accurate, relevant and not excessive
  • Not kept longer than is necessary
  • Kept secure.

Access to personal information is restricted to authorised individuals on a strictly need to know basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.

To help us ensure confidentiality of your personal information we will ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you, unless you have given us prior authorisation to do so, doing so is authorised by legislation (e.g. cooperating with law enforcement agencies) or it is necessary to comply with a legal obligation.

International transfers of personal data

Our website is hosted within the UK. Our other systems are generally located on our premises or elsewhere within Europe.

We use third-party service providers, for example, those that provide and host our IT systems, maintenance and repair contractors, etc. We require third parties to respect the security of your data and to treat it in accordance with data protection legislation and put in place contractual arrangements for this purpose.

Where we use third parties to provide storage services, these will usually be stored in the UK or EEA. However, some providers also store personal data in other countries, including the USA (for example, some services used for email campaigns, responding to enquiries regarding our care homes and completing online surveys are located outside of Europe). Where this is the case, we put in place contractual arrangements to safeguard the data in line with the requirements of the UK GDPR.

Where data is transferred outside Europe, we will make sure that transfers are only made to countries in which the European Commission has made an ‘adequacy decision’, or where appropriate safeguards are in place.

How long do we keep information?

We have a data retention schedule, which sets out how long we keep different types of information. We follow legal requirements and best practice based on limitations of liability and guidance set out by the National Housing Federation, CQC and the NHS. Examples of main retention periods are provided in the individual sections above. You can also contact us on the details below should you want further details on our retention periods.

Fraud detection

We may use data disclosed for the purpose of preventing and detecting fraud. This includes information provided on the OHGL website, on the My Account area, or in any other way provided to us online or otherwise.

The data collected may be used for the purpose of data matching and further investigations. This involves comparing the data we hold on you with that held by third parties solely for the purpose of detecting and preventing fraud. We might also use your data to further investigate fraud that we think might have been committed.

This involves checking with various third parties, such as the Land Registry, banks, schools and utility companies.

Your rights under GDPR

You have a number of rights under the GDPR. These are set out below. You can request to exercise your rights using the Privacy Web Form.

We will request photo identification through the form as proof of identity. If you do not have photo identification, you can still submit the form and the Data Protection Team will be in touch following your submission to advise what other proof of identity we accept.

Access to personal information

Under GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR).

You can also use the Privacy Web Form for submitting these requests. Alternatively, you can email us at sar@onehousing.co.uk, or let us know by contacting customer services at 0300 123 9966.

We will respond to your request with all the information we are legally required to provide within 30 days.

Your right to certain information may be restricted. For example, information relating to a third person or information relating to a police investigation.

Rectification

If you need to correct any mistakes contained in the information we hold about you, you can let us know by contacting customer services on 0300 123 9966.

Erasure (‘right to be forgotten’)

You have the right to ask us to delete personal information we hold about you. You can do this where:

  • The information is no longer necessary in relation to the purpose for which we originally collected/processed it
  • You withdraw consent
  • You object to the processing and there is no overriding legitimate interest for us continuing the processing
  • We unlawfully processed the information
  • The personal information has to be erased in order to comply with a legal obligation

We can refuse to erase your personal information where the personal information is processed for the following reasons:

  • To exercise the right of freedom of expression and information
  • To enable functions designed to protect the public to be achieved, e.g. government of regulatory functions
  • To comply with a legal obligation or for the performance of a public interest task or exercise of official authority
  • For public health purposes in the public interest
  • Archiving purposes in the public interest, scientific research, historical research or statistical purposes
  • The exercise or defence of legal claims
  • Where we have an overriding legitimate interest for continuing with the processing.

Restriction on processing

You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:

  • You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
  • You challenge whether we have a legitimate interest in using the information
  • The processing is a breach of the GDPR or otherwise unlawful
  • We no longer need the personal data, but you need the information to establish, exercise or defend a legal claim

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so. We must inform you when we decide to remove the restriction giving the reasons why.

Objection to processing

You have the right to object to processing where we say it is in our legitimate business interests.

We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which overrides your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.

Withdrawal of consent

If the basis on which we are using your personal information is your consent, we will seek your consent to contact you for non-essential services. 

Examples of this include to gather feedback following community events or permission to use photographs taken (i.e. at events). You have the right to withdraw your consent to us processing your information at any time. We must stop using the information. We can refuse if we can rely on another reason to process the information such as our contractual obligations or legitimate interests.

Visitors to our website

We collect the following information from visitors to our website and My Account:

  1. Details collected through online forms
  2. Surveys and polls about the website
  3. Site usage information from session cookies and log files

Site usage information

You can read more about how we use cookies and log files.

Links to other websites

This privacy notice does not cover links within our website to other websites. We encourage you to read the privacy statements on other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review.

We will update it if we undertake any new or amended processing. This privacy notice was last updated on 15 July 2021.

Subsidiary organisations

OHGL has subsidiary organisations who are also registered as Data Controllers with the Information Commissioners Office. A list of these can be found here.

Further information

This privacy notice does not provide details on all aspects of OHGL’s collection and use of personal information. We are happy to provide any further information or explanation if needed.

Please contact us using the information below.

How to contact us

If you want to find out more about this, you can:

  • Email the Group Data Protection Officer at dpo@onehousing.co.uk
  • Write to Data Protection Officer, Atelier House, 64 Pratt Street, London, NW1 0DL.

Alternatively, you can find here other ways to contact us.

Complaints

OHGL aims to meet the highest standards when collecting and using personal information. You can raise a complaint with us if you think that our collection or use of information was unfair, misleading, inaccurate or inappropriate.

If you are still not happy with our response, you have the right to appeal directly to the regulator – the Information Commissioners’ Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113.