Protecting your privacy
1 Who Are we?
Commonweal Housing Ltd. (Commonweal) is a company registered in England and Wales (number 05319765) and registered with the Charity Commission (number 1113331). Our registered address is 2 Babmaes Street, Westminster, London, SW1Y 6HD.
References in this Privacy Notice to ‘Commonweal’, ‘we’, ‘us’ or ‘our’ mean ‘Commonweal Housing Ltd’.
By using our charitable resources, including properties with reduced rents, we test different housing models to find solutions to specific social injustices. We support partners from the very beginning, to help them investigate issues where they think housing could be part of a solution. By providing ongoing support, we are able to learn, develop and adjust ideas to make our projects as effective, relevant, and impactful as possible.
Detailed information about our company and our services can be found on our website.
Commonweal is a ‘data controller’ for the purposes of the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (‘UK GDPR’): we are registered with the Information Commissioner’s Office (ICO), registration number ZB283616.
Our Data Protection Officer (DPO) can be contacted via: email@example.com
We are committed to respecting and protecting your privacy. Please read this Privacy Notice carefully to understand our practices regarding the processing your personal data.
2 What types of information do we collect from you?
In this Privacy Notice, the term “personal data”, means information relating to you that allows us to identify you either directly, or in combination with other information we hold.
When you contact us by email, telephone or via our website, we may collect your personal data including your name, address, telephone number and date of birth (where relevant).
Special Categories of Personal Data
The UK GDPR defines special categories of personal data as information about a person’s race and ethnicity, religious or philosophical beliefs, trade union memberships, political opinions, genetic data, biometric and health data, and information concerning a natural person’s sex life or sexual orientation.
Criminal Offence data
Criminal offence data is data relating to criminal convictions and allegations of criminal activity. This includes information disclosed by the Disclosure and Barring Service (DBS) under the Government’s employment vetting scheme.
The following sections will answer any questions you have but if not, please contact us using any of the methods shown in the section below entitled “How Do I contact you?”.
3 What lawful basis do we use to process your personal data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever personal data is processed by us:
- Consent: we collect and process your data with your consent. This may include when you agree to receive an email about the ways in which we can support you or how you would like to receive information about us or our services.
- Contract performance: the processing is necessary for the performance of a contract you have with us, or for the purposes of entering into a contract with us.
- Compliance with legal obligation: the processing is necessary for us to comply with the law for tax, social security, and employment purposes etc. This will include sharing with law enforcement agencies details of people involved in fraud or other criminal activity.
- Protection of vital interests: the processing is vital to an individual’s vital interests.
- Public interest: the processing is necessary to perform a task that is in the public interest or for an official function, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests, or the legitimate interests of a third-party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
4 Conditions to process special category personal data?
We rely on the following conditions (as appropriate) under Article 9 of the UK GDPR to process special categories of personal data:
- Explicit consent
- Employment, social security, and social protection (if authorised by law)
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
- Archiving, research, and statistics (with a basis in law)
We aim to collect the least amount of special category data as possible for our processing purposes.
The processing of special category data is covered by relevant policies and procedures and all processing activities involving the processing of special categories of personal are listed in our ‘Record of Processing Activity’.
Further legal controls are applied to the processing of criminal offence data. Such data is processed under the substantial public interest conditions listed in Schedule 1, DPA 2018.
5 The data processing principles
The law requires us to:
- Process your data in a lawful, fair and transparent way;
- Only collect your data for explicit and legitimate purposes;
- Only collect data that is relevant, and limited to the purpose(s) we have told you about;
- Ensure that your data is accurate and up to date;
- Ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
- Ensure that appropriate security measures are used to protect your data.
6 Personal data we collect
We collect your information when you complete our forms, email us, or contact us via our website or social media. This includes information provided by you at the time of registering with us to become a member of staff, entering into a contract for our services, supporting or subscribing to our services, requesting materials or to request further services, responding to a survey or visit our website, and/or when you report a problem with any of our communication channels or services.
We may collect personal information from you in the following ways:
- When you make a phone call e-mail us to seek information about our services
- Recruitment and employment, including agents, suppliers and contractors
- When you have donated to us via any method whether directly or indirectly
- You have used our services or benefited from the Charity anyhow including tenancy
- Through your request for publications and other marketing materials
- Through your request for information about our services and related events
- Through your registration for events
- Through your contacting us with enquiries and comments
- Through tickets purchasing
- Through volunteering and event attendance
- ‘Next of kin’ information provided by our staff or tenants
The information we may collect in relation to the foregoing includes but is not limited to:
- Your name, address, email address and other contact information
- Occupation, skills and professional activity, network(s) and interests where relevant
- Other relevant personal details (e.g. age group, interests, subscriptions, and etc.)
- Records of your correspondence with us, meeting notes, attendance at events etc.
- Use of social media relating to us
- Health data
- Protected characteristics
- Donation history
- Records of volunteering
- Financial information
- Details of your visit to the website
- Multimedia files such as photographs and video footages
- Photographs and video through our CCTV system
- Information about your service user experiences and
- Staff details relevant to their employment status with us
- Information about your access to our databases etc.
- Transaction details you provide to us for the fulfilment of your orders; and
- Information provided in the surveys we may ask you to complete.
We also collect any other information that you provide to us when you submit an application for tenancy, such as health information including details of disability and Safeguarding necessities or other circumstantial details.
7 How we use the information about you?
We collect personal data in order to manage our functions across our many activities and locations including, but limited to, the following:
- To provide you with the services you have requested;
- To comply with the Act and the UK GDPR;
- Tor administrative purposes;
- To assess enquiries; and
- To provide you with information about us and our services.
Examples of when we will collect your personal data include, but are not limited to:
- When you seek our support;
- When you apply for a job with us or request information about our vacancies;
- When you are a staff member;
- When you become a registered supporter e.g. a volunteer;
- When you are employed by us as a contractor by us;
- When you visit our premises our attend one of our events;
- When you communicate with us by letter, phone call, email or social media; and
- When you access or engage with our website.
We will only use your personal data for the purpose it was collected. The data we collect could be in an electronic or paper format. If we believe your data is no longer needed for this purpose, we will not process your data any further.
When we interact with you, we may also collect notes from our conversations with you, and the details of any complaints or comments you make.
We may also collect your social media username if you interact with us through those channels so that we can respond to your comments or questions and provide feedback. Data privacy laws allow this as part of our legitimate interest in understanding our audience.
We may send you relevant and personalised communications by post. We will do this on the basis of our legitimate interest but only after certain risk assessments have been undertaken. You are free to opt out of hearing from us by any channels at any time.
8 Personal Data processed for recruitment purposes
We collect personal data on our employees as part of the administration, management, and promotion of our business activities.
Where an individual is applying to work for us, personal data is collected through the application process. Data is often collected through the CVs that are submitted to us.
There are several purposes that personal data for applicants are collected.
- Employment. We process an applicant’s personal data in order to assess their potential employment with us.
- Administration and management. We may also use this personal data in order to make informed management decisions and for administration purposes.
Personal data collected from applicants is held only for as long as necessary to fulfil the purpose for which it was collected, or for a maximum of two years thereafter where the purpose has been fulfilled and retention is no longer necessary.
Our staff handbook further explains how we process the personal data we collect from our staff and partners.
To comply with Covid-19 regulations, carers may be asked for their vaccination / testing status.
10 Surveys and Service Messages
Sometimes we are required to inform you about certain changes. These service messages will not include any fundraising or marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations.
We may use your data to send you a survey and feedback requests to help improve the way we communicate. These messages will not include any fundraising requests or marketing and they do not require prior consent when sent by email. It is in our legitimate interest to send these messages as doing so this helps to improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications at any time.
Surveys help us to improve our services and make them more relevant to you. They are sent using the lawful basis of legitimate interest and you can opt out of receiving survey requests if you do not wish to participate.
Service messages or messages relating to you will not include any marketing or fundraising requests. You do not have to respond to either form of contact.
When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience.
If, at any time, you do not wish to receive further information about us or our services, contact us at: firstname.lastname@example.org
12 Links to other websites
Our website may also contain links to other websites of interest. Any third-party websites are not covered by this Privacy Notice, and we encourage our users to refer to the privacy policies on the third-party website.
13 SHARING YOUR PERSONAL DATA
We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any agreements, or to protect the rights, property, or safety of the organisation, or other individuals. This includes exchanging information with other companies and organisations for the purposes of safeguarding or other statutory regulations we must comply with as well as those organisations with whom you and we have reciprocal agreements for providing services for social care, education or professional development.
14 How long will we hold your personal Data?
We retain your personal data in a live environment for as long as necessary to fulfil the purpose(s) for which it was collected (including as required by applicable law or regulation, typically 7+ years).
We may keep your data for longer to establish, exercise, or defend our legal rights and yours. Where there is a need, personal data is securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it.
We are required to keep details of financial transactions, including donations, for seven years to meet accountancy and HMRC requirements. We will anonymise or delete personal data if, after a period of seven years, we have not had any contact or communication from you (this will be measured on a rolling seven-year period).
We maintain a data retention criterion to help implement this. This takes account of our legal and accounting obligations, balancing this with what would be considered reasonable.
We may anonymise your personal data (so that you can no longer be identified) for research and analysis purposes in which case we may use this information indefinitely without further notice to you.
15 Security of your personal data
We take the privacy and security of your personal data very seriously. Accordingly, in accordance with the Data Protection Act 2018 and UK GDPR, we have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
These measures include having clear internal policies and procedures and maintaining the physical security to our premises and IT security technologies to prevent the unauthorised access, damage, and loss of your data.
Additionally, we put in place appropriate security procedures and access controls to ensure the confidentiality of the special categories of personal data that we process. For instance, information relating to the religious beliefs of our residents.
It should be noted that the transmission of information via the Internet is not completely secure, and while we will do our best to protect your personal data, we cannot guarantee the security of any personal data transmitted to our site; any such transmission is at your own risk.
16 Locations of Processing
The data we collect from you is processed on our servers located in the UK. We will ensure that your personal data is provided with adequate protection if it becomes necessary to transfer your personal data to a country that has not been granted a finding of adequacy by the European Commission (EC).
Transfers of personal data outside of the European Economic Area (EEA), to a country that has not been granted a finding of adequacy by the EC, will be carried out using ‘appropriate safeguards’ i.e. Binding Corporate Rules (BCR), Standard Contract Clauses (SCC) (also known as Model Contract Clauses) or in accordance with any approved Codes of Conduct. Alternatively, we will seek your consent (where appropriate), on a case-by -case basis.
17 What at are my data subject rights?
We support your data subject rights in relation to the processing of your information under the Data Protection Act 2018 and the UK GDPR, including your:
- Right to be informed (chiefly via this Privacy Notice)
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making including profiling.
You can exercise any of these rights, including your right to request a copy of the information we hold about you (otherwise referred to as a Subject Access request (SAR)), by contacting us using any of the methods shown in the ‘How do I contact you?’ section (see below).
We will respond to your request as quickly as possible. Usually, this will be within one month of receiving your request.
To protect the confidentiality of your information, and in our interests, may sometimes ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
18 Updating my information
You may choose to correct, update, or delete your personal data by contacting us at any time using any of the methods shown in the ‘How do I contact you?’ section (see below).
If you have opted-in to receiving communications form us, your preferences will remain in effect until you tell us that you want to opt-out of receiving any further communications.
You can change your mind at any time by contacting using any of the methods shown below in the ‘How do I contact you?’ section.
19 Withdrawing my consent
Where we process your information based on your consent, you may withdraw your consent at any time. You can do this by contacting us using any of the methods shown in the ‘How do I contact you?’ section (see below).
20 Making a complaint to us
We hope you’ll never have the need to do so, but if you do want to complain about our use of your personal data, or our facilitation of your data subject rights requests, you can contact us using any of the methods shown in the ‘How do I contact you?’ section (see below).
Our Data Protection Officer will investigate your complaint and provide you with an appropriate response as quickly as possible.
21 Making a complaint to the Information Commissioner
You can lodge a complaint with the Information Commissioner at any time. For instance, if you are unhappy with the way in which we are processing your information, or we have failed to facilitate your data subject rights.
The Information Commissioner can be contacted as follows:
By post: Information Commissioner’s Office
By phone: 0844 496 4636 (local rate)
Further information about your data subject rights and how to complain to the ICO can be found here: ICO Make a Complaint
22 How do I contact you?
You may contact us using any of the following methods:
By post: Data Protection Officer
Commonweal Housing Ltd
35 New Broad Street
By phone: 020 7417 1766
By email: email@example.com
23 Changes to this Privacy Notice
We continuously review the content of our Privacy Notice to ensure it accurately reflects what we do with your information.
This Privacy Notice was last updated in March 2022.