Privacy notice reviewed: 16 August 2023
Cottsway is committed to ensuring that your privacy is protected and that any information we have about you is kept secure. Our privacy notice sets out how we use and protect information that you give us and gives an overview of how we collect and use your personal data.
Cottsway Housing are registered with the ICO as a Data Controller under registration number: Z5328763.
You can contact us with any issues regarding the processing of your personal data using the following:
We may update this Privacy Notice from time to time. We will let you know, where practical, of any changes to the ways in which we manage personal data. In some circumstances we may also provide extra privacy information, which will refer to this full notice.
In this notice, whenever you see the words “we,” “us,” “our,” or “Cottsway,” it refers to Cottsway Housing Association Limited.
This notice applies if you are a customer or a resident in one of our properties or use any of our services. It also applies if you visit our website, email, call, contact us via social media message, or webchat, write to us, or visit us in person. Please note that we record incoming and outgoing calls to our Contact Centre.
When using the term “personal data” in this Privacy Notice, we mean information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold.
For the purpose of the Data Protection Act 2018 incorporating the UK General Data Protection Regulation (UK GDPR), the Data Controller of the information we collect about you is Cottsway Housing Association Limited.
The type of personal data we collect depends on what we need. For example, if you contact us, we may only need limited information about you to deal with your query. If you are one of our customers, we need to collect a variety of information about you to make sure we can provide you with appropriate housing, comply with the terms of your tenancy agreement with us, or to provide you with or refer you to appropriate support services. Information we collect may include your contact details, financial information (including the receipt of benefits), or mental or physical health information (including whether you have any disabilities we should be aware of). We may also need to collect certain information to meet our statutory obligations.
We ensure that the personal data we hold about you is only used for the reasons it was obtained for, and only kept for as long as is necessary to provide you with services, deal with your tenancy, or to comply with our other statutory or regulatory obligations. We may need to share some information with third parties, such as local authorities, benefits departments, our repairs and maintenance contractors, social services, other social landlords and government departments as required, and the emergency services.
If you provide us with personal data relating to members of your family, or other people who live with you, please show them this privacy notice.
You have rights in relation to your personal data, including the right to see copies of the personal data we hold about you, or to make a complaint to the regulator, the Information Commissioner's Office (ICO).
Further information about your data protection rights can be found on the Information Commissioner’s Office (ICO) website.
If you feel that your data has not been handled correctly, or if you are unhappy with our response to any requests, you have the right to lodge a complaint with the Information Commissioner’s office.
The rest of this notice is split into sections to make it easier to understand.
If you have any questions about this notice, please contact us.
Depending on our relationship with you, the types of personal data collected and used will vary. We will only collect personal information when we need it. When you provide your information, we will explain why we need it. We will also explain when information is optional and the impact of not providing this. If you choose not to supply the personal information required, then we may not be able to provide some of our support, products and services.
We may collect data in the following ways:
We may take photographs at our events, at our properties, and in our communities to use for general marketing and publicity. However, photographs of individuals will only be used for those purposes with your consent, which is managed by our Communications Team.
Information we collect when you use this site
Information we may automatically collect about you when you visit our site will include:
We use this information to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; and to improve our Site to ensure that content is presented in the most effective manner for you and for your computer.
We collect and hold personal data about:
We may collect and process the following categories of information about you:
Contractors and suppliers
We may collect and process the following categories of information about you:
We may collect and process the following categories of information about you:
We may also collect and use “special category” information:
Under the data protection legislation certain personal data is classified as “sensitive” or "special category" personal data. This includes information relating to racial or ethnic origin, physical or mental health, sex life or sexual orientation, religious or philosophical beliefs, political opinions, membership of a Trade Union, allegations of criminal offences and criminal convictions and offences, along with biometric data such as fingerprints.
We minimise our holding and use of sensitive categories of personal data but, given the services we provide, there are times when we use it to understand customers and their needs better, for example when providing accommodation for disabled persons, or when resolving neighbourhood disputes involving alleged criminal activity.
Children’s personal data
We do not usually process data on children aged under 18, as all our tenants, leaseholders and shared owners are adults. However, we record children’s basic information if they are a resident in one of our properties, including their name and date of birth. This is required for checking the property is not overcrowded and to assess other tenancy management issues where all residents and their ages are required to be known.
We may also receive children’s information if we are involved in the housing and tenancy aspects of a welfare concern, such as safeguarding, or as part of a multi-agency working solution.
How we use your information will depend on our relationship with you and how you interact with our various services, website and customer portals. We may use your personal data for a number of different purposes.
We may use your personal data to:
Enter into, or manage any contract we have with you, including:
Provide you with services in our legitimate interests, including ensuring the proper management of tenancies and providing appropriate support:
Comply with our legal and regulatory obligations, and acting in the public interest, such as:
Under data protection laws we can only process your information where we have one or more legal ground or condition for doing so as set out in the law (a “lawful basis.” We have set out below common “lawful bases” we use when processing your personal data.
Most commonly, we will use your personal information in the following circumstances:
Where we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This may affect the services that we can make available to you, but this will be explained when we gain your consent.
We may also use your personal information in the following situations, which are likely to be rare:
When the personal information we process about you is classed as sensitive personal information (criminal offences information and ‘Special Category Personal Data’ such as your health, sexual orientation and ethnic origin), we must have an additional lawful basis for such processing.
This lawful basis may be:
Cottsway does not make any decisions based solely on automated processing, including profiling, using the personal data you have given us.
Your personal data will be kept secure and confidential. Our staff, Board members and involved customers have restricted access to personal data on a “need to know” basis.
Sometimes it is in everyone’s best interests for us to share some of the information we have about our customers with other organisations. Sometimes this is because we have a legal obligation to do so and sometimes it is to ensure you get the best service possible, for example we will forward your details on to utility companies to ensure that you’re supplied with energy and water in your home.
We will also share some details with our contractors, so they can contact you if your property needs a repair or is scheduled for improvement work, to arrange a suitable time to visit.
In exceptional circumstances we may feel it is necessary to provide your details to the police or a local authority social services department where there has been a case of criminal activity, a breach of your tenancy agreement, we have been made aware of potentially anti-social behaviour or if we believe it your vital interests of you or those of someone who lives with you.
In the event you do leave us and move to a new landlord we might be contacted for a reference and may provide some of your details to them.
Cottsway will never sell your information to other businesses.
Listed below are the categories of third parties we may share some of your personal information with. Where required we will ensure that any information sharing is supported by GDPR compliant contracts or there are appropriate Information Sharing Protocols in place.
Contractors and suppliers who:
Organisations that support Cottsway, and the services we provide including:
In some cases, we may also have a duty to disclose your information by law to:
Cottsway will not share your information with anyone who claims to represent you or be acting on your behalf unless we have verified you have appointed them or they are acting in some recognised official capacity.
Personal data is stored and managed within a variety of IT software systems which are maintained to achieve a high level of security and confidentiality. We hold information in IT systems which may be copied for testing, backup, archiving and disaster recovery purposes.
We have a process for assessing, managing and protecting new and existing systems which ensures that they are up to date and secure. Your data is protected by multiple layers of security.
Our employees complete mandatory information security and data protection training at the start of their employment, and periodically thereafter to reinforce responsibilities and requirements set out in our policies. Only those staff members and third parties who require access to your information will be able to access it.
When you trust us with your data, we will always keep your information secure to maintain your confidentiality. We use strong encryption when your information is stored or in transit; this minimises the risk of unauthorised access or disclosure, when entering information on our website.
Cottsway are based in the UK, and we store most of our data within the UK, or countries which have similar data protection laws. Where we transfer your personal information outside the United Kingdom, in all cases where personal data is transferred to a country which is deemed not to have the same standards of protection for personal data as the UK, Cottsway have in place appropriate safeguards such as UK regulator approved Standard Contractual Clauses and further contractual, organisational and technical measures (as may be required following an assessment of the risk) have been implemented to ensure that your personal data is protected.
We keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply or demonstrate compliance with our legal and regulatory obligations. Where we can, and it is appropriate, we will minimise personal data or de-personalise data to use for statistical or analytical purposes. We have a Document Retention Policy that controls how long information is kept for.
We typically keep tenancy information for 6 years plus the current year, and former tenancy information is typically kept for 6 years from the end of our relationship with you. In some cases, such as if there is a dispute or a legal obligation affecting the information we may need or be required to keep personal information for longer.
If there is a change to your personal data, for example your contact details, please let us know of this by updating your details online (where this facility is available) or email us at firstname.lastname@example.org or write to us at the address provided at the beginning of this page, so that we can keep your information up to date and accurate.
You can ask us to do various things with your personal information. For example, you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We’ll either do what you’ve asked, or explain why we are unable to - usually because of a legal or regulatory issue.
You can make any of the requests set out below using our contact details:
You can find out more about your data protection rights on the Information Commissioner’s Office website.
The right to be informed
This privacy notice informs you of who is obtaining and using your personal information, how this information will be retained, shared and secured and what lawful grounds will be used to obtain and use your personal identifiable information.
The right of access
You have the right to see what data we hold about you. This is commonly called a “Subject Access Request” and is provided free of charge and usually within one calendar month. There are some exemptions, which means you may not always receive all the information we process. You can apply for this in writing or by contacting our customer services team on 01993 890000.
The right to rectification
You can ask us to rectify your personal data if it is inaccurate or incomplete. Please help us to keep our records accurate by keeping us informed if your details change.
The right to erasure
The right to erasure is also known as “the right to be forgotten.” In some circumstances, you can ask us to delete or remove personal data where there is no compelling reason to continue to hold it. This is not an absolute right, and we will need to consider the circumstances of any such request and balance this against our need to continue processing the data, and any legal/regulatory requirements for the data.
The right to restrict processing
You can object and ask us to restrict processing if you feel that we are using your personal information unlawfully and/or holding inaccurate, inadequate or irrelevant personal identifiable information which if used may have a detrimental impact on you and/or has an impact on your rights.
The right to object
You have the right to object to how we use your personal identifiable information in certain circumstances as well as the right to obtain a copy of the personal identifiable information we hold about you.
The right to data portability
For companies such as utility providers (e.g. gas, electricity suppliers), you can request that information you have provided to them, such as meter readings be transferred to another company. If the situation arises where it would be helpful for you to move, copy or transfer personal data we hold about you, across different services, you may be able to ask us to do this.
Rights in relation to automated decision making and profiling
You can ask us to review any decisions that are determined by automated means, and object to our use of your personal data for profiling activities.
This privacy notice was last updated in August 2023 and will be updated to reflect changes either to the way in which we operate or changes to data protection legislation. We will bring any significant changes to your attention but to make sure that you keep up to date, we suggest that you revisit this notice from time to time.