Bank holiday: We are closed on Monday 6 May for the bank holiday weekend. We hope you enjoy the long weekend, but in case of emergencies please call our out-of-hours service on 01993 890000.

Google Translate




Text size





Cottsway's logo Home

Home > About us > Corporate information > Website policies > Protecting your privacy

Protecting your privacy

Privacy notice reviewed: 16 August 2023

Cottsway is committed to ensuring that your privacy is protected and that any information we have about you is kept secure. Our privacy notice sets out how we use and protect information that you give us and gives an overview of how we collect and use your personal data.

Cottsway Housing are registered with the ICO as a Data Controller under registration number: Z5328763.

You can contact us with any issues regarding the processing of your personal data using the following:

We may update this Privacy Notice from time to time. We will let you know, where practical, of any changes to the ways in which we manage personal data. In some circumstances we may also provide extra privacy information, which will refer to this full notice.

Privacy notice

In this notice, whenever you see the words “we,” “us,” “our,” or “Cottsway,” it refers to Cottsway Housing Association Limited.

This notice applies if you are a customer or a resident in one of our properties or use any of our services. It also applies if you visit our website, email, call, contact us via social media message, or webchat, write to us, or visit us in person. Please note that we record incoming and outgoing calls to our Contact Centre.

When using the term “personal data” in this Privacy Notice, we mean information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold.

For the purpose of the Data Protection Act 2018 incorporating the UK General Data Protection Regulation (UK GDPR), the Data Controller of the information we collect about you is Cottsway Housing Association Limited.

This notice (together with our cookie policy and terms of use and any other documents referred to in it) sets out the basis on which we will process any personal data.  

The type of personal data we collect depends on what we need. For example, if you contact us, we may only need limited information about you to deal with your query. If you are one of our customers, we need to collect a variety of information about you to make sure we can provide you with appropriate housing, comply with the terms of your tenancy agreement with us, or to provide you with or refer you to appropriate support services. Information we collect may include your contact details, financial information (including the receipt of benefits), or mental or physical health information (including whether you have any disabilities we should be aware of). We may also need to collect certain information to meet our statutory obligations.

We ensure that the personal data we hold about you is only used for the reasons it was obtained for, and only kept for as long as is necessary to provide you with services, deal with your tenancy, or to comply with our other statutory or regulatory obligations. We may need to share some information with third parties, such as local authorities, benefits departments, our repairs and maintenance contractors, social services, other social landlords and government departments as required, and the emergency services.

If you provide us with personal data relating to members of your family, or other people who live with you, please show them this privacy notice.

You have rights in relation to your personal data, including the right to see copies of the personal data we hold about you, or to make a complaint to the regulator, the Information Commissioner's Office (ICO).

Further information about your data protection rights can be found on the Information Commissioner’s Office (ICO) website.

If you feel that your data has not been handled correctly, or if you are unhappy with our response to any requests, you have the right to lodge a complaint with the Information Commissioner’s office.

The rest of this notice is split into sections to make it easier to understand.

If you have any questions about this notice, please contact us.

Depending on our relationship with you, the types of personal data collected and used will vary. We will only collect personal information when we need it. When you provide your information, we will explain why we need it. We will also explain when information is optional and the impact of not providing this. If you choose not to supply the personal information required, then we may not be able to provide some of our support, products and services.

We may collect data in the following ways:

  • Directly from you – in person, by email, telephone, text message, letter, form, web chat, or social media message
  • By observing how you use our support, products and services from the transactions and operation of your accounts and online services
  • From other organisations such as former housing and support providers, health and social care agencies, law enforcement agencies, debt collectors, energy or utility companies, benefit agencies and/or credit reference and fraud prevention agencies
  • From other people you know and/or are linked to you – for example; a joint tenant, a relative, a person nominated to act on your behalf, your legal representative, or people who live in the same community as you (e.g. those making reports of antisocial behaviour)
  • From monitoring or recording calls as part of quality and complaint monitoring. We record these calls for training and to ensure the safety of our staff. We will not record any payment card details as part of our accounts and payments operations
  • From the CCTV systems for the prevention and detection of crime or to detect damage/ vandalism to our properties and to ensure the safety and security of our staff and individuals obtaining services from us.

We may take photographs at our events, at our properties, and in our communities to use for general marketing and publicity. However, photographs of individuals will only be used for those purposes with your consent, which is managed by our Communications Team.

Information we collect when you use this site

Information we may automatically collect about you when you visit our site will include:

  • Technical information: including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, geographical location browser plug-in types and versions, operating system and platform.
  • Information about your visit: including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
  • Cookies: Our Site uses cookies to distinguish you from other users of our Site. This helps us to provide you with a good experience when you browse our Site and allows us to improve our Site. For detailed information on the cookies, we use and the purposes for which we use them, please see our cookie policy.

We use this information to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; and to improve our Site to ensure that content is presented in the most effective manner for you and for your computer.

We collect and hold personal data about:

  • Visitors: Visitors to our website and our offices, those who email, call, message us via a social media application or our webchat, or write to us, including anyone who makes a complaint or enquiry to Cottsway.
  • Contractors and suppliers (including professionals): Personal data may be held under contracts, agreements and letters of instruction.
  • Customers: This includes current, former and potential customers who live in our properties or access our support and other services and includes members of their family and people associated with them. This also includes leaseholders and shared owners. 


We may collect and process the following categories of information about you:

  • Name and title
  • Email address
  • Social media username
  • Telephone number
  • Address
  • CCTV images
  • A record of your contact with us – including recording of calls to our Contact Centre, any requests or conversations that take place through our live chat functionality and noting any action taken because of your contact with us.

Contractors and suppliers

We may collect and process the following categories of information about you:

  • Name and title
  • Email address
  • Telephone number
  • Mailing address
  • CCTV images
  • Details of our contract, agreement or instructions
  • Business contact information
  • Recording of calls to or from our contact centre
  • Payment information.


We may collect and process the following categories of information about you:

  • Banking details may be held temporarily if we set up a direct debit on your behalf
  • Call recordings to and from our contact centre
  • Caring responsibilities
  • CCTV images
  • Contact details of individuals who you want us to communicate with on your behalf
  • Contact details, including telephone, email or contact address
  • Contact preferences, including whether you have signed up to our mailing list  
  • Correspondence, including letters, emails, web chat conversation and social media messages
  • Date of birth
  • Financial information including, income, expenditure details, benefit, and Council tax information
  • Lifestyle and social circumstance
  • Name
  • National insurance number
  • Nationality
  • Personal details of all household residents
  • Proof of housing eligibility
  • Proof of your identity, including photo ID
  • Relationship status
  • Your needs or preferences so that we can understand them better.

We may also collect and use “special category” information:

  • Health data (including disabilities)
  • Ethnicity
  • Sexual orientation
  • Criminal conviction / offence data  

Under the data protection legislation certain personal data is classified as “sensitive” or "special category" personal data. This includes information relating to racial or ethnic origin, physical or mental health, sex life or sexual orientation, religious or philosophical beliefs, political opinions, membership of a Trade Union, allegations of criminal offences and criminal convictions and offences, along with biometric data such as fingerprints.

We minimise our holding and use of sensitive categories of personal data but, given the services we provide, there are times when we use it to understand customers and their needs better, for example when providing accommodation for disabled persons, or when resolving neighbourhood disputes involving alleged criminal activity.

Children’s personal data

We do not usually process data on children aged under 18, as all our tenants, leaseholders and shared owners are adults. However, we record children’s basic information if they are a resident in one of our properties, including their name and date of birth. This is required for checking the property is not overcrowded and to assess other tenancy management issues where all residents and their ages are required to be known.

We may also receive children’s information if we are involved in the housing and tenancy aspects of a welfare concern, such as safeguarding, or as part of a multi-agency working solution.

How we use your information will depend on our relationship with you and how you interact with our various services, website and customer portals. We may use your personal data for a number of different purposes.

We may use your personal data to: 

Enter into, or manage any contract we have with you, including:

  • Processing applications and requests for: Rental accommodation, home ownership, Garage rental
  • Managing tenancies including collecting rent and service charges 
  • Ensuring compliance with the conditions of any agreement between us
  • Providing repairs, maintenance and adaptions at our properties
  • Providing home ownership products
  • Processing orders and managing our professional relationship, if you are a supplier or contractor

Provide you with services in our legitimate interests, including ensuring the proper management of tenancies and providing appropriate support:

  • Assisting you in the management of account charges, payments and arrears, including through our online portal
  • Providing support services to help customers achieve their goals
  • Keeping in touch with customers to understand your needs and preferences and invite you to events, and to notify you about changes to our service
  • Engaging with customers to make improvements to our products and services
  • Resolving enquiries and complaints

Comply with our legal and regulatory obligations, and acting in the public interest, such as:

  • Preventing and detect crime and resolve disputes
  • Preventing and detect fraud and money laundering
  • Promoting safety and the quiet enjoyment of our neighbourhoods and communities
  • Promoting equal opportunities and fair treatment for all our customers
  • Meeting the obligations we owe to our funders and regulators

Under data protection laws we can only process your information where we have one or more legal ground or condition for doing so as set out in the law (a “lawful basis.” We have set out below common “lawful bases” we use when processing your personal data.

Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation, such as providing information to HMRC.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where you have given your consent

Where we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This may affect the services that we can make available to you, but this will be explained when we gain your consent.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your vital interests (or someone else’s vital interests)

When the personal information we process about you is classed as sensitive personal information (criminal offences information and ‘Special Category Personal Data’ such as your health, sexual orientation and ethnic origin), we must have an additional lawful basis for such processing.

This lawful basis may be:

  • Where you have given your explicit consent
  • It is necessary under laws relating to social security and social protection law
  • Where we need to protect your vital interests (or someone else’s vital interests)
  • It is necessary in connection with legal proceedings
  • It is necessary for reasons of substantial public interest (for example: equality monitoring, preventing or detecting unlawful acts, preventing fraud)

Cottsway does not make any decisions based solely on automated processing, including profiling, using the personal data you have given us.

Your personal data will be kept secure and confidential. Our staff, Board members and involved customers have restricted access to personal data on a “need to know” basis. 

Sometimes it is in everyone’s best interests for us to share some of the information we have about our customers with other organisations. Sometimes this is because we have a legal obligation to do so and sometimes it is to ensure you get the best service possible, for example we will forward your details on to utility companies to ensure that you’re supplied with energy and water in your home.

We will also share some details with our contractors, so they can contact you if your property needs a repair or is scheduled for improvement work, to arrange a suitable time to visit.

In exceptional circumstances we may feel it is necessary to provide your details to the police or a local authority social services department where there has been a case of criminal activity, a breach of your tenancy agreement, we have been made aware of potentially anti-social behaviour or if we believe it your vital interests of you or those of someone who lives with you.

In the event you do leave us and move to a new landlord we might be contacted for a reference and may provide some of your details to them.

Cottsway will never sell your information to other businesses.

Listed below are the categories of third parties we may share some of your personal information with. Where required we will ensure that any information sharing is supported by GDPR compliant contracts or there are appropriate Information Sharing Protocols in place.

  • Advocacy partner organisations
  • Banks and financial service providers to process secure payments
  • Charities and voluntary organisations
  • Choice Based Letting partners.

Contractors and suppliers who:

  • Provide services to you, or who provide services on our behalf
  • Allow Cottsway to meet their compliance responsibilities e.g. gas servicing, fire safety, asbestos management
  • Undertake repairs or improvements to your property and neighbourhood
  • Provide technology and telephony software, services and equipment
  • Manage out-of-hours service calls
  • Provide printing and mailing services
  • Credit reference agencies for rental tenants
  • Debt collection agencies
  • External auditors
  • Insurance companies
  • Mediation partner organisations.

Organisations that support Cottsway, and the services we provide including:

  • Local authorities
  • Other housing providers
  • Statutory agencies
  • Support organisations
  • Probation services
  • Professional advisors and consultants
  • Solicitors
  • Social welfare organisations
  • Survey and research organisations
  • Training providers or learning institutions
  • Utility companies.

In some cases, we may also have a duty to disclose your information by law to:

  • Central government departments
  • Courts and tribunals
  • Fire services
  • Health authorities, trusts or medical staff
  • Local authorities
  • Organisations who support crime prevention or detection, the prevention and detection of fraud, and for the purposes of the National Fraud Initiative)
  • Other registered providers of social housing
  • Partner organisations whose purposes are compatible with ours
  • Members of Parliament or local councillors
  • Police
  • Regulators

Cottsway will not share your information with anyone who claims to represent you or be acting on your behalf unless we have verified you have appointed them or they are acting in some recognised official capacity.

Personal data is stored and managed within a variety of IT software systems which are maintained to achieve a high level of security and confidentiality. We hold information in IT systems which may be copied for testing, backup, archiving and disaster recovery purposes.

We have a process for assessing, managing and protecting new and existing systems which ensures that they are up to date and secure. Your data is protected by multiple layers of security.

Our employees complete mandatory information security and data protection training at the start of their employment, and periodically thereafter to reinforce responsibilities and requirements set out in our policies. Only those staff members and third parties who require access to your information will be able to access it.

When you trust us with your data, we will always keep your information secure to maintain your confidentiality. We use strong encryption when your information is stored or in transit; this minimises the risk of unauthorised access or disclosure, when entering information on our website.

Cottsway are based in the UK, and we store most of our data within the UK, or countries which have similar data protection laws. Where we transfer your personal information outside the United Kingdom, in all cases where personal data is transferred to a country which is deemed not to have the same standards of protection for personal data as the UK, Cottsway have in place appropriate safeguards such as UK regulator approved Standard Contractual Clauses and further contractual, organisational and technical measures (as may be required following an assessment of the risk) have been implemented to ensure that your personal data is protected.

We keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply or demonstrate compliance with our legal and regulatory obligations. Where we can, and it is appropriate, we will minimise personal data or de-personalise data to use for statistical or analytical purposes. We have a Document Retention Policy that controls how long information is kept for.

We typically keep tenancy information for 6 years plus the current year, and former tenancy information is typically kept for 6 years from the end of our relationship with you. In some cases, such as if there is a dispute or a legal obligation affecting the information we may need or be required to keep personal information for longer.

If there is a change to your personal data, for example your contact details, please let us know of this by updating your details online (where this facility is available) or email us at or write to us at the address provided at the beginning of this page, so that we can keep your information up to date and accurate.

You can ask us to do various things with your personal information. For example, you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We’ll either do what you’ve asked, or explain why we are unable to - usually because of a legal or regulatory issue.

You can make any of the requests set out below using our contact details:

You can find out more about your data protection rights on the Information Commissioner’s Office website.

The right to be informed

This privacy notice informs you of who is obtaining and using your personal information, how this information will be retained, shared and secured and what lawful grounds will be used to obtain and use your personal identifiable information.

The right of access

You have the right to see what data we hold about you. This is commonly called a “Subject Access Request” and is provided free of charge and usually within one calendar month. There are some exemptions, which means you may not always receive all the information we process. You can apply for this in writing or by contacting our customer services team on 01993 890000.

The right to rectification

You can ask us to rectify your personal data if it is inaccurate or incomplete. Please help us to keep our records accurate by keeping us informed if your details change.

The right to erasure

The right to erasure is also known as “the right to be forgotten.” In some circumstances, you can ask us to delete or remove personal data where there is no compelling reason to continue to hold it. This is not an absolute right, and we will need to consider the circumstances of any such request and balance this against our need to continue processing the data, and any legal/regulatory requirements for the data.

The right to restrict processing

You can object and ask us to restrict processing if you feel that we are using your personal information unlawfully and/or holding inaccurate, inadequate or irrelevant personal identifiable information which if used may have a detrimental impact on you and/or has an impact on your rights.

The right to object

You have the right to object to how we use your personal identifiable information in certain circumstances as well as the right to obtain a copy of the personal identifiable information we hold about you.

The right to data portability

For companies such as utility providers (e.g. gas, electricity suppliers), you can request that information you have provided to them, such as meter readings be transferred to another company. If the situation arises where it would be helpful for you to move, copy or transfer personal data we hold about you, across different services, you may be able to ask us to do this.

Rights in relation to automated decision making and profiling

You can ask us to review any decisions that are determined by automated means, and object to our use of your personal data for profiling activities.

This privacy notice was last updated in August 2023 and will be updated to reflect changes either to the way in which we operate or changes to data protection legislation. We will bring any significant changes to your attention but to make sure that you keep up to date, we suggest that you revisit this notice from time to time.

Chat with us