General Data Privacy notice
East Boro Housing Trust (“we” or “us”) is committed to data protection and data privacy. With the General Data Protection Regulation (GDPR) becoming enforceable from 25 May 2018, we have undertaken a GDPR readiness programme to review our entire business, the way we handle data and the way in which we use it to provide our services and manage business operations.
We hold personal data on all our clients to meet legal obligations and to perform vital internal functions. This notice details the personal data we may retain, process and share with third parties relating to your care and vital business operations. We are committed to ensuring that your information is secure, accurate and relevant. To prevent unauthorised access or disclosure, we have implemented suitable physical, electronic, and managerial procedures to safeguard and secure personal data we hold.
We have issued this notice to describe how we handle personal information that we hold about our clients and their advocates’ (collectively referred to as "you"). For the purposes of this notice, the term "client" includes those who receive care on a permanent and temporary basis, consultants, professional advisors, contractors, trainers, work experience/placement students and secondees
We respect the privacy rights of individuals and are committed to handling personal information responsibly and in accordance with applicable law. This notice sets out the personal data that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.
If you are in any doubt regarding this notice, please contact [email protected]
Types of personal data we collect
During your contract of service with us, or when making an application for , we may process personal data about you and your dependents, beneficiaries and other individuals whose personal data has been provided to us.
The types of personal information we may process include, but are not limited to:
- Identification data – such as your name, gender, photograph, date of birth, IDs.
- Contact details – such as home and business address, telephone/email addresses, emergency contact details.
- Tenancy details – such as title/position, location, contractor information
- Background information – such as academic/professional qualifications, education, CV, criminal records data (for vetting purposes, where permissible and in accordance with applicable law).
- Spouse & dependents information, marital status.
- Financial information – such as banking details, tax information, withholdings, salary, benefits, expenses, allowances, stock and equity grants.
- References relating to previous service providers may be undertaken prior to commencement of agreement. We will only gather references from referees provided to us by the client, or prospective client.
Sensitive personal data (‘special categories of personal data’ under the General Data Protection Regulation) includes any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, or information about your health/sex life. Generally, we try not to collect or process any sensitive personal information about you, unless authorised by law or where necessary to comply with applicable laws. In some circumstances, we may need to collect some sensitive personal information for legitimate service-related purposes: for example:
- data relating to your racial/ethnic origin, gender and disabilities for the purposes of:
- equal opportunities monitoring;
- to comply with anti-discrimination laws; and
- for government reporting obligations;
- data relating to your physical or mental health to:
- provide work-related accommodations,
- health and insurance benefits to you and your dependents; or
- to manage personal care plans.
Purposes for processing personal data
We collect and process personal data relating to our clients to comply with our legal obligations. We take the security of your data seriously and are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
Once you become a client, we collect and use this personal information for managing our personal agreement or working relationship with you – for example, your employment records and contract information (so we can manage our support plans with you), your bank account details (so that we/you can credit/debit us/you), your benefit grants (for plan administration) and details of your spouse and dependents (for emergency contact and support purposes).
Where we process special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that we use for these purposes is anonymised or is only collected with the express consent of clients, which can be withdrawn at any time.
We have policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed without authorisation and only accessed or used for specific legal purposes.
You have some obligations under your agreement to provide the organisation with data. You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide this data may mean that you are unable to exercise your statutory rights.
Legitimate business purposes
We may also collect and use personal information when it is necessary for other legitimate purposes, such as to help us conduct our business more effectively and efficiently – for example, for general IT security management, accounting purposes or financial planning. We may also process your personal information to investigate violations of law or breaches of our own internal policies.
The IT Department will record and monitor usage of all our IT equipment, user activity, voice traffic, email and Internet usage as deemed necessary. The IT Department will observe the strictest confidentiality when undertaking these activities. They will make their report directly to Grapevine who will determine the actions that may need to be taken in any particular case.
Our site(s) is/are protected by circuit television (CCTV) systems throughout its premises as deemed necessary and clients should expect all areas (other than those where use would contravene common decency) to be visible on a television monitoring system. Any information obtained from systems will be used with strict adherence to the GDPR. Information will be used for the prevention and detection of crime and to ensure compliance with our policies and procedures and our legal obligations. This may include using recorded images as evidence in disciplinary proceedings.
We may also use your personal data where we consider it necessary for complying with laws and regulations, including collecting and disclosing employee personal information as required by law (e.g. for tax, health and safety, anti-discrimination laws), under judicial authorisation, or to exercise or defend our legal rights.
Legal basis for processing personal data
Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the way we collect it. We will normally collect personal data from you only where we need it to perform a contract with you, where we have your freely given consent to do so, or where the processing is in our legitimate interests and only where this interest is not overridden by your own interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
Any processing based on consent will be made clear to you at the time of collection or use – consent can be withdrawn at any time by contacting [email protected]
Who we share your personal data with
We take care to allow access to personal data only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the data is used in a manner consistent with this notice and that the security and confidentiality of the data is maintained.
Transfers to third-party service providers
In addition, we make certain personal data available to third parties who provide services to us. We do so on a "need to know basis" and in accordance with applicable data protection and data privacy laws.
For example, some personal data will be available to our client benefit plans service providers and third-party companies who provide us with employment law advice, health and safety support, payroll support services, expenses, tax and travel management services, building and maintenance contractors, and Local Authorities.
Transfers to other third parties
We may also disclose personal data to third parties on other lawful grounds, including:
- To comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process
- In response to lawful requests by public authorities (including for national security or law enforcement purposes)
- As necessary to establish, exercise or defend against potential, threatened or actual litigation
- Where necessary to protect the vital interests of our employees or another person
- In connection with the sale, assignment or other transfer of all or part of our business; or
- With your freely given and explicit consent
Transfer of personal data abroad
We do not transfer data abroad.
Personal data will be stored in accordance with applicable laws and kept for as long as needed to carry out the purposes described in this notice or as otherwise required by law. Generally, this means your personal information will be retained until the end of your contract, application, or working relationship with us plus a reasonable period of time thereafter to respond to enquiries or to deal with any legal matters (e.g. judicial), document the proper termination of your contract or working relationship (e.g. to tax authorities, benefits agencies).
For more information, please see our Data Retention Policy, which outlines our current document retention schedule.
You may exercise the rights available to you under data protection law as follows:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can read more about these rights at:
To exercise any of these rights, please contact [email protected]
Issues and complaints
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This notice was drafted with clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed.
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law – www.ico.org.uk/concerns.
Updates to this notice
This notice may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, we will inform you by email, company news letter and personal letter. We encourage you to check this notice periodically to be aware of the most recent version.
Please address any questions or requests relating to this notice to [email protected].
We may pass your information to our third party service providers, suppliers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf.
These third party providers will share your information with us which we will use in accordance with this policy.
This notice is only intended as a general example. The utmost care has been taken in preparing it, but you should also take into account any specific advice published by the Information Commissioner’s Office (ICO) when customising this example for your own use. If you are in any doubt please contact the ICO for further guidance.