Introduction and who we are
Eastlight Community Homes Ltd registered office is at Eastlight House, Charter Way, Braintree, Essex, CM77 8FG and we are a company registered in England and Wales under company number IP30124R. We are registered on the Information Commissioner’s Office (ICO) Register registration number Z1122456, and act as the (the “Data Controller”). Our designated person for the organisation is Jane Rothery, who can be contacted at DPA-FOI@eastlighthomes.co.uk
Information about you?
Eastlight Community Homes Ltd gathers and processes your personal information in accordance with this privacy notice and in compliance with Data Protection Laws, (General Data Protection Regulation 2016 (GDPR), Data Protection Act 2018 and the Privacy and Electronic Communication Regulations (2003)).
This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data, how we may use it, how long we may retain it for, keep it secure and the limited conditions under which we may disclose it to others.
Eastlight Community Homes Ltd processes your personal information, to meet our legal, regulatory and contractual obligations as a Registered Social Landlord and UK registered company, to manage your tenancy or relationship with us, to provide you with information about our products/services or responding to or managing general enquiries or other information received. This policy also covers employees and those employed by Eastlight Community Homes
We will only collect necessary personal data from you and we will not process your information in any way, other than as specified in this notice or where we advise you before collecting the details from you.
We will normally collect information directly from you. This means that you know what information we have about you and we can be sure you have provided us with accurate and up-to-date information. We may also obtain information about our tenants provided by third parties where this is relevant to their housing circumstances and our obligations as a Registered Social Landlord e.g. from social workers, health professionals or as detailed below.
The information we collect about you
- Tenancy records to manage and support tenancies including where additional support needs are identified;
- Rent, service charge, rent and arrears account and other financial information;
- Profiled information for internal analysis purposes only;
- Repair, maintenance and property adaptation records;
- Customer feedback and satisfaction;
- Records of tenancy changes (e.g. mutual exchange, succession or an application to purchase);
- Information about specific issues affecting our tenants or their household members (e.g. anti-social behaviour, violence and aggression, safeguarding concerns, hoarding, social protection and welfare matters);
- CCTV footage around our properties;
- Information about our membership;
- Details for effective communication of information to tenants and the promotion of social, environmental and economic well-being pursuant to the Neighbourhood and Community Standard 2015 and the Tenant Involvement and Empowerment Standard.
- Information about you that relates to demographic data such as race, religion, ethnicity, sexual orientation, gender, age for regulatory reporting requirements;
- We may also receive information about you from other agencies such as local councils, safety community partnerships, multi-agency relationships for measures designed to protect and individual’s health, safety and welfare for example, from domestic or drug abuse.
We record information in our housing management system to deliver our housing management services. Furthermore, we may also record your telephone calls to us, as some calls to our customer service centre are recorded for training and monitoring purposes to ensure we are delivering an excellent service.
We have a self-service portal that enables our tenants to access their rent records, log repairs, update their personal details, notify us of anti-social behaviour, make a complaint or check their rent statements. We collect information when you log in to our portal, for example, to pay your rent or request a repair. We collect your username, password and email address when you register on our resident portal for an account.
The list is not exhaustive, as we hold records of most of the contact we have with you, or about you, and we process this information, so we can deliver our services to you.
Leaseholders and Freeholders:
- Information about the sale/purchase/assignment of a lease or its extension or about the sale of a freehold;
- Information relevant to a lessee’s mortgage or remortgage application;
- Information relevant to service/repairs/other charges;
- Rent review information;
- Information in connection with managing your business lease/tenancy.
We record information in our housing management system to manage and deliver our services to you.
- Recruitment and employee administration records (e.g. performance / absence management and employee relation matters including occupational health and criminal records checks);
- Contractual and other benefits (such as pay, pension, bonus schemes, maternity and paternity leave) information;
- Payroll records and bank account information;
- Family/next of kin information;
- Nationality/immigration information and criminal background;
- Driving licence/qualifications an insurance information; and
- Information about personal characteristics (e.g. ethnic origin)
- Information obtained from personal development meetings with line managers;
- Details relating to personal vehicles for approved parking onsite or at Braintree Outlet shopping centre
We record information in our HR database to manage and deliver recruitment and employment services to prospective, current and past employees and those expressing an interest in working with us.
Contractors, suppliers and other third parties
Basic contact details and any other information they may share in routine correspondence and enquiries with us.
- We rely on and use CCTV as an effective tool in helping us to achieve our aims and regulatory duties of creating safer communities and spaces in and around our residential properties, community hubs, commercial premises, office buildings and to create safer environments where people want to live and work. We place visible signage where we operate CCTV equipment and where this is operated on our behalf.
- We are obliged to share information with the relevant authorities for the prevention and detection of crime. The request for this information may be made under a police warrant or court order or an information sharing protocol. We may also share CCTV images in safeguarding cases.
- CCTV is collected and stored in and around Eastlight's properties for crime prevention and detection purposes.
- We use Dashcam recordings for maintaining staff safety and the efficiency of fleet vehicles. Dashcam footage may be provided to our insurance companies or the relevant authorities where requested following a road traffic incident. Vehicle tracking information and dashcam images may be used for disciplinary purposes where driving standards fall below acceptable levels.
General enquiries and other information received
This section relates to any information voluntarily sent by the Data Subject and not caught by any other section within this policy.
We will process, store, retain and share personal information where relevant and appropriate to do so for the purposes of responding to or managing any general enquiries or other information received, volunteered or sent to us by the data subject that is or may be connected to any of our activities.
All information is managed in line with your rights and our obligations as detailed under Data Protection Law and the principles contained within this policy.
How we inform you
Eastlight are required to provide certain information in order to make the processing of Personal Data fair, lawful and transparent. We provide this information under a ‘layered approach’ to ensure that we provide you with all the information you require. This is achieved through the following documents:
We will only ask for personal information that is appropriate and relevant to enable us to deliver our services. In some cases, you can refuse to provide your details if you deem a request to be inappropriate. However, you should note that this may impact our ability to provide some services to you or to meet your welfare needs if you refuse to provide information that stops us doing so.
On occasions we would like to contact our residents to see if they would like to take part in the stories that we tell to help promote the work that we do in your community and to share things that we feel may be of interest to our residents. We may use information such as your age, length of tenancy, age of property, type of property or adaptations made to determine whether you may be suitable to contact. There is no obligation to take part and we would not use or publish information relating to you without your consent or what you have not approved for us.
Personal Risk Register:
We will not tolerate any behaviour from a tenant, where their behaviour places the health, safety and welfare of our employees and representatives at risk from harm, assault, threats of violence, aggression, sexual advances or allegations, or any other behaviour assessed to be anti-social or unwarranted, including any discrimination based on race, religion, ethnicity, sexual orientation.
Where such behaviour is witnessed or reported to us, we are obliged to take action to protect the welfare of our employees and representatives, to ensure a safe working environment free from such risks or harassment and the tenant is appropriately supported and encouraged to change their behaviour. This may involve placing the individual under a period of monitoring and stipulating 2-person visits only for purposes of repairs, restricting access to a name contact point, restricting access to the office environment and undertaking investigations. Where the risk(s) faced are sufficiently serious this may warrant notification to the police and other relevant authorities.
The deployment of this measure is strictly governed and managed according to our policy to ensure that this process is fair, transparent, compliant with lawful requirements and that privacy concerns are addressed and safeguarded appropriately.
How will we use your personal data? (legal basis processing)
We will rely on at least one of the following lawful bases for processing your personal information. The lawful basis that we rely upon is detailed within the wider Information Asset Register:
You have given explicit consent for us to process your personal data for a specific purpose. You will have the right to withdraw your consent at any time. For example, where you have consented to us providing you with promotional offers and marketing.
We need to process your data to enter into a tenancy or other contractual agreement with you and to meet our obligations under that contract or because you have asked us, or we need to take specific steps before entering into a contract with you.
The processing is necessary for us to comply with the law. For example, processing your legal status to stay in the UK to check your entitlement to housing or as part of our legal obligation for business accounting and tax purposes, shared with credit reference agency or any other third party who might provide us with financial background checks prior to you commencing your tenancy with us and to comply with health and safety legislation. In addition, we may share information from our CCTV systems with the police as our legal obligation.
The processing is necessary to protect someone’s life. This will only apply to a situation of life and death where it is difficult or practically impossible to get your consent.
Where we process special categories of data such as health data, personal data revealing racial or ethnic origin, sexual orientation and religious or philosophical beliefs, this is done for the purpose of equal opportunities monitoring with a view to enabling such equality to be promoted or maintained. Data that we use for these purposes is anonymized. In addition, we process your data where processing is necessary for the purposes of protecting an individual from neglect or physical, mental or emotional harm or protecting the physical, mental or emotional well-being of an individual. In certain circumstances, such as a serious concern for safeguarding or welfare it may be necessary for us to contact statutory agencies (Police, Social Services & the Mental Health Team) and/or the Local Authority to enable us to support you in sustaining your tenancy. In addition, we may also rely on this lawful basis to gain access to your property (mainly for housing for older people) in situations where we have serious concerns for your safety
The processing is necessary for our legitimate interests, or the legitimate interest of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests. This may include the processing of information from our CCTV systems for the prevention and prosecution of crime. We may also process your personal data in order to send you our newsletter. Also, your data may be used for direct marketing purposes to keep you updated with products / services and or latest marketing news (We will occasionally send you marketing information where we have assessed that it is beneficial to you as a customer and in our interests. Such information will be non-intrusive and is processed on the grounds of legitimate interests). You can however exercise your right to opt out of receiving any direct marketing or where you don’t wish to be partake in feedback surveys.
You have the right to access and request any personal information that we hold and process about you, including: –
- What personal data we hold about you
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long your information will be retained for
If we did not collect the data directly from you, information about the source. You have the right to request a correction of your personal data if it is incorrect or out of date. We will strive to correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified. You can also send a request on our self-service portal.
You have the right to withdraw your consent for processing your data if the processing was based on consent.
You have the right to request that we delete your data if you feel we should no longer be processing it. Upon receiving a request for erasure, we will confirm whether it has been deleted or the reason why it cannot be deleted for example, because we have a legal obligation to keep the information or we need it for a compelling legitimate business interest.
You have the right to object to processing of your data. You may request that we stop processing information about you. Upon receiving your request, we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights, legal obligations or to bring or defend legal claims.
You have the right to request that we transfer your data to another data controller if the data is processed by automated means (This only applies to information that you have provided in electronic format, under the legal basis of consent or pursuant to a contract).
You have the right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data:
- if you want us to establish the data’s accuracy
- where our use of the data is unlawful, but you do not want us to erase it
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
- you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
You may exercise your rights verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. It will also provide clear evidence of your actions. You may also email us at DPA-FOI@eastlighthomes.co.uk. If you make your request in writing, please mark it for the Attention of The Data Protection Officer at Eastlight Community Homes Ltd, Eastlight House, Charter Way, Braintree, Essex, CM77 8FG.
We will comply with your request where feasible to do so, within one month of receiving your request and appropriate identification documentations. In certain circumstances, extensions of up to two months may be requested, but we will contact you if this in necessary.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and only disclosed to the right person.
We recognise and uphold your rights but there may be exemptions made under certain circumstances under data protection laws. Where exceptions have been made, we will inform you of these. Additionally, under certain circumstances charges may apply but again we will advise you if this is necessary.
Sharing and disclosing your personal information
Only relevant information about you will be used across the organisation to ensure you are receiving all services you have requested; ensure your information is accurate and up to date and to promote other products Eastlight offers and/or to keep you updated with the latest news.
We may also share your information with third parties such as (but not limited to):
- suppliers, contractors, and processors to deliver our services;
- building companies, surveyors and defect management;
- for research purposes to enable us to gather your views on the services we are providing;
- the police, local authorities and law enforcement agencies, if relevant to safeguarding concerns or as part of a criminal investigation;
- multi-agency agreements i.e. local authorities, other law enforcement agencies, MARAC;
- the Disclosure and Barring Service and where necessary, providers of services to verify identity documents and provide barred list checks.
On occasion we use third parties to either store personal information or process it on our behalf. Where we have these arrangements, there is always a contract, memorandum of understanding, information sharing protocol or data processing agreement in place to ensure that the organisation complies with data protection laws. All processors acting on our behalf only process your data in accordance with written instructions in the form of a legally enforceable agreement from us. They are also obliged to comply fully with this privacy notice, the data protection laws, confidentiality and implement appropriate technical and organisational measures to ensure security and confidentiality of your information.
We will not sell your information for direct marketing or other commercial purposes. On occasion we may use your personal data for research purposes relating to various topics and services provided by us. Wherever possible, the data will be anonymized to avoid the identification of an individual, unless prior consent has been obtained for the use of the personal data.
We will not share or disclose any of your personal information, other than for the purposes specified in this notice, where there is a legal or regulatory requirement to do so, or there is a public interest or a vital interest to do so, or where we have your prior consent. However, there will be times when we investigate a complaint about a service, we may need to share personal data across the organisation and with other relevant bodies (e.g. those we have commissioned to deliver services(s) on behalf of Eastlight or those we are in partnership with). You can obtain further information on:
- Information Sharing & Partnership Agreements we have with other organisations we work with to deliver our services
- Circumstances where we could pass personal data without your consent (e.g. prevention or detection of crime / fraudulent activity, if there is a serious risk to the public, our staff or to other professionals, to protect a child, to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them or where there is a risk to you and the risk is sufficiently serious that the need to disclose your information is more important than protecting your confidentiality.
- Where we receive a request for information about you from another data controller who has a legitimate interest in contacting you. For example, we may receive a request for your contact details from utility companies that have or may supply your home with gas, water, electric, telecommunications.
We take your privacy seriously and take every reasonable measure and precaution to protect and secure your personal data whether electronically or in paper format. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including: – measures such as Secure Socket Layer (SSL), Transport Layer Security (TLS), encryptions, filtering, restricted access, IT authentication, firewalls, anti-virus/malware etc. Your personal information will only be made available to those who have right to see them.
- Transfers outside the EU
Personal data in the European Union is protected by the General Data Protection Regulation (GDPR) but some other countries may not necessarily have the same high standard of protection for your personal data. We utilise some products or services (or parts of them) that may be hosted/stored in non-EU countries e.g. the US or a third country, which means that we may transfer any information which is submitted by you through the website outside the European Economic Area (EEA) i.e. website hosting, email servers, marketing database (i.e. MailChimp, Email Server etc.).
Therefore, when you use our website/send us an email/sign up to our newsletter etc. the personal information you submit may be stored on servers which are hosted in non-EU countries. Where data is transferred outside the EEA, then we will ensure that transfers will only be made to countries in respect of which the European Commission has made an “adequacy decision”, or otherwise will only be made with appropriate safeguards, such as the use of standard data protection clauses adopted or approved by the European Commission. You may contact us to enquire about such safeguards so that you may obtain a copy of them or so that we may direct you to them. For example, MailChimp is an online marketing platform operated by The Rocket Science Group LLC, headquartered in the US. MailChimp is a participant of EU-US Privacy Shield Framework which means they have been certified to comply with the necessary security required to safeguard data from the EU.
As noted in the ‘How We Use Your Personal Data’ section of this notice, we may occasionally process your personal information under the legitimate interests’ legal basis. Where this is the case, we have carried out a thorough Legitimate Interests’ Assessment (LIA) to ensure that we have weighed up your interests and any risk posed to you against our own interests, ensuring that they are proportionate and appropriate. We use the legitimate interests’ legal basis for processing for example, for our marketing and research, to carry out satisfaction surveys to help us monitor our performance, for business management and reporting purposes and to improve our services to our customers and to send you our newsletters.
How long we keep your data
We only ever retain personal information for as long as is necessary and we have retention policies in place to guide our retention of personal information in line with the National Federation of Housing guidelines to meet these obligations. Retention periods will differ depending on the processing reason we collected the information for and whether we are legally required to keep personal data for certain periods. For example, we are required under UK tax law to keep financial records for 6 years, plus current year for tax purposes as HMRC can challenge / investigate transactions that far back if they so desire. At the end of that period the records would be destroyed.
Typically, we will keep the data for our tenants for the life of their tenancy with us and for 6 years post tenancy for legal reasons relating to, amongst other things, contracts and tax laws. Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent. Eastlight may retain information pursuant to the GDPR for archiving purposes, scientific or historic research purposes or statistical purposes.
Special Category Data
Owing to the products, services we offer, we sometimes need to process sensitive personal information (known as special category data) about you, such as ethnic origin, sexual orientation, religious or philosophical beliefs and health data.
Where we collect such information, we will only request and process the minimum necessary for the specified purpose, for example, for the purposes of equal opportunities monitoring. Data that is used is anonymized or used with your explicit consent, which can be withdrawn at any time.
You are free to decide whether you provide such data and there are no consequences of failing to do so. You can request for your data not to be processed for such at any time, which we will act on immediately, unless there is a legitimate, regulatory or legal reason for not doing so.
Where we process special category data, our lawful basis exists under article 9 of the GDPR. For more information, please contact DPA-FOI@eastlighthomes.co.uk
Profiling & Automated Decision Making
Eastlight uses profiling techniques for internal analysis purposes only for the purposes of improving and managing business efficiencies and supporting tenants with managing their tenancies with us. This may include profiling techniques for assessing the likelihood of rent arrears to enable us to provide relevant support for tenants under our wider regulatory duty as a registered social landlord.
Some elements of our recruitment processes include automated decision making, for example, application forms received for job vacancies are automatically sifted on Rights to Work in the UK, if answered ‘No’, this will stop the application process proceeding. If answered ‘Yes’, further sifting can take place on keywords outlined in the essential and desirable criteria required for the role. There may also be automated decision-making dependent on the requirements for the role, for example, a driving licence and use of a car may be required (if suitable for the role).
What are cookies?
A ‘cookie’ is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing. There are a range of different cookies, some of which are necessary to make the website work properly (e.g those that make a video work). Other cookies may be used for analytical or tracking purposes these enable us to improve the website experiences for all users (e.g. Google analytics). Cookies are widely used to enable the websites to work properly (e.g. ensuring that the right personal information collected is attached to the individual who submitted it) when collecting information, you have provided to the Data Controller. You may delete and block cookies if you wish from this site, however, please be aware that this could affect the experience of our website. If you would like further information relating to cookies and what they do and how to delete them, please visit www.aboutcookies.org or www.allaboutcookies.org.
Visiting our website
When someone visits our website, we collect standard internet log information and details of visitor behaviour patterns, using Google analytics, we do this to find out things such as the number of visitors to the various parts of the site.
We do not make any attempt to find out the identities of those visiting our websites. We will not associate any data gathered from this site with any personally identifying information from any source.
If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Third Party Cookies
We sometimes embed video content and photos from websites such as YouTube and the embedded content may present cookies from these websites. Similarly, when you use one of the share buttons on our website, a cookie may be set by the service you have chosen to share content through.
You should check the relevant third-party website for more information about these cookies as this policy does not cover links to other websites.
If you do not choose to accept cookies, it will reduce our ability to provide you with the best experience we can. By rejecting / deleting cookies the next time you visit, the website will treat you as a new user and you may be asked to provide information that you have previously submitted
Links to other websites
Lodging a complaint
We only process your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your personal data or are not satisfied with how we have handled your information or our response, you have the right to lodge a complaint with the supervisory authority. Please see contact details below:
Information Commissioner’s Office
Wilmslow SK9 5AF