How we use Personal Data
Who are we?
Cartrefi Conwy is a ‘Registered Social Landlord’ with over 3800 properties throughout the county of Conwy in North Wales.
This notice explains how we collect, process and store information about people (their personal data), the steps we take to make sure that it is protected, and also describes the rights individuals have in regard to their personal data that we handle.
The use and disclosure of personal data is governed in the United Kingdom by the General Data Protection Regulations and Data Protection Act 2018. For the purposes of this law, the Company Secretary is registered with the Information Commissioner as a ‘data controller’ for Cartrefi Conwy and as such he/she is obliged to ensure that we handle all personal data in accordance with Data Protection law.
1. Why do we handle personal data?
We collect, process, store and share personal data for the broad purpose of providing social housing accommodation and services which include:
- letting, renting and leasing properties
- administering waiting lists
- carrying out research
- administering housing and property grants
- providing associated welfare services, advice and support
- maintaining our accounts and records
- supporting and managing our employees, agents, and contractors
- using CCTV systems to monitor and collect visual images for the purpose of security and the prevention and detection of crime.
2. Whose personal data do we handle?
We only handle personal information where there is good reason to, In order to carry out our tasks as a social landlord and the purposes described in Section 1. We may process personal data relating to a wide variety of individuals including the following:
- Employees including their family and other designated contacts, volunteers, agency, temporary and casual workers
- Tenants, their carers, family and other designated contacts
- applicants for accommodation which include their families and households
- asylum seekers
- board members
- business associates
- local authority employees
- probation officers
- social workers
- spiritual and welfare advisers
- consultants and professional advisers
- survey respondents
- offenders and suspected offenders
- complainants, enquirers and witnesses
- suppliers and service providers, self-employed contractors
- people captured by CCTV images
3. What types of personal data do we handle?
We only handle personal data that is relevant to our role and in order to carry out the purposes in Section 1. We may process personal data relating to or consisting of the following:
- personal details
- goods and services
- supplier details
- financial details
- lifestyle and social circumstances
- compliments and complaints
- education and employment details
- health, safety and security details
- visual images, personal appearance and behaviour
- satisfaction survey results
- CCTV images
4. Where do we get personal data from?
In order to carry out the purposes described in section 1 above, we may obtain personal data from a wide variety of sources, including the following:
- the data subject themselves
- current, past or prospective employers and work colleagues
- family, carers, associates and representatives of the person whose personal data we are processing
- educators and examining bodies
- suppliers and service providers
- financial organisations
- central government
- survey and research organisations
- other housing associations or trusts
- trade unions and associations
- health authorities
- enquirers and complainants
- security organisations
- health and social welfare organisations
- professional advisers and consultants
- probation services
- charities and voluntary organisations
- the police and other law enforcement agencies
- courts and tribunals
- professional bodies
- employment and recruitment agencies
- credit reference agencies
- debt collection agencies
- our own CCTV systems
5. How do we handle personal data?
We have processes in place to make sure personal data is handled securely and lawfully. These cover the information we handle internally as well as how we share information with other relevant organisations.
When handling personal data, we will:
- tell you why we need your information and what we will use it for
- only use your personal information for what we have said we will use it for
- only keep what we need to provide services to you
- keep only the personal information we need to meet our legal obligations
- aim to make sure your personal information is accurate and up to date
- delete or destroy personal information about you when we no longer need it, using our procedures for keeping and deleting information.
6. How do we make sure the personal data is kept secure?
We take the safety and security of all personal information we handle very seriously.
We make sure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection. This is to protect our manual and electronic information systems from data loss and misuse and we will only permit access to them when there is a legitimate or legal reason to do so. We have strict guidelines as to personal data is handled and these procedures are continuously managed and enhanced to ensure up-to-date security.
7. Who do we share personal data with?
In order to carry out the purposes described in Section 1, we may share personal data with a variety of organisations but only where there is clear reason to do so or we have consent. This may include disclosures to organisations such as other Housing Associations, Care and Health providers, Utility companies (such as gas, electricity and water suppliers) the Fire service, the Police and other law enforcement agencies, partner agencies, carers and care agencies working in support of users or prospective users of our services, and to bodies or individuals working on our behalf such as IT contractors or survey organisations.
We may also disclose to other bodies or individuals where necessary to prevent abuse or harm to individuals.
Disclosures of personal data will be made on a case by case basis, using the personal data appropriate to a specific purpose and circumstances, and with necessary controls in place.
Some of the bodies or individuals to which we may disclose personal data may be situated outside of the European Union some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal data to such territories, we will take proper steps to ensure that it is adequately protected as required by Data Protection law.
We will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. This may include disclosures to the Child Support Agency, the National Fraud Initiative, the Home Office and to the Courts.
We may also disclose personal data on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.
8. WHAT ARE THE RIGHTS OF THE INDIVIDUALS WHOSE PERSONAL DATA WE HANDLE?
Data Protection law gives individuals various rights as detailed below. Any requests relating to any of these rights should be sent to the Company Secretary whose contact details can be found in Section 12 below.
THE RIGHT TO BE INFORMED
THE RIGHT OF ACCESS
Individuals have the right to access their personal data; this is commonly referred to as subject access. You can make a subject access request verbally or in writing and we will have one month to respond to a request.
THE RIGHT TO OBJECT
Subject to certain exemptions, an individual has the right to object to the processing of their personal data in certain circumstances. This request can be in writing or verbally and we have one calendar month to respond. This includes using their personal data for direct marketing purposes and covers communication by any means (e.g. mail, email, telephone, door-to-door canvassing) of any advertising or marketing material directed at particular individuals.
RIGHTS IN RELATION TO AUTOMATED DECISION-TAKING
Subject to certain exemptions, an individual has the right to require that we ensure that no decision that would significantly affect them is taken by or on our behalf purely using automated decision-making software. If there is a human element involved in the decision-making the right does not apply.
RIGHT TO RECTIFICATION
An individual has the right to have inaccurate personal data rectified, or completed if it is incomplete. They can make a request for rectification verbally or in writing and we have one calendar month to respond to a request.
RIGHT TO ERASURE
An individual has the right to have personal data erased however the right is not absolute and only applies in certain circumstances. The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing and we have one month to respond to a request.
RIGHT TO RESTRICT PROCESSING
An individual has the right to request the restriction or suppression of their personal data however this is not an absolute right and only applies in certain circumstances. When processing is restricted, we are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing and we have one calendar month to respond to a request.
RIGHT TO TAKE ACTION FOR COMPENSATION IF THE INDIVIDUAL SUFFERS DAMAGE BY ANY CONTRAVENTION OF THE ACT BY DATA CONTROLLERS
Any individual who believes they have suffered damage and/or distress as a result of any contravention of the requirements of Data Protection law may be entitled to compensation from Cartrefi Conwy where the Association is unable to prove that it had taken such care as was reasonable in all the circumstances to comply with the relevant requirement. Any claim for compensation arising from this provision may be sent to the Company Secretary (see section 12 below).
RIGHT TO REQUEST THE INFORMATION COMMISSIONER TO ASSESS A DATA CONTROLLER’S PROCESSING
Any person can request the Information Commissioner to make an assessment if they believe that they are/have been adversely affected by our handling of personal data. Such requests should be made direct to the Information Commissioner whose contact details can be found below.
Generally if individuals have any concerns regarding the way their personal data is handled by Cartrefi Conwy or the quality (accuracy, relevance, non-excessiveness etc.) of their personal data they are encouraged to raise them with the Company Secretary (see section 12 below).
The Information Commissioner is the independent regulator responsible for enforcing Data Protection law; its office in Cardiff provides a local point of contact for members of the public and organisations based in Wales.
The Information Commissioner’s Office may be contacted using the following:
Information Commissioner’s Office – Wales 2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH Telephone: 016 2554 5297 Email: firstname.lastname@example.org
or alternatively, The Information Commissioner’s Office,
Wycliffe House, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 Website: www.ico.gov.uk
9. How long do we hold personal data for?
Cartrefi Conwy keeps personal data as long as is necessary for the particular purpose or purposes for which it is held. Personal information which is placed on the Housing Management system and other records containing personal data relating more generally to the activities of Cartrefi Conwy is retained, reviewed and deleted in accordance with agreed retention periods, which may be varied from time to time relevant to the needs of the business.
We may monitor or record and retain telephone calls, texts, emails and other electronic communications received and sent in order to assist the purposes described under section 1 above, and deter, prevent and detect inappropriate behaviour.
We do not place a pre-recorded ‘fair processing notice’ on all telephone lines because of the inconvenience that may be caused through the delay in response to the call.
Cookies are small data files which are stored on a user’s computer or mobile phone by a website and stored on the hard drive of the user’s device. They are helpful because they help to make a website work and often allow the website owners to direct specific content to the user.
On our website, users can manage and/or delete cookies as they wish, however, some cookies are required by the website to function correctly and therefore, not allowing them may prevent the performance and layout of the site. Information about how to do this is provided in the section How to manage cookies.
- ABOUT COOKIES
A cookie is a small amount of data (which often includes a unique identifier) that is sent to a user’s computer or mobile phone from a website and is stored on the hard drive of a device. Each website can send its own cookies to your browser if your browser’s preferences allow it. Many websites do this whenever a user visits their website in order to report on website traffic and frequency of individual’s navigation. Your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites.
Cookies on the Cartrefi Conwy website are used in a number of ways. Information on those used can be seen in the list below.
Cartrefi Conwy uses Google analytics to collect information about how people use our site. This helps us make sure our website meets users’ needs and to find out how we can improve.
Analytics cookies store information about what pages people visit, how long they are on the site, how they got there and what they click on. Information supplied by cookies helps Cartrefi Conwy to analyse the profile of visitors and provide them with a better experience.
Analytics cookies do not collect or store users’ personal information (for example, names or addresses), so this information cannot be used to identify individuals.
- STORING YOUR USABILITY AND ACCESSIBILITY SETTINGS
Our website provides settings that allow you to resize text or view different colour options.
If you switch them on, we store the settings in a cookie, so that they apply to each page you look at.
- THIRD-PARTY COOKIES
Third-party cookies are not set directly by Cartrefi Conwy, but by third-party service or functionality providers.
Cartrefi Conwy uses Google Analytics who set cookies on the Cartrefi Conwy website in order to deliver the services that they are providing (for example, website analytics).
Cartrefi Conwy also uses Issuu for the Together newsletter and they collect cookies to deliver the services that they are providing for example, publication statistics.
Cartrefi Conwy does not control the dissemination of these cookies. For more information about the cookies used by these suppliers, including how to opt-out, view their individual privacy policies listed below.
- GOOGLE ANALYTICS
stores the information collected by the cookie on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. How to reject or delete this cookiehttp://www.google.com/intl/en/privacypolicy.html
- ISSUU – ACCESSING THE TOGETHER NEWSLETTER
12. Contact Us
Any individual with concerns over the way Cartrefi Conwy handles their personal data may contact the Company Secretary as below:
The Company Secretary, Cartrefi Conwy, Morfa Gele, North Wales Business Park, Cae Eithin, Abergele LL22 8LJ
Tel: 0300 124 0040