Privacy Statement

Introduction and who we are

The purpose of this statement is to outline our approach to protecting the personal data we collect, process, hold and share as a Data Controller. We take your privacy seriously and are committed to protecting information through a range of organisational and technical measures to safeguard all personal information under our control. We maintain records of our processing activities, privacy risk assessments and a range of other measures to support our compliance with data protection law. This privacy statement is a key component of our wider Information Security and Governance Framework incorporating our Data Protection and ICT policies.

Eastlight Community Homes Ltd's registered office is at Eastlight House, Charter Way, Braintree, Essex, CM77 8FG and we are a company registered in England and Wales under company number IP30124R. We are registered on the Information Commissioner’s Office (ICO) Register registration number Z1122456, and act as the “Data Controller”. For more information, please contact DPA-FOI@eastlighthomes.co.uk

Information about you

Eastlight Community Homes Ltd gathers and processes your personal information in accordance with this privacy statement and in compliance with Data Protection Laws, (General Data Protection Regulation 2016 (GDPR), Data Protection Act 2018 and the Privacy and Electronic Communication Regulations (2003)).

This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data, how we may use it, how long we may retain it for, how we keep it secure and the limited conditions under which we may disclose it to others.

Eastlight Community Homes Ltd processes your personal information to meet our legal, regulatory and contractual obligations as a Registered Social Landlord and UK registered company to manage your tenancy or relationship with us, provide you with information about our products/services, or responding to or managing general enquiries or other information received. This statement also covers those employed by Eastlight Community Homes.

We will only collect necessary personal data from you and we will not process your information in any way other than as specified in this notice, or where we advise you before collecting the details from you.

We will normally collect information directly from you. This means that you know what information we have about you and we can be sure you have provided us with accurate and up-to-date information. We may also obtain information about our tenants provided by third parties, where this is relevant to their housing circumstances and our obligations as a Registered Social Landlord e.g. from social workers, health professionals or as detailed below.

The information we collect about you

Tenants:

  • Tenancy records to manage and support tenancies, including where additional support needs are identified
  • Rent, service charge, rent and arrears account and other financial information
  • Profiled information for internal analysis purposes only
  • Repair, maintenance and property adaptation records
  • Customer feedback and satisfaction
  • Records of tenancy changes e.g. mutual exchange, succession or an application to purchase
  • Information about specific issues affecting our tenants or their household members e.g. anti-social behaviour, violence and aggression, safeguarding concerns, hoarding, social protection and welfare matters
  • CCTV footage around our properties
  • Photographs
  • Information about our membership
  • Details for effective communication of information to tenants and the promotion of social, environmental and economic wellbeing pursuant to the Neighbourhood and Community Standard 2015 and the Tenant Involvement and Empowerment Standard
  • Information about you that relates to demographic data, such as race, religion, ethnicity, sexual orientation, gender, and age, for regulatory reporting requirements
  • We may also receive information about you from other agencies, such as local councils, community safety partnerships and multi-agency relationships for measures designed to protect an individual’s health, safety and welfare e.g from domestic or drug abuse.

Also:

  • We record information in our housing management system to deliver our housing management services. Furthermore, we may also record your telephone calls to us, as some calls to our customer service centre are recorded for training and monitoring purposes to ensure we are delivering an excellent service.
  • We have a self-service portal that enables our tenants to access their rent records, log repairs, update their personal details, notify us of anti-social behaviour, make a complaint or check their rent statements. We collect information when you log into our portal, for example, to pay your rent or request a repair. We collect your username, password and email address when you register on our resident portal for an account.

The list is not exhaustive, as we hold records of most of the contact we have with you, or about you, and we process this information so we can deliver our services to you.

Leaseholders and Freeholders:

  • Information about the sale/purchase/assignment of a lease, or its extension, or about the sale of a freehold
  • Information relevant to a lessee’s mortgage or re-mortgage application
  • Information relevant to services/repairs/other charges
  • Rent review information
  • Information in connection with managing your business lease/tenancy.

Also, we record information in our housing management system to manage and deliver our services to you.

Staff:

  • Recruitment and employee administration records e.g. performance/absence management and employee relation matters, including occupational health and criminal records checks
  • Contractual and benefits information, such as pay, pension, bonus schemes, maternity and paternity leave information
  • Payroll records and bank account information
  • Family/next of kin information
  • Nationality/immigration information and criminal background
  • Driving licence/qualifications and insurance information
  • Information about personal characteristics e.g. ethnic origin
  • Information obtained from personal development meetings with line managers
  • Details relating to personal vehicles for approved parking onsite or at Braintree Outlet shopping centre.

Also, we record information in our HR database to manage and deliver recruitment and employment services to prospective, current and past employees and those expressing an interest in working with us.

Contractors, suppliers and other third parties:

We keep basic contact details and any other information they may share in routine correspondence and enquiries with us.

CCTV

We rely on and use CCTV as an effective tool in helping us to achieve our aims and regulatory duties of creating safer communities and spaces in and around our residential properties, community hubs, commercial premises, office buildings and to create safer environments where people want to live and work. We place visible signage where we operate CCTV equipment, and where this is operated on our behalf.

We are obliged to share information with the relevant authorities for the prevention and detection of crime. The request for this information may be made under a police warrant, court order or an information sharing protocol. We may also share CCTV images in safeguarding cases.

CCTV is collected and stored in and around Eastlight's properties for crime prevention and detection purposes.

We use Dashcam recordings for maintaining staff safety and the efficiency of fleet vehicles. Dashcam footage may be provided to our insurance companies or the relevant authorities, where requested, following a road traffic incident. Vehicle tracking information and dashcam images may be used for disciplinary purposes, where driving standards fall below acceptable levels.

General enquiries and other information received

This section relates to any information voluntarily sent by the Data Subject and not caught by any other section within this statement.

We will process, store, retain and share personal information where relevant and appropriate to do so for the purposes of responding to or managing any general enquiries or other information received, volunteered or sent to us by the data subject that is or may be connected to any of our activities.

All information is managed in line with your rights and our obligations as detailed under Data Protection Law and the principles contained within this policy.

How we inform you

Eastlight are required to provide certain information in order to make the processing of Personal Data fair, lawful and transparent. We provide this information under a ‘layered approach’ to ensure that we provide you with all the information you require. This is achieved through providing a data protection statement at the point of data collection. This informs you of who we are, briefly explains why we are collecting the information, and refers this Privacy Statement. Where we update this statement, we will endeavour to bring this to your attention through a range of measures, including prominently displaying it on our website or customer portal, within e-newsletters, and within other communications from us.

We will only ask for personal information that is appropriate and relevant, to enable us to deliver our services. In some cases, you can refuse to provide your details if you deem a request to be inappropriate. However, you should note that this may impact our ability to provide some services to you or to meet your welfare needs if you refuse to provide information that stops us doing so.

Eastlight stories

On occasion, we like to contact our residents to see if they would like to take part in the stories that we tell to help promote the work that we do in your community, and to share things that we feel may be of interest to you and others. We may use information such as your age, length of tenancy, age of property, type of property or adaptations made to determine whether you may be suitable to contact. There is no obligation to take part and we would not use or publish information relating to you without your consent.

Personal Risk Register

We will not tolerate any behaviour from a resident, where their behaviour places the health, safety and welfare of our employees and representatives at risk from harm, assault, threats of violence, aggression, sexual advances or allegations, or any other behaviour assessed to be anti-social or unwarranted, including any discrimination based on race, religion, ethnicity, sexual orientation.

Where such behaviour is witnessed or reported to us, we are obliged to take action to protect the welfare of our employees and representatives, to ensure a safe working environment free from such risks or harassment. We also want to ensure the resident is appropriately supported and encouraged to change their behaviour. This may involve placing the individual under a period of monitoring, and stipulating two-person visits for the purpose of carrying out repairs. We may also restrict their access to one named contact point, to the office environment and for undertaking investigations. Where the risk(s) faced are sufficiently serious, this may warrant notification to the police and other relevant authorities.

The deployment of this measure is strictly governed and managed according to our Privacy Statement to ensure that this process is fair, transparent, compliant with lawful requirements and that privacy concerns are addressed and safeguarded appropriately.

How will we use your personal data? (legal basis processing)

We will rely on at least one of the following lawful bases for processing your personal information. The lawful basis that we rely upon is detailed within the wider Information Asset Register:

Consent:

You have given explicit consent for us to process your personal data for a specific purpose. You will have the right to withdraw your consent at any time. For example, where you have consented to us providing you with promotional offers and marketing.

Contractual:

We need to process your data to enter into a tenancy or other contractual agreement with you and to meet our obligations under that contract or because you have asked us, or we need to take specific steps before entering into a contract with you.

Legal Obligation:

The processing is necessary for us to comply with the law. For example, processing your legal status to stay in the UK to check your entitlement to housing or as part of our legal obligation for business accounting and tax purposes. We may also shar information with a credit reference agency or other third party who might provide us with financial background checks prior to you commencing your tenancy with us, to comply with health and safety legislation. In addition, we may share information from our CCTV systems with the police, as our legal obligation.

Vital Interest:

The processing is necessary to protect someone’s life. This will only apply to a situation of life and death where it is difficult or practically impossible to get your consent.

Public Interest:

Where we process special categories of data, such as health data, personal data revealing racial or ethnic origin, sexual orientation and religious or philosophical beliefs. This is done for the purpose of equal opportunities monitoring, with a view to enabling such equality to be promoted or maintained. Data that we use for these purposes is anonymized. In addition, we process your data where processing is necessary for the purposes of protecting an individual from neglect or physical, mental or emotional harm or protecting their physical, mental or emotional wellbeing. In certain circumstances, such as a serious concern for safeguarding or welfare, it may be necessary for us to contact statutory agencies (Police, Social Services & the Mental Health Team) and/or the Local Authority to enable us to support you in sustaining your tenancy. In addition, we may also rely on this lawful basis to gain access to your property (mainly for Housing for Older People) in situations where we have serious concerns for your safety.

Legitimate interest:

The processing is necessary for our legitimate interests or the legitimate interest of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests. This may include the processing of information from our CCTV systems for the prevention and prosecution of crime. We may also process your personal data in order to send you our magazine Also, your data may be used for direct marketing purposes to keep you updated with products/services and/or our latest news (we will occasionally send you marketing information where we have assessed that it is beneficial to you as a customer and in our interests. Such information will be non-intrusive and is processed on the grounds of legitimate interests). You can, however, exercise your right to opt out of receiving any direct marketing or where you don’t wish to be partake in feedback surveys.

Your rights

You have the right to access and request any personal information that we hold and process about you, including:

  • What personal data we hold about you
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has/will be disclosed
  • How long your information will be retained for.

If we did not collect the data directly from you, we will provide information about the source. You have the right to request a correction of your personal data if it is incorrect or out of date. We will strive to correct it as quickly as possible unless there is a valid reason for not doing so; at which point you will be notified. You can also send a request on our self-service portal.

You have the right to withdraw your consent for processing your data if the processing was based on consent.

You have the right to request that we delete your data if you feel we should no longer be processing it. Upon receiving a request for erasure, we will confirm whether it has been deleted or the reason why it cannot be deleted, for example, because we have a legal obligation to keep the information or we need it for a compelling legitimate business interest.

You have the right to object to processing of your data. You may request that we stop processing information about you. Upon receiving your request, we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights, legal obligations or to bring or defend legal claims.

You have the right to request that we transfer your data to another data controller if the data is processed by automated means (this only applies to information that you have provided in electronic format, under the legal basis of consent or pursuant to a contract).

You have the right to request restriction of the processing of your personal data. This enables you to ask us to suspend the processing of your personal data:

  1. if you want us to establish the data’s accuracy
  2. where our use of the data is unlawful, but you do not want us to erase it
  3. where you need us to hold the data even if we no longer require it, as you need it to establish, exercise or defend legal claims
  4. you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

You may exercise your rights verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. It will also provide clear evidence of your actions. You may also email us at DPA-FOI@eastlighthomes.co.uk. If you make your request in writing, please mark it for the Attention of The Data Protection Officer at Eastlight Community Homes Ltd, Eastlight House, Charter Way, Braintree, Essex, CM77 8FG.

We will comply with your request, where feasible to do so, within one month of receiving your request and your appropriate identification documentations. In certain circumstances, extensions of up to two months may be requested, but we will contact you if this in necessary.

If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and only disclosed to the right person.

We recognise and uphold your rights but there may be exemptions made under certain circumstances under data protection laws. Where exceptions have been made, we will inform you of these. Additionally, charges may apply under certain circumstances, but, again, we will advise you if this is necessary.   

Sharing and disclosing your personal information

Only relevant information about you will be used across the organisation to ensure you are receiving all services you have requested, that your information is accurate and up-to-date and to promote other products Eastlight offers and/or to keep you updated with the latest news.

We may also share your information with third parties such as (but not limited to):

  • Suppliers, contractors, and processors to deliver our services
  • Building companies, surveyors and defect management
  • The police, local authorities and law enforcement agencies, if relevant to safeguarding concerns or as part of a criminal investigation
  • Multi-agency agreements i.e. local authorities, other law enforcement agencies and MARAC
  • the Disclosure and Barring Service and, where necessary, providers of services to verify identity documents and provide barred list checks.

We may also share your information for research purposes to enable us to gather your views on the services we are providing.

On occasion, we use third parties to either store personal information or process it on our behalf. Where we have these arrangements, there is always a contract, memorandum of understanding, information sharing protocol or data processing agreement in place to ensure that the organisation complies with data protection laws. All processors acting on our behalf only process your data in accordance with written instructions in the form of a legally enforceable agreement from us. They are also obliged to comply fully with this privacy statement, data protection laws and confidentiality, and to implement appropriate technical and organisational measures to ensure security and confidentiality of your information.

We will not sell your information for direct marketing or other commercial purposes. On occasion, we may use your personal data for research purposes relating to various topics and services provided by us. Wherever possible, the data will be anonymized to avoid the identification of an individual, unless prior consent has been obtained for the use of the personal data.

We will not share or disclose any of your personal information, other than for the purposes specified in this privacy statement, where there is a legal or regulatory requirement to do so, there is a public interest or a vital interest to do so, or where we have your prior consent. However, there will be times when we investigate a complaint about a service that we may need to share personal data across the organisation and with other relevant bodies e.g. those we have commissioned to deliver services(s) on behalf of Eastlight or those we are in partnership with. You can obtain further information on:

  • Information Sharing & Partnership Agreements we have with other organisations we work with to deliver our services
  • Circumstances where we could pass personal data without your consent e.g. the prevention or detection of crime/fraudulent activity, if there is a serious risk to the public, our staff or to other professionals, to protect a child, to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them, or where there is a risk to you and the risk is sufficiently serious that the need to disclose your information is more important than protecting your confidentiality
  • Where we receive a request for information about you from another data controller who has a legitimate interest in contacting you. For example, we may receive a request for your contact details from utility companies that have or may supply your home with gas, water, electric, telecommunications.

Safeguarding measures

We take your privacy seriously and take every reasonable measure and precaution to protect and secure your personal data, whether electronically or in paper format. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place, including measures such as Secure Socket Layer (SSL), Transport Layer Security (TLS), encryptions, filtering, restricted access, IT authentication, firewalls and anti-virus/malware. Your personal information will only be made available to those who have the right to see them.

Transfers outside the EU

Personal data in the European Union is protected by the General Data Protection Regulation (GDPR) but some other countries may not necessarily have the same high standard of protection for your personal data. We utilise some products or services (or parts of them) that may be hosted/stored in non-EU countries e.g. the US or a third country, which means that we may transfer any information which is submitted by you through the website to outside of the European Economic Area (EEA) i.e. website hosting, email servers and marketing databases, such as MailChimp.

Therefore, when you use our website/send us an email/sign up to our newsletter etc. the personal information you submit may be stored on servers which are hosted in non-EU countries. Where data is transferred outside the EEA, we will ensure that transfers will only be made to countries in respect of which the European Commission has made an “adequacy decision”, or otherwise will only be made with appropriate safeguards, such as the use of standard data protection clauses adopted or approved by the European Commission. You may contact us to enquire about such safeguards so that you may obtain a copy of them or so that we may direct you to them. For example, MailChimp is an online marketing platform operated by The Rocket Science Group LLC, headquartered in the US. MailChimp is a participant of EU-US Privacy Shield Framework which means they have been certified to comply with the necessary security required to safeguard data from the EU.

Legitimate interests

As noted in the ‘How We Use Your Personal Data’ section of this notice, we may occasionally process your personal information under the legitimate interests’ legal basis. Where this is the case, we have carried out a thorough Legitimate Interests’ Assessment (LIA) to ensure that we have weighed up your interests and any risk posed to you against our own interests, ensuring that they are proportionate and appropriate. We use the legitimate interests’ legal basis for processing; for example, for our marketing and research, to carry out satisfaction surveys to help us monitor our performance, for business management and reporting purposes, and to improve our services to our customers and to send you our magazines.

How long we keep your data

We only ever retain personal information for as long as is necessary and we have retention policies in place to guide our retention of personal information in line with the National Federation of Housing guidelines. Retention periods will differ depending on the processing reason we collected the information for and whether we are legally required to keep personal data for certain periods. For example, we are required under UK tax law to keep financial records for six years, plus an additional year for tax purposes as HMRC can challenge/investigate transactions that far back if they so desire.  At the end of that period the records would be destroyed.

Typically, we will keep the data for our tenants for the life of their tenancy with us and for six years post-tenancy for legal reasons relating to, amongst other things, contracts and tax laws. Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent. Eastlight may retain information pursuant to the GDPR for archiving purposes, scientific or historic research purposes or statistical purposes.

Special Category Data

Owing to the products and services we offer, we sometimes need to process sensitive personal information (known as Special Category Data) about you, such as ethnic origin, sexual orientation, religious or philosophical beliefs and health data.

Where we collect such information, we will only request and process the minimum necessary for the specified purpose, for example, equal opportunities monitoring. Data that is used is anonymized or used with your explicit consent, which can be withdrawn at any time.

You are free to decide whether you provide such data and there are no consequences of failing to do so. You can request for your data not to be processed for such at any time, which we will act upon immediately, unless there is a legitimate, regulatory or legal reason for not doing so.

Where we process Special Category Data, our lawful basis exists under article 9 of the GDPR. For more information, please contact DPA-FOI@eastlighthomes.co.uk

Profiling & Automated Decision-Making

Eastlight uses profiling techniques for internal analysis purposes only to improve and manage business efficiencies, and support tenants with managing their tenancies with us. This may include profiling techniques for assessing the likelihood of rent arrears to enable us to provide relevant support under our wider regulatory duty as a registered social landlord.

Some elements of our recruitment processes include automated decision-making, for example, application forms received for job vacancies are automatically reviewed in accordance with the Rights to Work in the UK standard. If answered ‘No’, this will stop the application process proceeding. If answered ‘Yes’, further checking can take place on keywords outlined in the essential and desirable criteria required for the role. There may also be automated decision-making, depending on the requirements for the role, for example, a driving licence and use of a car may be required.

Cookie Notice

What are cookies?

‘cookie’ is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while they're browsing. There are a range of different cookies, some of which are necessary to make the website work properly e.g. those that make a video work. Other cookies may be used for analytical or tracking purposes. These enable us to improve the website experiences for all users e.g. Google Analytics. Cookies are widely used to enable the websites to work properly (e.g. ensuring that the right personal information collected is attached to the individual who submitted it when collecting information), using information you have provided to the Data Controller. You may delete and block cookies from this site, if you wish. However, please be aware that this could affect the experience of our website. If you would like further information relating to cookies and what they do and how to delete them, please visit www.aboutcookies.org or www.allaboutcookies.org.

Visiting our website

When someone visits our website, we collect standard internet log information and details of visitor behaviour patterns, using Google Analytics. We do this to find out things like the number of visitors to various parts of the site.

We do not make any attempt to find out the identities of those visiting our websites. We will not associate any data gathered from this site with any personally identifying information from any source.

If we do want to collect personally identifiable information through our website, we will be upfront about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Third Party Cookies

We sometimes embed video content and photos from websites i.e YouTube and the embedded content may present cookies from these websites. Similarly, when you use one of the share buttons on our website, a cookie may be set by the service you have chosen to share content through.

You should check the relevant third-party website for more information about these cookies, as this Privacy Statement does not cover links to other websites.

Accepting Cookies

If you do not choose to accept cookies, it will reduce our ability to provide you with the best experience we can. By rejecting/deleting cookies the next time you visit, the website will treat you as a new user and you may be asked to provide information that you have previously submitted.

Changes to our Privacy Statement

We will regularly review our Privacy Statement, and any updates will appear here.

Links to other websites

This Privacy Statement only applies to this website and does not cover the links within this site to other websites. So, if you link to other websites, you should read their Privacy/Cookie Statements/Policies.

Lodging a complaint

We only process your personal information in compliance with this Privacy Statement and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are not satisfied with how we have handled your information or our response, you have the right to lodge a complaint with the supervisory authority. Please see contact details below:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Telephone: 03031231113

www.ico.org.uk