Tenant Services: Data Privacy Notice

This Data Privacy Notice covers the processing of data for the following services provided by Tenant Services:

Rent Recovery; Housing Management; Garages; Debt Advice; Universal Support; Housing Revenues; Right to Buy and Leasehold; Welfare Reform; and Sheltered Housing Services.

Identity and contact details of the company

Reading Borough Council, Civic Centre, Bridge Street, Reading RG1 2LU

Contact details of the Data Protection Officer

Nayana George
IGTeam@reading.gov.uk

What personal data is held?

Name, DOB, address, email, telephone number, household members, Income details, nationality, gender, sexuality, religious belief, NINO, relationship status, debt details, next of kin / emergency contact details, employment details, court orders, benefit details, location of payments made via AllPay, bank details on Direct Debit form, mortgage details, bank statements, photo of tenant, photos of the condition of the property including any improvements/alterations made by the tenant, medical/health/disability/GP information.

How will the data be stored?

On secure encrypted laptops and systems. System access is limited to those who require it with users having varying levels of permissions depending on their requirement. Laptops are locked away when not in use. Hard copies of DD and refund forms are kept for a couple of weeks whilst processed and are kept in a locked cupboard.

What is the legal basis for the collection, use and storage of the data?

Necessary to perform a task in the public interest, or for your official functions, and the task or function has a clear basis in law.

i.e. To manage aspects of the tenancy agreement in line with Housing legislation including the Housing Act 1985 and the Localism Act 2011.

Give details of how long the data will be stored and criteria used to determine this?

We will store your data for up to 6 years after the successful closure of your tenancy (ie no arrears due). Whilst you still have a current tenancy with us we will store and process your data accordingly. For any clients without a tenancy then data will be held for up to a maximum of two years.

Who will it be shared with and for what purpose?

We may share your information with:

• Welfare Rights Unit Reading
• Citizen’s Advice Reading
• Housing Associations
• Thames Valley Police
• Berkshire Woman’s Aid
• LaunchPad
• local charities as and when required
• debt support agencies
• Job Centre Plus
• Department of Work and Pensions
• Reading County Court
• St Mungo’s
• all Banks
• NHS eg. Hospitals; GP’s; District Nurses; Paramedics
• NRS – regarding specialist equipment
• Berkshire Fire & Rescue for information required in event of fire and evacuation and referrals made for risk assessment and advice
• Social Services allocated Care Agencies
• Hire of transport for social trips – information limited to mobility issues
• Organisations contracted to monitor and respond to the call monitoring equipment and service

We will also share information internally for the better performance and efficiency of Council Services.

Data is shared either at the request of the tenant or client and/or for the effective sustainment and support of social tenancies (both housing and garages), welfare benefit claims, application to buy social tenancies or to resolve debt issues and in order to fulfil our duties as a landlord.

How can the service user get access to it?

Information on making a Subject Access Request can be found on our data protection page.

State whether any data is to be transferred outside the EU

No

Is processing based on consent?

The processing is necessary for Tenant Services to perform tasks in the public interest and in undertaking its official functions. The way we process your data is exempt from consent through Contractual exemption, this is because you have signed a Tenancy Agreement and we have to process your data to manage your tenancy effectively.

If we process your data that is not covered by a contractual exemption then written consent will be obtained in a specific consent form.

You have a ‘right to be forgotten’ so you can ask for your personal information to be deleted where:

• It is no longer needed for the reason why it was collected in the first place
• You have removed your consent for us to use your information and we do not have to keep your information for legal reasons

If we have shared your personal information with others, we will do what we can to make sure those using your personal information comply with your request for erasure.

We may not be able to delete your personal data if it is needed for legal reasons, for reasons of public health, public interest or for medical purposes.

What other rights does the service user have that we have to make known to them?

You have the right to have your data corrected, the right to have your data deleted and you have a right to put a complaint to the Information Commissioner’s Office (ICO).

State if there will be any automated decision making

There are no automated decision making processes.

Consent

The GDPR sets out a higher standard for consent than the Data Protection Act. The GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

Consent has to be a positive indication of agreement to personal data being processed. It cannot be inferred from silence, pre-ticked boxes or inactivity. Opt out consent is no longer acceptable under the GDPR. The GDPR is clear that controllers have to demonstrate that consent was given, so a review is best practice in order to ensure there is an effective audit trail.

How should you write a consent request?

Consent requests need to be easy to understand and separate from any other information such as general terms and conditions.

The consent request must include the name of your organisation and the names of any third parties who will rely on the consent.

Your purpose for wanting the data and the processing activities you will be doing with the data need to be included.

The right to withdraw consent at any time and how to do this must be included.