Tenant Services: Data Privacy Notice (Fair Processing Notice)

This Data Privacy Notice covers the processing of data for the following services provided by Tenant Services:

Rent Recovery; Housing Management; Garages; Debt Advice; Universal Support; Housing Revenues; Right to Buy and Leasehold; Welfare Reform; and Sheltered Housing Services.

Identity and contact details of the company

Reading Borough Council, Civic Centre, Bridge Street, Reading RG1 2LU

Contact details of the Data Protection Officer

Nayana George
IGTeam@reading.gov.uk

What personal data is held?

Name, DOB, address, email, telephone number, household members, Income details, nationality, gender, sexuality, religious belief, NINO, relationship status, debt details, next of kin / emergency contact details, employment details, court orders, benefit details, location of payments made via AllPay, bank details on Direct Debit form, mortgage details, bank statements, photo of tenant, photos of the condition of the property including any improvements/alterations made by the tenant, medical/health/disability/GP information.

How will the data be stored?

On secure encrypted laptops and RBC systems – data is stored on secure IT systems known as NEC (database) and NEC-EDMS (document management system) as well as shared drives for which access is restricted to the team for which the data is necessary. This system is internet-based software.

Security

Any information sent externally is sent via a secure email (Global Certs).

Data relevant to the household is held on the council’s own systems (NEC and NEC-EDMS) as well as some monitoring information being held on the shared drive (this information is kept to a minimum).

Restricting access

NEC and NEC-EDMS all have access restriction with the level of access determined through user roles.

Shared drive – access to the relevant areas of the shared drive is restricted to the teams/individuals for which the data is necessary.

Hard copies of DD and refund forms are kept for a couple of weeks whilst processed and are kept in a locked cupboard.

What is the legal basis for the collection, use and storage of the data?

Necessary to perform a task in the public interest, or for your official functions, and the task or function has a clear basis in law.

i.e. To manage aspects of the tenancy agreement in line with Housing legislation including the Housing Act 1985 and the Localism Act 2011.

Give details of how long the data will be stored and criteria used to determine this?

We will store your data for up to 6 years after the successful closure of your tenancy (ie no arrears due). Whilst you still have a current tenancy with us we will store and process your data accordingly. For any clients without a tenancy then data will be held for up to a maximum of two years.

Who will it be shared with and for what purpose?

We may share your information with:

• Other RBC departments including Environmental Health, Housing Benefit, Housing Management and Adult Social Care
• Brighter Futures for Children (Children’s Social Care)
• Welfare Rights Unit Reading
• Citizen’s Advice Reading
• Housing Associations
• Thames Valley Police
• Berkshire Woman’s Aid
• Launchpad
• Local Charities, as and when required
• Debt Support Agencies
• Job Centre Plus
• Department of Work and Pensions
• Reading County Court
• St Mungo’s
• All Banks
• NHS eg. Hospitals; GP’s; District Nurses; Paramedics
• NRS – regarding specialist equipment
• Berkshire Fire & Rescue for information required in event of fire and evacuation and referrals made for risk assessment and advice
• Social Services allocated Care Agencies
• Hire of transport for social trips – information limited to mobility issues
• Organisations contracted to monitor and respond to the call monitoring equipment and service
• Utility companies:
  • Green Energy Switch

We will also share information internally for the better performance and efficiency of Council Services.

Data is shared either at the request of the tenant or client and/or for the effective sustainment and support of social tenancies (both housing and garages), welfare benefit claims, application to buy social tenancies or to resolve debt issues and in order to fulfil our duties as a landlord.

How can the service user get access to it?

Information on making a Subject Access Request can be found on our data protection page.

State whether any data is to be transferred outside the EU

No

Is processing based on consent?

The processing is necessary for Tenant Services to perform tasks in the public interest and in undertaking its official functions. The way we process your data is exempt from consent through Contractual exemption, this is because you have signed a Tenancy Agreement and we have to process your data to manage your tenancy effectively.

If we process your data that is not covered by a contractual exemption then written consent will be obtained in a specific consent form.

You have a ‘right to be forgotten’ so you can ask for your personal information to be deleted where:

• It is no longer needed for the reason why it was collected in the first place
• You have removed your consent for us to use your information and we do not have to keep your information for legal reasons

If we have shared your personal information with others, we will do what we can to make sure those using your personal information comply with your request for erasure.

We may not be able to delete your personal data if it is needed for legal reasons, for reasons of public health, public interest or for medical purposes.

What other rights does the service user have that we have to make known to them?

You have the right to have your data corrected, the right to have your data deleted and you have a right to put a complaint to the Information Commissioner’s Office (ICO).

State if there will be any automated decision making

There are no automated decision making processes.

Consent

The GDPR sets out a higher standard for consent than the Data Protection Act. The GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

Consent has to be a positive indication of agreement to personal data being processed. It cannot be inferred from silence, pre-ticked boxes or inactivity. Opt out consent is no longer acceptable under the GDPR. The GDPR is clear that controllers have to demonstrate that consent was given, so a review is best practice in order to ensure there is an effective audit trail.

How should you write a consent request?

Consent requests need to be easy to understand and separate from any other information such as general terms and conditions.

The consent request must include the name of your organisation and the names of any third parties who will rely on the consent.

Your purpose for wanting the data and the processing activities you will be doing with the data need to be included.

The right to withdraw consent at any time and how to do this must be included.

Under data protection law, you have rights including:

• your right of access – you have the right to ask us for copies of your personal information
• your right to rectification – you have the right to ask us to rectify personal information you think is inaccurate and to ask us to complete information you think is incomplete
• your right to erasure – you have the right to ask us to erase your personal information in certain circumstances
• your right to restriction of processing – you have the right to ask us to restrict the processing of your personal information in certain circumstances
• your right to object to processing – you have the right to object to the processing of your personal information in certain circumstances
• your right to data portability – you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances

You have a right to complain to the Information Commissioner’s Office (ICO) if you are unhappy with how your personal information has been handled by RBC. They can be contacted at: 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113
ICO website: ico.org.uk