The protection of your personal information is important to bpha.
We respect your privacy and are committed to ensuring your personal data is kept safe and secure and being transparent in how we use it. This notice explains how bpha collects, uses, stores, and shares your personal information.
Identity and contact details of the Controller
bpha Limited is a Housing Association and is a Controller of personal information for the purposes of the General Data Protection Regulation (‘GDPR’) and Data Protection Act 2018.
Our contact details for data protection purposes are:
Data Protection Officer,
Governance and Compliance,
bpha Limited,
Bedford Heights,
Manton Lane,
Bedford,
MK41 7BJ.
Email data.protection@bpha.org.uk.
bpha Limited is registered with the Information Commissioner’s Office as a Controller, and our registration number is Z8574989.
Your information is protected by law and bpha has a legal duty to protect any information we collect from you or have about you from other sources. The GDPR has a set of rules and guidelines we must follow when handling your information. These are referred to as Data Protection Principles.
This privacy notice tells you what to expect when bpha collects and stores personal and sensitive information about you.
It tells you the purposes for which we will process your personal information and the legal basis for the processing (‘processing’ includes us keeping your personal information). It applies to information we collect about:
Residents, leaseholders, or occupants of our homes
During your tenancy, we will collect and process information about you and members of your household. We do this to:
Unless we advise you otherwise, we will only collect and process personal information to carry out these functions.
Personal information is stored on our computer systems and/or tenancy file. It is held securely, and we have security measures in place to protect it.
Contractors, suppliers, partners or agents
We will collect relevant information from you in accordance with our contracts or information sharing agreements.
This may include names and qualification information relating to your staff. The purpose is to enable you to provide services to our residents on behalf of bpha.
Information will be held centrally by our Procurement Team on our computer system and by the relevant team/department in line with our retention periods. It is held securely, and we have security measures in place to protect it.
Employees and recruitment applicants
We collect personal and sensitive personal information relating to our workforce. This includes employees, contractors, temporary workers, and volunteers. We do this for:
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
We may also use your image, in photographs and other media, taken during the course of your bpha employment, for marketing and promotional publicity materials exclusively for bpha. This could include bpha’s intranet and websites; publications, documents and display material produced by bpha; and the media (newspaper and magazine articles and possibly television coverage). You can withdraw your consent for your image to be used in this way at any time by contacting the Data Protection Officer.
We may also use your personal information in the following situations, which are likely to be rare:
Information is held centrally by our HR team on our computer system. Individual and line managers can access certain personal information through our internal systems. Information is held securely, and we have security measures in place to protect it.
We will share your data with third parties, including third-party service providers, for example, payroll and pension administration.
We require third parties to respect the security of your data and to treat it in accordance with data protection legislation.
Unless we advise you otherwise, we will only collect and protect personal information to carry out these functions. Personal data is held securely, and we have security measures in place to protect it.
Board Members and Resident Governance Members
Throughout your appointment as a Board and/or Committee member we will collect and process personal information about you. We do this to:
Information is held centrally by our Governance Team on our computer system and relevant contact information is held by individual teams in line with our retention periods. It is held securely, and we have security measures in place to protect it.
Care and support customers
When a referral is made on your behalf to bpha for care or support, we will collect and process personal information about you. We do this to:
Personal information is stored on our computer systems. It is held securely, and we have security measures in place to protect it.
Information is held centrally by our Care and Support teams on our computer system and relevant contact information is held by individual teams in line with our retention periods. Personal data is held securely, and we have security measures in place to protect it.
Members of the public
We may collect and process personal information about you in the following circumstances:
Personal information is stored on our computer systems. It is held securely, and we have security measures in place to protect it.
We have four main legal bases for processing personal data:
Other reasons we can rely upon to process your personal information under GDPR are as follows:
Some personal information, such as information about health, sexuality, racial or ethnic background, political opinions, religion, beliefs, trade union membership or genetic and biometric data, is considered more sensitive and is treated as special category data needing higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in one or more of the following circumstances:
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We process your personal information in accordance with the principles of GDPR.
We will treat your personal information fairly and lawfully and we will ensure that information is:
Access to personal information is restricted to authorised individuals on a strictly need to know basis.
We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.
To help us ensure confidentiality of your personal information we will ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you unless you have given us prior authorisation to do so.
Who might we share your personal information with?
Normally, only bpha employees will be able to see and process your personal information. However, there will be occasions when we will need to share personal information with third parties for the purposes as outlined or where we are legally required to do so.
When sharing personal information, we will comply with all aspects of the GDPR. Special categories of personal data about health, sexual life, race, religion, and criminal activity, for example, are subject to particularly stringent security and confidentiality measures.
We also share information:
As part of the government’s reform of welfare benefits, new regulations have been introduced on information sharing. This means we can now share limited information about our residents and their properties with local authorities, for example, name, address, and National Insurance Number.
The new regulations will help us identify and support those who could be affected by welfare reform.
We will also disclose your personal details, if required to do so, by law or by any Government body.
bpha contracts external companies to manage certain areas of our business to fulfil our obligations as a landlord.
We share limited personal information of our residents with external contractors, such as name, address, and telephone number.
Examples include:
We will only share the minimum information necessary for the contractor to carry out their services on behalf of bpha. We will also ensure that data sharing agreements are in place, where we are sharing personal data with data processors.
If you have any concerns about a company operating on behalf of bpha, or information that has been shared with an external company, please contact us using the details in How to contact us below.
bpha will never sell personal information to a third party.
Our website is hosted within the UK. Our other systems are generally located on our premises or elsewhere within Europe, but some services used for email campaigns and completing online surveys may be located outside of Europe.
Where data is transferred outside Europe, we will make sure that transfers are only made to countries in which the European Commission has made an ‘adequacy decision’, or where appropriate safeguards are in place.
We have a data retention schedule, which sets out how long we keep different types of information. We follow legal requirements and best practice.
We may use data disclosed for the purpose of preventing and detecting fraud. This includes information provided on the bpha website, on the MyAccount area, or in any other way provided to us online or otherwise.
The data collected may be used for the purpose of data matching and further investigations. This involves comparing the data we hold on you with that held by third parties solely for the purpose of detecting and preventing fraud. We might also use your data to further investigate fraud that we think might have been committed.
This involves checking with various third parties, such as the Land Registry, banks, schools, and utility companies.
You have a number of rights under the GDPR.
Access to personal information
Under GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR).
We have provided a Subject Access Request form which provides further information to help you to submit your request. We may request further identification, or clarification about your request. To make a subject access request, please complete and return the form.
Alternatively, you can email us at data.protection@bpha.org.uk, or let us know by contacting customer services on 0330 100 0272.
We will respond to your request with all the information we are legally required to provide within 28 days.
Your right to certain information may be restricted. For example, information relating to a third person or information relating to a Police investigation.
Rectification
If you need to correct any mistakes contained in information we hold about you, you can let us know by contacting customer services on 0330 100 0272.
Erasure (‘right to be forgotten’)
You have the right to ask us to delete personal information we hold about you. You can do this where:
We can refuse to erase your personal information where the personal information is processed for the following reasons:
Restriction on processing
You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store
the information, but not do anything with it. You can do this where:
If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so. We must inform you when we decide to remove the restriction giving the reasons why.
Objection to processing
You have the right to object to processing where we say it is in our legitimate business interests.
We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which overrides your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.
Withdrawal of consent
We will seek your consent to contact you for non-essential services, examples of this include to gather feedback following community events or permission to use photographs taken (e.g. at events).
If the basis on which we are using your personal information is your consent, you have the right to withdraw your consent to us processing your information at any time. We must stop using the information. We can refuse if we can rely on another reason to process the information such as our contractual obligations or legitimate interests.
We collect the following information from visitors to our website and my.bpha account:
You can read more about how we use cookies here.
This privacy notice does not cover links within our website to other websites. We encourage you to read the privacy statements on other websites you visit.
We keep our privacy notice under regular review.
We will update it if we undertake any new or amended processing. This privacy notice was last updated June 2021
bpha has subsidiary organisations who are also registered as Data Controllers with the Information Commissioners Office. They are:
This privacy notice does not provide details on all aspects of bpha’s collection and use of personal information. We are happy to provide any further information or explanation if needed.
Please contact us using the information below.
If you want to find out more about this, you can:
Alternatively, here are other ways to contact us.
bpha aims to meet the highest standards when collecting and using personal information. You can raise a complaint with us if you think that our collection or use of information was unfair, misleading, inaccurate, or inappropriate.
If you are still not happy with our response, you have the right to appeal directly to the regulator – the Information Commissioners’ Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113.