bpha Privacy Notice

The protection of your personal information is important to bpha. We respect your privacy and are committed to ensuring your personal data is kept safe and secure and being transparent in how we use it. This notice explains how bpha collects, uses, stores, and shares your personal information.

Identity and contact details of the Controller
bpha Limited is a Housing Association and is a Controller of personal information for the purposes of the General Data Protection Regulation (‘GDPR’) and Data Protection Act 2018.

Our contact details for data protection purposes are:

Data Protection Officer,
Governance and Compliance,
bpha Limited,
Bedford Heights,
Manton Lane,
MK41 7BJ.

Email data.protection@bpha.org.uk.

bpha Limited is registered with the Information Commissioner’s Office as a Controller, and our registration number is Z8574989.

Your information is protected by law and bpha has a legal duty to protect any information we collect from you or have about you from other sources. The GDPR has a set of rules and guidelines we must follow when handling your information. These are referred to as Data Protection Principles.

How bpha uses and stores your personal information

This privacy notice tells you what to expect when bpha collects and stores personal and sensitive information about you.

It tells you the purposes for which we will process your personal information and the legal basis for the processing (‘processing’ includes us keeping your personal information). It applies to information we collect about:

Residents, leaseholders, or occupants of our homes
During your tenancy, we will collect and process information about you and members of your household. We do this to:

  • Be able to contact you directly.
  • Manage your tenancy and the bpha property it relates to.
  • Monitor compliance with the terms of your tenancy or service agreement.
  • Deliver support for special needs to you or any member of your household.
  • Share information with other agencies where we have your agreement.
  • Conduct transactional surveys in order to monitor and improve our service. For example, repairs and maintenance, complaints, lettings, anti-social behaviour issues and training.
  • Monitor equality and diversity.
  • Provide information about our performance and services through newsletters and email campaigns.
  • Provide information about additional services we offer, including opportunities to participate in meetings, training, and events.
  • Comply with our safeguarding duties.
  • Ensure we meet the regulatory requirements set by the Regulator of Social Housing consumer standards.
  • Deliver Resident Engagement activities which will gather your views and work with you to review and codesign your housing services.
  • Deliver Community Engagement which will allow us to consult with you on the ways we can assist in improving the neighbourhood in which you live.
  • Complete consultations, facilitate residents’ groups, and community grant applications.
  • Verify your identity so that we can give you access to your online my.bpha account.
  • Share information with our payment gateways to enable payments to be taken online via the bpha website.

Unless we advise you otherwise, we will only collect and process personal information to carry out these functions.
Personal information is stored on our computer systems and/or tenancy file. It is held securely, and we have security measures in place to protect it.

Contractors, suppliers, partners or agents

We will collect relevant information from you in accordance with our contracts or information sharing agreements.

This may include names and qualification information relating to your staff. The purpose is to enable you to provide services to our residents on behalf of bpha.

Information will be held centrally by our Procurement Team on our computer system and by the relevant team/department in line with our retention periods. It is held securely, and we have security measures in place to protect it.

Employees and recruitment applicants

We collect personal and sensitive personal information relating to our workforce. This includes employees, contractors, temporary workers, and volunteers. We do this for:

  • Recruitment and appointment purposes, to set up your employment or volunteering contract.
  • Administration purposes (e.g. to operate payroll, pensions etc.).
  • Conducting performance reviews, managing performance and determining performance requirements.
  • Offering any necessary support requirements in your role.
    Compliance with legal or industry standards to ensure that your tax and National Insurance are recorded against your name (e.g. to prove eligibility to work in the UK, to complete DBS checks, where appropriate, and to meet our Health and Safety Requirements).
  • Conducting transactional surveys to monitor and improve our services, for example, following training courses.
  • Risk assessing you for lone working.
  • Monitoring diversity in our applicants and workforce, as recommended by the Equality and Human Rights Commission. The information you give us in this section will not be seen by the hiring manager during the application process, and will not affect applications to work with us or volunteer with us in any way.
  • Monitoring our premises and for safeguarding and security reasons.

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your image, in photographs and other media, taken during the course of your bpha employment, for marketing and promotional publicity materials exclusively for bpha. This could include bpha’s intranet and websites; publications, documents and display material produced by bpha; and the media (newspaper and magazine articles and possibly television coverage). You can withdraw your consent for your image to be used in this way at any time by contacting the Data Protection Officer.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest or for official purposes.

Information is held centrally by our HR team on our computer system. Individual and line managers can access certain personal information through our internal systems. Information is held securely, and we have security measures in place to protect it.

We will share your data with third parties, including third-party service providers, for example, payroll and pension administration.

We require third parties to respect the security of your data and to treat it in accordance with data protection legislation.

Unless we advise you otherwise, we will only collect and protect personal information to carry out these functions. Personal data is held securely, and we have security measures in place to protect it.

Board Members and Resident Governance Members

Throughout your appointment as a Board and/or Committee member we will collect and process personal information about you. We do this to:

  • Contact you in relation to your role as a Board or Committee Member.
  • Monitor compliance with the terms of your Agreement for Services, Terms of Appointment.
  • Deliver tailored training and support.
  • Monitor Equality and Diversity (the information provided is anonymised and used only for statistical monitoring purposes which help us make improvements).

Information is held centrally by our Governance Team on our computer system and relevant contact information is held by individual teams in line with our retention periods. It is held securely, and we have security measures in place to protect it.

Care and support customers

When a referral is made on your behalf to bpha for care or support, we will collect and process personal information about you. We do this to:

  • Identify your care and support needs and complete our assessments, so we can offer you the most effective service possible.
  • Complete risk assessments.
  • Monitor equality and diversity.
  • Share information about your care and support with your family or next of kin.
  • Provide assistance to the Police in the event of a missing person case.
  • Update our records of your care and support needs.
  • Monitor our premises.

Personal information is stored on our computer systems. It is held securely, and we have security measures in place to protect it.

Information is held centrally by our Care and Support teams on our computer system and relevant contact information is held by individual teams in line with our retention periods. Personal data is held securely, and we have security measures in place to protect it.

Members of the public
We may collect and process personal information about you in the following circumstances:

  • To respond to requests for information regarding our services (e.g. when you submit information for reporting anti-social behaviours).
  • To contact you regarding property you have registered an interest in.
  • To comply with relevant legislation and regulation.
  • To register you for our employment, training and resident and community engagement services.

Personal information is stored on our computer systems. It is held securely, and we have security measures in place to protect it.

Legal basis for processing

We have four main legal bases for processing personal data:

  1. Where it is necessary for the performance of a contract (i.e. provision of services set out in the tenancy agreement)
  2. Where it is necessary for the purposes of the legitimate interests pursued by bpha or by a third party to process your information. We can do that as long as we do not interfere with your fundamental rights or freedom.
  3. Because we have your consent (i.e. agreement) to us processing your personal information. You can withdraw your consent at any time. This is explained further below in the section entitled ‘Your rights under GDPR’.
  4. Where processing is necessary to comply with the law or a statutory obligation.

Other reasons we can rely upon to process your personal information under GDPR are as follows:

  • Where we are under a legal obligation or an obligation under a contract to process/disclose the information.
  • Where we need to protect the vital interests (i.e. health and safety) of you or another person.

Special category data

Some personal information, such as information about health, sexuality, racial or ethnic background, political opinions, religion, beliefs, trade union membership or genetic and biometric data, is considered more sensitive and is treated as special category data needing higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in one or more of the following circumstances:

  • In limited circumstances, with your explicit written consent.
  • Where we need to carry out our legal obligations.
  • Where it is needed in the public interest.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

How we manage your personal information

We process your personal information in accordance with the principles of GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

  • Processed for a limited purpose.
  • Kept up-to-date, accurate, relevant and not excessive.
  • Not kept longer than is necessary.
  • Kept secure.

Access to personal information is restricted to authorised individuals on a strictly need to know basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.

To help us ensure confidentiality of your personal information we will ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you unless you have given us prior authorisation to do so.

Who might we share your personal information with?

Who might we share your personal information with?

Normally, only bpha employees will be able to see and process your personal information. However, there will be occasions when we will need to share personal information with third parties for the purposes as outlined or where we are legally required to do so.
When sharing personal information, we will comply with all aspects of the GDPR. Special categories of personal data about health, sexual life, race, religion, and criminal activity, for example, are subject to particularly stringent security and confidentiality measures.

We also share information:

  • To allow us to tailor our services to you.
  • For detecting possible fraud (e.g. as part of the National Fraud Initiative).
  • To deal with rent arrears (e.g. tracing and/or debt collection agencies).
  • To deal with unpaid bills (e.g. utility or council tax bills – we may need to pass on your forwarding address).
  • To help us communicate with you (e.g. we sometimes use external printers, translators etc.).
  • To assist the Police in solving crime and investigating anti-social behaviour.

As part of the government’s reform of welfare benefits, new regulations have been introduced on information sharing. This means we can now share limited information about our residents and their properties with local authorities, for example, name, address, and National Insurance Number.

The new regulations will help us identify and support those who could be affected by welfare reform.

We will also disclose your personal details, if required to do so, by law or by any Government body.

bpha contracts external companies to manage certain areas of our business to fulfil our obligations as a landlord.

We share limited personal information of our residents with external contractors, such as name, address, and telephone number.

Examples include:

  • Repairs and maintenance contractors.
  • Out of hours call centre service.
  • Health and safety compliance checks (e.g. gas servicing, lifts, asbestos, legionella).

We will only share the minimum information necessary for the contractor to carry out their services on behalf of bpha. We will also ensure that data sharing agreements are in place, where we are sharing personal data with data processors.

If you have any concerns about a company operating on behalf of bpha, or information that has been shared with an external company, please contact us using the details in How to contact us below.

bpha will never sell personal information to a third party.

International transfers of personal data

Our website is hosted within the UK. Our other systems are generally located on our premises or elsewhere within Europe, but some services used for email campaigns and completing online surveys may be located outside of Europe.

Where data is transferred outside Europe, we will make sure that transfers are only made to countries in which the European Commission has made an ‘adequacy decision’, or where appropriate safeguards are in place.

How long do we keep information?

We have a data retention schedule, which sets out how long we keep different types of information. We follow legal requirements and best practice.

Fraud detection?

We may use data disclosed for the purpose of preventing and detecting fraud. This includes information provided on the bpha website, on the MyAccount area, or in any other way provided to us online or otherwise.

The data collected may be used for the purpose of data matching and further investigations. This involves comparing the data we hold on you with that held by third parties solely for the purpose of detecting and preventing fraud. We might also use your data to further investigate fraud that we think might have been committed.

This involves checking with various third parties, such as the Land Registry, banks, schools, and utility companies.

Your rights under GDPR?

You have a number of rights under the GDPR.

Access to personal information

Under GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR).

We have provided a Subject Access Request form which provides further information to help you to submit your request. We may request further identification, or clarification about your request. To make a subject access request, please complete and return the form.

Alternatively, you can email us at data.protection@bpha.org.uk, or let us know by contacting customer services on 0330 100 0272.

We will respond to your request with all the information we are legally required to provide within 28 days.

Your right to certain information may be restricted. For example, information relating to a third person or information relating to a Police investigation.


If you need to correct any mistakes contained in information we hold about you, you can let us know by contacting customer services on 0330 100 0272.

Erasure (‘right to be forgotten’)

You have the right to ask us to delete personal information we hold about you. You can do this where:

  • The information is no longer necessary in relation to the purpose for which we originally collected/processed it.
  • You withdraw consent.
  • You object to the processing and there is no overriding legitimate interest for us continuing the processing.
  • We unlawfully processed the information.
  • The personal information has to be erased in order to comply with a legal obligation.

We can refuse to erase your personal information where the personal information is processed for the following reasons:

  • To exercise the right of freedom of expression and information.
  • To enable functions designed to protect the public to be achieved, e.g. government of regulatory functions.
  • To comply with a legal obligation or for the performance of a public interest task or exercise of official authority.
  • For public health purposes in the public interest.
  • Archiving purposes in the public interest, scientific research, historical research, or statistical purposes.
  • The exercise or defence of legal claims.
  • Where we have an overriding legitimate interest for continuing with the processing.

Restriction on processing

You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store

the information, but not do anything with it. You can do this where:

  • You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy).
  • You challenge whether we have a legitimate interest in using the information.
  • The processing is a breach of the GDPR or otherwise unlawful.
  • We no longer need the personal data, but you need the information to establish, exercise or defend a legal claim.

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so. We must inform you when we decide to remove the restriction giving the reasons why.

Objection to processing

You have the right to object to processing where we say it is in our legitimate business interests.

We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which overrides your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.

Withdrawal of consent

We will seek your consent to contact you for non-essential services, examples of this include to gather feedback following community events or permission to use photographs taken (e.g. at events).

If the basis on which we are using your personal information is your consent, you have the right to withdraw your consent to us processing your information at any time. We must stop using the information. We can refuse if we can rely on another reason to process the information such as our contractual obligations or legitimate interests.

Visitors to our website

We collect the following information from visitors to our website and my.bpha account:

  1. Details collected through online forms.
  2. Surveys and polls about the website.
  3. Site usage information from session cookies and log files.

Site usage information

You can read more about how we use cookies here.

Links to other websites 

This privacy notice does not cover links within our website to other websites. We encourage you to read the privacy statements on other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review.

We will update it if we undertake any new or amended processing. This privacy notice was last updated June 2021

Subsidiary organisations 

bpha has subsidiary organisations who are also registered as Data Controllers with the Information Commissioners Office. They are:

  • bpha Finance Limited
  • Bushmead Homes

Further information

This privacy notice does not provide details on all aspects of bpha’s collection and use of personal information. We are happy to provide any further information or explanation if needed.

Please contact us using the information below.

How to contact us 

If you want to find out more about this, you can:

  • Email the Data Protection Officer at data.protection@bpha.org.uk
  • Write to The Data Protection Officer, bpha Limited, Bedford Heights, Manton Lane, Bedford, MK41 7BJ.

Alternatively, here are other ways to contact us.


bpha aims to meet the highest standards when collecting and using personal information. You can raise a complaint with us if you think that our collection or use of information was unfair, misleading, inaccurate, or inappropriate.

If you are still not happy with our response, you have the right to appeal directly to the regulator – the Information Commissioners’ Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113.