Privacy & Your Right to Know
Privacy Notice
Octavia Housing is a controller of personal information for the purposes of the UK General Data Protection Regulation (UK GDPR). Our contact details for data protection purposes are as follows:
Address: Data Protection Officer, Emily House, 202-208 Kensal Rd, London W10 5BN
Telephone: 0208 354 5500
Email: dataprotection@octavia.org.uk
Octavia Housing and its associated companies: Octavia Hill Limited, Octavia Living Limited, Octavia Development Services Limited Octavia Foundation and Octavia Hill Housing Trust Gift Fund form a part of the Abri Group of companies.
The Octavia Data Protection Officer is responsible for data protection compliance at Octavia and can be contacted using the above contact details.
1 Purpose
1.1 This Privacy Notice tells you what to expect when Octavia processes personal information. It applies to information about applicants, residents, and other service users. It tells you about the purposes for which we may process your personal information and the legal basis for the processing (‘processing’ includes us just keeping your personal information).
2 Scope
2.1 Octavia needs to collect, process and store personal information about you and other household members (when you provide information about household members, we assume that you do so with their full knowledge and consent) in order to operate as a registered provider of housing and deliver efficient and effective services.
3 Aims and objectives
3.1 The information we hold on our records concerns our relationship with you. For example:
- We hold names & dates of birth, photographic ID, and information about your previous housing circumstances to assess housing applications and help prevent tenancy fraud.
- We hold contact details for you so we can communicate with you by your preferred means, and keep you informed about services we offer that may be useful to you.
- We record information about your needs (for example if you have a carer or social worker; if you need adaptations in your home; if you need large print or translated
- and to improve our communications with you.
- We record information to enable us to provide housing management services. For example, we record reports of anti-social behaviour; complaints; change in circumstances (for example when your employment status changes, etc.) and information about housing options (e.g., if you have a medical need which means you need to move).
- We record information to enable us to provide a service as a Charity in delivering services for public benefit.
- We keep financial records about the amount of money you have paid us; any amount(s) outstanding and action taken to recover money you owe.
- We may hold information about you if you are engaged with any additional guidance and support services. For example, in connection with access to training and employment, we may hold information about your job history and skills and experience, or if we support you to improve your financial circumstances, we may hold information about your household income and expenditure.
- We may record your telephone calls to our switchboard for training and monitoring purposes to ensure we are delivering a good service. Any call recordings will be held in accordance with our corporate retention policy before being erased.
- We may capture your image on our CCTV systems if you visit a property, office, or community facility. Any CCTV recordings will be held in accordance with our corporate retention policy before being erased.
- We record the findings of surveys and other research to help us improve our service to customers. The information you provide will be anonymous unless you agree that we can use your details. • To share with our third party for conducting surveys to ensure we are providing an exemplary service.
3.2 This list is not exhaustive, as we hold records of most contacts we have with you, or about you, and we process this information so we can deliver services to you. Generally, the information we hold will have been provided by you (on application or enquiry forms or when we communicate with you), but we may also hold information provided by third parties where this is relevant to your housing circumstances e.g. from social workers and health professionals (such as doctors and occupational therapists).
3.3 We will only ask for personal information that is appropriate to enable us to deliver our services. In some cases, you can refuse to provide your details if you deem a request to be inappropriate. However, you should note that this may impact our ability to provide some services to you if you refuse to provide information that stops us from doing so.
4 Processing Personal Data
4.1 We process your personal information in accordance with the principles of UK GDPR. We will treat your personal information fairly and lawfully and we will ensure that information is:
- Processed for limited purposes.
- Kept up-to-date, accurate, relevant, and not excessive.
- Not kept longer than is necessary.
- Kept secure.
4.2 Access to personal information is restricted to authorised individuals on a strict need-to-know basis.
4.3 We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.
4.4 To help us to ensure the confidentiality of your personal information we may ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you unless you have given us prior written authorisation to do so.
4.5 We will only hold your records during the period of our relationship with you and for a set period afterwards to allow us to meet our legal obligations including resolving any follow-up issues between us.
4.6 Normally, only Octavia staff will be able to see and process your personal information. However, there may be times when we will share relevant information with third parties for the purposes as outlined, or where we are legally required to do so. When sharing personal information, we will comply with all aspects of the UK GDPR. Special categories of personal data about health, sexual life, race, religion, and criminal activity, for example, are subject to particularly stringent security and confidentiality measures.
4.7 Where necessary or required, we may share information as follows:
- To comply with the law (e.g., the police, Inland Revenue, Council Tax Registration Officer, Social Security Fraud Act, National Fraud Initiative) or a court order
- Where there is a clear health or safety risk to an individual or members of the public, evidence of fraud against Octavia, other irregular behaviour or a matter Octavia is investigating
- In connection with court proceedings or statutory action to enforce compliance with tenancy conditions (e.g., applications for possession or for payment of Housing Benefit direct)
- Where Octavia has entered a formal protocol with the police or a local authority department
- Providing the name, address and contact number of a resident to contractors or other agents providing services on Octavia’s behalf
- Providing the name of a resident and the date of occupancy to gas, electricity, and water companies
- Providing information anonymously for bona fide statistical or research purposes, provided it is not possible to identify the individuals to whom the information relates
- Giving the name, address and stated local connection of applicants for housing to parish councils for housing which gives priority to people with a local connection
- Information required by the HCA when monitoring Octavia’s activities in its capacity as the regulator of housing associations.
- Information required by the Charities Commission when monitoring Octavia Foundation's activities in its capacity as the regulator of Charitable Organisations.
- The names of contractors invited to tender for works and the amounts tendered will be made available to residents paying service charges to which the cost of the works will be charged (Section 20 Landlord and Tenant Act 1985, as amended)
- To protect the vital interests of an individual (in a life-or-death situation)
- With our third-party agency who will conduct customer satisfaction surveys on our behalf
4.8 Our services are used by people of all ages. Octavia Foundation may accept website registrations and collect personal information from individuals under the age of 13. If you are under 13, we do not allow you to post information about yourself in any Octavia Foundation forums or community areas. Octavia Foundation accepts no liability if this instruction is ignored.
4.9 Children aged under 13 years must have a parent or guardian's consent before providing personal information to us. We do not wish to collect any personal information without this consent.
4.10 Automated decision-making is a computer-based operation that makes a decision about you based on automated means without any human involvement.
4.11 At present we do not undertake any automated decision-making or large-scale profiling that will have a legal or similarly significant effect on you. Should this change in the future, we will inform you and ensure that any of these operations are in line with our data protection obligations.
5 Legal basis for processing
5.1 We often have three main legal bases for processing personal data. Firstly, where it is necessary for the purposes of the legitimate interests pursued by Octavia or by a third party to process your information. We can do that so long as we do not interfere with your fundamental rights or freedoms.
Secondly, where we are processing your personal data so that we can offer you tenancy and/or care services under your tenancy or extra care agreement with us.
Thirdly, because we have your consent (i.e., agreement) to us processing your personal information. The consent form sets out the organisations and type of organisations we may share personal information about residents with. Under the UK GDPR, consent is a legal basis for processing personal information, sometimes including sensitive (or special category) personal information. You can withdraw your consent at any time. This is explained further below in the section entitled ‘Your rights under UK GDPR’.
5.2 The other reasons we can rely upon to process your personal information under UK GDPR are as follows:
- Where we are under a legal obligation or an obligation under a contract to process/disclose the information.
- Where we need to protect the vital interests (i.e., the health and safety) of you or another person.
- Some personal information is treated as more sensitive (for example information about health, sexuality, ethnic background, and others – see footnote below for a full list). The legal basis for processing these special categories of personal information is more limited. To lawfully process special categories of personal data, we must identify a lawful basis for the processing and meet a separate condition for the processing. The basis we can use these are:
- Where we need to protect the vital interests (i.e., the health and safety) of you or another person.
- Where you have already made your personal information public.
- Where we or another person need to bring or defend legal claims; and/or
- Where substantial public interest grounds apply
5.3 To process personal data about criminal convictions or offences, we must have both a lawful basis for the processing and either legal authority or official authority for the processing.
6 Rights under the UK GDPR
6.1 Access to personal information. Under the UK GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR). We may ask for proof of your identity in order to process your request. We have one calendar month within which to provide you with the information you’ve asked for (although we will try to provide this to you as promptly as possible). In some circumstances, we may extend the statutory deadline of one calendar month by a further two months. This will be done on a case-by-case basis and Octavia will do so if a request is deemed as complex or excessive. Following your SAR, we will provide you with a copy of the information we hold that relates to you. This will not generally include information that relates to your property such as repair logs or details of contractor visits, as this is not considered personal information.
6.2 Rectification. If you need us to correct any mistakes contained in the information we hold about you, you can let us know by contacting the customer contact team on 0208 354 5500 or email info@octavia.org.uk
6.3 Erasure (‘right to be forgotten’). You have the right to ask us to delete personal information we hold about you. You can do this where:
- the information is no longer necessary in relation to the purpose for which we originally collected/processed it
- where you withdraw consent
- where you object to the processing and there is no overriding legitimate interest for us continuing the processing
- where we unlawfully processed the information
- the personal information must be erased in order to comply with a legal obligation.
We can refuse to erase your personal information where the personal information is processed for the following reasons:
- to exercise the right of freedom of expression and information.
- to enable functions designed to protect the public to be achieved e.g., government or regulatory functions
- to comply with a legal obligation or for the performance of a public interest task or exercise of official authority.
- for public health purposes in the public interest.
- archiving purposes in the public interest, scientific research, historical research or statistical purposes.
- the exercise or defence of legal claims; or
- where we have an overriding legitimate interest for continuing with the processing
6.4 Restriction on processing. You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:
- You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
- You challenge whether we have a legitimate interest in using the information
- If the processing is a breach of the GDPR or otherwise unlawful
- If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.
If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so. We must inform you when we decide to remove the restriction giving the reasons why.
6.5 Objection to processing. You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which overrides your interests and rights, or the processing is necessary for us or someone else to bring or defend legal claims.
6.6 Withdrawal of consent. You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information.
6.7 Right to data portability. The right to data portability allows us to obtain and reuse your personal data across different services. It allows us to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. The right only applies to personal data you have provided to us where the reason we are relying on to use the information is either your consent or for the performance of a contract. It also only applies when processing is carried out by us using automated means.
7 Contact for further information
7.1 For further information on how to request your personal information and how and why we process your information, you can contact us using the details below.
0208 354 5500 /
dataprotection@octavia.org.uk
Octavia 202-204 Emily House, Kensal Road, London, W10 5BN
7.2 The Information Commissioner (ICO) is also a source of further information about your data protection rights. The ICO is an independent official body, and one of their primary functions is to administer the provisions of the GDPR. You have the right to complain to the ICO if you think we have breached the GDPR. You can contact the ICO at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
0303 123 1113 / http://www.ico.org.uk/
8 Publicising the policy
8.1 We keep our privacy notice under regular review and will place any updates on our website; you will be notified of any major changes to this policy.
9 Governance Consultation |
Michael Coldwell (Assistant Director of Governance, Risk and Assurance) |
Policy category |
Operational |
Approved by |
Sarah Pearson, Group Co Secretary |
Endorsed by |
Abri Data Protection Officer |
Policy Owner |
Data Protection Officer |
Date approved |
03/12/2024 |
Date effective |
03/12/2024 |
Next Review date |
December 2025 |
Revision History
Date of revision |
Author |
Revision detail |
01/05/2020 |
Tolu Omoyele |
Minor Changes |
13/07/2023 |
Laura Geanta |
1. Amended contact email in Intro and Section 7.1 2. Amended Section 6.1 regarding SAR delivery timeframe to inform of potential extensions. 3. Addition to Section 4.7 to add the National Fraud Initiative 4. Addition to section 3.1 and 4.7 to inform of Octavia collaboration with third-party for customer surveys |
02/09/2024 |
Mona Shahid, DPO |
1. Contact details amended to dataprotection@octavia.org.uk |
16/12/24 |
Debra Sullivan, Abri DPO |
1. Changes to lawful basis statement 2. Reference to Abri |