Guidance

Regulator of Social Housing privacy notice

Explains your rights over your data and how the regulator processes and protects your personal information in line with data protection legislation.

• From: Regulator of Social Housing
• Published: 23 May 2018
• Last updated: 7 March 2023 — See all updates

Applies to England

The purpose of this privacy notice

This privacy notice will help you understand how we look after, collect, share, store and use the personal data provided to us (including information that you provide directly), and tell you about your rights and how the law protects you.

Who we are

The Regulator of Social Housing (“the regulator”) is a non-departmental public body that regulates registered providers of social housing to promote a viable, efficient and well-governed social housing sector able to deliver homes that meet a range of needs. Its objectives are set out in the Housing and Regeneration Act 2008 (as amended). The regulator is committed to protecting the privacy and security of your personal data.

As a controller of your personal data we are responsible for looking after it, and processing it in a fair, lawful, and transparent manner.

There is a Glossary available in Annex 1 to help you understand the meaning of some of the terms used in this notice. Any defined terms are written in bold.

When do we collect information about people

In addition to the information below, we have a number of specific notices in place which explain how we process your personal data in the following circumstances. Please click through the documents list below to access the specific notices.

• Privacy notice – Employees contractors and agency workers (ODT, 63.9 KB)
• Privacy notice – Applicants for employment (ODT, 64.1 KB)
• Privacy notice – Former employees (ODT, 62.6 KB)
• Privacy notice – Information governance, complaints, referrals and general enquiries (ODT, 62.1 KB)
• Privacy notice – Employees and residents of registration applicants, registered providers and the wider social housing sector (ODT, 64.3 KB)
• Privacy notice – Visitors to our buildings (ODT, 61 KB)
• Privacy notice – Users of our website and web portals (ODT, 73 KB)
• Privacy notice - Consultation participants (ODT, 49.1 KB)

How do we keep your personal data secure

The regulator takes the security of all the data we hold seriously and adheres to internationally recognised security standards.

We have policies, procedures and training in place covering cyber and data protection to safeguard the confidentiality, integrity and availability of our data.  Additionally, the regulator frequently reviews the suitability of the measures we have in place to ensure the data we hold is appropriately protected.

Who do we share your personal data with

We may share your personal data with third parties including third-party service providers, regulatory bodies, the Police and other Government departments and agencies. Where we do so, we will require all third parties to respect the security of your personal data, to meet the security standards of the regulator in protecting it and to treat it in accordance with the law. We, or our third parties, will only transfer your personal data to other bodies (e.g., sub-contractors) if it is provided with adequate protection in accordance with data protection legislation. For details of third parties, we may share your personal data with please contact our Data Protection Officer (details provided below).

A very small percentage of government records containing personal information are selected for permanent preservation at The National Archives. If records containing personal information are made available by the regulator to The National Archives, they will made available in accordance with the Freedom of Information Act 2000, as amended by the Data Protection Act 2018.

For more information about the purposes for which we may share your data with third parties, please refer to the relevant section of this privacy notice below.

Transfer of personal data outside the UK

We may share your personal data outside of the UK to our suppliers or service providers. Whenever we do this, we will either:

1. transfer your personal data to countries that have been deemed to provide an adequate level of protection, or
2. use appropriate safeguards (for example standard contractual clauses) or
3. otherwise ensure that the transfer is in line with UK data protection legislation.

How long will your personal data be kept for

The regulator will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. For example, we must collect personal data from applicants for employment to check they are entitled to work in the UK. For more details on the specific retention periods for the different types of personal data we process, please contact our DPO (contact details are provided below).

In deciding how long we should keep your personal data we consider a number of factors, such as:

• the amount, nature, and sensitivity of the data
• the potential risk of harm from unauthorised use or disclosure of the data
• the purposes for which we process your personal data
• whether we can achieve those purposes through other means and
• the applicable legal or regulatory requirements.

There is currently a moratorium in place on the destruction of information of potential relevance to the Grenfell Tower Inquiry. This moratorium overrides all relevant retention periods set out in the regulator’s retention and disposal schedule.

Your Data subject rights

As a Data subject, you have the following rights:

• Right to be informed – you have the right to request details of how your personal data is processed. This privacy notice is a proactive document designed to meet this right.
  
  
• Right to request access – you can request copies of the personal data we hold about you. This is commonly known as a “subject access request”.
  
  
• Right to request correction – if you think that some or all of the personal data we hold on you is incorrect or incomplete, you can ask for it to be corrected, although we may need to verify the accuracy of the new personal data.
  
  
• Right to request erasure – you have to right to ask us to delete your personal data, under certain conditions, e.g. if there is no good reason for us to continue processing it.
  
  
• Right to request suspension of processing – this enables you to request we suspend processing your personal data; for example, while we establish the accuracy of the data.
  
  
• Right to object – you have the right to object to the processing of your personal data when we are relying on the lawful bases of public task or legitimate interest.
  
  
• Right to request data portability – you can request that your personal data is transferred to a third party directly in a readable format.
  
  
• Withdraw consent at any time when we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

How to exercise your Data subject rights

If you wish to exercise any of the above rights, please send a written request to the Data protection officer. The availability of these rights depends on the lawful basis relied on and may not always be an absolute right. Contact details for our DPO are provided in the Data protection officer, complaints and queries section below.

You will not have to pay a fee to exercise any of your rights, however we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to confirm your identity. This is a security measure to ensure that personal data is only disclosed to persons who have the right to receive it.

The regulator aims to respond to requests within one month. Please note, however, that it may take us longer than one month if your request is particularly complex or if you have made several requests. If this is the case, we will notify you and keep you updated.

Where we are relying on consent to process your personal data, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.

Data protection officer, complaints and queries

If you are unhappy or have any queries regarding any aspect of this privacy notice, or how your personal data is being processed by the regulator, please contact the Data Protection Officer, using the following contact details:

Head of Data Protection, Information Access and Complaints,
Regulator of Social Housing
Level 2
7-8 Wellington Place
Leeds LS1 4AP

By email: enquiries@rsh.gov.uk
By phone: 0300 124 5225

If you remain dissatisfied by the proposed resolution of your complaint by the regulator, you have the right to lodge a complaint with the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113

Email: casework@ico.org.uk
Website: ico.org.uk

Changes to this privacy notice

The regulator regularly reviews and, where required, updates this privacy notice. This privacy notice was last updated in November 2022.

Annex 1 – Glossary

• Personal Data – Information from which individuals can be identified or are identifiable, e.g. name, contact details, location data, identification number.

• Data Subject – an identified or identifiable individual, from whom or about whom the regulator processes information in connection with our operations.

Special categories of personal data

Personal data revealing race or ethnicity, political opinions, religion or beliefs, trade union membership, health or sex life, sexual orientation, genetic data or biometric data.

• Processing – Any operation(s) performed on personal data, e.g. collection, recording, structuring, storage, alteration, retrieval, use, dissemination.
  
  

• Lawful basis – a lawful ground for processing personal data defined in Article 6 of the UK GDPR and supported by the Framework. There are 6 lawful bases and at least one of these must apply whenever we process personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests.
  
  

• Public Task – As data controller we may process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the regulator.
  
  

• Performance of Contract – processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
  
  

• Comply with a legal or regulatory obligation – processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
  
  

The Special category and criminal offence data processing policy (ODT, 72.4 KB) explains how the regulator applies the data protection principles and links with the specific privacy notices to make it clear what the purpose of the processing activity is.

Third parties

• Professional advisers including lawyers, bankers, auditors and insurers based who provide consultancy, banking, legal, insurance and accounting services
  
  

• Department for Levelling Up, Housing and Communities, who are the sponsor body for the regulator
  
  

• HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances, including those involved in the prevention or detection of fraud and money laundering
  
  

• The Police, HM Treasury, National Audit Office, the Housing Ombudsman and other public authorities with whom we have established a lawful basis for processing your data
  
  

• Registered providers with whom we may share information about customer referrals; Freedom of Information and other requests for information such as subject access requests
  
  

• Suppliers and contractors who process personal data on our behalf, under parameters established by us, to deliver services in pursuit of our public task, or other lawful basis
  
  

• Credit reference, due diligence providers and rating agencies who may help us decide whether to provide you with a service.
  
  

Alternative formats

If you need information on this page or in the specific privacy notices in a different accessible format, please email enquiries@rsh.gov.uk.

Published 23 May 2018
Last updated 7 March 2023 + show all updates

1. 7 March 2023

   Correspondence address updated.

2. 17 January 2023

   Update to the main privacy notice text under Transfer of personal data outside the UK.

3. 17 November 2022

   Main and specialist privacy notices updated. Special category and criminal offence data processing policy updated.

4. 11 October 2021

   Privacy notice for employee or resident of a registered provider updated.

5. 22 July 2021

   Policies updated as of July 2021, with specific policy information for different users.

6. 16 December 2019

   Data protection officer contact details updated.

7. 2 October 2018

   Document updated as the Regulator of Social Housing was established as a standalone organisation on 1 October 2018.

8. 23 May 2018

   First published.