Regulator of Social Housing privacy notice

Explains your rights over your data and how the regulator processes and protects your personal information in line with data protection legislation.

Applies to England

Who we are and the purpose of this notice

The Regulator of Social Housing (“the regulator”) is a non-departmental public body that regulates registered providers of social housing to promote a viable, efficient and well-governed social housing sector able to deliver homes that meet a range of needs. Its objectives are set out in the Housing and Regeneration Act 2008 (as amended). The regulator is committed to protecting the privacy and security of your personal data.

This privacy notice will help you understand how the regulator looks after, collects, shares, stores and uses the personal data provided to us (including information that you provide directly), and tell you about your rights and how the law protects you.

As a controller of your personal data we are responsible for looking after it, and processing it in a fair, lawful, and transparent manner.

There is a Glossary available in Annex 1 to help you understand the meaning of some of the terms used in this notice.

When do we collect information about people?

In addition to the information below, we have a number of specific notices in place which explain how we process your personal data if you are:

An applicant for employment: RSH Privacy notice - applicants for employment (ODT, 64.1 KB)

An employee, contractor or agency worker: RSH Privacy notice - employees, contractors or agency workers (ODT, 69.8 KB)

A former employee: RSH Privacy notice - former employees (ODT, 67.4 KB)

Any person making a Freedom of Information Request, exercising Data Subject Rights, making a complaint, referral or a general enquiry: RSH Privacy notice - anyone making an FOI Request, exercising Data Subject Rights, making a complaint, referral or a general enquiry (ODT, 61.7 KB)

A user of our websites and web portals, including suppliers of goods, services and works: RSH Privacy notice - users of our websites and web portals, including suppliers of goods, services and works (ODT, 69.3 KB)

An employee or resident of a registered provider: RSH Privacy notice - employee or resident of a registered provider (ODT, 74.2 KB)

A visitor to our buildings: RSH Privacy notice - visitors to buildings (ODT, 59.8 KB)

Please click through the links above to access the specific notices.

The Special Category and Criminal Offence Data Processing Policy (ODT, 69.8 KB) is the appropriate policy document which is referred to within the specific notices listed above. This appropriate policy document explains how the regulator applies the data protection principles and links with the specific notices to make it clear what the purpose of the processing activity is.

How do we keep your personal data secure?

The regulator takes the security of all the data we hold seriously and adheres to internationally recognised security standards.

We have policies, procedures and training in place covering cyber and data protection to safeguard the confidentiality, integrity and availability of our data. Additionally, the regulator frequently reviews the suitability of the measures we have in place to ensure the data we hold is appropriately protected.

Who do we share your personal data with?

We may share your personal data with third parties including third-party service providers, regulatory bodies, the Police and other Government departments and agencies. Where we do so, we will require all third parties to respect the security of your personal data, to meet the security standards of the regulator in protecting it and to treat it in accordance with the law. We, or our third parties, will only transfer your personal data to other bodies (e.g. sub-contractors) if it is provided with adequate protection in accordance with data protection legislation. For details of third parties we may share your personal data with please contact our Data Protection Officer (details provided below).

For more information about the purposes for which we may share your data with third parties, please refer to the relevant section of this privacy notice below.

Transfer of personal data outside the UK

We may share your personal data outside of the UK to our suppliers or service providers. Whenever we do this, we ensure equivalent protection of your personal data to the UK by using appropriate safeguards to ensure it is processed in accordance with UK data protection laws.

We only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or we transfer your personal data to service providers or suppliers who have agreed to contractual terms approved by the European Commission/ICO, which give personal data equivalent protection as it would have in the UK.

How long will your personal data be kept for?

The regulator will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. For example, we must collect personal data from applicants for employment to check they are entitled to work in the UK. For more details on the specific retention periods for the different types of personal data we process, please contact our Data Protection Officer (contact details are provided below).

In deciding how long we should keep your personal data we consider a number of factors, such as:

  • the amount, nature, and sensitivity of the data
  • the potential risk of harm from unauthorised use or disclosure of the data
  • the purposes for which we process your personal data
  • whether we can achieve those purposes through other means and
  • the applicable legal or regulatory requirements.

There is currently a moratorium in place on the destruction of information of potential relevance to the Grenfell Tower Inquiry. This moratorium overrides all relevant retention periods.

Your Data Subject Rights

As a Data Subject, you have the following rights:

Right to be informed

You have the right to request details of how your personal data is processed. This privacy notice is a proactive document designed to meet this right.

Right to request access

You can request copies of the personal data we hold about you. This is commonly known as a “subject access request”.

Right to request correction

If you think that some or all of the personal data we hold on you is incorrect or incomplete, you can ask for it to be corrected, although we may need to verify the accuracy of the new personal data.

Right to request erasure

You have to right to ask us to delete your personal data, under certain conditions, e.g. if there is no good reason for us to continue processing it.

Right to request suspension of processing.

This enables you to request we suspend processing your personal data; for example, while we establish the accuracy of the data.

Right to object

You have the right to object to the processing of your personal data when we are relying on the lawful bases of public task or legitimate interest.

Right to request data portability

You can request that your personal data is transferred to a third party directly in a readable format.

When we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

How to exercise your Data Subject Rights

If you wish to exercise any of the above rights, please send a written request to the Data Protection Officer. The availability of these rights depends on the lawful basis relied on and may not always be an absolute right. Contact details for our DPO are provided in the Data Protection Officer, Complaints and Queries section below.

You will not have to pay a fee to exercise any of your rights, however we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to confirm your identity. This is a security measure to ensure that personal data is only disclosed to persons who have the right to receive it.

The regulator aims to respond to requests within one month. Please note, however, that it may take us longer than one month if your request is particularly complex or if you have made several requests. If this is the case, we will notify you and keep you updated.

Where we are relying on consent to process your personal data, once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.

Data Protection Officer, Complaints and Queries

If you are unhappy or have any queries regarding any aspect of this privacy notice, or how your personal data is being processed by the regulator, please contact the Data Protection Officer, using the following contact details:

Head of Data Protection, Information Access and Complaints,
Regulator of Social Housing
Level 1A,
City Tower
Piccadilly Plaza
M1 4BT

By email:

By phone: 0300 124 5225

If you remain dissatisfied by the proposed resolution of your complaint by the regulator, you have the right to lodge a complaint with the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

Information Commissioner’s Office
Wycliffe House
Water Lane

ICO online form

Tel: 0303 123 113


Changes to this Privacy Notice

The regulator regularly reviews and, where required, updates this Privacy Notice. This Privacy Notice was last updated on 22 July 2021.

Annex 1 - Glossary

Personal Data

Information from which individuals can be identified or are identifiable, e.g. name, contact details, location data, identification number.

Data Subject

An identified or identifiable individual, from whom or about whom the regulator processes information in connection with our operations.

Special categories of personal data

Personal data revealing race or ethnicity, political opinions, religion or beliefs, trade union membership, health or sex life, sexual orientation, genetic data or biometric data.

Processing Any operation(s) performed on personal data, e.g. collection, recording, structuring, storage, alteration, retrieval, use, dissemination.

Lawful basis

A lawful ground for processing personal data defined in Article 6 of the UK GDPR and supported by the Framework. There are 6 lawful bases and at least one of these must apply whenever we process personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests.

Public Task

As data controller we may process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the regulator.

Performance of Contract

Means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Third parties

  • Professional advisers including lawyers, bankers, auditors and insurers based who provide consultancy, banking, legal, insurance and accounting services.
  • Ministry for Housing, Communities and Local Government who are the sponsor body for the regulator.
  • HM Revenue and Customs, regulators and other authorities who require reporting of processing activities in certain circumstances, including those involved in the prevention or detection of fraud and money laundering.
  • The Police, HM Treasury, National Audit Office, the Housing Ombudsman and other public authorities with whom we have established a lawful basis for processing your data.
  • Registered providers with whom we may share information about customer referrals; Freedom of Information and other requests for information such as subject access requests.
  • Suppliers and contractors who process personal data on our behalf, under parameters established by us, to deliver services in pursuit of our public task, or other lawful basis.
  • Credit reference, due diligence providers and rating agencies who may help us decide whether to provide you with a service.
Published 23 May 2018
Last updated 11 October 2021 + show all updates
  1. Privacy notice for employee or resident of a registered provider updated.

  2. Policies updated as of July 2021, with specific policy information for different users.

  3. Data protection officer contact details updated.

  4. Document updated as the Regulator of Social Housing was established as a standalone organisation on 1 October 2018.

  5. First published.