Our customer portal will be unavailable from 8am on Monday 14 October until 8am Monday 21 October due to maintenance of our systems.
Our overall privacy notice
When we process your personal data Bromford is described as the data controller under data protection law.
Our contact details are:
Bromford Housing Group
Shannon Way
Tewkesbury
Gloucestershire
GL20 8ND
Our data protection officer is Chris Down. You can contact him by calling 01454 821034 or emailing dpo@bromford.co.uk.
Please contact us if you have any questions about this statement, information we hold about you or our overall approach to data protection and confidentiality.
Data protection and privacy policy statement
We are committed to a Privacy by Design approach to personal data which is consistent with our values.
- we believe in privacy by default and we embed privacy into design
- we believe in visibility and transparency and are committed to end-to-end security
- we are proactive not reactive, preventative not remedial. We won’t trade privacy off against other objectives
- we respect user privacy
Who we collect personal information about
Customers - this includes current, former and potential customers who live in our properties or access our support and other services and could also include their family and people associated with them.
Colleagues - this includes current, former and potential colleagues, as well as Board and committee members, apprentices and volunteers.
Anyone who makes a complaint or enquiry and visitors to our website and offices.
Security of information
We operate a range of information and communications systems technologies for efficient operation of the business. Personal information is stored and managed within those systems which are maintained to achieve a high level of Confidentiality, Integrity and Availability (CIA) including following best practice cyber security standards.
We hold information in IT systems which may be copied for testing, backup, archiving and disaster recovery purposes.
Emailing us
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default.
We’ll also monitor any emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law.
Phishing
Phishing is the name given to attempts to steal personal details and financial account information from a website user. Phishers use fake or spoof emails to lead users to counterfeit websites where the user is tricked into entering their personal details, such as credit card numbers, user names and passwords. We will never send emails asking you for such details.
Humidity monitoring in customers' homes
When you agree to humidity monitoring in your home the sensor installed will collect data such as current temperature and humidity. This data may be linked to information we ask you for about your lifestyle and will therefore be processed as personal data by us. The lawful basis for processing data relating to humidity and temperature in your home and your lifestyle is legitimate interest.
Transfers of personal data to third countries
Personal data relating to our customers, colleagues and others is usually stored in the UK or in the European Economic Area (EEA) or other jurisdictions recognised as adequate by the UK and the European Union.
If we need to share information with organisations outside the UK, the EEA or a jurisdiction that the European Commission regards as having adequate levels of protections for personal data, we will put in place appropriate safeguards, such as contractual commitments, in accordance with applicable legal requirements, to ensure that your data is adequately protected.
What we will not do
We will not send you unsolicited marketing material. We will not sell your personal data on to third parties.
We will not pass your personal data to unrelated third parties unless we are allowed or required to do so by law, or we have your explicit permission to do so.
We will not keep a record of your card details when you provide them to make a payment for your rent or other service.
Your data, your rights
We are committed to respecting your rights when we deal with your personal data. This is part of our commitment to Privacy by Design.
You have the following rights:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
We only keep your data for as long as it is needed in line with our retention policy .
Changes to our privacy notice
This privacy notice will be updated to reflect changes either to the way in which we operate or changes to the data protection legislation. To make sure that you keep up to date, we suggest that you revisit this notice from time to time.
View our other privacy notices below
How we collect your information
We collect information from customers from a variety of sources, including when you:
- apply for one of our properties or services, you may be asked to undergo a pre-offer assessment
- complete one of our application forms, tenancy agreements, licences or leases
- call us, write to us, email or meet with us
- respond to a survey
- visit our offices or some of our other properties; we operate CCTV systems at our offices and at some of our properties for the detection and prevention of crime
- use our social media sites or websites
Telephone calls
Phone calls to our main telephone numbers may be recorded for training and monitoring purposes.
Calls are not recorded when you give us card details to make a payment.
Photographs
Sometimes we may need to take a photograph in your home, for example where there is damage or where we are planning some improvement works. We will always ensure that any photographs we take do not impact on your privacy.
We may also take photographs at our events, at our properties and in our communities to use for general marketing and publicity. However, we will check with you that you are happy to be photographed for those purposes.
Information we receive from third parties
We may receive information about you from third parties including information from:
- your council, relating to your housing needs
- your benefits office, relating to your benefits
- credit agencies when you apply for the right to buy or the right to acquire your home
- police, welfare or support organisations dealing with you
- councillors, MPs or other representatives acting on your behalf / instruction
- financial institutions when you apply for our services
Residential leasehold properties
When one of our residential leasehold properties, such as a property previously sold by us under the right to buy is sold on the open market, the new leaseholder becomes a customer of Bromford.
The purchaser’s solicitor is required to notify us that a sale has taken place. They are not required to provide any personal information such as date of birth or gender.
What data do we collect from customers?
Our customers include tenants, residential and commercial leaseholders and shared ownership customers. When you apply to become a customer we will ask for:
- your full name and proof of your identity / photo ID
- your date of birth
- your National Insurance number (your unique identifier)
- your contact details such as phone, email, correspondence address
- details of anyone authorised to act on your behalf, if applicable
- basic details, such as the name, gender and date of birth of all household residents
- banking details if you pay your rent by Direct Debit
- proof of your eligibility to housing and if you have any interest or equity in any other property
Whilst you are our customer we may process other personal information to manage your tenancy. This will vary on a case by case basis but may include:
- financial information. We may use this to help resolve arrears payments and optionally to provide welfare, benefits and debt advice as a free service to help you budget and pay your bills.
- red flag information. Where we believe there is a risk to the safety of one of our colleagues, usually where a customer has made threats, we may record this information on your record so that risks to our colleagues can be minimised.
We may also ask for your consent to collect special categories of data as explained below.
If you provide us with personal information relating to members of your family or your associates we will assume that you do so with their knowledge and their consent to the collection and processing of the information.
It is important that you notify us of any changes to your personal information.
How we use personal information and the lawful basis for processing
Contractual necessity
Most of the information we require from you is used to enter into or manage a tenancy, leasehold agreement or other contract between you and Bromford.
Please read your tenancy agreement, lease, licence or contract carefully for specific details as performance of a contract is usually the lawful basis for processing your information as set out in data protection law.
The processing we conduct can be summarised as:
- managing your account charges and payments, including arrears
- managing the repairs, maintenance and adaptations of our properties
- ensuring tenancy (or contract) conditions are complied with, such as dealing with anti-social behaviour or fraud
- complying with relevant legislation and regulation.
Legitimate interests
The other lawful basis for processing your data, as defined in data protection law, that we regularly rely on is legitimate interest, processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Our legitimate interests may include the need to:
- eliminate discrimination or advance equality of opportunity;
- prevent and detect crime;
- conduct research and statistical analysis to help improve our business processes and the services offered to our customers;
- evaluate our performance against other benchmarks.
When your personal data or information is used for statistical or research purposes it is anonymised or pseudonymised so that you cannot be identified. We conduct surveys regularly and periodically relating to our services in order to gauge satisfaction and make improvements based on feedback.
Consent
We also seek your consent to hold some information about your lifestyle.
We will always give you a prefer not to answer option when we ask for information about your lifestyle. Please note however that this information helps us to improve services.
Other lawful bases
In exceptional circumstances there may be another lawful basis for processing your data for example compliance with a legal obligation or to protect the vital interests of a data subject or another person.
Special categories of data
Under Data Protection law certain categories of personal information are classified as sensitive or special categories of data. These categories are data relating to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- data concerning health;
- data concerning a natural person’s sex life or sexual orientation
We minimise the use of special categories of personal data but, given the services we provide there are times when we may have a legitimate interest in processing special categories of data and therefore, we may collect and process this data.
Usually we will seek your consent to processing this data by giving you a prefer not to answer option when we ask certain questions. Please note however that if you choose not to provide the information we may not be able to provide all our services to you.
Where we ask for data concerning your health, and this is relevant to your housing needs, the condition for processing is that this is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller (us) or of the data subject (you) in the field social protection law.
Providing us with special categories of data helps us deliver our services when providing accommodation for disabled people (including adaptations), people with substance abuse problems or when helping someone to access care services.
Collecting special categories of data also helps us ensure that we meet the Public Sector Equality Duty. This requires Bromford, as a social housing provider, to give due regard to the need to eliminate discrimination, advance equality of opportunity and foster good relations. This means that we may ask you for information about your ethnicity, religion or belief and so on but our responsibilities under the Public Sector Equality Duty do not over ride your right to privacy.
When we collect specific sensitive data we will notify you of how we will use it, and we will tell you who it may be shared with.
We do not process genetic or biometric data for the purpose of uniquely identifying a natural person.
Information relating to children
We recognise that under data protection law children are identified as vulnerable individuals and deserving of specific protection.
We record some data about children if they are resident in one of our properties, including their name and date of birth. This is required for checking the property is not overcrowded and to assess other tenancy management issues where all householders and ages are required to be known.
We may receive and process data about children if we are involved in the housing and tenancy aspects of a welfare case as part of a multi-agency working solution.
Complaints and enquiries
If you make a complaint or enquiry we may collect and store personal information in relation to it. We will keep your information secure and use it only for the purpose it was collected. When the complaint is resolved, or the enquiry is completed, we will retain the information in accordance with our Data & Document Retention Policy and then destroy it.
CCTV
We operate CCTV systems at our offices and in public areas at some of our properties. Where CCTV systems operate routinely we will place a notice showing that the scheme is in operation and controlled by Bromford.
Our CCTV systems deter crime and promote public safety by helping to identify and prosecute criminal offenders. These systems operate continuously, and recordings are held for one month.
You can ask for a copy of any CCTV images taken of yourself by making a subject access request. See Your Data, Your Rights - the right of access for more details on how to make a subject access request.
We carry out an impact assessment for all locations where we use CCTV. This helps ensure that our use of CCTV is appropriate and proportionate to the issues of crime and public safety we are seeking to address and minimises intrusion into individual rights to privacy.
Noise monitoring
We may authorise the use of noise monitoring equipment where we receive complaints about noise nuisance. We will write to alleged perpetrators of noise nuisance before noise monitoring begins.
Information we collect via our website
When you visit our website we collect standard internet log information, such as your IP address, host name, browser type and operating system.
This information may be used to help diagnose problems with our server and to administer our website, so we can improve your experience of viewing the site. We may also use this information for other purposes deemed reasonable and necessary.
Links to other websites
Our website may contain links to other websites of interest.
If you follow a link from the Bromford website to an external site, we recommend that you check the privacy notice of that site before giving any personal details.
Sharing your information
Your personal information will be kept secure and confidential. Usually we will not disclose personal data without consent, but we may share information between the Bromford group of companies, with contractors or third parties and other agencies we work with, including local authorities, social services, the police, other social landlords and other agencies when Bromford believes it is in yours or the public’s interest to do so, or as required by law.
All one-off requests for data sharing are considered by the Data Protection Officer. In particular, please be aware:
- current or forwarding addresses may be shared with utility companies and Council Tax offices to ensure billing details are correct.
- if you default upon any tenancy/licence conditions information about you may be provided to authorised debt recovery agencies, to enable them to recover the debt. This may affect future applications for tenancies, credit and insurance.
- we may discuss your financial situation, rent payments (including any arrears) and any claims made for welfare benefits with, an external debt advice agency, welfare rights advisor, the housing benefit department or the local authority’s housing advice team.
- we share limited personal data with our contractors who are carrying out services on our behalf. Our contractors are required to comply with the law to ensure data is managed appropriately and for specified purposes, including to run our out-of-hours telephone service or to complete emergency, responsive or planned property repairs.
- we may share your information with a language translation service if it is necessary to translate any information into or from a foreign language for you.
- we may need to share personal information with government departments and agencies, with our regulator and auditors, with utility companies or with other organisations and agencies where we are legally allowed to do so.
- learn more about how your data is used for research and statistical basis by the Ministry of Housing, Communities and Local Government.
- we may need to share information with solicitors, agents, mortgage brokers, financial advisors, court agents, surveyors and valuers relating to a property sale.
- we may need to share information with mortgage lenders if your home is at risk of repossession.
- we may share your information as part of partnership working to reduce Crime, and Anti- Social Behaviour including, drug or alcohol misuse and re-offending.
- in an emergency, we share information on customers via Personal Emergency Evacuation Plans (PEEP’s) and Person-Centred Fire Risk Assessments (PCFRA’s). PEEP’s and PCFRA’s set out the level of assistance a Customer (usually with mobility impairments) may need to safely evacuate a building in the event of a fire.
- We may share information with elected representatives, such as Councillors or MP’s, where they contact us on your behalf. Sharing may proceed on the basis of implied consent when you have raised a housing related matter with an elected representative. However, if special category data, as defined by the UK General Data Protection Regulations, is included, data sharing will only be made with your explicit signed consent, unless exempt under The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002.
Homelessness - Commitment to Refer
If you are a Bromford customer and you are at risk of losing your home, we may discuss your situation with your local authority’s homelessness and/or housing options team. We do this in line with guidance set out in the Homelessness Reduction Act 2017. Bromford’s approach to the commitment to refer is formed on the basis that our customer’s agree to such referrals being made. If you do not want to receive support from your local authority please let us know that you want to opt out.
In contacting your local authority we will share some of your personal information to help reduce the risk that you become homeless. The legal basis in data protection law for sharing your personal information is known as ‘legitimate interest’. This means that Bromford believes there is a legitimate interest in sharing your information to help prevent you becoming homeless should your tenancy end.
Bromford consulted with the National Housing Federation and the Information Commissioner in adopting this approach.
Our customer portal
Our customer portal allows you to check your rent account whenever you want, wherever you are. Our see my data service is encrypted using SSL security.
SSL stands for Secure Sockets Layer, a global standard security technology that enables encrypted communication between a web browser and a web server. It is used by online businesses and individuals to decrease the risk of sensitive information (e.g. credit card numbers, usernames, passwords, emails, etc.) from being stolen or tampered with by hackers and identity thieves. In essence, SSL allows for a private “conversation” just between the two intended parties.
We want to offer you new ways to contact us and access our services at a time and a place to suit you, on top of the ways you can already contact us. This will include via an improved customer portal where you'll be able to view your account, request a repair and make a payment.
Data matching and analytics
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.
Computerised data matching allows tenancy fraud, fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.
No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
We may participate in the National Fraud Initiative (NFI) data matching exercise carried out by the Cabinet Office. Our participation in NFI will assist in the prevention and detection of fraud against Bromford and other organisations within the private and public sector.
We participate on a voluntary basis and provide the Cabinet Office with particular sets of data for matching as set out in the Cabinet Office’s guidance.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection law.
Data matching by the Cabinet Office is subject to a Code of Data Matching Practice. Further information on the Cabinet Office’s legal powers and the reasons why it matches particular information is available here.
How we collect your information
When you enquire about becoming a Bromford customer we may collect your personal information in a variety of ways, including when you:
- complete one of our application forms, tenancy agreements, licences or leases. You may be asked to undergo a pre offer assessment (see below)
- call us, write to us, e-mail or meet with us
- visit our offices or some of our other properties (we operate CCTV systems at our offices and at some of our properties for the detection and prevention of crime)
- use our social media sites or websites
Phone calls to our 0330 1234 034 number are recorded for training and monitoring purposes and our recordings are held for a period of six months.
Calls are not recorded when you give us card details to make a payment for your rent or other service.
We may receive information about you from third parties including information from:
- your council, relating to your housing needs
- your benefits office, relating to your benefits
- prior landlords and credit agencies when you apply for housing
- the help to buy service (if you are interested in one of our shared ownership homes)
- Police, welfare or support organisations who are dealing with you
- Councillors, MPs or other representatives acting on your behalf / instruction
- financial institutions when you apply for our services
Commercial leaseholders
If you are applying for a commercial lease for one of our shop or commercial units we may ask for references from your bank or suppliers. We may also require a business guarantor.
Pre-offer assessments
When you apply for a Bromford tenancy we will request proof of identity and carry out a Pre-Offer Assessment for anyone over 18 who will be living at the property. This is a way of profiling prospective customers to help ensure they can afford the property they have applied for. As part of this process we will ask you to provide three months' bank statements and proof of income. Credit checks and references will be requested.
The information you provide will be considered by us to make a decision on your application. We do not use any automated decision making.
What data do we collect?
When you apply to become a Bromford customer, we request and hold on file information necessary to assess your application. This includes:
- your full name (and proof of your identity / photo ID).
- your date of birth.
- your National Insurance number (your unique identifier).
- your contact details (phone, email or correspondence address).
- details of anyone authorised to act on your behalf (if applicable).
- basic details (name, gender and date of birth) of all household residents.
- banking details if you pay your rent by Direct Debit.
- proof of your eligibility housing and if you have any interest or equity in any other property.
Information may be provided by:
- references from other housing providers / private landlords,
- your mortgage lender (if you own/have owned your own home),
- credit reference agencies.
- We may also ask for your consent to collect special categories of data as explained below.
- If you provide us with personal information relating to members of your family or your associates we will assume that you do so with their knowledge and their consent to the collection and processing of the information.
- It is important that you notify us of any changes to your personal information.
How we use personal information and the lawful basis for processing
Contractual Necessity
Most of the information we require from you is used to enter into or manage a tenancy, leasehold agreement or other contract between you and Bromford.
Please read your tenancy agreement, lease, licence or contract carefully for specific details as ‘performance of a contract’ is usually the lawful basis for processing your information as set out in data protection law.
The processing we conduct can be summarised as:
- Managing your account charges and payments, including arrears.
- Managing the repairs, maintenance and adaptations of our properties.
- Ensuring tenancy (or contract) conditions are complied with, such as dealing with anti-social behaviour or fraud.
- Complying with relevant legislation and regulation.
Legitimate Interests
The other lawful basis for processing your data (as defined in data protection law) that we regularly rely on is ‘legitimate interest’ (processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject).
Our legitimate interests may include the need to:
- eliminate discrimination or advance equality of opportunity;
- prevent and detect crime including anti-social behaviour;
- conduct research and statistical analysis to help improve our business processes and the services offered to our customers;
- evaluate our performance against other benchmarks.
When your personal data or information is used for statistical or research purposes it is anonymised or pseudonymised so that you cannot be identified. Bromford conducts surveys regularly and periodically relating to our services in order to gauge satisfaction and make improvements based on feedback.
We also seek your consent to hold some information about your lifestyle.
We will always give you a ‘prefer not to answer’ option when we ask for information about your lifestyle. Please note however that this information helps us to improve services.
Other Lawful Bases
In exceptional circumstances there may be another lawful basis for processing your data for example ‘compliance with a legal obligation’ or to ‘protect the vital interests of a data subject or another person’.
Special categories of data
Under Data Protection law certain categories of personal information are classified as sensitive or special categories of data . These categories are data relating to:
- racial or ethnic origin;
- political opinions,
- religious or philosophical beliefs;
- trade union membership;
- data concerning health;
- data concerning a natural person’s sex life or sexual orientation
We minimise the use of special categories of personal data but, given the services we provide there are times when we may have a legitimate interest in processing special categories of data and therefore, we may collect and process this data.
Usually we will seek your consent to processing this data by giving you a ‘prefer not to answer’ option when we ask certain questions. Please note however that if you choose not to provide the information we may not be able to provide all our services to you.
Where we ask for data concerning your health, and this is relevant to your housing needs, the condition for processing is that this is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller (us) or of the data subject (you) in the field social protection law”.
Providing us with special categories of data helps us deliver our services when providing accommodation for disabled people (including adaptations), people with substance abuse problems or when helping someone to access care services.
Collecting special categories of data also helps us ensure that we meet the Public Sector Equality Duty. This requires Bromford, as a social housing provider, to give due regard to the need to eliminate discrimination, advance equality of opportunity and foster good relations. This mean that we may ask you for information about their ethnicity, religion or belief and so on but our responsibilities under the Public Sector Equality Duty do not over ride your right to privacy.
When we collect specific sensitive data we will notify you of how we will use it, and we will tell you who it may be shared with.
We do not process genetic or biometric data for the purpose of uniquely identifying a natural person.
CCTV
We operate CCTV systems at our offices and in public areas at some of our properties. Wherever CCTV systems are operating we will place a notice showing that the scheme is in operation and controlled by Bromford.
Our CCTV systems deter crime and promote public safety by helping to identify and prosecute criminal offenders. These systems operate continuously and recordings are held for one month.
You can ask for a copy of any CCTV images taken of yourself by making a subject access request. See Your Data, Your Rights - the right of access for more details on how to make a subject access request.
We carry out an impact assessment for all locations where we use CCTV. This helps ensure that our use of CCTV is appropriate and proportionate to issues of crime and public safety we are seeking to address and minimises intrusion into individual rights to privacy.
Information we collect via our website
When you visit our website we collect standard internet log information, such as your IP address, host name, browser type and operating system.
This information may be used to help diagnose problems with our server and to administer our website, so we can improve your experience of viewing the site. We may also use this information for other purposes deemed reasonable and necessary.
Links to other websites
Our website may contain links to other websites of interest. If you follow a link from the Bromford website to an external site, we recommend that you check the privacy notice of that site before giving any personal details.
Complaints and enquiries
If you make a complaint or enquiry we may collect and store personal information in relation to it. We will keep your information secure and use it only for the purpose it was collected. When the complaint is resolved or the enquiry is completed, we will retain the information in accordance with our Data & Document Retention Policy and then destroy it.
How long we keep information
If you become a Bromford customer, information relating to your tenancy, lease or other contractual agreement will be kept for as long as the agreement is active or where money is owed on the account, and for a period not exceeding six years afterwards. The basic history of who occupied a property and when will be held forever.
If you do not become a Bromford customer information relating to your application will be held for up to five years after your application is withdrawn or refused.
When we dispose of information we do so securely.
Once a person is employed by Bromford we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Bromford has ended, we will retain the file in accordance with the requirements of our Data & Document Retention Policy and then delete it.
What data do we collect from our colleagues?
When you start work for Bromford we will ask for:
- your full name (and proof of your identity / photo ID).
- your date of birth.
- your marital status and gender.
- your National Insurance number (your unique identifier).
- your student loan and tax status
- details of your driving licence (if relevant to your role)
- your contact details (phone, email or correspondence address).
- banking details, so we can pay you
We may also collect your personal data via our CCTV systems or in still photographs. See below for more information.
Sometimes our People Services Team may want to make a voice recording of meetings we have with you. We will always notify you if we would like to make a digital voice recording of the meeting and seek your approval to do so.
We may also ask for your consent to collect special categories of data as explained below.
If you provide us with personal information relating to members of your family, next of kin contact information for example, we will assume that you do so with their knowledge and their consent to the collection and processing of the information.
It is important that you notify us of any changes to your personal information.
How we use personal information and the lawful basis for processing
Contractual Necessity
Most of the information we collect from our colleagues is required as part of your contract of employment or other contract between you and Bromford.
Please read your employment contract for specific details as ‘performance of a contract’ is usually the lawful basis for processing your information as set out in data protection law.
The processing we conduct can be summarised as:
- Managing the employer – employee relationship.
- Arranging to pay your salary, wages, pensions or other benefits;
- Complying with relevant legislation and regulation.
Legitimate Interests
The other lawful basis for processing your data, as defined in data protection law, that we regularly rely on is ‘legitimate interest’ (processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject).
Our legitimate interests may include the need to:
- eliminate discrimination or advance equality of opportunity;
- prevent and detect crime;
- conduct research and statistical analysis to help improve our business;
- track our vehicles to ensure they are driven responsibly;
- monitor, and in some circumstances charge for, the charging of electrical vehicle
- evaluate our performance against other benchmarks.
- Arranging to provide non contractual benefits.
Special Category Data
We may process special category or sensitive personal data relating to your health where this is necessary in connection with employment law and/or for the purposes of preventive or occupational medicine.
We also seek your consent to collect some ‘special category’ information from you. This includes information relating to your religious beliefs, ethnicity and sexual orientation.
We will always give you a ‘prefer not to answer’ option when we ask for this information.
Other Lawful Bases
In exceptional circumstances there may be another lawful basis for processing your data for example ‘compliance with a legal obligation’ or to ‘protect the vital interests of a data subject or another person’.
How long we keep information
Information relating to your employment is normally kept for six years after your employment ends. Where information relates to employees who worked with asbestos or other substances hazardous to health the retention period is forty years after your employment ends.
When we dispose of information we do so securely.
Sharing your information
Your personal information will only be available to relevant leaders and colleagues in the People Services and other relevant teams for the reasons outlined in this privacy notice.
Your personal information will be kept secure and confidential. Usually we will not disclose personal data without consent, but we may share information between the Bromford group of companies, with contractors or third parties and other agencies we work with.
Bromford shares limited personal information with contractors who are carrying out services on our behalf. This includes payroll and pension providers, companies who provide colleague benefits, companies who provide occupational health services and so on. Our contractors are required to comply with the law to ensure data is managed appropriately and for specified purposes.
All requests for ad-hoc sharing are considered by the Data Protection Officer. In exceptional circumstances we may share your personal information with the Police as required by law or where sharing is in your vital interests.
Telephone Calls
Calls with customers and other external parties are recorded in our Customer Services, Income, Lettings and Customer Solutions teams. In addition, internal colleague to colleague calls with these teams may be recorded. Calls are recorded for training, monitoring and performance management purposes and are held for a period of twelve months.
Recording and Transcription of MS Teams Meetings
Bromford colleagues may record Teams meetings where there is a legitimate business reason to do so, for example, where there is a need to share the content of a meeting with colleagues who were unable to attend. The lawful basis for recording, and processing the data of colleagues in the meeting is legitimate interest.
Microsoft Intune
Bromford uses Microsoft Intune to control how devices are used, including mobile phones, tablets, and laptops. Intune allows people to use their personal devices for work. On personal devices, Intune helps make sure your Bromford data stays protected and can isolate Bromford data from personal data.
When you enrol a corporate or personal device with Intune, Intune collects, processes, and shares some personal data to support business operations, conduct business with the customer and to support the service. Required personal data includes identifiable data that may directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data.
Intune doesn't collect nor allow an Admin to see the following data:
- An end users’ calling or web browsing history
- Personal email
- Text messages
- Contacts
- Passwords to personal accounts
- Calendar events
- Photos, including those in a photo app or camera.
The lawful basis for processing your personal data for Microsoft Intune, as defined in data protection law, is ‘legitimate interest’. The UKGDPR highlights fraud prevention and network and information security as specific types of processing that are considered legitimate interest.
Windows Hello
Colleagues may be issued with a laptop or other device which has biometric security functionality (fingerprint and facial recognition). This functionality is provided by Microsoft via Windows Hello which is being used by Bromford as part of our information security strategy to keep our laptops and systems secure. Colleagues may asked to set up these new access controls.
Microsoft advise that the biometric data used to support Windows Hello is stripped of any information that could be used to specifically identify you and is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This means that your biometrics are not processed by Microsoft or Bromford as personal data when you log in to our systems.
Personal Use of Bromford IT Services
Where Bromford provides you with an e-mail address, a way of saving documents or any other IT service these are provided for business use. Personal use of these services to send private messages or to save personal data or documents is not recommended as it may be necessary for your manager to be given access to your e-mail account or file storage when you leave or in other circumstances. This access will however only be given when there is a clear business need for the access and will be approved by a director.
Photographs
We may take your photograph for use on your Bromford ID card. We may also take photographs at our events, at our properties and in our communities to use for general marketing and publicity.
In these circumstances the legal basis for processing is legitimate interest as described above. We will however respect your wishes if you do not want your photograph to be used in any marketing or publicity materials.
CCTV
We operate CCTV systems at our offices and in public areas at some of our properties. Wherever CCTV systems are operating we will place a notice showing that the scheme is in operation and controlled by Bromford.
Our CCTV systems deter crime and promote public safety by helping to identify and prosecute criminal offenders. These systems operate continuously, and recordings are held for one month.
You can ask for a copy of any CCTV images taken of yourself by making a subject access request. See Your Data, Your Rights - the right of access for more information on how to make a subject access request. Data Subjects Rights Bromford 2024
We carry out an impact assessment for all locations where we use CCTV. This helps ensure that our use of CCTV is appropriate and proportionate to the issues of crime and public safety we are seeking to address and minimises intrusion into individual rights to privacy.
Door Entry Data
Your Bromford ID card is used to gain access to our offices via access-controlled door entry systems. These systems record the dates and times you access a Bromford office. This data may be reviewed as part of monitoring the effective use of our workspaces and how and where our colleagues are working. The lawful basis for processing data relating to the dates and times colleagues access a Bromford office is legitimate interest.
Data matching and analytics
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.
Computerised data matching allows employee and benefit fraud to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.
No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
We participate in the National Fraud Initiative (NFI) data matching exercise carried out by the Cabinet Office. Our participation in NFI will assist in the prevention and detection of fraud against Bromford and other organisations within the private and public sector.
We participate on a voluntary basis and provide the Cabinet Office with particular sets of data for matching as set out in the Cabinet Office’s guidance.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection law.
Data matching by the Cabinet Office is subject to a Code of Data Matching Practice. Further information on the Cabinet Office’s legal powers and the reasons why it matches particular information is available here.
Colleague COVID 19 Vaccination Status
Bromford processes data relating to the COVID 19 vaccination status of colleagues who need to enter a registered care home from 11th November 2021. All care home workers and anyone entering the home, will need to be fully vaccinated unless they are exempt under the compulsory vaccination regulations.
We follow the advice issued by the Information Commissioner’s Office in processing data about a colleague’s vaccination status. The lawful basis for processing this data is legitimate interest, as Bromford has a legitimate interest in minimising the risk that Bromford colleagues pass the Covid virus on to clinically vulnerable individuals; and complying with the Department for Health and Social Care Regulations.
Information about a colleague’s vaccination status may need to be shared with the care provider at the care homes you visit.
Disclosure & Barring Service (DBS) and Consumer Credit Checks
Bromford may carry out DBS and consumer credit checks to screen colleagues and candidates for roles. Under data protection law the lawful basis for this processing is “legitimate interest”. Bromford’s legitimate interest is based on the need to safeguard our customers, especially vulnerable customers, in their homes and elsewhere and safeguarding the business from risks to our financial wellbeing and the integrity of business-critical data.
Vehicle Trackers and Fuel Cards
We may track our vehicles to ensure they are driven responsibly in compliance with the Highway Code, road safety and vehicle rules and for other operational reasons. This means that data is processed about our vehicles which may be processed as personal data where it relates to driver behaviour. The tracker allows us to track our vehicles and provides data on:
- Vehicle location,
- Speed,
- Start and end journey times,
- Total travel time,
- Engine idle time,
- Driving behaviours.
The information is used for operational reasons including:
- Enable better awareness of vehicle locations to assist with colleague safety/lone working,
- Protect the vehicle and its contents from theft,
- Pinpoint the location of a colleague to allocate jobs and provide service improvements,
- Check on speed and quality of driving,
- Assist in the investigation of motor insurance claims,
- Monitor out of hours usage and identify private use mileage,
- Supports the Planners when PDA reception is poor and job data isn’t live in the repairs system,
- Support colleagues if there are allegations that no one has been out to carry out a repair etc.
- To investigate or defend claims or allegations relating to vehicle use
- Assist in any monitoring, warning, internal disciplinary hearing or external insurance or legal process.
Vehicle tracker and fuel card data may be used to ensure that
- fuel cards are used as set out in policies and procedures related to vehicle and fuel card usage; and,
- that fuel and other vehicle related purchases relate to Bromford vehicles and travel related to Bromford business.
Tracker data will not be used for day-to-day monitoring of colleagues. Access to tracker data is restricted to colleagues who are required to manage or co-ordinate the fleet and drivers and also to leaders on the emergency out of hours rota.
Working with Recruitment Agencies
Bromford may partner with recruitment agencies when you apply for a job with us. When this happens, the recruitment agency may process your personal data as an independent controller. If this is the case we will let you know and you should check the recruitment agency’s privacy notice or privacy policy to make sure you understand how they will process your data.
Job applicants
Personal information about unsuccessful candidates will be held for 18 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with Bromford we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Bromford has ended, we will retain the file in accordance with the requirements of our Data & Document Retention Policy and then delete it.
Where we receive CV’s from a recruitment agency we will assume that the candidate has consented to the sharing of their personal information with us by the recruitment agency.
CCTV
We operate CCTV systems at our offices and in public areas at some of our properties. Wherever CCTV systems are operating we will place a notice showing that the scheme is in operation and controlled by Bromford.
Our CCTV systems deter crime and promote public safety by helping to identify and prosecute criminal offenders. These systems operate continuously and recordings are held for one month.
You can ask for a copy of any CCTV images taken of yourself by making a subject access request. See Your Data, Your Rights - the right of access for more details on how to make a subject access request.
We carry out an impact assessment for all locations where we use CCTV. This helps ensure that our use of CCTV is appropriate and proportionate to the issues of crime and public safety we are seeking to address and minimises intrusion into individual rights to privacy.
How we use personal information and the lawful basis for processing
Contractual necessity
Most of the information we collect from colleagues is required as part of your contract of employment or other contract between you and Bromford.
Please read your employment contract for specific details as ‘performance of a contract’ is usually the lawful basis for processing your information as set out in data protection law.
The processing we conduct can be summarised as:
- Managing the employer – employee relationship;
- Arranging to pay your salary, wages, pensions or other benefits;
- Complying with relevant legislation and regulation.
Legitimate interests
The other lawful basis for processing your data, as defined in data protection law, that we regularly rely on is ‘legitimate interest’ (processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject).
Our legitimate interests may include the need to:
- eliminate discrimination or advance equality of opportunity;
- prevent and detect crime;
- conduct research and statistical analysis to help improve our business;
- evaluate our performance against other benchmarks.
Consent
We also seek your consent to collect some ‘special category’ information from you. This includes information relating to your health, religious beliefs, ethnicity and sexual orientation.
We will always give you a ‘prefer not to answer’ option when we ask for this information.
Other lawful bases
In exceptional circumstances there may be another lawful basis for processing your data for example ‘compliance with a legal obligation’ or to ‘protect the vital interests of a data subject or another person’.
Data matching and analytics
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.
Computerised data matching allows employee and benefit fraud to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.
No assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
We may participate in the National Fraud Initiative (NFI) data matching exercise carried out by the Cabinet Office. Our participation in NFI will assist in the prevention and detection of fraud against Bromford and other organisations within the private and public sector.
We participate on a voluntary basis and provide the Cabinet Office with particular sets of data for matching as set out in the Cabinet Office’s guidance.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection law.
Data matching by the Cabinet Office is subject to a Code of Data Matching Practice. Further information on the Cabinet Office’s legal powers and the reasons why it matches particular information is available here.
Right to Work Checks
Bromford may carry out right to work checks to screen candidates for roles. Under data protection law the lawful basis for this processing is “legitimate interest”. Bromford’s legitimate interest is based on the need to check details of a job applicant’s right to work in the UK, including the types of work they’re allowed to do and how long they can work in the UK for, if there’s a time limit
Disclosure & Barring Service (DBS) and Consumer Credit Checks.
Bromford may carry out DBS and consumer credit checks to screen colleagues and candidates for roles. Under data protection law the lawful basis for this processing is “legitimate interest”. Bromford’s legitimate interest is based on the need to safeguard our customers, especially vulnerable customers, in their homes and elsewhere and safeguarding the business from risks to our financial wellbeing and the integrity of business-critical data.
How we collect information from you
If you’re not a customer or a Bromford colleague we may still collect information from you. For example when you:
- apply for one of our properties or services (you may be asked to undergo a pre-offer assessment)
- call us, write to us, e-mail or meet with us
- respond to a survey
- visit our offices or some of our other properties (we operate CCTV systems at our offices and at some of our properties for the detection and prevention of crime)
- use our social media sites or websites
Phone calls to our 0330 1234 034 number are recorded for training and monitoring purposes and our recordings are held for a period of six months.
CCTV
We operate CCTV systems at our offices and in public areas at some of our properties. Wherever CCTV systems are operating we will place a notice showing that the scheme is in operation and controlled by Bromford.
Our CCTV systems deter crime and promote public safety by helping to identify and prosecute criminal offenders. These systems operate continuously and recordings are held for one month.
You can ask for a copy of any CCTV images taken of yourself by making a subject access request. See Your Data, Your Rights for more details about how to make a subject access request.
We carry out an impact assessment for all locations where we use CCTV. This helps ensure that our use of CCTV is appropriate and proportionate to the issues of crime and public safety we are seeking to address and minimises intrusion into individual rights to privacy.
Third Party CCTV
Sometimes we receive CCTV or doorbell camera images from customers or others in connection with a complaint or investigation relating to a neighbour or other third party. When we receive these images and we retain them for the purposes of investigation we become the data controller of the images we received. This means that the neighbour or third party whose image is recorded has the right to request a copy of the images we are processing. We will ordinarily allow the neighbour or third party to receive a copy of the images we are processing.
Sharing your information
Your personal information will be kept secure and confidential. Usually, we will not disclose your personal data without consent, but we may share information with other data controllers, including local authorities, the police, other social landlords and others when Bromford believes it is in yours or the public’s interest to do so, or as required by law.
Marketing
We will only contact you for marketing by electronic means (e.g. telephone calls, texts, emails) where you explicitly opt in and consent to this. When you opt in to receive information about properties we are marketing we may send you information about similar properties in the same area. You can opt out of receiving our marketing information at any time, by following the guidance set out in the email or text for example. If you have any difficulty opting out you can contact our Data Protection Officer by emailing dpo@bromford.co.uk .
Information we collect via our website
When you visit our website we collect standard internet log information, such as your IP address, host name, browser type and operating system.
This information may be used to help diagnose problems with our server and to administer our website, so we can improve your experience of viewing the site. We may also use this information for other purposes deemed reasonable and necessary.
Links to other websites
Our website may contain links to other websites of interest.
If you follow a link from the Bromford website to an external site, we recommend that you check the privacy notice of that site before giving any personal details.
Security of information
Bromford operates a range of information and communications systems and technologies for efficient operation of the business. Personal information is stored and managed within those systems which are maintained to achieve a high level of Confidentiality, Integrity and Availability (CIA) including following best practice cyber security standards.
We hold information in IT systems which may be copied for testing, backup, archiving and disaster recovery purposes. All data is held within the European Economic Area.
When we dispose of information we do so securely.
Automatic Number Plate Recognition (ANPR) Camera Controlled Car Parking.
Bromford may partner with Car Park Management Companies at locations where parking is provided for Bromford customers or colleagues and unauthorised parking is a problem.
Where this happens, Bromford will collect and share vehicle registration details with the Car Park Management Company for vehicles that are authorised to use the car park. The Car Park Management Company will also collect and process vehicle registration details via ANPR technology and use this data to enforce parking regulation and collect charges for unauthorised parking.
The Car Park Management Company may process your personal data as an independent controller. If this is the case we will let you know via a notice at the entrance to the car park and you should check the Car Park Management Company privacy notice or privacy policy to make sure you understand how they will process your data.
Customers with a Lasting Power of Attorney
When a customer has a Lasting Power of Attorney in place we will send communications about their tenancy to their designated attorney. We may send communications about all matters related to the customer’s tenancy and their home whether the Lasting Power of Attorney is for property and financial affairs, health and welfare, or both.
This means that Bromford may contact an attorney appointed for health and welfare matters only about property and financial related matters also. This is because Bromford recognises that matters relating to property maintenance, repairs and paying for your home can impact on a customer’s health and welfare. The lawful basis that Bromford relies on for these communications is legitimate interest. This is because Bromford and our customers have a legitimate interest in effective communication about a tenancy to ensure customer welfare.
Changes to our privacy notice
This privacy notice will be updated to reflect changes either to the way in which we operate or changes to the data protection legislation. To make sure that you keep up to date, we suggest that you revisit this notice from time to time.