Privacy Notice

Data Protection at Optivo

Identity and contact details of Controller

Optivo is a Housing Association and is a controller of personal information for the purposes of the General Data Protection Regulation (‘GDPR’)  and Data Protection Act 2018.  Our contact details for data protection purposes are as follows:

Head of Data Protection and Compliance
Optivo
Governance Department
Grosvenor House
Croydon
CR0 9XP

Email: dataprotection@optivo.org.uk

Optivo is registered with the Information Commissioners Office as a Data Controller.  Our registration number is ZA255102.

Under the GDPR Optivo has a legal duty to protect any information we collect from you or have about you from other sources.

The GDPR has a set of rules and guidelines we must follow when handling your information.  These are referred to as Data Protection Principles.

How we use and store your personal information

This privacy notice tells you what to expect when Optivo collects and stores personal and sensitive personal information.

It tells you the purposes for which we will process your personal information and the legal basis for the processing (‘processing’ includes us keeping your personal information). It applies to information we collect about:

During your occupancy of our student and keyworker accommodation we will collect and process information about you.

We do this to:

  • Manage your residence and the Optivo property it relates to
  • Monitor compliance with the terms of your licence agreement
  • Share information with other agencies where we have your agreement
  • Conduct transactional surveys in order to monitor and improve our services, for example repairs and maintenance, complaints and anti-social behaviour issues
  • Monitor Equality and Diversity
  • Provide information about our performance and services through newsletters
  • Comply with our safeguarding duties

Unless we advise you otherwise, we’ll only collect and process personal information to carry out these functions.

Personal information is stored on our computer systems and / or a tenancy file in line with our retention periods. It is held securely and we have security measures in place to protect it.

During your tenancy we will collect and process information about you and members of your household.

We do this to:

  • Manage your tenancy and the Optivo property it relates to
  • Monitor compliance with the terms of your tenancy or service agreement
  • Deliver support for special needs to you or any member of your household
  • Share information with other agencies where we have your agreement
  • Conduct transactional surveys in order to monitor and improve our services, for example repairs and maintenance, complaints, lettings, anti-social behaviour issues and training
  • Monitor Equality and Diversity
  • Provide information about our performance and services through newsletters
  • Provide information about additional services we offer, including opportunities to participate in meetings, training and events
  • Comply with our safeguarding duties

Unless we advise you otherwise, we’ll only collect and process personal information to carry out these functions.

Personal information is stored on our computer systems and / or a tenancy file.  It is held securely and we have security measures in place to protect it.

We will collect relevant information from you in accordance with our contracts or information sharing agreements.

This may include names and qualification information relating to your staff.  The purpose is to enable you to provide services to our residents on behalf of Optivo.

Information will be held centrally by our Procurement Team on our computer system and by the relevant team/department in line with our retention periods.  It is held securely and we have security measures in place to protect it.

Throughout your appointment as a Board and/or Committee member we will collect and process personal information about you.

We do this to:

  • Contact you in relation to your role as a Board or Committee Member
  • Monitor compliance with the terms of your Agreement for Services, Terms of Appointment
  • Deliver tailored training and support
  • Monitor Equality and Diversity (the information provided is anonymised and used only for statistical monitoring purposes which help us make improvements)

Information is held centrally by our Governance Team on our computer system and relevant contact information is held by individual teams in line with our retention periods.

It is held securely and we have security measures in place to protect it.

We collect personal and sensitive personal information relating to our workforce, this includes staff, contractors, temporary workers and volunteers.

We do this for:

  • Recruitment and appointment purposes
  • Administration purposes (e.g. to operate payroll, pensions etc.)
  • Conduct performance reviews, manage performance and determine performance requirements
  • Offer any necessary support requirements in your role
  • Compliance with legal or industry standards (e.g. to prove eligibility to work in the UK and meeting our Health and Safety requirements)
  • Conducting transactional surveys to monitor and improve our services, for example following training courses
  • Monitor Equality and Diversity (the information provided is anonymised and used only for statistical monitoring purposes which help us make improvements)

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • where we need to perform the contract we have entered into with you
  • where we need to comply with a legal obligation
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • where we need to protect your interests (or someone else’s interests); and
  • where it is needed in the public interest or for official purposes.

Information is held centrally by our HR Team on our computer system.  Individuals and line managers can access certain personal information through MySpace.  Information is held securely and we have security measures in place to protect it.

We’ll share your data with third parties, including third-party service providers, for example payroll, pension administration, training and support.

We require third parties to respect the security of your data and to treat it in accordance with data protection legislation.

Unless we advise you otherwise, we’ll only collect and process personal information to carry out these functions.

During your residency in our care homes we will collect and process information about you, your family members or next of kin.

We do this to:

  • Manage your stay in our care home facilities
  • Provide personalised care and support during your stay through person centred care plans
  • Discuss your care with family members, contact family members or next of kin in the event of an emergency or to protect your interests
  • Provide social activities tailored to your individual needs
  • Monitor Equality and Diversity
  • Comply with our safeguarding duties

We will only use your sensitive personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • To carry out obligations under social security or social protection law
  • To protect your vital interests if you become physically or legally incapable of giving consent
  • For the purposes of preventative or occupational medicine and the provision of health or social care.

We share your data when required with other health professionals (e.g. social services, GP surgeries, dentists and pharmacies) involved in your direct care.

Unless we advise you otherwise, we’ll only collect and process personal information to carry out these functions.

Personal information is stored an electronic database. We store some paper records for the purpose of addressing our Care Quality Commission (CQC) requirements. It is held securely in line with our retention periods and we have security measures in place to protect it.

Legal basis for processing

For care homes and staff data please refer to the sections above.

We have three main legal bases for processing personal data of residents, service users and leaseholders or occupants of our homes, students and keyworkers, contractors, suppliers, partners or agents and Board Members:

Where it is necessary for the performance of a contract (provision of services set out in the tenancy agreement)

  1. Where it is necessary for the purposes of the legitimate interests pursued by Optivo or by a third party to process your information. We can do that so long as we do not interfere with your fundamental rights or freedoms.
  2. Because we have your consent (i.e. agreement) to us processing your personal information. You can withdraw your consent at any time. This is explained further below in the section entitled ‘Your rights under GDPR’.

The other reasons we can rely upon to process your personal information under GDPR is as follows:

  • Where we are under a legal obligation or an obligation under a contract to process/disclose the information
  • Where we need to protect the vital interests (i.e. the health and safety) of you or another person.

Some personal information is treated as more sensitive (specifically: health, sexuality, racial or ethnic background, political opinions, religious beliefs, trade union membership or genetic and biometric data).  The legal basis for processing these special categories of personal information is more limited. To lawfully process special categories of personal data, we must identify a lawful basis for the processing and meet a separate condition for the processing.

The basis we can use are:

  • With your consent
  • Where we need to protect the vital interests (i.e. the health and safety) of you or another person
  • Where you have already made your personal information public
  • Where we or another person needs to bring or defend legal claims; and/or
  • Substantial public interest grounds

To process personal data about criminal convictions or offences, we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

How we manage your personal information

We process your personal information in accordance with the principles of GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

  • Processed for limited purposes;
  • Kept up-to-date, accurate, relevant and not excessive;
  • Not kept longer than is necessary;
  • Kept secure.

Access to personal information is restricted to authorised individuals on a strictly need to know basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.

To help us to ensure confidentiality of your personal information we will ask you security questions to confirm your identity when you call us. We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so.

Who might we share your personal information with?

Normally, only Optivo staff will be able to see and process your personal information. However, there will be times when we will need to share personal information with third parties for the purposes as outlined or where we are legally required to do so.

When sharing personal information, we will comply with all aspects of the GDPR. Special categories of personal data about health, sexual life, race, religion and criminal activity for example is subject to particularly stringent security and confidentiality measures.

We also share information:

  • To allow us to tailor our services to you
  • For detecting possible fraud (e.g. as part of the National Fraud Initiative), and
  • To deal with rent arrears (e.g. tracing and/or debt collection agencies)
  • To deal with unpaid bills, e.g. utility or council tax bills – we may need to pass on your forwarding address
  • To help us communicate with you (e.g. we sometimes use external printers, translators etc.)
  • To assist the Police in solving crime and investigating anti-social behaviour.

As part of the government’s reform of welfare benefits, they’ve introduced new regulations on information sharing.  This means we can now share limited information about our residents and their properties with local authorities.  For example name, address, age and number of bedrooms per property.

The new regulations will help us identify and support those who could be affected by welfare reform.

We will also disclose your personal details, if required to do so, by law or any Government body.

Optivo contracts external companies to manage certain areas of our business, to fulfil our obligations as a landlord.

We share limited personal information of our residents with external contractors.  Such as name, address and telephone number.

Examples include:

  • Repairs and maintenance contractors
  • Out of hours call centre service
  • Health and safety and compliance checks (e.g. gas servicing, lifts, asbestos, legionella).

We’ll only share the minimum information necessary for the contractor to carry out their services on behalf of Optivo. If you have any concerns about a company operating on behalf of Optivo, or information that’s been shared with an external company, please contact us using the details below.

We’ll never sell personal information to a third party.

How long do we keep information?

We have a document retention schedule which sets out how long we keep different types of information for. We follow legal requirements and best practice.

Please contact us if you’d like a copy of the schedule.

Fraud detection

We may use data disclosed to us for the purpose of preventing and detecting fraud.

Any personal data disclosed may be used for the purpose of preventing and detecting fraud.  This includes information provided on the Optivo website, on the MyAccount area, or in any other way provided to us online or not.

The data collected may be used for the purpose of data matching and for further investigations.  This involves comparing the data we hold on you with that held by third parties solely for the purpose of detecting and preventing fraud.  We might also use your data to further investigate fraud that we think might have been committed.

This involves checking with various third parties, such as the Land Registry, banks, schools and utility companies.

Your rights under the GDPR

You have a number of rights under the GDPR:

Access to personal information

Under the GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information.  This is known as a ‘subject access request’ (SAR).

We’ve a Subject Access Request form which provides further information to help you to submit your request.  We will also request two forms of identification.

To request a copy of the form please email us or phone us on 0800 121 60 60.

We will respond to your request with all the information we’re legally required to provide within 28 days.

Your right to certain information may be restricted. For example, information relating to a third person or information relating to a police investigation.

Rectification

If you need us to correct any mistakes contained in the information we hold about you, you can let us know by contacting  customer services at 0800 121 60 60.

Erasure (‘right to be forgotten’)

You have the right to ask us to delete personal information we hold about you.  You can do this where:

  • the information is no longer necessary in relation to the purpose for which we originally collected/processed it
  • you withdraw consent
  • you object to the processing and there is no overriding legitimate interest for us continuing the processing
  • we unlawfully processed the information
  • the personal information has to be erased in order to comply with a legal obligation

We can refuse to erase your personal information where the personal information is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to enable functions designed to protect the public to be achieved e.g. government or regulatory functions
  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research historical research or statistical purposes;
  • the exercise or defence of legal claims; or
  • where we have an overriding legitimate interest for continuing with the processing

Restriction on processing

You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:

  • You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
  • You challenge whether we have a legitimate interest in using the information
  • If the processing is a breach of the GDPR or otherwise unlawful
  • If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.
We must inform you when we decide to remove the restriction giving the reasons why.

Objection to processing

You have the right to object to processing where we say it is in our legitimate business interests.

We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which override your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.

Withdrawal of consent

If the basis on which we are using your personal information is your consent. We will seek your consent to contact you for non-essential services.

Examples of this include marketing information about our services, community development activities or employment support.  You have the right to withdraw your consent to us processing your information at any time. We must stop using the information. We can refuse if we can rely on another reason to process the information such as our contractual obligations or legitimate interests.

Automated Decision Making including Profiling

On occasion we profile residents’ data to enable us to tailor the support we provide, specifically to assess the likelihood of residents falling into rent arrears or send targeted communication campaigns.

We use an automated tool to complete an affordability assessment where appropriate.  This is then referred to our Financial Inclusion Team to review.
Optivo does not undertake profiling or automated processing that has a legal or significant effect on individuals.  If you have any concerns about the way Optivo is using your data please contact us using the details below.

Transferring information outside the EU

We may transfer limited personal information to be held on servers in the US as part of contractual arrangements with third party suppliers, in order to fulfil our legal basis for processing as set out above.

Transfers will only be authorised by Optivo where the European Commission has decided the US ensures an adequate level of protection under the Privacy Shield arrangement.  We will not authorise the storing of sensitive personal information outside the EU.

Visitors to our website

We collect the following information from visitors to our website and MyAccount:

  1. Details collected through forms, including web chat, filled in when you contact us online
  2. Surveys and polls about the website
  3. Site usage information from session cookies and log files.

Site usage information

You can read more about how we use cookies and log files .
Links to other websites

This privacy notice doesn’t cover links within our website to other websites.  We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review.

We’ll update if we undertake any new or amended processing. This privacy notice was last updated on 14 May 2018.
Subsidiary organisations

Optivo has subsidiary organisations who are also registered as Data Controllers with the Information Commissioners Office.  To view a full list expand the appropriate blue boxes below:
Subsidiary Companies

  • Fresh Visions People Limited
  • Middlesex First

 Community Benefit Society

  • ​CPHA Housing Association

Further Information

This privacy notice does not provide detail on all aspects of Optivo’s collection and use of personal information. We’re happy to provide any further information or explanation needed.

Please contact us using the information below.

How to contact us

If you want to get in touch you can do so online or on the phone – click here to find out how you can contact us.

Write to us at:

Head of Data Protection and Compliance
Optivo
Governance Department
Grosvenor House
Croydon
CR0 9XP

Complaints

Optivo tries to meet the highest standards when collecting and using personal information. We take any complaints we receive seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading, inaccurate or inappropriate.
If you remain unhappy with our response you’ve the right to complain to the Information Commissioners Office by writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF