Privacy notice

Data protection legislation gives individuals the right to be informed about how organisations use their personal data. We process the personal data that we collect for a number of different purposes. This privacy notice gives a general overview of how we use personal data.

Who we are

We are GreenSquareAccord Limited.

Our registered office address is:

2nd Floor
10 Brindleyplace
Birmingham
B1 2JB

This privacy notice covers GreenSquareAccord Limited and its subsidiaries.

We are a ‘data controller’. This means we are responsible for determining, by ourselves, or along with others, the purpose, methods and systems for processing personal data.

Our data protection officer

Our data protection officer is responsible for overseeing what we do with your information and monitoring compliance with data protection laws. The data protection officer is the company secretary of GreenSquareAccord.

If you have any concerns or questions about our use of your personal data, you can contact our data protection officer using the contact details below.

Data Protection Officer/Company Secretary
GreenSquareAccord
2nd Floor
10 Brindleyplace
Birmingham
B1 2JB

Email: data.protection@greensquareaccord.co.uk

Why we process personal data

The personal data you provide will be used to:

  • process applications and maintenance for tenancy, leases and shared ownership;
  • provide a care, support or ancillary service;
  • keep your files/account information up to date;
  • comply with the law for safeguarding, data privacy, financial transactions, health and safety and landlord responsibilities;
  • carry out identity and security checks;
  • conduct research to improve services;
  • investigate complaints, grievances, policy compliance and queries;
  • support physical security, crime deterrence and investigation;
  • make representation during disputes, litigation or conflict resolution;
  • process job applications;
  • manage employees, support workers and contractors; and
  • keep a record of visitors to some business locations.

When we process personal data, it means we collect, record, organise, structure, store, adapt, alter, retrieve, consult, use, disclose, transmit, disseminate, align, combine, restrict, erase or destroy personal data.

Personal data we process

We will only collect personal information when it is essential to do so. The type of information we need from you will vary depending on our relationship with you.

Here are some examples of the personal and special category data we process:

  • Name and title
  • Physical address
  • Email address
  • Telephone and mobile numbers
  • Finance data
  • Date and place of birth
  • Gender and sexuality
  • Ethnicity
  • Marital status
  • Criminal records and records of criminal allegation
  • Health data
  • Audio, video, CCTV and still photographic images
  • Records and references of employment
  • Biometric data
  • Cyberspace identifiers
  • Membership of trade union
  • Religious, political and philosophical beliefs
  • Vehicle registration number
  • Immigration and citizenship data
  • Next of kin, nominated representatives, children and family relationships
  • Location data

The personal data we process is classified into two categories; personal and special. Special category data is more sensitive by nature and requires additional security and confidentiality assurances.

Our sources of personal data

We collect information and personal data from various sources to support our business operations. These sources can include:

  • The data subject or the individual directly, either as an individual or the head of a household
  • Direct friends and family of the individual or data subject
  • Partner agencies or organisations quoted, referenced or connected to the data subject or the individual
  • Local, regional and national government, including but not limited to government departments, agencies and bodies
  • Regulators and the Housing Ombudsman Service
  • Elected representatives and Members of Parliament
  • Academic institutions (depending on the individuals’ circumstances)
  • Specialist care providers and charities
  • Utility providers
  • Interpretation services
  • Insurance services and solicitors
  • Estate maintenance and partner contracting companies
  • Other housing providers and landlords
  • Previous employers
  • Professional/criminal or individual suitability-based disclosure services
  • Members of the public
  • Publicly available data, including personal data

This list is not exhaustive.

Where we do not have a direct legal relationship with an individual, we may store information in a manner that supports our legal, regulatory or contractual obligations.

Some information, including personal data, is processed under strict confidential obligations to provide our social housing and care services.

How we process personal data

‘Processing data’ means collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, disseminating, aligning, combining, restricting, erasing or destroying personal data.

Our scope of processing is wide and we commission a range of means to achieve this. They include a range of tools and avenues for initial collection and onward processing while the data is under our control.

Tools:

  • Paper forms and notes
  • Email
  • Telephone, audio and video conferencing applications and CCTV
  • Other special-purpose computer applications
  • Digital fax

Data collecting avenues (direct and indirect data collection):

  • Records you send to us by post, email and digital fax
  • During in-person meetings/interviews and other events
  • When you talk to us over the telephone
  • When you and/or your property are captured on CCTV
  • Personal data received from partner organisations. For example; HMRC, the NHS, local authorities and the police

Our lawful basis for processing personal data

We must have a valid lawful basis in order to process personal data. Throughout processing, we uphold data protection principles of lawfulness, fairness and transparency. Also ensuring that processing remains within the confines of the purpose for collection, as well as making sure data is relevant, limited, accurate, and retained only for a specified period. Finally, we strive to maintain data integrity and confidentiality.

Our lawful basis for processing personal data:

  • Consent – You provide us with consent.
  • Contract – We enter into a contract with you – this includes precontractual processing.
  • Legal obligation – In scenarios where we have to comply with other laws.
  • Vital interests – To safeguard your life or the life of someone else connected to you.
  • Legitimate interest – Where we are pursuing the legitimate interest of the business – however, our legitimate interest cannot override yours.

Our lawful basis for processing special category data:

  • Explicit consent – You provide us with explicit consent.
  • Employment and social protection – We enter into a contract with you – this includes precontractual processing.
  • Vital interests – To safeguard your life or the life of someone else connected to you.
  • Legitimate interest – Where we are pursuing the legitimate interest of the business – however, our legitimate interest cannot override yours.
  • Where you make information public – for example on social media.
  • When we have to mount or defend a legal challenge.
  • Provision of health and social care.

Who we share your personal data with

To provide you with the best service possible, we may share personal information with other data controllers. These third-party controllers are split into two groups. Organisations designated as public authorities and those that are not public authorities.

Public authorities include:

  • The emergency services – fire service, police, ambulance and NHS
  • Local authorities
  • The Home Office, Department for Work and Pension and Her Majesty’s Revenue and Customs
  • Some academic institutions
  • Members of parliament and councillors
  • The courts
  • The Information Commissioner’s Office
  • Other Regulatory Authorities

Organisations not designated as public authorities:

  • Specialist care provider organisations and charities
  • Utility providers
  • Interpretation services
  • Insurance services and solicitors
  • Estate maintenance companies in a contract with us
  • Other housing providers and landlords

How long we keep your personal data for

The purpose for processing your personal data, will determine the length of time it remains under our control. The length of time personal data remains under our control is referred to as the ‘retention period’.

We document retention periods for data processing activities in our retention schedule. If you would like to know how long we keep your personal data for a specific processing activity, please email data.protection@greensquareaccord.co.uk.

How we protect personal data under our control

We use a combination of organisational and technical measures to keep personal data safe.

We do this by:

  • hiring professionals with subject matter expertise to advise, plan, strategise and implement appropriate organisational and technical measures;
  • providing training to persons joining our organisation, to educate them about what to do, why, when and how to do it;
  • investing in digital technology and physical security;
  • conducting data protection impact assessments before procuring new systems or modifying legacy systems;
  • carrying out periodic internal and external audits to assess compliance and security standards;
  • learning from the mistakes of others and past mistakes we have made; and
  • disposing of data and retired hardware responsibly.

Your rights over the personal data under our control

The UK GDPR provides the following rights to individuals:

  • Right to be informed: We have to tell you why, what, how, and with whom we share your personal information.
  • Right of access: You may demand to see your personal information under our control.
  • Right of rectification: If for any reason your personal information under our control is not accurate, you have the right to have it updated.
  • The right to erasure: Under certain circumstances, you can instruct us to erase your personal information. If this right applies to the particular processing, we will delete your personal information from our systems.
  • Right to restrict processing: Sometimes, you might want us to suspend processing for a limited period. For example, you may want us to hold on to your data even after the retention period expires because you envisage a need for it. Our data protection officer will let you know whether your instruction to restrict processing was upheld or not and why.
  • Right to data portability: If you require your personal data to be sent to another controller, or you would like a copy for yourself, this right allows you to request it from us in a digital format.
  • Right to object: When we use legitimate interest as our lawful basis for processing, it cannot be used to override your interests. If we use this lawful basis, you have the right to object to the processing.
  • Rights in relation to automated decision making and profiling: If we use systems that make decisions without human intervention, you may have the right to request for the processing to be carried out in whole or in part by a living person. There are restrictions to exercising this right. One such restriction is when we are processing your personal data with the intent to enter into a contract with you.
  • Right to withdraw consent: If we required your consent before processing your personal data, you have the right to withdraw that consent at any time during processing.

How to exercise your personal data rights

When you exercise any of these rights, we refer to your action as a data subject access request (DSAR). You can make a DSAR through any avenue where we interact with you and collect your personal data. You will usually receive a response within one calendar month.

Whilst you can make your request by any method, you can help us to process your request quickly and efficiently by following the steps below:

  1. Determine the records you want to access and why.
  2. Specify a particular period. For example, the calendar year 2020.
  3. Take note of the service you dealt with. Remembering the location and any business representatives involved will help to retrieve your personal data much quicker.
  4. Find out whether you are entitled to make the request. This is important when making requests on behalf of another person.
  5. Complete a data subject access request (DSAR) form. You can download the form in your preferred format at the bottom of this page.
  6. Forward the completed form to data.protection@greensquareaccord.co.uk or post it to the physical address on the form.

The Information Commissioner’s Office

You have the right to refer unresolved data protection issues to the Information Commissioner’s Office (ICO). The ICO is the data protection supervisory authority in the UK.

Contact the ICO

Online:
https://ico.org.uk/make-a-complaint/

Email:
icocasework@ico.org.uk

Phone:
0303 123 1113

Post:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Frequently asked questions

Am I authorised to make a data subject access request?

The information below will help you determine whether you are authorised to make a DSAR. All DSARs are subject to identity checks, which may include a request to see one or more of the below:

  • A valid or ‘in date’ nationally accepted photo ID – passport, driving licence, citizen or NUS card
  • Correspondence from a public authority dated within the last three months
  • Proof of residence or utility bill dated within the last three months
  • Valid proof of parental rights

Who can make a valid request:

Owner of personal data Who can make a DSAR
For a child under the age of 13 A parent, guardian, foster parent, advocate or legal representative
For a young person between 13-16 years of age The individual, a parent, guardian, foster parent, advocate or legal representative
For a person 16 years of age and older The individual, a nominated person, advocate or legal representative
For a person older than 16 years of age but without capacity to consent (due to ill health or disability) A parent, guardian, advocate or legal representative
For a deceased person Person named in the letter of administration or an executor with grant of probate
What happens if GreenSquareAccord need more information to process my request?

If your request is not clear or it appears excessively demanding and burdensome, we might seek more information from you. If this is required, the team will get in touch via your preferred method of contact. You could be asked to:

  • clarify the reason for requesting access;
  • provide a date or time range; and
  • narrow your request to relevant records only.

When we do this, we will normally allow you 14 days to respond. During these 14 days, the one month calendar countdown will be paused.

Can GreenSquareAccord refuse to process my request?

Yes. A DSAR may be refused when:

  • a requester has made more than two repetitive requests within the current calendar year;
  • our data protection officer judges the request to be manifestly unfounded or excessive in nature; or
  • there are legal prohibitions or safeguarding concerns for the requester or other persons at that particular time.

The team dealing with your DSAR will let you know our decision in good time and in any case no later than one calendar month.

Is GreenSquareAccord compliant with the national data opt-out?

We review all our data processing annually to assess if the national data opt-out applies. We also assess all new processing requirements to see if the national data opt-out applies.

If any data processing falls within scope of the national data opt-out, we use the secure Message Exchange for Social Care and Health (MESH) to check if any of our service users have opted out of their data being used for this purpose.

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all the confidential patient information we process annually to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose.

For more about national data opt-out, please visit the NHS website.

How do I make a request for data on behalf of my organisation?

In certain circumstances, in line with this privacy agreement, we will share data and CCTV with public authorities and other organisations. If you would like to request information on behalf of an organisation listed below, you must complete the Third Party Data Disclosure Request Form and submit it to our Data Protection team:

  • The emergency services – fire service, ambulance and NHS
  • Local authorities, government departments, members of parliament and councillors
  • Academic institutions
  • Regulatory authorities
  • Specialist care provider organisations and charities
  • Utility providers
  • Insurance services and solicitors

If you are requesting information on behalf of the police, you must submit police service DP1 form to data.protection@greensquareaccord.co.uk 

Data Subject Access Request Forms

Data Subject Access Request Form (PDF)

- pdf - 108Kb

Data Subject Access Request Form (Word)

- docx - 69Kb