We are committed to protecting your privacy in line with the requirements of the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR).
This privacy notice explains your rights under the legislation and describes how we use, store and share the personal information we collect about you.
Why we are collecting data
We use personal data to discharge our statutory functions under the Housing (Scotland) Act 2010 and other relevant legislation.
We need to process your personal data in order to carry out our regulatory role of protecting the interests of tenants, homeless people and others who use the services provided by social landlords.
We use this information to monitor and assess performance of social landlords, identify and understand risks to the interests of tenants and service users and monitor social landlords’ compliance with our regulatory standards.
Legal basis for processing data
We process personal data on the following legal grounds:
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
- The processing is necessary for compliance with our legal obligations.
We do not routinely process ‘special category’ personal data, such as information relating to health (including disability). On the rare occasions when we need to process such information, we do so on the grounds that the processing is necessary for reasons of substantial public interest.
What data we collect
The majority of personal data we hold relates to the organisations we regulate. We process some personal data about tenants and service users, governing body members and staff and statutory appointees of social landlords in Scotland.
We obtain this information directly from tenants and service users or from social landlords.
When delivering our functions, we will process the following data:
- Contact details of social landlord tenants and service users including name, address, email address and telephone numbers
- Contact details of social landlord staff and governing body members, including name, address, email address and telephone numbers
- Employment information relating to social landlord governing body members, staff and statutory appointees including salary and expenses information, length of service and performance related information
- Any other information voluntarily provided to SHR by tenants and service users, landlords or members of the public by correspondence, including complaints, feedback and general comments
How long we keep it
We have a records retention and destruction policy in place in order to comply with the data protection principle that we do not keep personal information for longer than necessary. Generally, we will keep information for between five and ten years; however, information that is of particular corporate value will be retained for a longer period. More information about our retention schedule is available on request.
Who we will share your data with
We may share information with other relevant bodies, such as other regulators and the Scottish Public Services Ombudsman, in the course of carrying out our regulatory functions. The exchange of personal information will be in line with data protection principles, which will be reflected in any Memorandum of Understanding we have with other bodies.
In the event of an appeal against a regulatory decision, we may share personal data with our external, independent appeal panel member. Find out more about our appeals process against regulatory decisions.
We may also share information with relevant departments of the wider Scottish Government, as well as our contractors, suppliers and service providers to allow us to manage and deliver our services.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
Where we store your personal information
Your personal information may be stored inside the UK, inside the European Economic Area (EEA) or outside the EEA.
We may transfer personal information outside the UK or the EEA where our service providers or contractors host, process, or store information outside the UK or the EEA. Where we do this, we ensure a similar degree of protection is afforded to your personal information by ensuring at least one of the following safeguards is implemented:
- The country to which the personal information will be transferred has been deemed to provide an adequate level of protection for personal information by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers or contractors, we may use specific contracts approved by the European Commission which give personal information the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to non-EU countries.
- Where we use providers based in the US, we may transfer information to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal information shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the EEA.
Our IT system has robust security procedures in place to prevent unauthorised access to personal data. We have a records management policy in place to oversee the secure processing of personal data.
You have certain rights under data protection legislation, namely:
- the right to access the personal information held about you by making a subject access request;
- the right to have your personal information rectified if it is inaccurate or incomplete;
- the right to request to have your personal information deleted in certain specific circumstances;
- the right to request the restriction of the processing of your personal information in certain specific circumstances;
- the right to ask us not to process your personal information for marketing purposes or for purposes based on our legitimate interests (where applicable);
- the right to ask us not to undertake automated decision making or profiling;
- the right to request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you;
- where you have provided consent, the right to withdraw such consent at any time; and
- the right to lodge a complaint with the UK Information Commissioner’s Office.
There are some exceptions to the above rights that are permitted under the data protection legislation. Please note that if you choose to exercise your rights to have personal information restricted or deleted, then we may not be able to provide you with certain services.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated.
If you have any questions about anything in this privacy notice or you would like to exercise any of your rights, please contact:
Data Protection Officer