Privacy notice for stakeholders
Curo Group and its associated companies (‘Curo’) is a housing association and house-builder based in Bath providing homes and high quality care and support services across the West of England. Curo is committed to respecting your right to privacy and to processing your personal information in a lawful, fair and transparent way. As a Data Controller, all personal data we hold about you will be processed in line with the General Data Protection Regulations (‘GDPR’) and data protection laws.
The following summarises:
- How we use personal data
- What personal data we need
- Why we need it
- How we use it
- Who we might share it with, and
- How long we will keep it for
It also sets out the rights you have regarding any of the personal data held by Curo. From time to time we may update this Notice, any updates will be posted on our website.
Personal data is any information relating directly or indirectly to a living individual. This information includes ‘identifiers’ such as a name, an identification number, location data, email address or social media name, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
We only collect personal data for specific, clear and legitimate purposes and we will not process it for purposes that differ from those we have notified you about. We will limit our use of your personal data to what is needed, relevant to, and necessary for, the purposes we have identified. Access to your personal data is given only to those who need to process it for the purposes identified. We will ensure that we keep your personal data accurate and up to date, and will not store it for longer than is necessary.
The types of personal data we collect includes (but is not limited to):
Name, address, phone number(s), email address(es) (including work email addresses), other identifiers (for example social media user names), financial, medical/ health, behavioural, criminal offence/ conviction, religious beliefs, Trades Union Membership or political opinions, images, CCTV, audio recordings, location data, disability information, profiling information and other information such as next of kin, copies of ID documentation.
We collect this information in a number of ways, including (but not limited to):
Information we collect directly from you, for example when you:
- Interact with our website and social media platforms
- Become a business partner or tender for contracts with us
- Provide information to us, including via phone, email or other correspondence
- Generate documents, records and other information in the course of your relationship with us, for example, when carrying out work on our behalf
- Make an application to us, for example applying to work with us or applying for a Curo grant
- Participate in surveys or provide feedback to us
- Attend meetings with us
- Provide services or products to us or deliver services on our behalf
- Raise a complaint or request or are involved in an incident on our premises
- Participate in our events
- Attend any of our premises covered by CCTV surveillance
- Are engaged in a sale or purchase of leasehold, shared ownership or freehold property
- You are a guarantor, next of kin, power of attorney or agent acting on behalf of a Curo customer or stakeholder
We also collect information from third party sources, for example, private and organisational references, the Data Barring Service and the Bath and North East Somerset Homesearch Register.
Our processing of your personal data is necessary for us to provide services to our customers, to maintain relationships with our stakeholders, and to fulfil our business objectives and legal obligations. We use personal data for the following reasons:
- Providing homes and general properties
- Managing properties and delivering home improvements
- Managing tenancies and compliance
- Providing community services
- Health, safety and wellbeing
- Managing enquiries
- Managing our customers’ accounts
- Selling properties
- Supporting out tenants in their homes
- Managing our suppliers and contractors
- Improving customer experience
- The management and governance of our businesses
- Fulfilling our legal obligations
The GDPR gives companies a number of lawful reasons to collect and process personal data. Below are the lawful reasons we rely upon and the types of processing activities that relate to each:
Performance of a Contract:
In some circumstances it is necessary to process your personal data in order to fulfil our contractual obligations with you. Without this information we would not be able to fulfil our business and legal obligations to you. For example:
- Your provision of goods and services to us, or on our behalf, such as making payment to you
- When you make a request for a Direct Let Form
- Using the documents, paperwork and other information given and generated by you during your engagement with us (whether contractual or pre-contractual)
- Tenancy and customer account management, such as contacting family members and householders following the death of a tenant, or when carrying out a success plan
- Completing reservation forms in connection with house purchases
- Administering trade enquiries, including processing information contained in request forms
- Carrying out sub-contractor and supplier company search administration, such as conducting company financial and background checks
- Processing purchase orders
- Carrying out assessments before being housed by Curo
- Providing support to customers in our Enabling Independent Lives schemes, such as providing contact details of a partner organisation support worker to a customer or completing assessments containing third party support worker details
- In the preparation of our company records, such as processing emoluments
- In the preparation of agreements, such as confidentiality agreements
- Processing next of kin details, for example in connection with the creation of tenancies or providing support
- In connection with customer tenancy compliance and management, such as investigating incidents connected with the Housing Management Function
In some circumstances it is necessary to process your personal data so we can comply with our legal obligations. Without this information we would not be able to fulfil our legal obligations to you, the authorities, or regulatory and statutory bodies. For example:
- Recording, investigating and administering health and safety related matters
- Carrying out and administering subcontractor and supplier checks, such as checking appropriate insurance and carrying out fraud checks
- In connection with legal matters, such as disputes, infringements and public liability claims
- For risk and assurance purposes, such as monitoring, investigating and reporting issues and reportable events
- Carrying out Right to Rent checks
- Tenancy management and compliance, including administering and attending multi agency meetings, administering tenancies following the death of a tenant
There are situations where processing your personal data is necessary to pursue our legitimate interests as a business. We have to balance our interests as a business with yours as an individual, so that our legitimate interests do not override your interests, rights or freedoms. For example:
- Administering applications for Curo grants
- Carrying out financial checks on new suppliers and subcontractors
- Maintaining procurement schedules
- Administering next of kin details
- Carrying out surveys, for example to gain opinion on Universal Credit
- Providing support services to our customers, such as processing third party information contained in assessments and other documentation to support Independent Living Service customers
- Managing suppliers and contractors
- Recording images via CCTV or other photographic means and using noise monitoring for security and investigation purposes
- Sharing safeguarding information with the local authority or police
- For targeted media releases
- Maintaining a key contacts list for emergency situations, including details of journalists and partner organisation contacts
- To support tenancy compliance and management, including investigating third party incidents connected with the Housing Management Function and managing risk
- Carrying out risk assessments and impact assessments
- Gathering information relating to planned housing regeneration and refurbishment projects
- In connection with recruitment and candidate selection
- Sending information about Curo services and activities to stakeholders on a business to business basis
- Administering and organising events
- To carry out general administration of our business, including, recording meetings, producing minutes, agendas, distribution lists, contact directories, and general correspondence
- Maintaining our supplier database and records
- Carrying out third party checks, including Data Barring Service and qualifications checks
- Carrying out and administering tender submissions
- Maintaining our CRM, Finance and Housing Management Systems, for example recording information relating to our properties
- Responding to queries and complaints
- Maintaining records relating to suppliers, developers and subcontractors
- Administering sales, including recording progress, completed and withdrawn applications
- Analysing traffic to our website
In some situations, we will ask you for your consent to collect and process your personal data, for example:
- Interacting with us via social media, for example Twitter and Live chat
- Through cookies when interacting with our website
- When attending our events
- Obtaining contact information when purchasing a home from us or making an expression of interest in our properties so we can to send you information about our products and services
- Making a request or notification to us
- Taking photographs for marketing
- Acting as a guarantor, next of kin, power of attorney or other agent
- Administering our Employability and Working Well schemes
- Assessing volunteering viability and linking community support across our Social Prescribing schemes in North East Somerset Community Connect and South Gloucestershire Community Connectors
- Administering general enquiries and requests, such as those received via social media platforms and phone
- Taking photographs for publicity
- Parolee resettlement
- Recording third party permissions
Occasionally, we may need to process your personal data when it is necessary to protect your life, for example, in an emergency situation where you cannot give consent.
Sometimes, we will need to process more sensitive personal data, known as ‘Special Category’ data. This type of information includes personal data about your race, ethnic origin, political opinions, religious beliefs, trade union memberships, biometrics, health/ medical information and sexual orientation. When we collect and process this data we will rely on the following additional purposes to process it:
- Explicit Consent
- Employment, social security and social protection law
- Already made public by you
- Legal Claims
- Public Interest
Sometimes it will be necessary to process personal information relating to criminal prosecutions, proceedings, sentencing or convictions. In those circumstances we will rely on one the additional grounds to process this personal data:
- Protecting vital interests
- Already made public by you
- Legal claims
- Judicial acts
- Substantial public interest
In order to provide you with a service and to fulfil our business objectives and obligations, there are many situations where it is necessary to share your personal data with third parties. In such circumstances we will share your data with the following categories of organisations/individuals:
- Regulatory, legal and compliance, for example legal representatives and auditors
- Suppliers and contractors, such as trades and sites, subcontractors, All Pay
- Referencing and credit checking companies
- Other housing associations
- CCTV, security and safety device providers
- Local authorities, police, our external partners, social services, contract funders, support agencies
- IT service providers and software companies, such as Microsoft, Survey Monkey, Eventbrite and hosted and in-house providers and Google
- Other colleagues, departments and companies within Curo Group
We will only keep your personal data for as long as necessary and for the purpose for which it was collected. When it is no longer necessary to keep your personal data we will delete it. Our policy for deciding how long we keep personal data is based on National Housing Federation best practice guidance and our legal obligations.
- Contracts will be retained for 6 years after the end of the contract
- Emails from members of the public making general enquiries will be kept for as long as necessary to deal with the enquiry and deleted as soon as possible thereafter
Sometimes, we may need to retain data for analytical, statistical or research purposes. In these circumstances we will anonymise or pseudonymise your personal data so you will not identifiable.
Sometimes we use personal data obtained from Greenstone, a third party data gathering organisation, to help us generate customer profiles based on lifestyle and behaviours. We use this information to deliver a more customised customer experience.
We ensure that appropriate security measures are in place when handling your personal data.
Occasionally, we may share your data with third party suppliers outside of the European Economic Area (‘EEA’), for example we use Survey Monkey which has servers in the USA. In such circumstances, we ensure that your personal data will receive the same protection as if it were being shared within the EEU by ensuring that our contracts contain a requirement for suppliers to adhere to the same strict data privacy requirements as us.
You have the following rights over your personal data:
The right to request:
- Access to your personal data free of charge, unless the request is unfounded or excessive.
- Correction of your personal data if it is inaccurate or incomplete.
- To have your personal data deleted or removed where there is no good reason for processing to continue.
- Processing of your data to be restricted, subject to certain criteria.
- Your data is moved, copied or transferred to another platform, subject to certain criteria.
If you make such a request, we will respond to it within one month of your request. In some circumstances we may require an extension to this time period and will notify you of the reasons for this. If we refuse your request, we will inform you of the reason(s) and of your right to complain to the Information Commissioner’s Office (see details below) within one month of your request.
You also have the following rights:
- To object to us processing your personal data where we have relied upon legitimate interests to process, subject to certain criteria.
- Not to be subject to a decision made on the basis of automated profiling, if that decision produces legal or a similarly significant effect on you, subject to certain criteria.
The right to withdraw your consent:
Where you have given consent for us to process your personal data, you have the right to withdraw your consent at any time. Please contact us via the contacts below.
You have the right to object to us processing your personal data for direct marketing purposes. If you would like to stop receiving our marketing communications, please contact us at the email or phone number below.
In order to protect confidentiality we will ask you to verify your identity before responding to any request made under this privacy notice. If a third party makes a request on your behalf, we require proof that you have given your permission for them to act on your behalf.
The Curo Group incorporates the following three companies in England and Wales. Each company and society is a Data Controller:
- Curo Group (Albion) Limited (ICO No. Z659867X)
- Curo Enterprise Limited (ICO No. ZA223885)
- Curo Market Rented Services Limited (ZA236884)
Three charitable registered societies:
- Curo Places Limited (ICO No. Z6598589)
- Curo Choice Limited (ICO No. Z6627936)
- Mulberry Park Community Benefit Society (ICO registration pending)
The registered office for all organisations in the Group is: The Maltings, River Place, Lower Bristol Road, Bath BA2 1EP.
If you have any queries or questions about the data we hold about you, please contact our Data Protection Officer Katy Gullon at firstname.lastname@example.org or phone 01225 366000.
If you are unhappy with the way we have handled your personal data or our response to a request you have made to us, you have the right to complain to the Information Commissioner’s Office:
Information Commissioner's Office details:
0303 123 1113
Curo Stakeholder Privacy Notice. Reference number: G002. Version number 002.