Covid-19 Privacy Notice

We ask that you read this privacy notice carefully as it contains information about how we are collecting information about you relating to the Coronavirus pandemic (Covid-19).

We may collect, process and share your personal data in response to the Covid-19 pandemic to ensure your safety and the well-being of residents, tenants, leaseholders, service users, contractors, our employees and general members of the public. Some of the information we collect will be in relation to your health and will include information required so that we are able to manage and complete essential repairs and servicing to your property.

Any information we collect will be limited to what is proportionate and necessary, taking into account the latest guidance issued by the government, the Information Commissioner’s Office and health professionals, inorder to manage and contain the virus. It will enable us to effectively fulfil our functions and to keep people safe, put contingency plans into place to safeguard those vulnerable and aid business continuity. You may also wish to consider our main Privacy Notice which sets how we process your information.

Who we are

We are a registered charitable Community Benefit Society that provides social housing and support. We are a controller of personal information and collect, use and are responsible for certain personal information about you. When we do so, we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) and the Data Protection Act 2018. Our contact details for data protection purposes are as follows.

Information Governance Team
WDH
Merefield House
Whistler Drive
Castleford
WF10 5HX
Email: informationgovernance@wdh.co.uk

The individual responsible for data protection compliance is our Data Protection Officer, who is contactable using the above details.

What information we need

We may collect the following information.

• Basic details about you including your name, address, contact details, details about your health to identify if you (or those closely linked to you) are in any of the high-risk categories and would be considered vulnerable or have any underlying health conditions.

How we collect your personal data

We may already have some of your personal data that you have provided as an applicant, tenant or an employee and which has been provided for a specific reason. In the current crisis, we may need to share this information for a different reason and it may not always be possible to inform you of this in advance. We may also request further information from you or from a third party which we have not previously collected or processed. If you do not provide the information we need then we may not be able to provide all services to you.

How we will use the information we hold about you

We will use the information you provide to:

• protect the health of our employees and contractors who may have to visit your home to provide an essential service; and
• safeguarding the health and safety of our tenants.

Why we need your personal information

The legal basis for processing the data is that it is in the public interest for us to deal with the outbreak of Covid-19.

The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful. These relevant conditions are below.

• Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
• Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
• Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Section 8(c) of the Data Protection Act sets out that such a task must be necessary for the performance of a function conferred on a person by an enactment or rule of law.
• The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met. These further relevant conditions are below.
  • Article 9(2)(i) – is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
  • Schedule 1, Part 1(1) – is necessary for the performance or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, eg Health and Safety at Work Act 1974.
  • Schedule 1, Part 1(3) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, eg governmental guidance published by Public Health England.

Who we will share your information with

• We will normally only share your information with other partner organisations as part of the response to the Covid-19 outbreak, and where it is necessary and proportionate to do so. We may also share limited personal data with our contractors who are carrying out services on our behalf.

How long we will keep your personal information

• We will only keep your information for as long as it necessary, taking into account government advice and the on-going risk presented by Coronavirus. As a minimum the information outlined in this privacy notice will be kept for the duration of the Covid 19 response

Your rights

Under the GDPR and Data Protection Act 2018 you have a number of important rights free of charge, unless excessive or repetitive in nature. In summary, those include the following.

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, in response to your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms, or that the processing is necessary for the establishment, exercise or defence of legal claims. You also have the right to object where we are processing your personal data for direct marketing purposes.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

1. if you want us to establish the data's accuracy;
2. where our use of the data is unlawful but you do not want us to erase it;
3. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
4. you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format (ie useable on a computer). Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data.

However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. Also, we may still be allowed to process your data following the withdrawal of consent if another lawful justification for such processing exists.

If you would like to exercise any of those rights, please:

• email, call or write to us;
• let us have enough information to identify you (for example tenancy reference number, Homesearch reference number);
• let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
• let us know the information to which your request relates.

We will respond to all legitimate requests within one month. If it’s going to take us longer than a month because the request is complex, or you have a number of requests we will notify you and keep you updated.

Keeping your personal information secure

Your personal information relating to Covid-19 is stored on our Customer Relationship Management (CRM) system which may be copied for testing, backup, archiving and disaster recovery purposes. Access to your information is limited to those who require it to provide services to you. All data is held within the UK.

Transferring your personal information out of the European Economic Area (EEA)

To deliver services to you, it may be necessary for us to share your personal information outside the EEA, for example if we were to use a cloud service provider based outside the EEA. These transfers are subject to special rules under European and UK data protection law. In such a situation, we will make sure that we have adequate safeguards and security measures in place as required by the GDPR.

How to complain

We hope that we can resolve any query or concern you raise about our use of your information.

The GDPR and Data Protection Act 2018 also gives you the right to complain to a supervisory authority, in particular in EEA state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who can be contacted at Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by phone on 0303 123 1113.

Changes to this privacy notice

We may change this privacy notice from time to time, when we do we will inform you by an update on our website at www.wdh.co.uk.

How to contact us

Please contact us if you have any questions about this privacy notice or the information we hold about you.

If you wish to contact us, please email informationgovernance@wdh.co.uk or write to our Information Governance Team, WDH, Merefield House, Whistler Drive, Castleford, WF10 5HX or email informationgovernance@wdh.co.uk or call us on 0345 8 507 507.

Do you need extra help?

We are committed to giving everyone equal access to information. If you would like this information in another format please phone us on 0345 8 507 507.