Privacy notice & data protection

Hastoe Housing Association Limited is a controller of personal information for the purposes of the General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Details of how we use your information, how we maintain the security of your information, and your rights to access information we hold on you, can be found below in our privacy notice and procedure for access to information.

This privacy notice tells you what to expect when Hastoe processes your personal information. It applies to information about applicants, residents and other service users. We keep our privacy notice under regular review and the latest version (published on 30 May 2022) can be seen below; residents will also be notified of any major changes to this policy.

How to request your personal information 

Please contact us using the details below:

Will Roberts
Secretariat Department
Hastoe Housing Association Limited
Marina House
17 Marina Place
Hampton Wick
Kingston upon Thames
Surrey KT1 4BH

Tel: 0300 123 2250

Why do we request and store personal information?

Hastoe needs to collect, process and store personal information about you and other household members (when you provide information about household members we assume that you do so with their full knowledge and consent) in order to operate as a registered provider of housing and deliver efficient and effective services.

Legal basis for processing 

GDPR sets out different legal bases for processing personal information. For the majority of its activities Hastoe relies upon the following legal bases for the processing of personal information (‘main’ legal bases). These are:

  • where it is necessary for the purposes of the legitimate interests pursued by us or by a third party to process your information. We can do this so long as we do not interfere with your fundamental rights or freedoms; and / or
  • where we are under a legal obligation or an obligation under a contract to process the information (including disclosing information).

In some circumstances, we can rely upon other legal bases to process your personal information under GDPR. These are:

  • where we have your consent (i.e. agreement) to us processing your personal information. Our residents are asked to sign a data protection consent form when they apply to us for housing, or later if they did not sign one when they first became a resident. We may also seek your consent, if we do not have it, for specific purposes when needed. You can withdraw your consent at any time. This is explained further below in the section entitled ‘Your rights under GDPR’;
  • where we need to protect the vital interests (i.e. the health and safety) of you or another person.

Some personal information is treated as more sensitive (for example information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person's sex life or sexual orientation). The legal bases for processing this personal information are more limited. The reasons we can use are:

  • with your consent;
  • where we need to protect the vital interests (i.e. the health and safety) of you or another person;
  • where you have already made your personal information public;
  • where we or another person needs to bring or defend legal claims; and / or
  • substantial public interest grounds.

To process personal information about criminal convictions or offences, we must have both a lawful basis for the processing and either legal authority or official authority for the processing.

Information we hold about you and how we use it

The information we hold on our records concerns our relationship with you. For example:

  • We hold names and dates of birth, photographic ID and information about your previous housing circumstances to assess housing applications and help prevent tenancy fraud.
  • We hold your name, date of birth, national insurance number, address history, employment details, financial information and copies of identity documents in connection with your application for one of our shared ownership properties.
  • We hold your name, contact details and proof of identity (where required) to process any requests that you are entitled to make under UK GDPR/The Data Protection Act 2018.
  • We hold contact details for you so we can communicate with you by your preferred means, and keep you informed about services. We may also use these details to keep you informed about other services that we offer which may be useful to you and your household.
  • We may hold your name, contact details and payment details where you are a leaseholder or freeholder and we collect a ground rent or manage your service charge.
  • We record information about your needs (for example if you have a carer or social worker; if you need adaptations in your home; if you need large print or translated text) to ensure that we take account of any support needs in our dealings with you, and to improve our communications with you.
  • We record information to enable us to provide housing management services. For example, we record reports of anti-social behaviour; complaints; change in circumstances (e.g. when your employment status changes etc.) and information about housing options (e.g. if you have a medical need which means you need to move).
  • We keep financial records about the amount of money you have paid us; any amount(s) outstanding and action taken to recover money you owe.
  • We may hold information about you if you are engaged with our additional guidance and support services. For example, in connection with access to training and employment, we may hold information about your job history and skills and experience. Alternatively, if we support you to improve your financial circumstances, we may hold information about your household income and expenditure, and/or information relating to your health.
  • We may record your telephone calls to our switchboard for training and monitoring purposes to ensure we’re delivering a good service. Any call recordings will be held in accordance with our corporate retention policy before being erased.
  • We may capture your image on our CCTV systems if you visit a property or scheme, Hastoe office, or community facility. All Hastoe CCTV systems are operated in line with a strict policy and procedure and any CCTV recordings will be held in accordance with our corporate retention policy before being erased.
  • We record the findings of surveys and other research to help us improve our service to customers and measure statistics. The information you provide will be anonymous unless you agree that we can use your details.

This list is not exhaustive, as we hold records of most contacts we have with you, or about you, and we process this information so we can deliver services to you. Generally the information we hold will have been provided by you (on application or enquiry forms or when we communicate with you), but we may also hold information provided by third parties where this is relevant to your housing circumstances e.g. from social workers and health professionals (such as doctors and occupational therapists).

We only ask for personal information that is appropriate to enable us to deliver our services. In some cases you have the right to refuse to provide your details if you deem a request to be inappropriate. However, in some cases, this may impact our ability to provide some services to you.

How we manage your personal information

We process your personal information in accordance with the principles of the GDPR.

We will treat your personal information fairly and lawfully and we will ensure that information is:

  • processed for limited purposes
  • kept up-to-date, accurate, relevant and not excessive
  • not kept longer than is necessary
  • kept secure.

Access to personal information is restricted to authorised individuals on a ‘need to know’ basis.

We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate. To do this, please contact us.

To help us to ensure confidentiality of your personal information we may ask you security questions to confirm your identity when you contact us. We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so.

Periods for which we will store your personal information

We will only hold your records during the period of our relationship with you and for a set period afterwards to allow us to meet our legal obligations including resolving any follow up issues between us. Once this period has expired, your personal data will be destroyed and/or permanently removed from Hastoe’s live systems.

We have a corporate retention policy which we are happy to share with you on request.

Sharing personal information

Hastoe staff will be able to see and process your personal information. However, there will also be times when we will share relevant information with third parties, for the purposes as outlined (see below), or where we are legally required to do so. When sharing personal information, we will comply with the GDPR. Sensitive information about health, sexual life, race, religion and criminal activity, for example, is subject to particularly strict security and confidentiality measures.

Where necessary or required, we may share information as follows:

  • With our contractors, in order to undertake repairs, maintenance or improvement works (both planned and responsive works).
  • With other third party service providers, in connection with services performed on our behalf. Our relationships with such providers are governed by our contracts with them which include strict data sharing and confidentiality protocols.
  • With other housing associations, trusts and landlords, in connection with tenancy references and associated enquiries.
  • With community partners in connection with the delivery of co-ordinated local services.
  • With utility companies and their representatives, in connection with unpaid bills (gas, electricity & water).
  • With credit reference agencies and debt collection agencies, in connection with some housing applications and in relation to any outstanding charges owed once residents leave their Hastoe tenancy.
  • With local authorities and government departments, as necessary for administering justice, or for exercising statutory, governmental, or other public functions (including in connection with statutory action to enforce compliance with tenancy conditions, e.g. applications for possession or for payment of Housing Benefit / Universal Credit direct).
  • With police and other relevant authorities (e.g. Probation Service, Department of Work & Pensions, HM Revenues & Customs) in relation to the prevention or detection of crime and fraud; the apprehension or prosecution of offenders and the assessment or collection of tax or duty.
  • With other statutory organisations where there is considered to be a health or safety risk to an individual or members of the public, e.g. social services & health authorities, as necessary for exercising statutory functions.
  • With our regulator, the Regulator of Social Housing, to comply with our regulatory obligations.
  • With PSC Systems, to which the names and addresses of tenants are disclosed, being the company that manufactures and distributes Hastoe rent payment swipe cards and collects payments made with them.
  • The names of contractors invited to tender for works and the amounts tendered will be made available to residents paying service charges to which the cost of the works will be charged (Section 20 Landlord and Tenant Act 1985, as amended).
  • Providing information anonymously for bona fide statistical or research purposes, provided it is not possible to identify the individuals to whom the information relates.

This list is not exhaustive as there are other circumstances where we may also be required to share personal information, for example:

  • to meet legal obligations
  • in connection with legal proceedings (including court orders)
  • to protect the vital interests of an individual (in a ‘life or death’ situation).

We will never knowingly share your information with third parties for the purposes of direct marketing, unless we have obtained your consent (i.e. agreement) to do this.

Your rights under the GDPR

You have a number of rights under the GDPR:

Access to personal information

Under the GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR). SARs may be made in writing (we have a subject access form you can use for this purpose), and we ask that your request is accompanied by proof of your identity. We have one calendar month within which to provide you with the information you’ve asked for, although this may be extended in limited circumstances.

Following your SAR, we will provide you with a copy of the information we hold that relates to you. This will not generally include information that relates to your property, such as repair logs or details of contractor visits, as this is not considered personal information.


If you need us to correct any mistakes contained in the information we hold about you, please contact us to let us know.

Erasure (‘right to be forgotten’)

You have the right to ask us to delete personal information we hold about you. You can do this where:

  • the information is no longer necessary in relation to the purpose for which we originally collected/processed it
  • where you withdraw consent, if and where this is the legal basis we have relied upon for a given purpose
  • where you object to the processing and there is no overriding legitimate interest for us continuing the processing
  • where we unlawfully processed the information
  • where the personal information has to be erased in order to comply with a legal obligation.

We can refuse to erase your personal information where the personal information is processed for the following reasons:

  • to exercise the right of freedom of expression and information
  • to enable functions designed to protect the public to be achieved e.g. government or regulatory functions
  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority
  • for public health purposes in the public interest
  • archiving purposes in the public interest, scientific research, historical research or statistical purposes
  • the exercise or defence of legal claims
  • where we have an overriding legitimate interest for continuing with the processing.

Restriction on processing

You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it. You can do this where:

  • You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
  • You challenge whether we have a legitimate interest in using the information
  • If the processing is a breach of the GDPR or otherwise unlawful
  • If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.

If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.

We must inform you when we decide to remove the restriction giving the reasons why.

Objection to processing

You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which overrides your interests and rights, or the processing is necessary for us or someone else to bring or defend legal claims.

Withdrawal of consent

You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information.

Right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.

The right only applies to personal data you have provided to us where the reason we are relying on to use the information is either your consent or for the performance of a contract. It also only applies when processing is carried out by us using automated means.

Automated decision-making and profiling 

‘Automated decision-making’ is where a decision is made without any human involvement by advanced IT systems (e.g. an immediate online decision to award a loan). ‘Profiling’ is the use of personal information to evaluate certain aspects relating to a person, to help predict aspects of that person’s life (e.g. financial situation, interests, shopping habits etc). These concepts / techniques are different but automated decision-making will often involve profiling.

The GDPR restricts Hastoe from making automated decisions, including those based on profiling, that have a significant effect on individuals. Hastoe does not currently undertake any such activities.

Sharing information outside of the EEA

In delivering our services we may, from time to time, use the services of a provider outside the European Economic Area (EEA) (e.g. use of cloud-based software hosted in the United States). This means that your personal information may occasionally be processed outside of the EEA. Where this is the case, under GDPR, we are required to take steps to ensure that extra care is taken to protect your personal information.

For Hastoe, this means that: for companies based in the United States, we check that they are certified against the ‘Privacy Shield’; and for companies based in other countries outside of the EEA, we check that the country is approved by the European Commission (the executive body of the European Union) for data processing.

Procedure for access to information 

  1. Hastoe complies with the rights of tenants, former tenants, applicants and former applicants for housing to have access to information held on them. Hastoe will be as open and helpful as possible and will respond to requests for information without undue delay. Current and former applicants for housing and current and former tenants will be allowed access to personal information relating to themselves. Information held on computer and information held on file will be made available. Joint applicants and joint tenants will have the same right but will not be given information about each other.
  2. Requesting a copy of personal information that we hold about you is known as a ‘subject access request’ (SAR). SARs ideally need to be made in writing (we have a subject access form you can use for this purpose), though other channels / methods may be acceptable. We have one calendar month within which to provide you with the information you’ve asked for (although we will try to provide this to you as promptly as possible), though this may be extended by a further two calendar months under certain circumstances.
  3. Access to information will be provided, on provision of proof of identity, either: in person, at the regional office by prior appointment; or by post or email, in which case copies will ordinarily be provided within one month of receipt of request (see above). Where required, acceptable forms of proof of identity will include passport, driving licence and utility bill containing your name and address. We may also ask for your National Insurance number and date of birth as verification. When information is requested Hastoe will state whether it is held and if so whether it can be made available under Hastoe’s confidentiality policy. Where access is refused or restricted Hastoe will state the exemptions concerned. In all cases copies of the request and copies of the information and data supplied will be retained by Hastoe in case of challenge.
  4. Hastoe will correct or erase any information which it is satisfied is inaccurate. The document will be marked accordingly and copied to the tenant or applicant. An individual may also request from the controller (i.e. Hastoe) rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or object to such processing.
  5. Access will not be given to information about possible action or proposals by the association concerning an individual, for example action concerning arrears of rent or other breaches of tenancy conditions.
  6. Information supplied to Hastoe by third parties or outside bodies, such as housing departments or social services, will only be made available with the explicit agreement of the person or organisation that supplied it. Consent to disclose such information will be sought within 14 days of receiving a request from a tenant or applicant.
  7. Hastoe will not make available information that: identifies someone who has not consented to the disclosure; concerns an individual’s health, for example from a doctor, and may cause harm; is held for purposes of crime prevention; is subject to legal professional privilege. Hastoe will make no charge for providing access to information as described in this procedure. However, if a request is manifestly unfounded or excessive, particularly if it is repetitive, Hastoe may charge a reasonable fee based on the administrative cost of providing the information. Hastoe may also charge a reasonable fee to comply with requests for further copies of the same information. The Government can set a limit on these fees. At present no fee limit has been set.
  8. Where tenants, former tenants, applicants or former applicants are dissatisfied with a decision to withhold information, or not to amend existing records, they may make a formal complaint to Hastoe or the Information Commissioner’s Office (ICO).
  9. Hastoe will take all possible steps to provide equal opportunities for all people. The Association is opposed to discrimination on any grounds, including race, religion, gender, marital status, sexual orientation, disability, age or other unjustifiable criteria.

Further information: Information Commissioner's Office (ICO)

The Information Commissioner's Office is also a source of further information about your data protection rights. The ICO is an independent official body, and one of their primary functions is to administer the provisions of the GDPR.

You have the right to complain to the ICO if you think we have breached the GDPR. You can contact the ICO at:

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire SK9 5AF
Telephone: 0303 123 1113
