The Centre for Accessible Environments (CAE) is a trading name of Habinteg Housing Association. Habinteg is a controller of personal information for the purposes of the General Data Protection Regulation (GDPR). Our contact details for data protection purposes are as follows:
Head of Governance, Habinteg, Holyer House, 20-21 Red Lion Court, London, EC4A 3EB
Purpose of Privacy Notice
This Privacy Notice tells you what to expect when Habinteg Housing Association and therefore CAE as a department processes personal information. It applies to personal information about our customers, partners and clients. It tells you the purposes for which we may process your personal information and the legal basis for the processing of personal data (‘processing’ includes us just keeping your personal information).
Why do we collect and store personal information?
We need to collect, process and store personal information about you in order to provide our training, research, consultancy and advice services.
We use your personal information to provide advice, products and services in line with the agreed contract or agreement in place. This includes responding to your enquiries and providing services to you via correspondence such as email and phone.
Our legal basis for processing
Habinteg and therefore CAE as a department has a lawful basis for obtaining personal data from customers and clients in accordance with GDPR in order to fulfil our business obligations for our training, research, consultancy and advice services.
Some personal information that we collect about our customers or clients may be classified as “Special Category” personal data, information provided relating to health and disability. The reason for gathering this sensitive information may be for the purposes of delivering effective research, training, and/or consultancy services. Customers and clients can choose whether or not to provide this personal information.
We may collect the following information about our customers under a lawful basis:
- To arrange and deliver training to our customers which may include understanding your access needs to provide reasonable adjustments
- To provide access advice and support
- To provide access consultancy services to our clients
- To carry out accessibility research
- To deliver products purchased by our customers
We use your personal information for providing services including training, research, consultancy and advice services in line with the contract or agreement in place and to respond to your enquiries. We may also use the information to ensure that our services have met your needs or to improve our services.
Sharing your Personal Information
In delivering our services to customers and clients we may be required to share your personal information with our freelance (associates). The sharing of personal information will be minimised and our suppliers, as data processors are required to treat the information confidentially and in line with GDPR.
There may be times when we will share relevant information with third parties for the purposes as outlined to provide CAE services, or where we are legally required to do so. When sharing personal information, we will comply with all aspects of the GDPR. Sensitive information about health, sexual life, race, religion and criminal activity for example is subject to particularly stringent security and confidentiality measures.
Where necessary or required, we may share information as follows:
- Where there is a clear health or safety risk to an individual or members of the public, evidence of fraud against Habinteg, other irregular behaviour or a matter Habinteg is investigating
- To protect the vital interests of an individual (in a life or death situation)
How we manage your personal information
We process your personal information in accordance with the principles of the General Data Protection Regulation (‘GDPR’).
We will treat your personal information fairly and lawfully and we will ensure that information is:
- Processed for limited purposes;
- Kept up-to-date, accurate, relevant and not excessive;
- Not kept longer than is necessary;
- Kept secure.
Access to personal information is restricted to authorised individuals on a strictly need to know basis. We are committed to keeping your personal details up to date, and we encourage you to inform us about any changes needed to ensure your details are accurate.
We will not discuss your personal information with anyone other than you, unless you have given us prior written authorisation to do so.
Periods for which we will store your personal information
We will only hold your records during the period of our relationship with you and for a set period afterwards to allow us to meet our legal obligations.
Your rights under the GDPR
You have a number of rights under the GDPR.
Access to personal information
Under the GDPR, you have a right to ask us what personal information we hold about you, and to request a copy of your information. This is known as a ‘subject access request’ (SAR). SARs need to be made in writing (we have a subject access form you can use for this purpose), to the Risk and Compliance Manager and we ask that your written request is accompanied by proof of your identify. We have one calendar month within which to provide you with the information you’ve asked for (although we will try to provide this to you as promptly as possible).
Information will be provided free of charge, however in regards to excessive or unreasonable requests, a payment may be requested for the costs of providing the information.
If you need us to correct any mistakes contained in the information we hold about you, you can let us know by contacting the Risk and Compliance Manager at the London Office.
Erasure (‘right to be forgotten’)
You have the right to ask us to delete personal information we hold about you.
You can do this where:
- The information is no longer necessary in relation to the purpose for which we originally collected/processed it
- You withdraw consent
- You object to the processing and there is no overriding legitimate interest for us continuing the processing
- We unlawfully processed the information
- The personal information has to be erased in order to comply with a legal obligation
We can refuse to erase your personal information where the personal information is processed for the following reasons:
- To exercise the right of freedom of expression and information;
- To enable functions designed to protect the public to be achieved e.g. government or regulatory functions;
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes;
- The exercise or defence of legal claims; or
- Where we have an overriding legitimate interest for continuing with the processing.
Restriction on processing
You have the right to require us to stop processing your personal information. When processing is restricted, we are allowed to store the information, but not do anything with it.
You can do this where:
- You challenge the accuracy of the information (we must restrict processing until we have verified its accuracy)
- You challenge whether we have a legitimate interest in using the information
- If the processing is a breach of the GDPR or otherwise unlawful
- If we no longer need the personal data but you need the information to establish, exercise or defend a legal claim.
If we have disclosed your personal information to third parties, we must inform them about the restriction on processing, unless it is impossible or involves disproportionate effort to do so.
We must inform you when we decide to remove the restriction giving the reasons why.
Objection to processing
You have the right to object to processing where we say it is in our legitimate business interests. We must stop using the information unless we can show there is a compelling legitimate reason for the processing, which override your interests and rights or the processing is necessary for us or someone else to bring or defend legal claims.
Withdrawal of consent
You have the right to withdraw your consent to us processing your information at any time. If the basis on which we are using your personal information is your consent, then we must stop using the information. We can refuse if we can rely on another reason to process the information such as our legitimate interests.
Protecting Personal Information
Personal information held by Habinteg is held securely in accordance with our data protection, confidentiality and information security policies and procedures.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
These cookies are used to collect information about how visitors use our websites. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.