Customer Privacy Notice
Curo Group and its associated companies (‘Curo’) is a housing association and house-builder based in Bath providing homes and high quality care and support services across the West of England. Curo is committed to respecting your right to privacy and to processing your personal information in a lawful, fair and transparent way. As a Data Controller, all personal data we hold about you will be processed in line with the General Data Protection Regulations (‘GDPR’) and data protection laws.
The following summarises:
- How we use personal data
- What personal data we need
- Why we need it
- How we use it
- Who we might share it with, and
- How long we will keep it for
It also sets out the rights you have regarding any of the personal data held by Curo. From time to time we may update this Notice. Any updates will be posted on our website.
What is personal data?
Personal data is any information relating directly or indirectly to a living individual. This information includes things such as a name, an identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
What personal data do we process?
We only collect personal data for specific, clear and legitimate purposes and we will not process it for purposes that differ from those we have notified you about. We will limit our use of your personal data to what is needed, relevant to, and necessary for the purposes we have identified. Access to your personal data is given only to those who need to process it for the purposes identified. We will ensure that we keep your personal data accurate and up to date, and will not store it for longer than is necessary.
The types of personal data we collect includes (but are not limited to): Name, address, phone number(s), email address(es), other identifiers (for example social media user names), financial, medical/health, behavioural, criminal offence/conviction, religious beliefs, trades union membership or political opinions, images, CCTV, audio recordings, location data, disability information, profiling information and other information such as next of kin and copies of ID documentation.
We collect this information in a number of ways, including (but not limited to):
Information we collect directly from you, for example when you:
- interact with our website and social media platforms
- become a customer
- access your account online
- call our customer contact department
- make an enquiry
- book a repair
- participate in surveys
- attend meetings with us
- purchase services or products from us
- raise a complaint or request
- participate in our events
- attend our business premises covered by CCTV
- We also collect information from third party sources, for example, credit referencing agencies, landlord and other references, data analysis companies and local authorities.
Why do we process personal data?
Our processing of your personal data is necessary for us to provide services to you, maintain our relationship with you and to fulfil our legal obligations. We use personal data for the following reasons:
- Finding you a suitable home
- Managing your property and delivering home improvements
- Managing tenancies and compliance
- Providing community services
- Health, safety and wellbeing
- Managing enquiries
- Managing your accounts
- Selling properties
- Supporting you in your home
- Managing our suppliers and contractors
- Improving customer experience
- The management and governance of our businesses
- Fulfilling our legal obligations
How do we process your personal data?
The GDPR gives companies a number of lawful reasons to collect and process personal data.
Below are the lawful reasons we rely upon and the types of processing activities that relate to each:
Performance of a Contract: In some circumstances it is necessary to process your personal data in order to fulfil our contractual obligations with you. Without this information we would not be able to provide a service to you. For example:
- Setting up and administering leasehold, shared owner and freehold accounts
- Pursuing overdue payments
- Managing and delivering repairs
- Issuing notices
- Administering customer accounts
- Administering grants
- Managing tenancies and Estates queries
- Property sales
- Delivering services to support independent living
- Making payments to customers and suppliers
- Tenancy compliance and management
- Administering resident involvement groups
- Creating and administering tenancy agreements and lettings
- Trade enquiries and requests and managing subcontractors/suppliers
In some circumstances it is necessary to process your personal data so we can comply with our legal obligations. Without this information we would not be able to fulfil our legal obligations to you, the authorities, or regulatory and statutory bodies. For example:
- Service of notices in connection with commercial property management
- Supplier/subcontractor compliance
- Preparation of legal matters
- Administering public liability claims
- Sharing benefit payment information with the relevant authority
- Risk and assurance, including fraud monitoring and investigation
- Tenancy/lettings management and administration, for example processing ID for Right to Rent and Direct Lets
- Home Safety compliance and complaint resolution
- Providing support to and protection of customers, for example administering safeguarding procedures
There are situations where processing your personal data is necessary to pursue our legitimate interests as a business. We have to balance our interests as a business with yours as an individual, so that our legitimate interests do not override your interests, rights or freedoms. For example:
- Planning and delivering home improvements
- Delivering health and safety standards
- Conducting surveys and reports including customer feedback surveys and quality assurance
- Managing our properties and tenancies
- Administering customer accounts and properties
- Providing customer support, for example texting customers about rent statements and referring to other agencies
- Receiving and recording enquiries from the public, customers and suppliers and administration
- Recording calls for monitoring, training, complaint and auditing purposes
- Recording images via CCTV or other photographic means and noise monitoring for security and investigation purposes
- Housebuilding project work
- Supplier and subcontractor checks and administration
- Carrying out and administering suitability assessments and reports in relation to the Independent Living Service
- Generating records in the course of carrying out our business activities, including notes, meeting minutes and associated documentation, general correspondence
- Organising, planning and administering events
- Processing details of properties and tenants on Curo’s ICT systems
- Customer segmentation analysis
- Sending customers and stakeholders information about Curo services via email, text, social media and letter
- Providing customers with translations and interpretations
- Carrying out audits, quality assurance and maintaining databases
- Investigating, monitoring and reporting issues and reportable events
- Managing complaints and enquiries
- Lettings management, for example administration of credit checks and referencing
- Tendering and procurement processes
- Management of resident involvement groups
- Risk assessment and social value monitoring
- Case management
- Risk flag management
- Business continuity and emergency
- Progressing open market sales
- Analysing traffic to our website
In some situations, we will ask you for your consent to collect and process your personal data, for example:
- When you interact with us via our website and social media, for example Twitter and Livechat
- Through cookies when interacting with our website
- Attending events
- Contact information when purchasing a home from us or making an expression of interest in our properties
- Administering our Working Well and Employability schemes
- Parolee resettlement
- Requests from customers
- Taking photographs for publicity
- Customer support in connection with tenancy compliance
- Recording third party permissions
Occasionally, we may need to process your personal data when it is necessary to protect your life, for example, in an emergency situation where you cannot give consent.
Special category data
Sometimes, we will need to process more sensitive personal data, known as ‘Special Category’ data. This type of information includes personal data about your race, ethnic origin, political opinions, religious beliefs, trade union memberships, biometrics, health/medical information and sexual orientation. When we collect and process this data we will rely on the following additional purposes to process it:
- Explicit consent
- Employment, social security and social protection law
- Already made public by you
- Legal claims
- Public interest
Sometimes it will be necessary to process personal information relating to criminal prosecutions, proceedings, sentencing or convictions. In those circumstances we will rely on one the additional grounds to process this personal data:
- Protecting vital interests
- Already made public by you
- Legal claims
- Judicial acts
- Substantial public interest
Who we share your personal data with
In order to provide you with a service and to fulfil our business objectives and obligations, there are many situations where it is necessary to share your personal data with third parties. In such circumstances we will share your data with the following categories of organisations/individuals:
- Regulatory, legal and compliance, such as the Department for Work and Pensions, NHS, legal representatives, auditors
- Suppliers and contractors such as, mortgage advisors, trades and sites, Sirona, subcontractors, trades or organisations tendering for work, All Pay, MailChimp
- Referencing and credit checking companies
- Utilities companies
- Other housing associations
- CCTV, security and safety device providers
- Local authorities, police, our external partners, social services, contract funders and support agencies, such as Virgin Care, to fulfil our contractual or legal obligations
- ICT service providers and software companies, such as Microsoft, Survey Monkey, Eventbrite and hosted and inhouse providers and Google
- Other colleagues, departments and companies within Curo Group
How long will we keep your personal data?
We will only keep your personal data for as long as necessary and for the purpose for which it was collected. When it is no longer necessary to keep your personal data we will delete it. Our policy for deciding how long we keep personal data is based on National Housing Federation best practice guidance and our legal obligations. Examples:
- When we obtain your bank details to make a refund we will destroy the personal data once the refund has been processed
- Personal data collected from credit checks is kept until the start of a tenancy or acceptance of it
- Tenancy agreements will be retained for six years after the end of the tenancy to comply with our legal obligations and industry guidance
Sometimes, we may need to retain data for analytical, statistical or research purposes. In these circumstances we will anonymise or pseudonymise your personal data so you will not identifiable.
Sometimes we use personal data obtained from Greenstone, a third party data gathering organisation, to help us generate customer profiles based on lifestyle and behaviours. We use this information to deliver a more customised customer experience.
Security and sharing your personal data outside the EEA
We ensure that appropriate security measures are in place when handling your personal data. Occasionally, we may share your data with third party suppliers outside of the European Economic Area (‘EEA’), for example we use Survey Monkey which has servers in the USA. In such circumstances, we ensure that your personal data will receive the same protection as if it were being shared within the EEA by ensuring that our contracts contain a requirement for suppliers to adhere to the same strict data privacy requirements as us.
Your data rights
You have the following rights over your personal data:
The right to request:
- Access to your personal data free of charge, unless the request is unfounded or excessive.
- Correction of your personal data if it is inaccurate or incomplete.
- To have your personal data deleted or removed where there is no good reason for processing to continue.
- Processing of your data to be restricted, subject to certain criteria.
- Your data is moved, copied or transferred to another platform, subject to certain criteria.
If you make such a request, we will respond to it within one month of your request. In some circumstances we may require an extension to this time period and will notify you of the reasons for this. If we refuse your request, we will inform you of the reason(s) and of your right to complain to the Information Commissioner’s Office (see details below) within one month of your request.
You also have the following rights:
- To object to us processing your personal data where we have relied upon legitimate interests to process, subject to certain criteria.
- Not to be subject to a decision made on the basis of automated profiling, if that decision produces legal or a similarly significant effect on you, subject to certain criteria.
The right to withdraw your consent:
Where you have given consent for us to process your personal data, you have the right to withdraw your consent at any time. Please contact us at the email or phone number below.
You have the right to object to us processing your personal data for direct marketing purposes. If you would like to stop receiving our marketing communications, please contact us at the email or phone number below.
In order to protect confidentiality we will ask you to verify your identity before responding to any request made under this privacy notice. If a third party makes a request on your behalf, we require proof that you have given your permission for them to act on your behalf.
Contact Details for Further Information
The Curo Group incorporates the following three companies in England and Wales. Each company and society is a Data Controller:
- Curo Group (Albion) Limited (ICO No. Z659867X)
- Curo Enterprise Limited (ICO No. ZA223885)
- Curo Market Rented Services Limited (ZA236884)
Three charitable registered societies:
- Curo Places Limited (ICO No. Z6598589)
- Curo Choice Limited (ICO No. Z6627936)
- Mulberry Park Community Benefit Society (ICO registration pending)
The registered office for all organisations in the Group is: The Maltings, River Place, Lower Bristol Road, Bath BA2 1EP.
If you have any queries or questions about the data we hold about you, please contact our Data Protection Officer Katy Gullon at firstname.lastname@example.org or phone 01225 366000.
Contacting the Information Commissioner’s Office
If you are unhappy with the way we have handled your personal data or our response to a request you have made to us, you have the right to complain to the Information Commissioner’s Office:
Information Commissioner's Office details: