South Lakes Housing Privacy Policy

1        Introduction

2        About Us

3        Management Responsibility

4        Information we collect and what we do with it

5        Data Relating to Children

6        Fair and Lawful Processing

7        Personal Information and the Internet

8        Data Accuracy and Updates

9        Data Enrichment

10           Electronic Marketing

11           Data Retention

12           Information Rights

13           Access to Data

14           Cookies

15           Sub-Processors

16           Information Disclosures

17           Information Sharing

18           Transfers of Information outside Europe

19           Information Security Arrangements

20           Data Processing Equipment and Media

21           Destroying Data, Media, and Equipment

22           Incidents

23           Training and Awareness

24           Information Risk Management

25           Audit and Management Reporting

26           Changes to the Privacy Policy

27           How to Contact Us


1        Introduction

1.1       South Lakes Housing is a Co-Operative & Community Benefit Society registered in England with the Financial Conduct Authority Mutuals Register (number 31419R), VAT registration number 829983759 and whose registered office is at Bridge Mills Business Centre, Stramongate, Kendal, LA9 4BD. The term you refers to the user or viewer of this Privacy Policy.

1.2       This Privacy Policy explains what information we collect, how we may use it, and the steps we take to ensure that it is kept secure. It also explains the right an individual has in respect of their personal information and how to contact us.

1.3       This Privacy Policy is to be read in conjunction with the companies Terms and Conditions of Use.  All definitions used in the Terms and Conditions of Use shall apply to this Privacy Policy unless otherwise stated.

1.4       This Privacy Policy is part of a formally documented information governance system and is subject to periodic review.

1.5       We can be contacted by using the contact details at section 27.

2        About Us

2.1       South Lakes Housing is an independent, not for profit housing association established in March 2012. SLH is the largest provider of affordable rented housing in South Lakeland, Cumbria managing over 3,000 homes.

2.2       We recognise our responsibilities as a provider of services which involve the processing of personal information and we take great care to protect the personal information that we process. We operate and maintain a comprehensive information governance management system comprising several policies and procedures, a record keeping system, document management system, internal audits and periodic external audits.

2.3       We are registered as a data controller in the United Kingdom and our registration number is ZA007139.  Refer to the Information Commissioners Office (ICO) website  Register of Data Controllers for further information.

3        Management Responsibility

3.1       The  Director of Business Improvement has overall responsibility for our privacy and data protection compliance.  The Head of Governance & Risk carries out the Data Protection Officer role. The Systems & Change Lead is responsible for the application of our privacy and information security arrangements.  At governance level, the Audit and Risk Committee is responsible for ensuring compliance with the Data Protection and Data Privacy Policy.

4        Information we collect and what we do with it

4.1       We collect a wide variety of personal information from a wide range of sources in order to run our business activities.  We maintain a register of data collection activities and perform periodic reviews of our data collection activities and processes in order to test that they conform to our expectations.  We aim to only collect information that is necessary for us to perform our business operations efficiently and effectively.  We periodically review our data collection arrangements.

4.2       We aim to provide any person whose information we are collecting with sufficient information so that they know who is collecting their information and what we intend to do with it.  If this information is not obvious from the data capture mechanism, we may choose to provide this information in the form of a Privacy Statement on the SLH website or in Tenancy Agreements and Rent Statements.

4.3      Below are listed some of the data sources we use, the nature of the data we collect and the reasons why we collect and process it.

  • letting, renting and leasing properties
  • administering waiting lists
  • carrying out research including customer satisfaction surveys
  • administering housing and property grants
  • providing associated welfare services, advice and support
  • maintaining our accounts and records
  • supporting and managing our employees, agents, and contractors

4.4       Customer Data.  The primary reason for us holding and using information about you is to enable us to fulfil our obligations to you set out in your tenancy agreement with us.  The tenancy agreement is a contract we have with you and this forms the legal basis for us to process your data for this purpose.  The data processing activities we undertake in pursuit of this purpose include: handling rent payments, arranging for repairs and maintenance on your property, providing customer services to you.

We also undertake other data processing activities related to the purpose of managing our relationship with you including: keeping documents such as emails, notes, reports etc. from/to, or about you, recording telephone calls for customer service and employment training, managing rental arrears and chasing debt, sharing data with third parties such as utility companies to ensure that you receive services such as power and water to your property.  Clearly our tenancy agreement with you does not require us to handle your data in this way and we undertake these processing activities in pursuit of our own legitimate interests as a professional organisation.

We will not share your personal information or use it to contact you if you ask us not to.  However, we sometimes share this information with other third parties for the purposes of crime prevention and the prosecution of offenders.

The types of sources of information include;

  • Housing application form
  • Pre-tenancy assessment forms
  • Tenancy agreement sign-up form
  • Equality and diversity monitoring forms
  • Income and expenditure / financial assessments
  • Direct debit forms
  • Electronic systems Housing & Asset Management Systems, handheld devices, computer desktops anddatabases
  • Case notes and opinions on tenant behaviour

SLH also collects other documentation, including;

  • Universal Credit and other benefit information
  • Proof of income
  • Bank statements
  • ID and proof of residence documents
  • Housing benefit information
  • Letters from DWP, Money Advice etc
  • Medical letters

Information for social services, police, health professionals etc

4.5       Financial Information.  We use your financial information to process payments for services that are purchased from us and for fraud detection and prevention.

4.6       Employee Data.  As an employer we collect and process information about applicants for jobs and details about the people that we employ.

Other Data Collection

4.7       We use cookies on our web sites that allow us to recognise returning system users and customise their experience. Cookies can collect and use data. Please see section 14 below for full details of the type of cookies we use, why and how we obtain your consent to use them.

4.8       We operate CCTV systems at our office which collect data to help us to maintain a safe environment within our offices.  We also use the CCTV information for the purposes of security and crime prevention.

4.9   We use the entire collected data set to analyse customer behaviour to help us to improve our products and services, to build a profile for each customer, and to predict customer interest/behaviour.

5        Data Relating to Children

5.1       We know that the organisation will gather information related to children and young people and that we collect and process their personal information through the course of our activities.  We attempt to collect date of birth information on data capture forms to allow us to identify young people and to treat data relating to young people and adults separately.  We encourage young people to obtain the consent of their parents or legal guardian before submitting their personal information to us.

6        Fair and Lawful Processing

6.1       Our policy is to process personal information in a fair, transparent and lawful manner.

6.2       In general, we aim to only process personal information with the consent of the data subject.  In most cases people will complete a data collection form and submit it to us.  We aim to provide sufficient information regarding how we will use the data at the point data is collected to allow the person who is completing the form to make an informed choice whether or not to give us their personal information.

6.3       In exceptional circumstances we may process personal information without the consent of the data subject and will rely on the exemptions set out in the Data Protection Act 2018 (the Act) and General Data Protection Regulations that allow for this or on our legitimate interests to process personal information as a business.  In the latter case we would always seek to consider our interests with the rights of individuals in order to make a balanced judgement whether to process personal information without the consent of a data subject.

7        Personal Information and the Internet

7.1       South Lakes Housing operates one website and a customer portal (called My Account). The information that we collect from the web is used to maintain a list of registered users and ability for you to view information regarding your tenancy agreement with SLH (or Lune Valley Rural Housing Association).

8        Data Accuracy and Updates

8.1       It is our policy to expect those who provide us with their personal information to keep us informed of any changes to the information that we may hold about them.  If data subjects bring inaccuracies to our attention we will apply corrections to the data that we hold about them.

9        Data Enrichment

9.1       On occasions we attempt to enrich the data that we have collected through our own activities with information from other sources to help us to more accurately profile our customers and prospects.

10     Electronic Marketing

10.1    We maintain a computer-based preference centre system to manage the contact preferences of our customers in order to satisfy our obligations under the Privacy and Electronic Communications Regulations 2003.

10.2    Where you have given your consent, we will use the information you provide to send you information and offers relating to, and/or from the organisation.

10.3    Each data collection activity will normally contain a mechanism for customers to opt out of SLH contacting them with marketing information.  Customers may change their preferences by contacting us at via the contact details at section 27 below.

11     Data Retention

11.1    We maintain a Records Management Policy in which our retention periods are defined in general we retain personal information for as long as is necessary to fulfil the purposes for which it was collected and/or in order to comply with our legal obligations.  Once personal information passes its retention deadline it is deleted and destroyed in accordance with our Records Management Policy.

12     Information Rights

12.1    We are aware of the rights of individuals as set out in the Act and in the General Data Protection Regulations. The ICO website provides more detail about your rights.

12.2    You have the right to:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to withdraw consent
  • Rights in relation to automated decision making and profiling

12.3    SLH does not charge people requesting to see a copy of the information that we hold about you (known as a subject access request).  SLH will respond to requests within 30 calendar days. For further information about our information governance regime or to exercise any of your information rights please write to us as set out at the address below or email

13     Access to Data

13.1    We control access to data on a need-to-know basis to ensure that our employees and agents only have access to the information that they need to perform their job/function.  Employees are required to sign an Acceptable Use Policy before they are allowed to use the organisations IT assets and process SLHs data.

14     Cookies

14.1    In common with many other website operators, we may use standard technology called cookies on the website. Cookies are small pieces of information that are stored by the browser on a computers hard drive and they are used to record how people use and navigate websites.

14.2    Cookies do not attach to your system or damage your files.  Our cookies are used to enable us to develop our website to reflect your interests and by noting which pages and advertisements you have visited, how frequently particular pages are visited and determining the most popular areas of our website. We may use cookies to enrich your experience of using the website by allowing us to tailor what you see to what we have learned about your preferences during your visits to the website.

14.3    We use the following categories of cookies on the website:

  • Category 1: Strictly Necessary Cookies

These cookies are essential in order to enable you to move around the website and use its features. Without these cookies, services you have asked for such as remembering your login details or raising repair items cannot be provided.

  • Category 2: Performance Cookies

These cookies collect anonymous information on how people use the website. For example, we use Google Analytics cookies to help us understand how customers arrive at the website, browse or use the website and highlight areas where we can improve areas such as navigation and marketing campaigns. The data stored by these cookies never shows personal details from which your individual identity can be established.

  • Category 3: Functionality Cookies

These cookies remember choices you make such as the country you visit the website from, language and search parameters such as size, colour or product line. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

  • Category 4: Targeting or Advertising Cookies
  • Category 5: Social Media Cookies

These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign.  The cookies are usually placed by third party advertising networks.  They remember the websites you visit and that information is shared with other parties such as advertisers.

These cookies allow you to share what youve been doing on the website on social media such as Facebook and Twitter. These cookies are not within our control.  Please refer to the privacy policy for the relevant social media platform(s) for how their cookies work.

14.4    Most browsers automatically accept cookies, but you can usually change your browser to prevent cookies being stored. Please note, if you do turn cookies off this will limit the service that we are able to provide to you and may affect your visitor experience.

14.5    For further information on cookies and how to switch them off see:

15     Sub-Processors

15.1    Where we use third parties to process personal information we do so only within the framework of a written agreement setting out the responsibilities and obligations of each party.  We undertake appropriate due diligence prior to appointing any sub processors which may involve us inspecting their data processing site and arrangements.  We require all of our sub processors to maintain a high level of governance in respect of any data that we are responsible for.

16     Information Disclosures

16.1    We are sometimes asked to disclose personal information as a one-off exercise and we maintain a policy on information disclosures.  In the case of a data subject requesting information about themselves we may treat this as a subject access request and we will follow our subject access request procedure.

16.2    Where we are requested to disclose personal information by third parties (e.g. a public authority) we will follow our Data Protection and Data Privacy  Policy.

16.3    It is our policy to log all information disclosure requests that we receive.

17     Information Sharing

17.1    We routinely share some of the information that we collect with third parties and maintain an Data Sharing Policy. A privacy risk assessment process is maintained to enable us to objectively consider information sharing requests.  Information sharing is only carried out under the scope of an information sharing agreement binding on all relevant parties.

17.2    Sensitive personal information is generally not shared unless there is a compelling and lawful reason to share such information.

17.3   SLH undertakes customer satisfaction surveys and may contract with a third party to undertake surveys and / or research. This is done to improve services in the future. Customers are normally selected at random. Contracts are awarded to organisations who provide assurances that data will be collected, stored and processed safely and then destroyed in accordance with GDPR.  Data Sharing Agreements are in place and can be inspected.

17.4    Information is reported on social housing lettings and sales to the Ministry for Housing, Communities and Local Government (MHCLG) via CORE (Continuous REcording of social housing lettings and sales) for statistical purposes. The dataset does not contain direct personal identifiers but when taken as a whole the data allows social housing tenants to be identified. Information is shared in accordance with the law. More information is available here.

17.5    Some information that we collect is shared with external third parties such as United Utilities, Maintenance companies, Riverside Group, Police and South Lakeland District Council for them to present relevant information to you.

17.6    Some third parties share data that they collect with us.  Unless we are bound by the terms of a data sharing agreement with any such third party this Privacy Policy and our information governance arrangements to data shall apply.

18     Transfers of Information outside Europe

18.1    As a matter of policy we aim to not to transfer any personal information that we are processing outside of the European Union unless (i) it is to a territory approved by the European Commission, (ii) it is to an organisation in the United States of America which is Safe Harbor accredited, or (iii) we have satisfied ourselves that the person with whom we are sharing information is able to uphold privacy and data protection principles to at least the same standard as the United Kingdom.  We have a process for assessing the risk posed to the privacy of our data subjects of any overseas processing.  The physical location of our data assets is recorded in our Data Asset register.

19     Information Security Arrangements

19.1    We maintain an Information Security Policy which sets out the measures that we use to protect personal data that we are processing and the privacy of our data subjects.  The Policy sets out technical measures that are deployed to identify, classify and protect data and assets, access controls used to restrict access to information, testing arrangements, incident logging and management reporting.

20     Data Processing Equipment and Media

20.1    We maintain an asset log of all of our IT equipment including network devices, servers, and PCs, and we also maintain an asset log of our data assets (e.g. key individual databases).  We only use equipment of an appropriate specification and quality.  We maintain appropriate technical measures to protect data that we process both in respect of storage and transit as set out in our Information Security Policy.

21     Destroying Data, Media, and Equipment

21.1    Once data is no longer required we ensure that it is securely and permanently deleted.  We maintain a Records Management Policy which specifies the method(s) that we use to destroy data.

21.2    When storage media becomes retired it is securely destroyed.  Our Data Destruction Policy sets out the method(s) that we may use to clean and destroy storage media.

21.3    When computers and other data processing equipment is no longer required we ensure that it is appropriately disposed of in accordance with our Information Security Policy.

22     Incidents

22.1    We maintain a policy of logging and investigating all information security incidents and near misses.  Our Data Protection & Data Privacy Policy sets out the scope of what we log, how we investigate issues, and the circumstances under which we might report or notify any third parties about such issues.  Our aim is to learn from these issues in order to enable us to continually improve our information handling. All incidents that are notifiable to the ICO will be investigated within 72 hours.

23     Training and Awareness

23.1    We undertake regular staff training about data protection and privacy. All new employees receive data protection training as part of their induction and all other staff are required to attend periodic refresher training.  We maintain records of all training that we undertake.  We also undertake regular data protection and privacy awareness activities to keep the matter front of mind for all of our staff including newsletters.

24     Information Risk Management

24.1    We have a policy of applying a risk assessment process to any major decisions we are considering that affect the data we are processing (e.g. changing supplier or major platform functionality).  We maintain a log of privacy impact assessments.

25     Audit and Management Reporting

25.1    We undertake periodic internal audits and an annual external penetration testing using a specialist consulting firm.  All audit reports are logged and maintained in a register audit actions are logged, actioned, and verified as complete.  The IT Manager is responsible for the application of our privacy and data protection arrangements.

26     Changes to the Data Protection & Data Privacy Policy

26.1    We aim to meet high standards and our policies and procedures are therefore constantly under review. From time-to-time we may change our security and privacy policies. We maintain version control over all of our information policies and procedures to enable anyone who is interested in privacy policy and information governance arrangements to note changes.

26.2    This Privacy Policy is periodically reviewed and was last updated on 11 October 2022

27     How to Contact Us

Please contact us using the details below if you wish to discuss any aspect of this Privacy Policy:

Director of Business Improvement

South Lakes Housing

Bridge Mills Business Centre


Cumbria, LA9 4BD

Tel: 01539 717703

Email: Click the following link

Lune Valley Rural Housing Association Tenants: Privacy Policy

A Management Services Contract exists between Lune Valley Rural Housing Association (FCA registration number 26654R) and South Lakes Housing (as the ‘Managing Agent’). There is a clause that states that both parties will comply with all applicable requirements of the Data Protection Legislation. Lune Valley is the ‘controller’ and South Lakes Housing is the ‘processor’. Lune Valley’s registered office is the same as that used in paragraph 27.

The above privacy statement applies to Lune Valley as well – paragraphs 3 to 27.

Only authorised personnel will have access to Lune Valley data, and data is transferred to third party processors e.g. contractors via existing Data Sharing Agreements.