Midland Heart Ltd makes records from our contact with you, including personal information that is subject to the General Data Protection Regulations (GDPR). We also collect information about you from third parties.

We will always protect the privacy of any personal information we hold about you. We will comply with current data protection legislation.

This Privacy Notice describes the categories of personal data we process and the reasons why we do this. We are committed to collecting and using data in accordance GDPR.

If you wish to know more about our approach to Data Protection please read this Privacy Notice:

  • Introduction
    • We take your privacy seriously and you can find out more here about your privacy rights and how we collect, use, share and secure your personal data. This includes the personal data we already hold and the further personal data we might collect in the future, either from you or from a third party.
    • We obtain your personal data in order to conduct our normal business operations as a registered social housing and care provider. How we use your personal identifiable information depends on the products and services we provide to you.

    • Our Data Protection Officer (DPO) provides help and guidance to make sure we correctly apply the law to the processing and protection of your personal data. If you have any questions about how we use your personal data our DPO can be reached by email at dataprotection@midlandheart.org.uk or by post to Midland Heart, Company Secretary Team, Data Protection, 20 Bath Row, Birmingham, B15 1LZ.

    • This Privacy Notice updates any previous information about how we use your personal data. We may change this Notice from time to time in accordance with the changes at the Midland Heart Ltd or to reflect changes to regulation or legislation. Please check this page regularly to ensure that you’re happy with any changes

  • Who we are
    • Midland Heart Limited is a society registered under the Cooperative and Community Benefit Societies Act 2014, number 30069R. Our registered office is at 20 Bath Row, Birmingham, B15 1LZ, United Kingdom.
    • Midland Heart Limited is registered as a ‘Data Controller’ on the Public Register of Data Controllers maintained by the Information Commissioner’s Office under number Z9424056.

  • Your privacy rights

    In brief, you have the right to be informed who is obtaining and using your personal data, how this data will be retained, shared and secured and what lawful grounds will be used to obtain and use your personal data. You have the right to object to how we use your personal data in certain circumstances. You also have the right to obtain a copy of the personal data we hold about you.

    In addition, you can ask us to correct inaccuracies, delete or restrict the use of some of your personal data or to ask for some of your personal data to be provided to someone else. You can make a complaint if you feel that we are using your personal data unlawfully and/or holding inaccurate, inadequate or irrelevant personal data which may have a detrimental impact on you or your rights.

    If the information we hold about you is inaccurate and you would like us to rectify it or to enforce your above rights, please let us know at dataprotection@midlandheart.org.uk. If you are dissatisfied with this response please let us know so that we can address any concerns.

    We would always ask that you contact us first if you have any complaints about the way we are processing your personal data. If you have contacted us and you are still unhappy about the way we are using your data, you can submit a complaint the UK Information Commissioner’s Office at https://ico.org.uk.

    To make enquires for further information about exercising any of your rights in this Privacy Notice, please contact Midland Heart’s Data Protection Officer, whose contact details are detailed in the Introduction above.

    For further information about your rights, please visit the ICO’s website via the link ico.org.uk.


  • What types of personal data we process

    We use a variety of personal data depending on the services we deliver to you. For all services, we need to use some or all of the following information about you and any occupants of your home:

    Personal data

    • Contact details - name, address (current and previous), email, home and mobile telephone numbers, e-mail address;

    • Date of birth, marital status, gender and other identification information - to allow us to check your identity;

    • Nationality – information and support in the UK;

    • Credit information – to ensure that customers can afford the properties we offer to them or to identify the need for added management to help customers sustain their tenancies;

    • Photograph or film images – to record and verify your identity;

    • Online computer identification (IP address) – information recorded when you engage with us by email;

    • National Insurance numbers – to allow us to carry out universal credit, to check your eligibility for housing and/or supporting people contracts and for the detection and prevention of housing and benefits fraud;

    • Your education, skills and qualifications – to allow us to assist you with tenancy management and money advice when necessary or requested by you;

    • Welfare and financial information – to enable us assist you with and to process welfare payments and to detect and prevent welfare benefit fraud;

    • Next of kin’s name, date of birth, gender, contact details – to contact them in an emergency or when we have been unable to contact you through other methods and need to address any concerns we have about the conduct of your tenancy and / or risks to our property.

    Special categories of personal data

    • Health, medical conditions, support and vulnerability needs - to support our housing and care functions in respect of vulnerable customers;

    • Race – optional, based on your consent, and solely to support our equality and diversity monitoring;

    • Ethnic origin – optional, based on your consent, and solely to support our equality and diversity monitoring;

    • Religion – optional, based on your consent, and solely to support our equality and diversity monitoring;

    • Sexual life or sexual orientation – optional, based on your consent, and solely to support our equality and diversity monitoring;

    • Convictions – to enable us to carry out risk assessments of new customers for the purposes of allocation; for tenancy management purposes and where we need to ensure that the action we take in relation to the tenancy is adequate and proportionate; to aid the detection and prevention of housing fraud.

    In the majority of cases we will not be able to provide some or all of our housing or support services to you without having access to your personal data. For example we need certain personal data in order to deliver our obligations under your tenancy agreement, your support or care plan or to process your housing application.

    We also need to process your personal data in order to meet our legal or regulatory duties for processing housing applications, equality monitoring and government or housing regulator reports.

  • How we gather your personal data

    We obtain personal data by various means; this can be by face-to-face contact, email, telephone, written correspondence or receiving this information from others, for example: a local MP who represents you, the Police, health or social care agencies, benefit agencies. We can also receive information about you from other people who know you or are linked to you, for example: relatives, persons nominated to act on your behalf or your legal representative.

    Some further examples of how we may gather your personal data are set out below:

    • Directly from you, for example: when you fill out an application, transfer or mutual exchange form or as part of your right to buy application;
    • By observing how you use our housing, support, products and services, for example: from the transactions and operation of your accounts and on-line services;
    • From other organisations such as former housing and support providers, health and social care agencies, law enforcement agencies, debt collectors, energy or utility companies, benefit agencies and/or credit reference and fraud prevention agencies;
    • From other people who know you including joint tenants and people you are linked to or live in the same community as you, for example with regard to reports of anti-social behaviour;
    • From monitoring or recording calls as part of quality and complaints monitoring. We record these calls for training and to ensure the safety of our staff. We will not record any payment card details as part of our accounts and payments operations;
    • From our CCTV systems for the prevention and detection of crime or to detect damage/vandalism to our properties and to ensure the safety and security of our staff and customers;
    • From matching and updating mobile telephone numbers with Reid Group, which allows us to contact customers with rent arrears in order to prevent escalation to legal action.
  • The lawful basis which allows us to process your personal data

    We only collect and process personal data about you where we have the lawful basis to do so. The majority of personal data we hold and processes for you is based on:

    • The operation of your Tenancy Agreement or (where applicable) your Support Plan. For example we share some of your personal data with maintenance contractors or support agencies; or
    • A legal obligation, that we need to comply with. For example we share information with the Police or the Department of Welfare and Pensions or the Regulator of Social Housing; or
    • In pursuance of our “legitimate interests”, provided that such processing does not outweigh your rights and freedoms. For example, we collect and process your National Insurance number for the purposes of housing fraud detection and prevention. We also pass on certain personal details to Experian in order to track former customers who owe us rent or service charges and we have not been able to contact them.
    • Based on your consent, which is in a limited number of occasions and in such cases we expressly ask you to give us your consent in writing. Where you have given your consent, you have the right to withdraw it later. We will let you know how to do this at the time we gather your consent.

    Special protection is given to certain kinds of personal data which is particularly sensitive. This is information about your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers, trade union membership or criminal convictions or allegations.

    We will only use this kind of personal information where:

    • We have a legal obligation to do so (for example to protect vulnerable people);
    • It is necessary for us to do so to protect your vital interests (for example if you have a severe and immediate medical need whilst on our premises);
    • It is in the substantial public interest;
    • It is necessary for the prevention or detection of crime;
    • It is necessary for insurance purposes; or
    • You have specifically given us ‘affirmative’ consent to use the information.

    For more detailed information on the lawful basis we rely upon to process your personal data Please see our Customers’ Personal Data Register

  • Automated decision-making

    In a limited number of cases we use your personal identifiable information in automated processes to make decisions about you. These are:

    • Our Homes Direct website uses automation in order to search, decide and provide our potential customers with information on suitable homes based on the information you provide.

    • We carry out credit checks for new customers – to ensure that customers can afford the properties we offer to them or to identify the need for added management to help customers sustain their tenancies.
  • Sharing your personal data with or getting your personal data from others

    We use a number of data processors who act on our behalf to process personal data. All of these organisations are subject to the same legal rules and conditions for keeping personal confidential data secure. We ensure that our partner agencies have contracts / information sharing agreements which outline that your information is processed under strict conditions and in line with the law. Who we share your personal data with depends on the services we provide to you and the purposes for which we use your personal data. For most services we will share your personal data with our service providers such as our maintenance contractors or IT Suppliers, with credit reference agencies and fraud prevention agencies.

    We need to do this in order to:

    • Provide you with services pursuant to your tenancy agreement or support plan or other services you have requested from us;
    • Allow you to access our services
    • Assist in the allocation of housing
    • Assist in the allocation of care, support and safeguarding
    • Develop our services and conduct research

    We also share information about you with third parties or when required by law for the following reasons:

    • Where we are legally required to disclose your information to assist government enforcement agencies
    • To assist with the detection and prevention of fraud
    • To assist in the allocation of housing
    • To assist with the allocation of benefit payments
    • To assist in the allocation of care, support and safeguarding
    • To enforce our agreements with you
    • To investigate and defend ourselves against any third party claims or allegations
    • As part of any corporate reorganisation such as merger

    Categories of third parties who we share your personal data with

    Our Suppliers, such as:

    • Maintenance contractors
    • Gas contractors
    • Suppliers of IT products and services used by Midland Heart to support its IT infrastructure

    Authorities and Agencies:

    • Police
    • HMRC
    • Local Authorities and elected representatives
    • Ombudsman
    • Social Services
    • Debt collection agencies
    • Benefit agencies
    • GPs and hospitals
    • Utility companies
    • Schools
    • Probation services
    • Tracing agencies
    • Auditors/Commissions/quality assessment agencies
    • Department of Works and Pensions
    • Drug & alcohol services
    • Emergency services

    If you would like to have more specific information on who we share your data with or have a question please contact our data protection team – the contact details are in the Introduction section above.

  • Transfers outside the UK

    We do not transfer your information outside the European Union

  • How long we keep your personal data for

    How long we keep your personal data for depends on the services we deliver to you. We will never retain your personal data for any longer than is necessary for the purposes for which we need to use it and/or as is required by law.

    For more detailed information on our information retention periods please read our Customers’ Personal Data Register.

  • Keeping you up to date

    We will communicate with you about products and services we are delivering using any contact details you have given us - for example by post, email and text message.

    Where you have given us consent to receive marketing, you can withdraw consent, and update your marketing preferences by contacting our data protection team. Their contact details are in the Introduction section above.

  • Your online activities

    We use cookies to track your use of our websites midlandheart.org.uk and homesdirect.org.uk.

    Find out more about cookies here.

  • Job Applicant Consent

    As part of any recruitment process, we collect and processes personal data relating to job applicants.

    We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

  • Security

    We are committed to ensuring that your information is secure. All of our staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive appropriate training on confidentiality of information.

    We take relevant organizational and technical measures to ensure the information we hold is secure, such as holding information in secure locations and restricting the access of information to authorised personnel. We protect personal and confidential information held on equipment such as laptops and hand-held devices with encryption. However, the transmission of information via the internet is not completely secure and so we cannot guarantee the security of data sent to us electronically.

This policy was last updated on 14 March 2019