Your information

At Bolton at Home (BH), we are committed to maintaining the trust of our customers, tenants, workers and job applicants. In particular, we want you to be confident that we are handling your personal data in accordance with the Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR).

We are registered as the data controller with the Information Commissioner's Office under ZA304342 as we will decide how and why we process your personal data.

If you would like to know when and why we collect your personal data, how we use it, the limited conditions under which we may disclose it to others and how long we may keep it for, please read on.

We may collect your personal data and / or special category personal data from you. Personal data are any information that can directly or indirectly identify you. This could include your name, date of birth, IP address and other identifiable data. Special category personal data are any information about your biometrics, ethnic or racial origin, genetics, health, political opinions, religion, sex life, sexual orientation and trade union membership.#

Where you do not provide this personal data and / or special category personal data below, we may not be able to fulfil the corresponding purposes and this may adversely impact on the Services that we are able to provide to you.

We may carry out profiling for the purposes of our Careline service, debt enforcement and recovery, marketing, money advice, property maintenance and repair, recruitment of Board members, tenancy applications and sign up and terminations, and workers’ development and training.

We may share your personal data in certain circumstances with one or more of the following: BH subsidiaries such as Maxmedia Communications Ltd., British Gas, DBS check providers, educational and training organisations, external auditors, external property valuers, external service providers, financial organisations, health and social welfare organisations including NHS agencies, care providers, companies directly involved with the provision of food parcels, Support Groups for people who are enlisted to provide emergency responses to vulnerable groups, Home Swapper, insurance companies, local and national government bodies, other employers regarding job references, other housing associations or landlords, pension providers, prison service, regulatory authorities, research organisations, solicitors, the media, trade unions, Trustmarque, and where required by law, with other bodies such as the courts and the police. 

We may keep your personal data for no longer than necessary and for a period of up to 15 years in order to provide our Services to you and to fulfil legal, contractual and regulatory requirements.

We are supporting computerised data matching. It is part of the Cabinet Office’s National Fraud Initiative (NFI) and will help us to identify fraudulent claims and payments.

Data matching works by comparing sets of computer records held within or between organisations. This is usually personal data. Where records are found to be inconsistent, the reason needs to be investigated.

The Cabinet Office carries out the NFI data matching exercise. By volunteering our data for this, we are taking action to protect ourselves and others against fraud.

We provide specific sets of data, including details of our creditors, as set out in their guidance.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require your consent under the DPA and GDPR.

Data matching by the Cabinet Office is also subject to the Code of Data Matching Practice.

For further information on the Cabinet Office’s legal powers and the reasons for matching particular information, you may wish to consider their Privacy Notice.

We have implemented appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal data against unauthorised, unlawful or accidental loss, destruction or damage, including:

• mandatory and ongoing training and awareness for BH workers to help them understand the importance of information security;
• conducting a Data Protection Impact Assessment (DPIA) when the intended processing of your personal data is likely to result in a high risk to your rights and freedoms;
   
• restricting access to your personal data;
   
• contracts and data sharing agreements with other organisations to help them understand what they are allowed to do with your personal data;
   
• use of secure email;
   
• regular system back-ups; and
   
• secure deletion and / or shredding when your personal data are no longer required.

You have rights, subject to exemptions, under the DPA and GDPR:

• to be informed via this Privacy Notice about our collection and use of your personal data;
• to withdraw your consent at any time, where we are relying on your consent as a basis and / or condition for processing;
• to make a subject access request for a copy of your personal data;

• to request that we correct your personal data if it is inaccurate or out of date;
• to request that we erase your personal data where it is no longer necessary for us to retain it;
• to request a restriction is placed on further processing where there is a dispute in relation to the accuracy or processing of your personal data;
• to request that we provide you with your personal data and where possible, transmit that data directly to another data controller;
• to object to the processing of your personal data;
• to not be subject to automated decision making including profiling; and
• to lodge a complaint with the Information Commissioner's Office by writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or casework@ico.org.uk.

You may be able to exercise these rights on behalf of other individuals with their express permission.

However, information about a deceased person does not constitute personal data and is not subject to the DPA and GDPR. Therefore, we are not obliged and we will not respond to, requests under the DPA and GDPR in respect of the information of deceased individuals (regardless of your relationship to them) as a matter of course. 

If you would like to make a subject access request to Bolton at Home, please tap here to complete the online request form.

Please ensure that you follow the instructions within the form, such as the requirement to provide proof of your identity, as failure to do so may delay our processing of your request.

You can also contact us using the details below if you have any questions or complaints about how we handle, or you would like to exercise your other rights in respect of, your personal data:

Send an email to:

IG@boltonathome.org.uk. 

Write to:

Bolton at Home
Information Governance Team
Valley House,
98 Waters Meeting Road,
Bolton BL1 8SW

We are a charitable Community Benefit Society. We do not constitute a public authority under the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIR), and therefore, we are not obliged and we will not respond to, requests under such legislation as a matter of course.

However, you are able to consider corporate information that we have chosen to make publicly available in the 'About us' section of our website.

If you would like independent advice in regard to our status under the FOIA and EIR, you may wish to contact the Information Commissioner's Office, which is the regulator for this legislation, by writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or casework@ico.org.uk.

We will review this Privacy Notice annually, or sooner if required. The last date of review for this Privacy Notice was 05 February 2024.

We use DocuSign to allow tenants and prospective tenants to securely sign:

• tenancy agreements
• tenancy variations
• direct debit instruction
• declarations and other housing-related documents 

DocuSign allows us to:

• obtain legally valid electronic signatures
• confirm the identity of signatories
• reduce delays, errors, and security risks associated with paper processing
• maintain a tamper-evident audit trail for legal and compliance purposes

You may sign documents on your own device or on one of our managed mobile devices used by staff for in-person appointments.

When using DocuSign, we may process:

Personal data contained in tenancy documents

• Name
• Address and contact details
• Date of birth
• Tenancy details (property address, rent, charges, tenancy type)
• Bank details (e.g., direct debit forms)
• Household details (where relevant)
• Any other information included in tenancy documents

Data generated by DocuSign

• Email address used for sending envelopes
• IP address
• Time and date of each action (e.g. opened, viewed, signed and all other actions)
• Authentication method used
• Unique envelope ID and transaction ID

Certificate of Completion, which records:

• identity and email address of signers
• date/time of signing
• IP address
• signing events and status
• audit log and integrity checks

We rely on the following lawful bases under the UK GDPR:

• Article 6(1)(b) – Performance of a contract

Processing is necessary to prepare, issue, and enter into your tenancy agreement.

If you sign documents using one of our staff-issued laptops, tablets, or mobile devices:

• The device is securely managed using enterprise controls (encryption, access restrictions, remote wipe).
• No documents are permanently stored on the device.
• Your signature is entered directly into DocuSign’s secure platform.

We use DocuSign Inc. as a data processor under a Data Processing Agreement.

Signed tenancy documents are stored in our secured document management system.

We may also share signed documents with:

• Local authorities (e.g., housing benefit / council tax)
• Utility partners (where lawful and necessary)
• Internal teams who require access for tenancy management
• Auditors or regulators (where legally necessary)

We never sell your data.

In DocuSign:

Completed envelopes and audit logs are kept only temporarily:

We retain documents in DocuSign for 30 days after completion to allow processing and quality checks. They are then automatically deleted.

In our internal systems:

Signed tenancy agreements and supporting documents are retained according to our corporate retention schedule, typically:

• 6 years after tenancy end (contract limitation)

Certificates of Completion are stored alongside the agreement in our internal systems for the same period.

Under the UK GDPR, you have the right to:

• access your data (Subject Access Request)
• correct inaccurate information
• request deletion (where applicable)
• restrict or object to processing (in certain cases)
• receive your data in a portable format (where applicable)

To exercise these rights, contact:

• IG@boltonathome.org.uk 

Right to Complain:

If you are unhappy with how we handle your data, you can contact the Information Commissioner’s Office (ICO):

• www.ico.org.uk
• 0303 123 1113