Privacy notice - COVID-19

Collection of tenant and household information in response to COVID-19.

This privacy notice is to provide you with more information about how Loretto is collecting information about you in relation to the unprecedented challenges we are all facing during the Coronavirus pandemic (COVID-19).

We may collect and process your personal data in response to the recent outbreak of Coronavirus, which is above and beyond what would ordinarily be collected in order to ensure your safety and the well-being of our employees and contractors.

Such information will be limited to what is proportionate and necessary, taking into account the latest guidance issued by the Government, the Information Commissioner’s Office and health professionals, in order to manage and contain the virus. It will enable us to effectively fulfil our functions and to keep people safe, put contingency plans into place to safeguard those vulnerable and aid business continuity.

Loretto will be the "data controllers" of the personal information that you provide.

Loretto forms part of Wheatley Group. The Registered Social Landlords within Wheatley Group includes GHA, Dumfries and Galloway Housing Partnership, Dunedin Canmore, Cube Housing Association, Loretto Housing, West Lothian Housing Partnership and Barony Housing Association.

Our Data Protection Officer is Ranald Brown who can be contacted on

What we need

Basic details about you including name, address, telephone number and email address. We will also collect details about your health to identify if you (or those closely linked to you) are in any of the high-risk categories and would be considered vulnerable, if infected with Coronavirus.

How we collect your personal data

We may receive this information from you or from a third party. If you do not provide the information we need then we may not be able to provide all services to you.

How we will use the information we hold about you

We will use the information you provide to:

  • protect the health of our employees and contractors who may have to visit your home to provide an essential service
  • connect you to support in the community as part of the COVID-19 response.

Why we need your personal information

The legal basis for processing the data is that it is in the public interest for us to deal with the outbreak of Covid-19.

The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful. These relevant conditions are below:

  • Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
  • Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
  • Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Section 8(c) of the Data Protection Act sets out that such a task must be necessary for the performance of a function conferred on a person by an enactment or rule of law.
  • The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met. These further relevant conditions are below:
    • Article 9(2)(i) – is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
    • Schedule 1, Part 1(1) – is necessary for the performance or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, e.g. Health and Safety at Work Act 1974.
    • Schedule 1, Part 1(3) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, e.g. Governmental guidance published by Public Health England.

Who we will share your information with

We will normally only share your information with other partner organisations as part of the response to the Covid-19 outbreak.

We will not share your information with anyone else unless required to do so under additional legal requirements, for example to assist the government in containing the spread of Covid-19. This may be where we are required to do so by law, to safeguard public safety, and in risk of harm or emergency situations.

We will share limited personal data with our contractors who are carrying out services on our behalf.

Our contractors are required to comply with the law and our own Data Processing Agreement or Data Processing Clauses within our contracts to ensure data is managed appropriately and for specified purposes.

Any information which is shared will only be shared on a need to know basis, with appropriate individuals. Only the minimum information for the purpose will be shared.

How long we will keep your personal information

We will only keep your information for as long as it necessary, taking into account of Government advice and the on-going risk presented by Coronavirus. At a minimum the information outlined in this privacy notice will be kept for the duration of the COVID-19 response.

Information provided in relation to this outbreak of Coronavirus will not be used for any other purpose, including to be held within files ‘just in case’ it may be needed again.

When the information is no longer needed for this purpose, it will be securely deleted.

Your rights

You can exercise any of the following rights by writing to us at

Your rights in relation to your personal information are:

  • you have a right to request access to the personal information that we hold about you by making a 'subject access request';
  • if you believe that any of your personal information is inaccurate or incomplete, you have a right to request that we correct or complete your personal information;
  • you have a right to request that we restrict the processing of your personal information for specific purposes; and
  • if you wish us to delete your personal information, you may request that we do so.

Any requests received will be considered under applicable UK Data Protection Legislation. If you remain dissatisfied, you have a right to raise a complaint with the Information Commissioner's Office at

We seek to ensure that our information collection and processing is always proportionate. The accuracy of our information is important to us - please help us keep our records updated by informing us of any changes to your personal information.

How we protect your personal information

Your personal information relating to COVID-19 is stored on our Customer Relationship Management (CRM) system which may be copied for testing, backup, archiving and disaster recovery purposes. Access to your information is limited to those who require it to provide services to you. All data is held within the UK.

If any of your personal information is transferred outwith the EU or the European Economic Area by any of our contractors we will ensure that there are adequate safeguards in place to protect your personal information in accordance with the General Data Protection Regulations and applicable UK Data Protection Legislation.

Changes to our privacy notice

This privacy notice is regularly kept up to date and this version was updated on 26 March 2020.