Heathfield Data Security Statement

Data processing flowchart

When do we collect data from you?

How we handle your data

1. How does new data arrive, where is it stored and how is it protected?

This is how personal data is handled at different stages in the flowchart.

The application form asks you to give us explicit consent to handle your data. It also makes it clear that you can withdraw your consent at any time, and tells you how to do this. 

You need to be aware that if you withdraw your consent, we will not be able to proceed to drawing up a contract for you to come and live at Heathfield. 

Digital data

Stage 2: You provide us with personal data when you complete an application form. The data is stored in Flamingo Inmail on our website, where it is protected by password. It is also sent (encrypted) via email to David Patey and Sarah Patey. Each of us uses email protected by password. 

Stage 5: Once you confirm you would like to live at Heathfield, you data is uploaded to MailChimp, where it is secured by 2-factor authentication.

Stage 6: We forward your application form to HomeLet. They will ask you to complete their own application form, which focuses on the legal and financial documentation required for the tenancy. 

Stage 7, 8 & 9: HomeLet incorporate the application data in their proprietary property management system LetMC, which is protected by password. Data is stored in Microsoft OneDrive, which is protected by password. HomeLet systems are accessible only to authorised uea(su) staff.

Printed data

Stage 2: One copy of your application form is printed out and is stored in a locked filing cabinet. 

Stages 8 & 9: The tenancy agreement is stored in a locked cabinet. 

Stage 10: In order to comply with the law, we ask you on arrival at Heathfield to let us take a photocopy of a document proving your right to rent in the UK (usually, a passport or another form of ID), and a document proving your student status (offer letter, student ID card). The documents are returned to you, and the photocopies are kept in a locked filing cabinet. We need to retain these pieces of evidence for a certain length of time, as described in section 3 below.

2. What personal data do we collect, and why?

Full name: for room allocation and to draw up the contract

Current address: to know where you are visiting/arriving from

Email: to communicate with you

Phone number: to communicate with you

Gender: because Heathfield has a flat reserved for women only

Month of birth: to ensure a good mix in the flats

Studying at/applying to: to ensure a good mix in the flats

Course title: to ensure a good mix in the flats

Level of study: to ensure a good mix in the flats

When accommodation needed: for room allocation and to draw up the contract

Accommodation requirements: for room allocation (e.g disabled)

Forwarding address (collected as residents leave): to forward post

3. Who processes personal data on Heathfield applicants and residents?

The joint Data Controllers for your personal data at Heathfield are David and Sarah Patey. At HomeLet, the Data Controller is xxxxx.

The Data Protection Officer at Heathfield is Sarah Patey.

All digital processing is carried out on machines with current virus protection that is regularly updated.

At Heathfield

Students complete the online application form on the website. It is made clear that applicants must tick the checkboxes to demonstrate consent for Heathfield and HomeLet to process the personal data collected. The application is stored in Flamingo Inmail in the website. Access to the website is secured by strong password.

David and Sarah Patey each receive a copy of the application form as an email.

Sarah’s email data is stored on her PC, which is protected by password and encrypted.

David’s email data is in Gmail, which is protected by password and encrypted. The application information is printed out and stored in a locked cabinet.

Sarah Patey emails application forms to HomeLet when a student confirms by email that they want to live at Heathfield.

David Patey takes photocopies of right to rent and student status documents when students move in. These copies are needed in order to comply with the law and to demonstrate exemption from council tax. They are stored in a locked filing cabinet.

Application information is kept for a certain period before shredding (information on paper) or secure deletion (digital information):

  • for 3 years in the case of those who do not opt to live at Heathfield, in case they decide to reapply subsequently during their studies
  • for 7 years in the case of those who do opt to live at Heathfield, as the information forms part of the business’s financial records.

At HomeLet

Applications are sent to HomeLet by Sarah Patey, who forwards the original emailed application. Email is encrypted.

HomeLet request applicants complete an online application and information is stored within LetMC (property management software), which is password protected and accessed by authorised HomeLet staff only. 

HomeLet take copies of ID for Right to Rent checks and UEA campus cards or proof of UEA affiliation and these are scanned to Microsoft OneDrive. Paper copies are destroyed after scanning. Access to Microsoft OneDrive is restricted to authorised uea(su) staff only. 

HomeLet also holds information on each student’s guarantor, where applicable. Guarantor information is stored within LetMC and confirmation of consent to complete a credit check is scanned, stored within Microsoft OneDrive and any paper copies destroyed. 

HomeLet issue tenancy agreements as an attachment to an email sent via a Microsoft Outlook account. This account is password protected. A copy of the tenancy agreement is also printed and stored in a locked filing cabinet. 

Once a tenancy has ended, records are kept for 6 years before shredding.

HomeLet also holds information on each student’s guarantor, where applicable.

4. Your rights when we hold your data

When we hold your data, we process it in accordance with the General Data Protection Regulation.

You are entitled at any time to see the information we hold, and if it is inaccurate/incomplete, you are entitled to request that it be corrected/completed.

You are entitled at any time to withdraw consent for Heathfield and HomeLet to process your data. If you do this, we shall not be able to enter into contract with you.

To withdraw consent, please email live@heathfieldnorwich.co.uk