Data Protection

1.0    Introduction

1.1     The Hyelm Group (“The Group”) needs to process personal data to enable it to pursue its legitimate business activities.

1.2     The Group understands its responsibility to do all that is reasonably practicable to lawfully manage this personal data.

1.3     This policy, and others, if requested, are available in different formats, such as languages, large print and recorded form.

2.0    Policy Objectives

2.1     This policy sets out The Group’s commitment to comply with its obligations as they relate the data collection, storage and processing in accordance with the Data Protection Regulation (“GDPR”) by all staff, agents and members of the Board.

3.0    Scope

3.1     Data protection relates to living identifiable persons. This policy applies to all aspects of The Group’s work covering current past and future records of staff, Board members, members of Hyelm and residents. It also applies to other stakeholders and members of the public where The Group processes information.

3.2     The Group controls and processes personal data, all of which falls under the scope of the GDPR.

3.3     This policy extends to personal data whether it is held on paper or by electronic means.

3.4     Where The Group works in partnership with external providers, and there is an exchange of personal data, this policy applies in relation to the obligations of the ‘controllers’ and ‘processers’ in maintaining and processing of the personal data.

4.0    Requirements

4.1     The Group is responsible for, and will be able to demonstrate, compliance with the data protection principles set out in the GDPR. Namely that personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5.0    Data Sharing

5.1     There are a number of occasions where it will be necessary for The Group to share personal data collected.

5.2     Under the GDPR, The Group will explain to all individuals how it will use personal data which is collected and shared.

6.0    Exemptions

6.1     In some circumstances it may be appropriate to disclose information held by The Group to specific third parties, for example to prevent a criminal offence from being committed or to prevent the continuation of a criminal offence or to protect vital interests such as the prevent loss of life.

7.0    Data Retention

7.1     Personal data must only be kept for the length of time necessary to perform the process for which it was collected. This applies to both electronic and non-electronic data.

7.2     Data collected will be stored in line with the guidelines issues by the National Housing Federation. In exceptional cases other timescales will be used and the reasons recorded.

7.3     Under the GDPR a person has the right to be forgotten. Individuals can request the deletion of certain types of information held about them where one of a number of circumstances apply. These are:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed.
  • The personal data has to be erased in order to comply with a legal obligation.

8.0    Subject Access Requests

8.1     Individuals have a right of access to the personal information held by The Group if they are the ‘data subject’ of that information.

8.2     Requests for such information must be made in writing, signed by the data subject and addressed to the Company Secretary, Hyelm – Old Street, 43 New North Road, London N1 6JB

8.2     There is no charge for requesting the information (other than a reasonable administrative fee for providing additional copies of information, unless the request can be said to be ‘manifestly unfounded or excessive’, for example where repetitive requests are made. In those rare cases The Group may choose to refuse the request entirely or comply the subject to pay a reasonable administrative fee.

8.3     The Group will normally provide this data by providing remote access to a secure self-service system within a month of the request being made.

9.0    Reporting Data Breaches

9.1     Personal data breaches reportable under the GDPR will be reported, where feasible, to the relevant supervisory authority with the 72 hours of The Group becoming aware of the reportable breach.

9.2     Data breaches which are likely to result in a high risk of adversely affecting an individual’s rights and freedoms will also be reported to the individual without undue delay.

9.3     The Group keeps a record of any personal data breaches which are reported to the Board on a regular basis.

10.0 Responsibilities

10.1   The Group’s Data Protection Officer (DPO) is the Company Secretary.

10.2   The Group’s Accounting Officer (AO) is the Hyelm Board.

The AO has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level.

Information risks are handled in a similar manner to other major risks such as financial, legal and reputational risks.

10.3   The Group’s Senior Information Risk Owners (SIRO’s) are the members of the Executive Management Team.

The SIRO’s have responsibility for managing the information risks and provide the AO with assurance that information risks are being managed appropriately and effectively across the organisation and with partnership organisations with which personal data is shared.

10.4   The Group’s Information Asset Owner’s (IAO) are the Scheme Managers.

The IAO’s have a responsibility to understand what information is held, what is added and what is removed, how information is moved and who had access and why. As a result they are able to understand, manage and address risks to the information assets they ‘own’ and provide assurance to the SIRO’s on the security and use of the assets.

10.5   The Group’s Information Asset Administrator’s (IAA’s) are the Duty Managers and Finance Officer.

The IAA’s ensure that policies and procedures are followed, recognise actual or potential security incidents and consult with the IAO’s & SIRO’s on incident management.

10.3   Staff are provided with training, support and guidance to support compliance with the Regulation.

11.0 Further information

11.1   Further information can be obtained from the Information Commissioner’s Office at

12.0 Commitment to Review

12.1   The Group is committed to continuously improving its practice in the direct work that it does with its residents. It is a learning organisation and where it is identified that policies or procedures could be improved, it will change them.

12.2   The Group values and responds to feedback received from residents, partner agencies and all other stakeholders, particularly in relation to good practice. This policy will be reviewed every three years or sooner where any changing legislation or workplace activity has an impact.

12.3   The next review of this policy is due in July 2021.

13.0 Glossary of Terms

13.1   Personal Information

         Any information that relates to a living individual who can be identified by this data.

         Data Subject

         The living individual that the personal data is about.

         Data Controller

The company that decides the purpose for and the way in which any personal data is processed.

Data Processor

Any company that carries out activities with personal data on behalf of the data controller.

Special Category Data

Means personal data consisting of a persons race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

Processing of personal data in relation to criminal convictions or offences requires both a lawful basis under Article 6 and either a legal authority or official authority for the processing under Article 10.

Confidential Information

Includes, but is not limited to financial, pricing, administration & information systems and information about residents and staff (including contractual details, remuneration and bonus figures).


This can be information covering both facts and options held on computer, paper or any other accessible record (e.g. email, electronic devices).

Are you eligible?

74 of the 125 bed spaces are reserved for key workers. If you are a key worker, you can find out more and register your interest using the London Mayor’s Share to Buy website.

To be eligible for one of the remaining 51 places, you must meet the following criteria.

Please select all that apply. 

You don't meet all our criteria, but we want to hear more from you. The next step is complete this short form.

Tell us more

You meet the eligibility criteria, the next step is to complete our application form to make sure we are a good fit and book a tour.

Apply now