- Who we are
- How we collect personal data
- What we use personal information for
- What type of data do we collect?
- Legal basis for processing
- Retention of Data
- Sharing of Data
- Your Data Protection Rights
- Data Protection Queries and Complaints
The Approved Housing Bodies Regulatory Authority (AHBRA) are an independent authority, established in February 2021. Our organisation is tasked with providing the regulation of Approved Housing Bodies (AHBs) for the purposes of protecting housing assets provided or managed by such bodies.
In carrying out our statutory functions and activities under the Housing (Regulation of Approved Housing Bodies) Act 2019 (“the Act”), AHBRA engages with and may process personal data relating to external parties, both individuals and businesses. In particular, AHBRA obtains data from AHBs, members of the public, third parties, Government Departments, State bodies, regulatory authorities and other organisations, which may include personal data of individual contacts or officers of such entities. AHBRA also obtains personal data where an individual submits a complaint or query to us.
This Privacy Statement aims to provide an overview of how AHBRA will collect, use and store personal data, and the rights data subjects have in relation to the protection of their personal data. The Privacy Statement will be updated periodically, and as functions and powers of the Act are commenced.
2. Who we are
AHBRA is the data controller of personal data we collect relating to our statutory functions. AHBRA have responsibility for overseeing the effective governance, financial management and performance of all AHBs, in accordance with the legal framework set out in the Act. Our contact details are as follows:
- For general queries contact email@example.com
- For Data Protection queries, please contact firstname.lastname@example.org
- Address: AHBRA, 4th Floor Grattan House, 67-72 Mount Street Lower, Dublin 2, D02 H638
All data processed by AHBRA is processed in accordance with applicable Irish data protection and privacy laws and the General Data Protection Regulation (‘GDPR’) and the Law Enforcement Directive (‘LED’) (where applicable) to ensure we properly protect personal data.
3. How we collect personal data
We may collect personal data when carrying out our statutory functions, as outlined below. The following non-exhaustive methods of data collection are an indication of ways in which we may obtain personal information:
- Directly from you, your organisation, your legal representatives, or any other representative on your behalf.
- Using publicly available information obtained through online searches, including websites, state and/or industry registers, and media outlets.
- Through data sharing (in accordance with the Act) between Government departments, regulators, agencies, investigatory bodies, local authorities, housing bodies, or the Gardaí.
- Through concerns received from third parties, which may include AHB staff and board members, tenants, members of the public, or other statutory bodies.
- While conducting our investigations, personal data may also be obtained from external sources including, but not limited to, individuals, businesses, publicly available information, Government Departments, State bodies, regulatory authorities, and other organisations which hold personal data relevant to the issue being investigated.
- Through queries from various stakeholders of AHBRA, which may include the general public, members of the Oireachtas, or the media.
4. What we use personal information for
AHBRA uses personal information for the purposes of performance of our key functions as set out in Section 9 of the Act, which include the following:
- To establish and maintain a register of AHBs
- To register persons as AHBs
- To prepare draft standards for approval by the Minister and publish
- To monitor and assess compliance by AHBs
- To carry out investigations under Part 5 (of the Act)
- under Part 6 (of the Act), to protect tenants and AHBs and cancel the registration of AHBs
- To encourage and facilitate the better governance, administration and management including corporate governance and financial management, of AHBs
- To promote awareness and understanding of the Act
- To collect such information concerning AHBs as the Regulator considers necessary and appropriate for the purposes of the performance of the Regulator’s functions,
- To publish such information (including statistical information) concerning AHBs as the Regulator considers appropriate.
In line with our above functions under the Act, personal data may be used for the purposes of legal proceedings, including any appeals or other legal action concerning our decisions or procedures or acts of AHBRA. Personal data may also be used for law enforcement purposes to prevent, investigate, detect or prosecute criminal offences under the Act.
Furthermore, AHBRA may process personal data for corporate purposes (including the procurement and payment of services, to comply with financial regulations and other relevant laws and regulations, or in relation to our offices and premises, to ensure security of our offices and premises, to enable us to investigate incidents that occur there, and for human resource purposes relating to employment with or appointment to the Board or a Committee of AHBRA).
5. What type of data do we collect?
AHBRA will only process such personal data as is reasonable and necessary in order to perform its functions under the Act and in performance of the tasks it carries out in the public interest. Please be aware that it is our aim to collect only personal data which is required to perform a task. AHBRA processes the following categories of personal data:
- Contact data including name, address, email, telephone numbers.
- Personal data relating to an AHB’s Board of Directors or members of staff, volunteers, and current or former advisors. This includes name and contact details, job title, role or place of work.
- Contact details from concern-raisers (including Board of Directors or members of staff, volunteers, tenants, current or former advisors, members of the public, media, and staff of other state bodies).
- Personal data for the purposes of education and awareness, including contact data, queries from media, and queries from stakeholders.
- Personal data for the purposes of reviewing the performance of our services, including stakeholder feedback, customer complaints and cookie data.
- Personal data of service providers and suppliers, which may include identifiers, contacts and characteristics (for example, name and contact details, job title, role or place of work, bank details, CCTV footage).
- Limited amounts of special category data, including concerns submitted in relation to health and safety.
It is important that the information provided to AHBRA is up to date and accurate. As outlined in Section 9 of this statement, if the personal data we hold is inaccurate or incomplete, please contact us and we will endeavour to update the data, as appropriate.
6. Legal basis for processing
The legal basis for the processing of personal data by AHBRA depends on the purpose for which the processing is being carried out. The main legal bases under the GDPR upon which AHBRA relies for the purposes of processing personal data are Article 6 (1) (c) and/or 6 (1) (e): that is,
- Article 6 (1) (c): processing is necessary for compliance with a legal obligation to which the controller is subject.
- Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The majority of processing by AHBRA is set out in legislation which provides AHBRA with the authority, and the obligation, to carry out the functions set out above. The main legislation is the Housing (Regulation of Approved Housing Bodies) Act 2019.
In addition, the following Articles of the GDPR may be relevant to some processing:
- Article 6 (1) (a): where the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Where the lawful basis for the processing of Personal data is based on the consent or, where necessary, the explicit consent of the Data Subject, that consent can be withdrawn at any time. Where consent is withdrawn, it will not affect the lawful basis for processing up until that time.
- Article 6 (1) (b): Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract.
For certain processing activities which it carries out, AHBRA is a ‘competent authority’ for the purposes of Part 5 of the Data Protection Act 2018 and therefore these processes are subject to the LED. The legal basis for AHBRA to process personal data as a ‘competent authority’ is Section 71(2) of the Data Protection act 2018 which provides that the processing of personal data (for the purposes of the LED) shall be lawful where, and to the extent that “the processing is necessary for the performance of a function of a controller for a purpose specified in section 70(1)(a) and the function has a legal basis in the law of the European Union or the law of the State”
7. Retention of Data
Any personal information we collect will not be kept for any longer than it is necessary to carry out the specific purpose. The length of the retention period depends on how long we need to process personal data. In certain circumstances, we are legally obliged to retain personal information for longer, such as accounting or regulatory purposes. The criteria we use to determine data retention periods for personal data includes the following:
- Retention in case of queries; we will retain it for a reasonable period after the relationship between us has ceased;
- Retention in case of legal claims; we will retain it for the period in which it may be enforced (this means we will retain it for 10 years in some instances); and
- Retention in accordance with legal and regulatory requirements; we will consider whether we need to retain it after the period described above because of a legal or regulatory requirement.
8. Sharing of Data
We may share personal data with other parties in the course of our duties. When this is done, we adhere to the following principles:
- The transfer is based on a legal obligation or the performance of a contract.
- Where data is transferred to another party, we ensure appropriate technical and organisational safeguards are in place to protect personal data.
- Where we engage a third party to provide a service to us, we require them to take appropriate steps to protect personal data, and only to use the personal data for the purpose of performing those specific services.
While the parties we engage may change occasionally, we believe it is important that individuals are aware of the types of parties we share data with. The categories and types of third parties outlined below is a non-exhaustive list but provides an indication of the parties we share data with.
- Your Representatives: These may include any party you have provided permission for us to contact, representatives associated with your AHB.
- Our Representatives: These may include AHBRA representatives such as employees, agents, contractors, legal representatives, and companies who provide services to us, for example, data storage, IT and IT security, audit, third parties who may improve our processes and services (such as consultants).
- Government Departments, Bodies or Agencies: AHBRA is legally obligated to share personal data with state bodies as outlined under the Act and the Data Sharing and Governance Act (2019). Recipients of this data may include Government departments (for example, the Department of Housing Local Government and Heritage), state bodies and investigatory bodies, (for example, the Charities Regulator), local authorities, the Gardaí and members of parliament (upon request and on a case by case basis).
AHBRA, as a data controller, will not sell personal data to any third party.
9. Your Data Protection Rights
Under data protection law, data subjects have certain rights. Subject to certain restrictions, which are set out in Article 23 of the GDPR and Sections 59, 60 and 61 of the Data Protection Act 2018, you can exercise these rights in relation to your personal data that is processed by AHBRA.
The data subject rights are:
- The right to be informed about the processing of your personal data;
- The right to access your personal data;
- The right to rectification of your personal data;
- The right to erasure of your personal data;
- The right to data portability;
- The right to object to processing of your personal data;
- The right to restrict processing of your personal data;
- Rights in relation to automated decision making, including profiling.
Further information in relation to Data Subject Rights can be found here on the Data Protection Commission’s website.
If you wish to exercise one of your data subject rights outlined above, enquire about any of the information contained in this privacy notice or request further information, please do not hesitate to contact the Data Protection Officer (DPO) at the contact information provided below. The DPO will respond to you as soon as possible and will aim to fulfill any exercise of your rights within one calendar month.
10. Data Protection Queries and Complaints
If you are unhappy with the way we handle your personal data and wish to complain, or if you simply require further information about the processing of personal data by AHBRA, please contact the Data Protection Officer using the details outlined below:
- Email: email@example.com
- Post: Data Protection Officer, AHBRA, 4th Floor Grattan House, 67-72 Mount Street Lower, Dublin 2, D02 H638
Please note, you have the right to lodge a complaint with the Data Protection Commissioner in relation to the processing of your personal data. Further information can be found here.