Scottish Housing Regulator Data Protection Policy 2023-25


07 February 2023

We were created to safeguard and promote the interests of current and future tenants of social landlords, people who are or may become homeless, and people who use housing services provided by registered social landlords (RSLs) and local authorities.

Our functions are to:

  • keep a publicly-available register of social landlords; and
  • monitor, assess and report regularly on (and, where appropriate, to make regulatory interventions relating to):
    • social landlords’ performance of housing activities; and
    • RSLs’ financial well-being and standards of governance.

As a regulator, we collect, review and analyse a wide range of information about organisations. In the course of our work we also have access to personal information. Personal information which we acquire, hold and use must be dealt with properly, whether on paper, in a computer, or recorded on other material. The UK General Data Protection Regulation (GDPR) lays down safeguards to ensure this.

Our privacy policy explains in further detail why we collect personal information, how we use it, who we may share it with, how we keep it secure, what your rights are and how to exercise them.

We are committed to ensuring that the requirements of the UK GDPR are fully complied with. We regard the lawful and correct treatment of personal information as very important to the success of our work, and to maintaining confidence between those with whom we deal and ourselves. We are committed to ensuring that we treat personal information lawfully and correctly.

The UK GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier.

We fully endorse and, in all relevant circumstances, will adhere to the principles of data protection as embodied in the UK GDPR, specifically, that personal data:

  • be processed lawfully, fairly and in a transparent manner in relation to individuals;
  • be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • be accurate and kept up to date;
  • be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  • not be transferred to other countries without adequate protection.

Individuals have the right to access their personal data and supplementary information.

Under the UK GDPR, individuals have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information

We must provide the information without delay and at the latest within one month of receipt. We can extend this period by a further two months for complex or numerous requests.

We may share information with other relevant bodies, such as other regulators and the Scottish Public Services Ombudsman, in the course of carrying out our regulatory functions. An exchange of personal information will be in line with data protection principles, which will be reflected in any Memorandum of Understanding we have with other bodies. We will review this policy statement by March 2025 at the latest. 

If you have any questions please contact:

Lorna Clark

SHR Data Protection Officer