Who we are

Our website address is: https://www.pfha.co.uk.

People First Housing Association (also referred to as we/us/our) provides community support services, including ‘drop-ins’ to individuals aged 18 to 65 identified with support needs meeting the eligibility criteria of our funders. To enable us to do so and in fulfilment of our obligations under the support agreement we collect and process data on service users. We are “Data Controllers” of the personal data that service users provide to us and are committed to protecting all individual’s rights of freedom and privacy and meeting the requirements of the General Data Protection Regulation 2018 (GDPR).

This privacy notice explains in detail:

  1. How and when we collect personal data;
  2. why we collect your personal data;
  3. what we collect and process;
  4. the legal basis for doing so;
  5. who we may share it with;
  6. what information we receive from third parties;
  7. where we process your personal data;
  8. how long we keep it;
  9. how we protect your personal data;
  10. what your rights are in relation to the personal data and how to contact us; and
  11. how to contact the Information Commissioners Office (ICO) if you have any questions or complaints.
  12. How and when do we collect your personal data?

In most cases the information we hold is provided voluntarily by you, in person, on the telephone or by email. How you interact with us, determines when we collect personal data. Examples include:

  • Contacting us for information about community support;
  • Expressing an interest in our support services’;
  • Making an application for support services’;
  • In the course of receiving support services:
    • booking a visit to your home or appointment at the office
    • contacting the office to discuss your support needs
    • completing electronic and paper forms, assessments and other documentation in relation to receipt of support and related services
    • making a complaint or providing other feedback
  • Why do we collect personal data?

The main reason we collect and process your personal data is to enable us to provide, evaluate and improve the delivery of our support services’ and to meet our obligations as set out in the support agreement, which forms a contract with People First.  

We limit the collection of personal data to enable us to meet these obligations. We do not sell your personal data to any third parties. 

  • What personal data do we collect and process?

If you are receiving our support services, have made an application for support services’ or are in the process of making an application we collect the following types of personal data: 

  • Personal information: name, address
  • Contact details: home phone number, mobile phone number, email address
  • Details of carers as applicable: name, address, contact details and relationship
  • GP details and any other agency involvement: name and contact numbers
  • Sensitive personal information:
    • gender, ethnicity, disability information, medical details, marital status, sexuality
    • support needs: for example, mental/physical health, housing, employment/education, welfare benefits, debt management
    • NI number, date of birth
  • Any other information you provide for advisory assistance

We will record further, factual information in the course of providing support services so that we have a record of our contacts with you and how well your needs are being met. This will include:

  • Records correspondence: phone conversations, emails, letters and such like
  • Records created during support sessions/meetings: notes, assessment forms, support plans, risk assessments
  • Records of any accidents/incidents
  • Complaints records and any other feedback provided
  • Records of attendance at service user events, e.g. photographs
  • What legal basis do we rely on to process your personal data?

The lawful basis for processing personal data are set out in the GDPR, there are six grounds and at least one of these must apply whenever we are processing data.  Below is a list of the legal basis we rely on:

Consent:  We rely on your consent to process your personal data in very limited circumstances. For example, use of any photos taken of you during service user events in our promotional literature/website.  You have the right to withdraw your consent at any time. 

Contract:  Most of the personal data we process is necessary to perform our obligations under a contract (i.e. the support agreement) we have with you.  We can only provide support services to you, if you provide us with the personal data necessary to perform the contract (as set out above in point 3). 

Legal Obligations:  In some instances we process your personal data to comply with the law (not including contractual obligations):

  • Providing information to commissioners who have funded the service, for example the local authority
  • Providing information to Social Services in relation to any safeguarding concerns
  • Providing information to the Police in relation to criminal investigations
  • Providing information to the Home Office if we have good reason to believe that a support user is an illegal immigrant

Legitimate Interests:  In some situations, we process your personal data to pursue our legitimate interests as a business.  We will only process your personal data if our legitimate interests do not materially impact your interests, fundamental rights, or freedoms. Examples include:

  • If you are a service user, using your email address or home address to send you newsletters, informational publications, service updates and feedback questionnaires.

Public task: In certain circumstances we will process your personal data to comply with our obligations under public task. For example:

  • Providing information to Social Services if we believe you, or a member of your household is at risk
  • Providing information to the police in relation to criminal activities
  • Processing sensitive data (special category data) for example in relation to ethnicity, religion, gender etc. under Article 9 (d) to ensure compliance with equality legislation
  • Who do we share your personal data with?

We consider your personal data confidential and do not share it with others except as described in this Privacy Notice. There are limited circumstances that require us to disclose your personal data to others in order to deliver services, or to meet our legal obligations or legitimate business interests. Examples include: 

Subcontractors and other agents: we employ or contract with other companies and individuals to perform functions on our or your behalf. Depending upon the type of service they are providing, we may share sensitive personal data only as appropriate and necessary for the performance of the service. Examples include:

  • Survey companies – undertaking service users satisfaction surveys on our behalf
  • SASSHA, our IT consultant who manage our IT systems

Regulatory/Government/funding bodies: for example

  • Commissioners of the service, as part of their quality assurance testing and eligibility criteria
  • Adult safeguarding team, if we have concerns about risks to you or others
  • GP/health practitioner, if we have concerns about risks to you or others
  • Other organisations that are working with you, with your consent or on a ‘need to know’ basis

If we share your information as described above all parties are under contractual/legal obligations to use your personal data only as directed by us and as needed to perform their functions. 

Business Transfers: People First deliver support services’ under contract. These contracts may be tendered periodically which means other providers can bid to deliver the services. If we were unsuccessful in our bid or for some reason didn’t bid for the service, this means that another provider could deliver the service you receive. In that eventuality, personal data relevant to the operation of the service may be transferred to the new provider.

Meet Legal Requirements: We share personal data if required by law/regulations or as we reasonably determine to be necessary to protect our rights or the rights of others for example, to prevent harm to children.  This means we may be required to disclose personal data for national security or law enforcement purposes.

  • Information from third parties:

People First may receive information from third parties, for example:

  • To support the regulatory obligations/investigations of Government agencies for example, the local authority safeguarding teams.
  • In relation to your support/care for example, from your GP or community mental health worker.
  • Where do we process and store your personal data?

Electronic Information: Personal data may be held on electronic storage data systems. This is processed and stored in the United Kingdom (UK).  

Hardcopy Information: The hardcopy of personal information we collect remains in the UK. We do not transfer data outside the UK

  • How long do we keep your personal data?

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected and as required under law. At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.

  • How do we protect your personal data?

We utilise appropriate technical, administrative and physical safeguards to protect the personal data we collect in both hardcopy and electronic format. We provide training to our staff and conduct periodic quality assurance audits. However, no computer system or information can ever be fully protected against every possible hazard. As a result we cannot guarantee the security and privacy of the information you provide to us.

  1. What rights do you have over your personal data?

All service users have the right to request:

  • Access to your personal data and copies. In most cases this will be free.
  • Rectification /correction of any information that we hold that you believe is inaccurate and the completion of any information you believe is incomplete.
  • Erasure of your personal data, under certain conditions.
  • Restrict our processing of your personal data, under certain conditions.
  • Object to our processing of your personal data, under certain conditions.
  • Data portability/transfer of the data we have collected to another organisation, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact People First:

  • Email: admin@pfha.co.uk
  • Tel: 0161 235 6900
  • Address: 1 City Road, City Road East, Manchester M15 4PN

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

  1. How to contact the Information Commissioner’s Office

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with:


When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.


If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.


Who we share your data with

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.