Skip to content

Privacy Policy

Orbit Group Ltd are the ‘controllers’ of the information (‘personal data’) that we collect about you, our ‘data subjects’, which means we are responsible for how your data is processed. The word ‘process’ covers what can be done with personal data, including collection, storage, use, sharing and deletion. This privacy policy explains why and how we process your personal data, and explains the rights you have, including amongst others, the right to access your data or to object to the way it is processed. Please see the section on ‘Your rights as a data subject’ for more details on your rights and how to exercise them.

Summary

Why? The main reason we need to process your data is so that we can offer you the best service available whether you are a customer, colleague or anyone else that we work with.

What? We use your contact details, financial information and other personal information relating to our interactions with you to provide you with our services. This includes handling enquiries and complaints, and working to improve our services, which sometimes involves sharing data with our trusted partners such as local authorities and other housing providers contractors and the authorities if required.

How? We handle your data carefully, and have appropriate controls in place to protect it from breaches. We also work to ensure that data is accurate, only kept as long as is necessary, and that we uphold your rights around how we handle your data.

Contact us

Our contact details are:

Address:

Orbit
Garden Court
Harry Weston Road
Binley Business Park
Binley
Coventry
CV3 2SU

Telephone number: 0800 678 1221

If you have any queries about this policy or anything related to data protection, you can contact our Data Protection Officer (DPO) at Garden Court, Harry Weston Road, Binley Business Park, Binley, Coventry, CV3 2SU or by email informationgovernance@orbit.org.uk

Personal Data

‘Personal data’ is any information that relates to a living, identifiable person. This will usually include your name, address, contact details, and other information we collect as part of our relationship with you.

It can also include ‘special categories’ of data, which is the official term for information about a person’s race or ethnic origin, religious, political or other beliefs, physical or mental health, trade union membership, genetic or biometric data, sex life or sexual orientation.

The use of this type of data, and of information about criminal convictions and offences, is subject to strict legal controls.

We only process data if we need to for a specific purpose, as explained below. Most often, we collect your personal directly from you, through our contact with you. Sometimes we will obtain data about you from other sources, such as when you are given a reference, if your details are provided as an emergency contact for someone else, or when we work with local authorities, other housing providers or the police or other authorities to carry out tasks in the public interest, including looking after the safety and wellbeing of individuals and communities.

How we store your data

Your personal data is held in both hard copy and electronic formats.

Electronic data, including emails, is stored on Orbit’s servers and on our software suppliers’ servers, which are located in the European Union.

Where we contract with a software supplier who stores data outside of the EU, only minimal data is processed, for example for carrying out feedback surveys, and we ensure appropriate safeguards are in place.

How long we keep your data

Some of our retention periods are based on legal requirements, and others are based on the practical reasons we need to keep the data for a certain period of time. Information about how long we hold your data for can be found in our Data Retention Schedule, which can be requested from our DPO.

Once we reach the retention period, we will securely delete the relevant data, unless:

  • we are legally required to keep it longer, or
  • there are lawful reasons why we need to keep it longer

Your rights as a data subject

As a data subject, you have the following rights in relation to your personal data:

  • be informed about how and why your personal data is processed, including the information we provide through this Privacy Notice;
  • ask for copies of the personal data we hold about you, which is sometimes known as making a Data Subject Access Request, or DSAR or SAR;
  • ask for any errors or inaccuracies in your personal data to be corrected;
  • ask to have some, or all, of your personal data erased (also known as the right to be forgotten) and we will erase your data on request where we have no lawful reason for retaining it;
  • ask us to restrict our processing of your personal data, in some circumstances, which means you can ask us to stop using it but not erase it;
  • object to your personal data being processed in some circumstances (see below for more details);
  • have personal data that you have provided to us provided back to you in a format which can easily be transferred to another party, where the data is being processed based on your consent or for a contract, and is being processed by electronic means;
  • the right not to be subjected to a fully automated decision-making process (i.e. a system generated decision without any human input), where the outcome has a legal or similarly significant effect on you.

If you wish to exercise any of these rights, please contact us in your preferred way, either in writing (including email) or verbally.

For more information about these rights, please contact our Data Protection Officer (DPO) at Garden Court, Harry Weston Road, Binley Business Park, Binley, Coventry, CV3 2SU or by email to informationgovernance@orbit.org.uk

You can also find information about your rights on the ICO’s website: https://ico.org.uk/

Your right to object to processing

You have the right to object to the processing of your personal data when the purpose of the processing is to deliver direct marketing to you. We will always stop the processing as soon as possible.

You have the right to object where the legal basis for the processing is that it is necessary for a task in the public interest or the exercise of official authority, or if the processing is necessary for our legitimate interests or another party’s legitimate interests.

If you object to processing for these purposes, we will ask you for your specific reasons for objecting which should be based upon your particular situation. In these cases, we will carefully consider your objection and let you know if we are going to fulfil your request.

Please be aware that we can refuse a request if we can demonstrate compelling legitimate reasons for the processing, which, on balance, override your interests, rights and freedoms, or if the processing is for the establishment, exercise or defence of legal claims.

Withdrawing consent

If we are relying on your consent to process your data, you may withdraw your consent at any time by contacting us in your preferred way

Complaints

Please let us know if you have any complaints about the way your personal data has been handled.

You also have a right to complain to the Information Commissioner's Office (ICO) about the way in which we process your personal data. You can make a complaint on the ICO’s website https://ico.org.uk/.

Your data and how and why we process it

Orbit processes your data so we can:

  • manage and support our relationship with you;
  • comply with legal and regulatory obligations;
  • protect individuals and our communities;
  • monitor and improve equality of opportunity and treatment;
  • improve our services;
  • achieve our legitimate business aims.

The information below gives more details about the ways we process your data, including who we share data with and the legal basis for each type of processing.

Processing Purpose

Legal basis for Processing

Applications for rented properties

When you apply to live in an Orbit home, we collect information directly from you and from relevant third parties, about you and your household, in order to assess your eligibility and suitability for the application you have made.

We receive your contact details and housing need information from the Local Authority if you have been nominated by them and we take up references from former landlords

Some decisions are made automatically about your eligibility, based on the answers you provide in your application, but you will always be given the opportunity to challenge the decision.

This processing is necessary for being considered for, and for signing up to, a tenancy agreement, which means entering into a contract with us. We need to know that you are eligible, and that you can afford the property, and/or sustain your tenancy, and we may need to offer you additional support as part of your tenancy.

If you provide us with special categories of data, such as health, in your housing application, we will process this data only as far as it is necessary for us to manage your application and ensure you are housed appropriately and safely, in line with our legal and statutory obligations as a housing provider and employer.

In some cases, we will process information about criminal offences and convictions, where it is necessary to do so in order to protect the safety and wellbeing of individuals and our communities.

When we ask for information about race/ethnic origin, religion, health, or sexual orientation, this is where it is necessary for us to monitor and improve equality of opportunity and treatment, in the substantial public interest, and it is optional for you to provide this information.

Shared Ownership applications

When you apply to purchase a share of an Orbit home, we collect information directly from you and from relevant third parties, about you and your household, in order to assess your eligibility and suitability for the application you have made.

We will communicate with your solicitor and mortgage provider to facilitate the purchase.

This processing is necessary for entering into a purchase agreement with us. We need to know that you are eligible and can afford the property.

In some cases, we will process information about criminal offences and convictions, where it is necessary to do so in order to protect the safety and wellbeing of individuals and our communities.

When we ask for information about race/ethnic origin, religion, health, or sexual orientation, this is where it is necessary for us to monitor and improve equality of opportunity and treatment, in the substantial public interest, and it is optional for you to provide this information.

Outright Sales

When you apply to purchase a share of an Orbit home, we collect information directly from you and from relevant third parties, about you and your household, in order to assess your eligibility and suitability for the application you have made.

We will communicate with your solicitor and mortgage provider to facilitate the purchase.

This processing is necessary for entering into a purchase agreement with us. We need to know that you are eligible and can afford the property.

In some cases, we will process information about criminal offences and convictions, where it is necessary to do so in order to protect the safety and wellbeing of individuals and our communities.

When we ask for information about race/ethnic origin, religion, health, or sexual orientation, this is where it is necessary for us to monitor and improve equality of opportunity and treatment, in the substantial public interest, and it is optional for you to provide this information.

CORE reporting

So that the Ministry of Housing, Communities and Local Government (MHCLG) can produce statistical information, we report information to them about our lettings and shared ownership sales via the CORE (Continuous Recording) system. The information provided does not include your name or full address, but it does contain special categories of data.

The processing of this information by the MHCLG is necessary for the performance of a task in the public interest and so far as the data includes special categories, the MHCLG states that the processing is necessary for reasons of substantial public interest. The data is used to compile statistics on the use of social housing, including reviewing equality of opportunity and treatment.

Please see the CORE website for more details.

Orbit customers

When you are an Orbit customer, we will collect information from our interactions with you, including any complaints or allegations that are made by you, or about you, and we process this information to allow us to manage our relationship with you, collect your rent, and provide you with tenancy or sales related services, and appropriate support services, and to manage any complaints or alleged ASB or similar issues.

This will involve sharing information with, and receiving information from, third parties, as explained below.

Where crimes have been committed or alleged, we share information with the police and other agencies with investigative and prosecution powers;

Where we have concerns about anyone requiring safeguarding for any reason or requiring protection from financial abuse due to a mental or physical health issue, we share information with the relevant authorities in order to help the people concerned.

We share rent information with local authorities for the purposes of administration of appropriate benefits;

Where local authorities require information for council tax, we confirm tenancy information to allow the correct tax to be paid.

We share information with debt collection agencies so they can collect debts on Orbit’s behalf.

We sometimes share information with utilities companies so they can collect debts on bills

Personal data is shared between teams internally at Orbit, but is only shared, accessed and used on a need to know basis, to enable relevant teams to carry out their tasks

Most of the information we collect and use as part of our ongoing interactions with you is necessary for the performance of your contract, and is linked to ensuring both you and Orbit are complying with the requirements of the contract.

We have a legal obligation to keep business and financial transaction records as appropriate.

We will offer you further support based on both our legitimate interests to enable you to sustain your relationship (tenancy/shared ownership relationship) with us to the best of your ability.

If we contact you by email or text to let you know about our services, we will do so based on either our legitimate interests of keeping you updated about the services you receive from Orbit, or based on your consent where we are contacting you about new services.

If we refer you to an external agency for further support, we will do so only with your consent to pass your details onto them, unless we believe there is an overriding lawful basis for the referral without your consent.

When we share information for the reasons explained, we will do so on the basis of the fact it is necessary to protect individuals and communities, is for a task in the public interest (crime, benefits and tax payment) or for the legitimate interests of debt collection.

Our support services

Orbit does not just provide housing, we also provide support to people who need it, through our specialist services, some of which are linked to your tenancy and some of which are standalone, for example help with money management, getting back into work, or more general day to day support.

We process your data as part of providing this support on the basis of our contract with you, where it is tenancy-linked support, or on the basis of it being necessary for complying with our legal obligations or carrying out a task in the public interest.

Where we process special categories of data, or criminal information, about you as part of providing this support, we do this where it is necessary to protect individuals in line with our legal and statutory obligations as an employer and as a housing and support provider. Where this (or another) basis is not appropriate, we will ask for your consent.

Emergency situations

Unfortunately, there will always be emergency situations that negatively impact on our customers, employees and wider communities, and we will respond as appropriate and as quickly as possible in order to protect people and property. Whether we are responding to fire, flood, crime, safeguarding issues, pandemic, or any other emergency situation, Orbit will treat people’s health and wellbeing as a priority, which we acknowledge includes protecting personal data and ensuring it is handled lawfully and securely.

Processing of data in the immediate response to emergency situations is done only where it is necessary to protect individuals and communities, on the basis that we are acting under employment or social protection law, or in the public interest / substantial public interest.

Equality of treatment and opportunity

Orbit is dedicated to treating everyone fairly and providing equal opportunities, regardless of differences in race or ethnic origins, religious or philosophical beliefs, physical or mental health or sexual orientation. In order to monitor and improve performance in this area, we collect information about race, beliefs, health and sexual orientation from customers and employees, if you are happy to provide this information.

The processing of these special categories of data is necessary for a task which is in the substantial public interest, specifically for the purposes of identifying and monitoring equality of opportunity and treatment between different groups of people, with a view to enabling equality to be promoted or maintained.

Sharing your data with our ‘Processors’

When Orbit uses other companies to supply goods or services on our behalf, sometimes we need to share relevant information with those suppliers and contractors so they can carry out that work. They are known as our ‘Processors’ and are legally bound by contract to act only on our instructions regarding your personal data, and not use it for their own purposes.

The relevant legal basis for each Processor we use will be dependent on the type of work they are carrying out for us, and our legal basis for undertaking the processing that is linked to that work.

For example, we carry out emergency repairs work on the basis of our contract with you, and in some circumstances the repairs may be contracted out to contractors who need your address etc. in order to carry out the repair. This makes the contractor our Processor.

The contracts we use with Processors comply with Article 28 of the General Data Protection Regulation (GDPR), which rules how Processors are appointed, and sets out their relevant responsibilities.

Sharing your data with other contractors

Sometimes, we share personal data with suppliers, contractors or consultants where they process the data on the basis of their own knowledge and expertise, not just acting on our instructions. For example, solicitors. In these cases they are not our Processors, but instead are Data ‘Controllers’ in their own right.

As Data Controllers these organisations have their own legal obligations and responsibilities to handle your data lawfully and safely, and are also bound by contract to comply with their data protection obligations.

We share information with contractors etc. who are Controllers only when it is necessary for us to carry out our tasks in the public interest, to carry out our legal obligations, or for our legitimate interests of outsourcing the provision of some services and of providing appropriate support, to enable us to run the business efficiently. We do not share your data with any Controllers that we are not confident will protect your data, and therefore we protect your rights, freedoms and interests.

Insurance

If you are an Orbit insurance customer, we will process your information so we can provide you with a policy, and to manage any claims you make, which may involve sharing information with third parties about the circumstances in order to assess the claims.

This processing is necessary for the performance of your insurance contract. If it suspected that a claim is not legitimate, we will process information to protect our business from fraudulent claims, which breach the insurance contract.

Complaints

In order to investigate and respond to complaints or allegations against Orbit or an employee or customer of Orbit, or complaints and allegations made about neighbours, or any other topic, we will usually require contact details and information about the complaint from you or your representative. We will request the minimum amount of information from you, and only use it for the purposes of the investigation.

Customer complaint related processing is done on the basis of it being necessary for us complying with the terms of your contract with us. For complaints from non-customers, depending on the nature of the complaint, the processing is necessary for us to comply with our legal obligations or for carrying out our tasks in the public interest. If special categories of data are processed (including health, race, religion, sexual orientation) it is on the basis of being necessary for defending a legal claim or for acting in the substantial public interest. This includes responding to elected representatives such as MPs, who have raised a matter on your behalf.

General contacts

For members of the public who are not customers but come into contact with Orbit in another way, such as to make an enquiry, we will collect information from our interactions with you, so that we can provide you with the information you have requested.

We process this information on the basis that it is necessary for our legitimate interests of responding to your enquiry, complaint or allegation, as appropriate. If we need to process any special categories of data in order to handle the issue, we do so with your explicit consent, or on the basis of it being necessary for a task in the substantial public interest, such as reviewing equality of opportunity and treatment.

Business contacts

Contact details for people, organisations and companies we work with is personal data and we treat it accordingly. We will use it only as part of our relationship with your organisation, whether we work in partnership or have a customer/supplier relationship.

This processing is based on our legitimate interests of managing business relationships appropriately. We use the data only for the purposes explained, keep the data secure and safe, and protect your rights, freedoms and interests.

Surveys and feedback

In order to understand our customers’ experiences and improve our services and products, we will contact you at various “touch-points” during our relationship with you and ask you to complete a survey and give us feedback, by email, text or over the telephone. We contract with specialist companies to carry out surveys on behalf of Orbit, which involves sending them your contact details and they gather your responses for us. You can opt out of this sort of contact if you prefer.

Orbit, and the specialist companies we work with, process data in order to ask for your feedback, based on our legitimate interests of improving our customer services and products.

Marketing

We will send you information that we think will be useful or of interest to you about the services we provide, whether they are paid for services or free of charge. We will sometimes make decisions about what information to send based on your profile, for example your age if we are letting people know about age-related services such as our over 55s schemes.

Orbit will send you hard copy marketing materials on the basis of our legitimate interests of increasing our customers’ knowledge of other relevant services and products. We will only send you emails or texts (electronic direct marketing) with this type of information if we have your consent to do so. For commercial services or products, which includes where you have bought, or entered into negotiations with us, for a similar service or product, this is regarded by the law as implied consent. However, every time we send an email or text you will have the option to unsubscribe from similar marketing messages.

Exercising of Data Protection Rights

If you approach us about exercising any of your Data Protection rights, such as accessing copies of your data, or objecting to the way your data is being processed, we need to obtain relevant information from you in order to identify that you are the data subject in question, or acting on their authority.

When we fulfil requests such as these, specialist staff members will review the documents in question in order to fulfil the request lawfully, which will include redacting information about third parties.

The information processed to check your identity and to fulfil your request is only used for these purposes and is kept securely.

This processing is carried out as necessary for us to carry out our legal obligations of upholding your Data Protection rights.

Recruitment

If you apply for a job with Orbit, we collect information about your suitability via our trusted recruitment partner organisations.

Most of this processing is on the basis that it is necessary for an employment contract, or entering into an employment contract, with Orbit.

Employees

We collect and process information about current and former employees as part of managing your relationship with Orbit.

Most of this processing is on the basis that it is necessary for managing your employment contract with Orbit, and for us to fulfil our legal obligations under employment law in relation to current and former employees.

Please see the Employee Privacy Notice on the Orb for more details

Telephone Calls

Phone calls to our main telephone number are recorded so that we can monitor the quality and content of calls.

This processing is on the basis of our legitimate interest of providing good customer service, as well as protecting our colleagues and other people from any problems or issues arising from ambiguity in phone call conversations.

CCTV

Orbit uses CCTV in our offices and in some of our housing/schemes for the safety and security of premises, colleagues, customers and any third parties. CCTV footage can be disclosed to those organisations acting on official authority, including the police.

We process data from CCTV for the purposes of our legitimate interest of protecting our premises, and for carrying out tasks in the public interest/substantial public interest by protecting our people and supporting investigations into crim and fraud, for example.

Video Conferencing

Please see the information on MS Teams.

Website

We collect information you submit through our website, and through the use of Cookies. Please see the Cookies section for more details.

This information is processed for our legitimate interests of responding to any enquiries you make through our website, and to help us understand and analyse the effectiveness of our website.

Cookies

Visiting our Website

When someone visits our website, we collect standard internet log information and details of visitor behaviour patterns, using Google analytics. We do this to find out things such as the number of visitors to the various parts of the site.

We do not make any attempt to find out the identities of those visiting our websites. We will not associate any data gathered from this site with any personally identifying information from any source.

What are Cookies

Cookies are text files placed on your computer by websites you visit. These are widely used to enable the websites to work properly (e.g. ensuring that the right personal information collected is attached to the individual who submitted it) when collecting information that you have provided to the Data Controller. You may delete and block cookies if you wish from this site, however, please be aware that this could affect the functioning of this website.

To find out more about cookies, including what they do, how to see what cookies have been set and how to manage or delete them please visit www.aboutcookies.org or www.allaboutcookies.org.

To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

How we use cookies

The table below explains the cookies we use and why. Most web browsers allow some control of most cookies through the browser settings.

Cookie

Name / Purpose

Type / Expiry

More Information

Website cookie acceptance

CookiesAccepted - This cookie is used to record if a user has accepted the use of cookies on the website

 

Find out how to withdraw your consent after accepting this cookie at www.aboutcookies.org

CFID

Linked information is the username. When a user logs in, maintains authentication state

Persist 2 hours

First party cookie

CFTOKEN

This cookie helps to uniquely identify a client device (browser) to enable the site to maintain user session variables.

 

Persist 2 hours

First party cookie

JSESSIONID

SessionSession – determines the end of the session by a user

Expires at the end of the session 

First party cookie

VOPECRA

Anonymous – remembers when a user has elected to accept cookies

Persist Never

First party cookie

Google Analytics

_utma

_utmb

_utmc

_utmz

These cookies are used to collect information about how visitors use our websites. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they have visited

Persist 2 years

30 mins

End of session

6 months

Click here for an overview of privacy at Google

Third party cookie

Google Translate

googtransSession – stores your chosen language (if you decide to change if from English). This means that you do not have to select your chosen language every time that you load a new page

End of session

Click here for an overview of privacy at Google

Third party cookie

Google Maps

PREF

NID

These cookies are used to remember Google maps preferences

Persist

6 months

Click here for an overview of privacy at Google

Third party cookie

The table below explains some of the other cookies we use and why.

Name Format Expires Reason
o-alert Alphanumeric String Session Alert message to user
font-size Alphanumeric String 6 months Selected website font size
colour-theme Alphanumeric String 6 months Selected website theme
o-area Alphanumeric String 10 years Selected local area
contour_XXX Alphanumeric String 1 month Form submissions
pagesRatedCookie Alphanumeric String 1 month Page ratings
yourAuthCookie Alphanumeric String Session Scheme locator search
yourAuthCookie Alphanumeric String Session Protected area

Third party cookies

We sometimes embed video content and photos from websites such as YouTube and Flickr. Pages with this embedded content may present cookies from these websites. Similarly, when you use one of the share buttons on our website, a cookie may be set by the service you have chosen to share content through. You should check the relevant third party website for more information about these cookies.

We sometimes use third party services to provide additional features such as social sharing options which may present cookies. You can use the YourOnlineChoiceswebsite to manage how your data is shared with the following third parties that we use:

Accepting cookies

For this site to function properly you will need to accept cookies. Please bear in mind that if you do not accept cookies, certain personalised features of this website cannot be provided to you.

Orbit Privacy Policy for use of ‘Microsoft Teams’

Introduction

Orbit provides staff with access to ‘Microsoft Teams’ software (MS Teams), to enable video calls, video meetings, chat and collaboration while working remotely from other colleagues. MS Teams will only be used when it is the most appropriate method of communication, not for all communication. When it is appropriate to use video calling, MS Teams will be used rather than any other software options.

The use of MS Teams involves collecting and processing information (‘personal data’) about the users. That data is kept secure, but users should be aware that it is stored and can be accessed by those with system administration rights.

This Privacy Policy explains how personal data is collected, processed and stored when MS Teams is used, who processes that data, and what rights you have when your data is processed in MS Teams, including amongst others, the right to access your data, and to object to the way it is processed in some circumstances.

Summary

Orbit Group Ltd are the ‘controllers’ of the personal data collected about users of MS Teams on the Orbit network. People whose personal data is processed are referred to as ‘data subjects’ and the word ‘process’ covers everything that can be done with personal data, including collection, storage, use, sharing and deletion. Microsoft operates MS Teams and are the ‘processors’ of the personal data in MS Teams, on behalf of Orbit. In this Policy ‘we’ refers to Orbit.

If you have any queries that this Policy does not provide the answer to, about Orbit’s use of MS Teams and the processing of your personal data, please contact InformationGovernance@orbit.org.uk

Why? Your data is processed via MS Teams is so that we can provide effective work-related communication, while colleagues are working remotely from each other and other contacts. This is on the legal basis of Orbit’s legitimate business interests to ensure we can continue to work and provide our services to the best of our ability, wherever colleagues are working from. Where necessary, MS Teams personal data will also be processed for the purposes of staff performance management, on the legal basis that it is necessary for the management of employment contracts.

What? Through the use of MS Teams, the personal data that will be processed includes your work-related contact details, and information you share in chat messages or in a video call/meeting that is recorded. The use of cameras will not always be appropriate and recording of video calls/meetings will be by exception only, and users should always be made aware when a video is being recorded.

How? Your data is processed by Microsoft, who keep it secure and store it in the EU. It can be accessed only by Orbit colleagues with system administration rights, who will share it only with authorised staff, for legitimate business needs including performance management. Data will be kept in line with the Data Storage & Retention section below, and we will support you to exercise your rights over your personal data. Please see the section on Your Rights below.

Your Data and why we process it

Purpose of Processing

Legal Basis

Your work contact details are used to provide you with a log in to MS Teams, so you can use it to contact colleagues and other contacts, and so you can be contacted by colleagues, so we can communicate while working remotely. This is necessary for the legitimate interests of Orbit to operate our business and provide our services effectively even when working remotely. This is not considered to adversely affect the rights and interests of users as contact details are intended to be used for this purpose.
MS Teams has the ability to allow video calls and meetings, using your device’s camera, to allow ‘face to face’ meetings while working remotely. We recognise that it is not always appropriate, nor is it usually necessary, to use the camera for calls/meetings, so this will be optional in most cases. When the camera is used, it will be on the basis of being necessary for the legitimate interests of Orbit to enhance communication and collaboration, only where it does not adversely affect the rights and interests of users to not be on camera. There may be exceptional circumstances where it is required that video is used, such as during disciplinary procedures, or senior level meetings, but these should be assessed on a case by case basis to establish the need and the appropriate legal basis.
MS Teams video calls and meetings can be recorded by the host, to be referred back to where necessary. This should only be done where it would not be unusual for the equivalent meeting to be recorded if carried out in person. Recording of Orbit colleagues will only be done by exception, where it is necessary for the legitimate business interests of Orbit, and only with the full awareness of all participants, and allowing them the option to not be recorded.
One example where internal calls/meetings could be recorded is training sessions, so they can be accessed at a later time for those who could not attend live, or for a refresher.
If recording calls or meetings with external attendees (i.e. non-Orbit colleagues), which should be rare, this will be on the basis of consent being sought and there should be an audit trail of the consent, in the form of an email before recording begins.
By default, chat messages are stored by the system. Chat is another communication method for colleagues and contacts to use, where appropriate, to keep in touch without filling up email inboxes. It can be used more informally than email, but it should always be used in a professional and polite manner. It is optional for users to use chat, and where it is used, it is on the basis of the legitimate business interests of Orbit to provide efficient communication between colleagues, only where it does not adversely affect the rights and interests of the users.

Data Storage and Retention

Orbit’s tenant is provisioned in the United Kingdom and therefore makes use of both the Cardiff and London datacentres. Furthermore, Microsoft stores the following customer data at rest only within that location:

  • Teams chats, team and channel conversations, images, voicemail messages, and contacts
  • SharePoint Online site content and the files stored within that site
  • Files uploaded to OneDrive for Business

Below is a table to indicate how data is stored:

Entity Storage Further Information
Files

Files shared within a Team: SharePoint

Files shared within a private chat: OneDrive

Files (including OneNote and Wiki) that somebody shares in a channel are stored in the team’s SharePoint site. Files shared in a private chat or a chat during a meeting or call are uploaded and stored in the OneDrive for the Business account of the user who shares the file
Meeting Recording

Microsoft Stream

When a meeting recording starts, Teams shows a notification to all participants on the Teams desktop, web, and mobile apps, as well as to people who joined via phone. Guests or federated users cannot record meetings or calls.
Voicemail and Contacts

Voicemails are stored in Exchange.

Contacts are stored in Exchange-based cloud data store.

Voicemails are stored in Exchange. Contacts are stored in Exchange-based cloud data store. Exchange and the Exchange-based cloud store already provide data residency in each of the worldwide datacentre geos. For all teams, voicemail and contacts are stored in-country for Australia, Canada, France, Germany, India, Japan, the United Arab Emirates, the United Kingdom, South Africa, South Korea, Switzerland (includes Liechtenstein), and the United States.
Chats, Channel Messages and Team Structures

Hidden folder within the user’s mailbox.

Every team in Teams is backed by a Microsoft 365 Group and its SharePoint site and Exchange mailbox. Private chats (including group chats), messages sent as part of a conversation in a channel, and the structure of teams and channels are stored in a chat service running in Azure. The data is also stored in a hidden folder in the user and group mailboxes to enable Information Protection features.
Images and Media

Stored in a separate media store on Azure

Media used in chats (except for Giphy GIFs which aren't stored but are a reference link to the original Giphy service URL, Giphy is a non-Microsoft service) is stored in an Azure-based media service that is deployed to the same locations as the chat service.

Your Rights

As a data subject, you have rights in relation to your personal data, which are explained in more detail in the main Privacy Notice:

  • To be informed about how your data is handled;
  • To gain access to your personal data;
  • To have errors or inaccuracies in your data changed;
  • To have your personal data erased, in limited circumstances;
  • To object to the processing of your personal data for marketing purposes or when the processing is based on the public interest or other legitimate interests;
  • To restrict the processing of your personal data, in limited circumstances;
  • To obtain a copy of some of your data in a commonly used electronic form, in limited circumstances;
  • Rights around how you are affected by any profiling or automated decisions.

If you wish to exercise any of these rights, please contact: informationgovernance@orbit.org.uk

For more information about these rights, please

  • refer to the ICO’s website https://ico.org.uk/ or
  • contact our Data Protection Officer (DPO) at Garden Court, Harry Weston Road, Binley Business Park, Binley, Coventry, CV3 2SU or by email : informationgovernance@orbit.org.uk

Withdrawing consent

If we are relying on your consent to process your data, you may withdraw your consent at any time by contacting us.

Complaints to the Information Commissioner

You have a right to complain to the Information Commissioner's Office (ICO) about the way in which we process your personal data. You can make a complaint on the ICO’s website https://ico.org.uk/