Navigating Data Protection Compliance for the Housing Sector
Housing Organisations and Registered Providers have always been significantly exposed to the processing of personal data, both as part of:
- Core business; when considering the tenancy lifecycle, on-going activities such as managing anti-social behaviour (ASB), running Tenant Resident Associations, administering repairs and responding to complaints/queries; and
- Day to day operations; through the employee lifecycle, including recruitment and on-going employee management.
The article outlined several common themes in complaints from residents who have been failed by poor data protection practices from their housing association, company or landlord, with complaints relating to:
- Lack of understanding of data protection law;
- Poor record-keeping, and necessary repairs being refused due to a misunderstanding about data sharing;
- Inappropriate disclosures of personal data; and
- Issues with data accuracy.
- Defining and documenting data processing activities, in keeping with Article 30 of the UK GDPR, and ensuring that this record remains up to date on an on-going basis
- Data retention and deletion: defining and operationalising retention periods, in keeping with the storage limitation principle, on an on-going basis
- Oversight of third-party data sharing, including exposure to any international transfers of personal data, and ensuring that the relevant contract and data processing provisions are in place
- Managing data subject rights requests, which can be time consuming for larger registered providers, which typically receive a higher number of requests
Strategy, Leadership and Governance
What is the tone at the top? Is compliance with data protection requirements an area of focus/prioritisation for senior leadership? Is the data protection compliance function appropriately resourced? Lack of investment in time and resources is a common root cause for organisations struggling to embed data protection compliance into business as usual.
Third party assurance - do you have oversight of your third-party data sharing exposures?
Housing organisations invariably share personal data with third parties. UK Data Protection legislation requires organisations to have complete oversight of third-party data processor and joint controller relationships, to ensure that contracts are in place which include the relevant data processing provisions, and to ensure oversight of international transfers of personal data (outside of the UK and/or EEA), where additional safeguards must be considered.
People
Do the individuals assigned with responsibility for data protection compliance have the appropriate skills? It is common for the role of data protection compliance to be ‘tagged on’ to an existing role, even if the assigned individual does not have the time, resource or experience required.
Awareness – are employees familiar with the process in the event of a data breach or data subject rights request, where strict time limits apply?
Employee awareness was specifically cited in the recent ICO article, highlighting the need for employees to receive data protection training on an on-going basis, to maintain knowledge of key data protection processes to ultimately ensure that residents are able to trust that their personal data is being managed appropriately.
Process
Are internal data breach reporting processes robust? UK Data Protection legislation requires organisations to report certain types of data breach to the ICO within 72 hours of discovery, and in some instances the affected individuals must also be notified, without undue delay.
Are data subject rights processes robust?
Larger Housing organisations typically receive a higher number of subject access requests, which can be time and resource intensive to process, especially for organisations which are reliant on manual tools and systems. This means that the one-calendar month time limit for processing requests can be a challenge, so robust processes need to be in place.
Technology
How robust is your retention policy? Is personal data retained for longer than reasonably required, thus increasing your exposure in the event of a data breach?
Do you have technical and organisational security measures in place?
In an evolving technological landscape, information security is likely to be a key organisational priority to reduce the risk and impact of a cyber-attack. Are IT security defences regularly tested, and do you have processes in place in the event of a cyber-security incident?
Looking forward
The ICO recently set out the key priority areas for 2024, which are:
- Children’s data – there is a recognition that children are the most vulnerable in our society, and their personal data warrants a higher degree of protection.
- Advertising Technologies – Housing Associations and Registered Providers should be aware that the ICO is focusing on website cookie compliance, with the principle that cookies should be ‘as easy to accept as they are to reject.’ Following a recent hackathon, the ICO is looking to monitor and regulate cookie compliance at scale.
- Artificial Intelligence (AI) – given the transformative power of AI, the ICO is focusing on ensuring that AI technologies are implemented in a way that complies with the principles of the UK GDPR.
Next steps
The themes highlighted in this article are based on our experience of working within the Housing sector, recent changes in the UK Data Protection landscape and further analysis of recent ICO publications. For further information, or if you have any questions, please reach out to Christopher Beveridge, Managing Director of Privacy and Data Protection, or Louise Sadler, Senior Manager, Privacy and Data Protection.

1. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/12/how-data-protection-law-can-prevent-harm-in-the-housing-sector/