Information Commissioner's Office
How data protection law can prevent harm in the housing sector
Blog posted by: Helen Raftery, Head of Data Protection Complaints, 05 December 2023.
Housing organisations require personal data to provide services and support to their residents – this could be anything from contact details to medical records. Anyone who processes personal data has a responsibility to protect it under data protection law. Failure to do so in this sector can put residents at risk, which could have serious consequences such as distress, discrimination, identity theft, or physical harm.
We have received a number of complaints from residents who have been failed by poor data protection practices from their housing association, company or landlord - whether that’s inaccurate record-keeping, leading to anxiety, or necessary repairs being refused due to a misunderstanding about data sharing. Poor data protection practices are also more likely to harm residents who require extra support from their housing associations, due to factors such as language barriers, health or history as a victim of domestic abuse.
Our complaints data suggests that there is a lack of understanding about data protection law by some organisations in the UK housing sector. Additionally, the recent report from the Housing Ombudsman Service (HOS) into Rochdale Boroughwide Housing also identified record-keeping and data accuracy as key areas for improvement.
We want to remind housing organisations of their obligations under data protection law and bust some data sharing myths that might mistakenly prevent an organisation from safeguarding its residents. By highlighting common issues and how these could be prevented through case studies, we want to help housing organisations to understand how they can improve their own practices.
Common issues in the housing sector
Inappropriate disclosures of personal data
Personal data must only be disclosed when it is necessary and appropriate. Mr A* raised a complaint with his housing association regarding a neighbour. The housing association shared information relating to Mr A’s health with a legal advisor who was considering the merit of the complaint. The housing association did not consider whether there was a good reason, or lawful basis, for sharing the data. When Mr A complained to the ICO, we determined that it was not necessary for the housing association to disclose his health information in order to assess the complaint.
The housing association issued guidance to all staff and contacted Mr A to resolve the matter. However, Mr A was so distressed by the experience that he felt he could no longer trust the housing association and had to seek accommodation elsewhere. If the housing association had already had appropriate staff training in place this situation could have been prevented - for example, staff could have considered this checklist to determine whether sharing this data was justified.
Data protection law as a framework for responsible sharing
Data protection law provides a framework for making decisions about sharing data appropriately; it is not a barrier to sharing information to support residents when this is needed. Ms B* made a request to her housing association for factual information relating to a repair, following a leak in a neighbouring flat. The request was refused, with staff citing data protection law, and Ms B was unable to carry out the repairs to her property in a timely manner which resulted in additional damage and expense. However, this information should have been provided as Ms B did not request any personal data, only information that would allow her to plan her own repairs. This situation could have been prevented by a better understanding of personal data – we have resources to help you understand what constitutes personal data. Remember that personal data can be shared if necessary and we also provide resources to help organisations make the right decision, including this checklist.
Failure to keep accurate records
Good records management can help to avoid issues for both your organisation and your residents. Ms C* reported damp and mould in her property which was damaging her personal belongings. The landlord stated it would investigate but did not do so within the agreed timeframe and did not respond to or keep a record of Ms C’s additional complaints. Investigations were done eventually but no outcome was communicated to Ms C and her request to be compensated for her ruined belongings was also ignored. In this case, the HOS ordered the landlord to pay compensation to Ms C.
To help you to feel confident that you can process and share residents’ personal information lawfully, we have set out some practical steps:
- Prioritise staff training. You must ensure that all staff are properly trained so that they are aware of their organisation’s data protection obligations. You must also ensure that all staff are aware of internal processes for handling any queries about personal data. This will ensure that residents can trust that their data is managed appropriately and support you to handle issues in a timely manner.
- Practice good records management. Keeping an accurate record of contact with residents will help you to address issues and provide an appropriate level of service to those residents that may require additional support. Remember that residents can also make a subject access request for the information you hold about them and accurate records will make it easier to do this.
- Be open about what you do with your residents’ personal data. Residents should be informed about what information about them is being collected and understand the purposes for which this might be used. Our guidance on transparency can help to achieve this.
- Appoint a Data Protection Officer if required. You must have a Data Protection Officer if you are a public authority under FOI law or process certain types of data. We have guidance on if you need to appoint a DPO.
- Access our data sharing resources. There are situations where it may be necessary to share personal information about residents with third parties and you should have an appropriate system in place. Our data sharing code of practice provides guidance, alongside practical tools, to help organisations be confident they can share data within the law. Our data sharing information hub has many helpful resources including myth-busting facts, case studies, FAQs and checklists.
The ICO is here to help both housing organisations and residents
Any housing organisation that needs help to process or share personal information can find further guidance on our website or contact us for advice. Our regional offices can be contacted at firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org. We are also here to support the public and ensure their data protection rights are respected. If anyone is concerned about how their data is being handled by an organisation, they can make a complaint to us here.
* names have been anonymised in case studies.
Latest News from
Information Commissioner's Office
Information Commissioner’s Office tells platforms to respect information rights when moderating online content16/02/2024 12:25:00
The Information Commissioner’s Office (ICO) is working to support people's information rights online by ensuring organisations understand their data protection obligations when seeking to make their platforms safer.
Practical tips for small beauty and wellbeing businesses this Valentine’s Day14/02/2024 13:15:00
Show your customers you care – about their information rights – this Valentine’s Day.
ICO approves legal services certification scheme14/02/2024 10:20:00
The Information Commissioner’s Office (ICO) has approved a certification scheme aimed at legal service providers who process personal data.
ICO responds to Home Office’s draft regulations to the immigration exemption13/02/2024 10:25:00
The Information Commissioner's Office has welcomed proposed government changes to provide clearer safeguards around how people in a potentially vulnerable position within the immigration system are able to access the information held about them.
ICO urges all app developers to prioritise privacy09/02/2024 10:15:00
The Information Commissioner’s Office (ICO) is reminding all app developers to ensure they protect users’ privacy, following the regulator’s review of period and fertility apps.
ICO warns organisations to proactively make advertising cookies compliant after positive response to November call to action31/01/2024 15:20:00
Last November we wrote to 53 of the UK’s top 100 websites, warning that they faced enforcement action if they did not make changes to advertising cookies to comply with data protection law.
New ICO campaign promotes sharing data to safeguard children30/01/2024 09:10:00
The Information Commissioner’s Office is partnering with education, law enforcement and social service organisations to raise awareness about responsible data sharing to protect children from harm.
South Tees Hospitals NHS Foundation Trust reprimanded for “serious, harmful” data breach25/01/2024 16:20:00
The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to a unauthorised family member.
ICO fines financial services company £50k for spam text messages19/01/2024 14:10:00
Financial services company LADH Limited has been fined £50,000 by the Information Commissioner’s Office (ICO) for sending tens of thousands of spam text messages, in breach of Privacy and Electronic Communications Regulations (PECR).