Helen Raftery: How data protection law can prevent harm in the housing sector
Helen Raftery, head of data protection complaints at the Information Comissioner’s Office (ICO), discusses the importance of data protection in the housing sector, highlighting common issues like inappropriate data disclosures and failures in record-keeping, and offers guidance to housing organisations for lawfully managing and sharing residents’ personal data.
Housing organisations require personal data to provide services and support to their residents – this could be anything from contact details to medical records. Anyone who processes personal data has a responsibility to protect it under data protection law. Failure to do so in this sector can put residents at risk, which could have serious consequences such as distress, discrimination, identity theft, or physical harm.
We have received a number of complaints from residents who have been failed by poor data protection practices from their housing association, company or landlord - whether that’s inaccurate record-keeping, leading to anxiety, or necessary repairs being refused due to a misunderstanding about data sharing. Poor data protection practices are also more likely to harm residents who require extra support from their housing associations, due to factors such as language barriers, health or history as a victim of domestic abuse.
Our complaints data suggests that there is a lack of understanding about data protection law by some organisations in the UK housing sector. Additionally, the recent report from the Housing Ombudsman Service (HOS) into Rochdale Boroughwide Housing also identified record-keeping and data accuracy as key areas for improvement.
We want to remind housing organisations of their obligations under data protection law and bust some data sharing myths that might mistakenly prevent an organisation from safeguarding its residents. By highlighting common issues and how these could be prevented through case studies, we want to help housing organisations to understand how they can improve their own practices.
Common issues in the housing sector
Inappropriate disclosures of personal data
Personal data must only be disclosed when it is necessary and appropriate. Mr A raised a complaint with his housing association regarding a neighbour. The housing association shared information relating to Mr A’s health with a legal advisor who was considering the merit of the complaint. The housing association did not consider whether there was a good reason, or lawful basis, for sharing the data. When Mr A complained to the ICO, we determined that it was not necessary for the housing association to disclose his health information in order to assess the complaint.
The housing association issued guidance to all staff and contacted Mr A to resolve the matter. However, Mr A was so distressed by the experience that he felt he could no longer trust the housing association and had to seek accommodation elsewhere. If the housing association had already had appropriate staff training in place this situation could have been prevented - for example, staff could have considered this checklist to determine whether sharing this data was justified.
Data protection law as a framework for responsible sharing
Data protection law provides a framework for making decisions about sharing data appropriately; it is not a barrier to sharing information to support residents when this is needed. Ms B made a request to her housing association for factual information relating to a repair, following a leak in a neighbouring flat. The request was refused, with staff citing data protection law, and Ms B was unable to carry out the repairs to her property in a timely manner which resulted in additional damage and expense. However, this information should have been provided as Ms B did not request any personal data, only information that would allow her to plan her own repairs. This situation could have been prevented by a better understanding of personal data – we have resources to help you understand what constitutes personal data. Remember that personal data can be shared if necessary and we also provide resources to help organisations make the right decision, including this checklist.
Failure to keep accurate records
Good records management can help to avoid issues for both your organisation and your residents. Ms C reported damp and mould in her property which was damaging her personal belongings. The landlord stated it would investigate but did not do so within the agreed timeframe and did not respond to or keep a record of Ms C’s additional complaints. Investigations were done eventually but no outcome was communicated to Ms C and her request to be compensated for her ruined belongings was also ignored. In this case, the HOS ordered the landlord to pay compensation to Ms C.
To help you to feel confident that you can process and share residents’ personal information lawfully, we have set out some practical steps:
- Prioritise staff training. You must ensure that all staff are properly trained so that they are aware of their organisation’s data protection obligations. You must also ensure that all staff are aware of internal processes for handling any queries about personal data. This will ensure that residents can trust that their data is managed appropriately and support you to handle issues in a timely manner.
- Practice good records management. Keeping an accurate record of contact with residents will help you to address issues and provide an appropriate level of service to those residents that may require additional support. Remember that residents can also make a subject access request for the information you hold about them and accurate records will make it easier to do this.
- Be open about what you do with your residents’ personal data. Residents should be informed about what information about them is being collected and understand the purposes for which this might be used. Our guidance on transparency can help to achieve this.
- Appoint a Data Protection Officer if required. You must have a Data Protection Officer if you are a public authority under FOI law or process certain types of data. We have guidance on if you need to appoint a DPO.
- Access our data sharing resources. There are situations where it may be necessary to share personal information about residents with third parties and you should have an appropriate system in place. Our data sharing code of practice provides guidance, alongside practical tools, to help organisations be confident they can share data within the law. Our data sharing information hub has many helpful resources including myth-busting facts, case studies, FAQs and checklists.
Helen Raftery is head of data protection complaints at the Information Comissioner’s Office. Names have been anonymised in case studies.