General Data Protection Regulation (GDPR)

Core subject

An Introduction to General Data Protection Regulation, what it means for landlords and the differences between Data Protection and GDPR.

Resources

Introduction

The Ministry of Justice is responsible for data protection and data sharing, both within this country and internationally. The DPA governs how organisations may use the personal information they hold, including how they acquire, store, share and dispose of it. There is a balance to be struck between the benefits of public organisations sharing information and maintaining safeguards and privacy for the individual. The DPA also allows you to find out what information is being held about you.

Everyone also has the right to request information held by public sector organisations on any subject. Unless there is a good reason not to, the organisation must provide it. The FOI ensures this and determines how it is done.

Background to GDPR

Data protection is, literally, the system of legal control exerted over the processing of, and access to, personal information stored in any system of storage. In the UK, until 2018 it was primarily governed by the Data Protection Act 1998 (DPA).

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission have strengthened and unified data protection for all individuals within the European Union (EU).

The GDPR aims to give control back to citizens and residents over their personal data and to simplify the regulatory environment by unifying the regulation within the EU.

The GDPR is EU legislation governing the processing of data which the UK has chosen to keep beyond Brexit.

The Differences between GDPR and Data Protection

The principles which underpin the GDPR are largely the same as the DPA. If you are complying with existing regulations, you are unlikely to have to make fundamental changes to your processes.

However, the GDPR requires businesses to formalise certain processes and to pay more attention to the policies of third-parties employed as part of their lettings business such as agents, contractors, and referencing agencies.

For the majority of landlords, the main noticeable difference will be a tightening of existing rules concerning the way they operate as data controllers, and a greater responsibility for the actions and policies of data processors employed on their behalf.

There is also likely to be a step-change in the level of enforcement activity and sanctions applied in the event of a breach.

Agent’s Responsibilities with Personal Data

If you take any personal information from a tenant, you probably need to register as a “data controller” with the Information Commissioner’s Office, ICO.

You can request to see a tenant’s ID and any “reasonable amount” of personal information, and it’s OK to store paper copies of this information too, as long as you keep them secure.

Deciding what data is held and how it is processed means you are a data controller. If you just process data and don’t make the decisions, you will be a data processor. Agents will obviously be data controllers (they will decide to contact the tenant about rent arrears and process data by emailing or phoning the tenant). On other occasions the agent may only act as the data processor, for example where the landlord asks the agent to send the details to the solicitor for court action.

Landlords will also be data controllers as they will possibly hold tenant data, on tenancy agreements for example. However, even a landlord who holds no data is likely to be a controller, as they can decide what to do with the data the agent holds.

Those holding data are required to ensure the data is secure. This means it is not stolen, but also means it is not lost. Consider a hard disk crash without a backup. This is losing tenant data and is technically data processing without consent.

What is a Data Controller?

A data controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

This is an important role, and as such means that data controllers are largely responsible for ensuring that a business meets its obligations in respect of data protection legislation.

In the context of being an agent, this means that you are responsible for making sure that any information you hold about your landlords and tenants is kept safe and secure – and is only used and held for purposes which you have a legal right to carry out.

As a data controller you are responsible for determining:

  • What personal data you need to collect,
  • Your legal basis for collecting it,
  • How you will use the data,
  • How long you need, and are allowed, to keep the data,
  • Whether you need to pass the information on to a data processor; and
  • If any third party processors have a proper data handling process in place.

When selecting third party companies with which to do business (contractors, agents, referencing companies etc.) it is crucial to understand how they will manage any of your tenants’ data provided in order for them to carry out relevant activity on your behalf.

As a data controller it is your responsibility to ensure that any data processor working on your behalf complies with their responsibilities under GDPR.

You should always ask for a copy of any contractor’s data management and/or privacy policy before engaging their services. In respect of existing relationships you should check with current contractors and discuss their plans to ensure compliance.

What are the Lawful Bases for processing data?

As a data controller, it is every agent’s responsibility to ensure that a legal basis for processing a subject’s data exists and is documented.

There are six lawful bases for processing personal data. Selecting the most appropriate will depend on the relationship between the data controller and subject – in this case the agent, landlord and tenant.

The basis upon which data processing will be based should be determined and documented, and this should be made clear to your tenants – ideally as part of a privacy or fair processing notice. There is no definitive ‘right’ answer to which basis should be relied upon, as this will depend on the specific circumstances. However, some are more likely to be considered appropriate than others.

The six bases are:

Consent

As you would expect, consent requires that the data subject freely provides permission for you to process their data.

Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. However, if this is not the case consent is unlikely to be appropriate.

If you make consent a precondition of a service, i.e. a tenancy will only be granted if consent is granted, it is unlikely to be the most appropriate lawful basis.

Consent should only be relied on if no other basis for processing can be found. Remember that if processing is based on consent, the data subject can withdraw that consent at any time.

Contract

Contract is a valid lawful basis if you have a contract with the data subject and you need to process their data in order to comply with your obligations as part of that contract.

It is also valid prior to establishing a contract, but where it is necessary to process data in order to reach an agreement – for instance when referencing a tenant.

Processing the tenant’s data to arrange a periodic visit would fall into the category of contractual fulfilment. In order to fulfil the tenancy agreement it is necessary to process their data. This basis of processing will cover a large amount of the work agents do.

Legal obligation

Legal obligation is relatively straightforward: it applies where data processing is required in order to comply with a legal requirement. For instance, an agent in England must process certain immigration information in order to comply with Right to Rent.

Vital interest

Vital interest is likely to apply if the processing of data is necessary in order to protect the essential interests of the individual, for instance in the context of providing medical assistance. This is unlikely to be relevant to most agents.

Public task

Public task is limited to public authorities carrying out data processing as part of the performance of their duties when exercising official authority. Again, public task is unlikely to be relevant for most landlord and tenant matters.

Legitimate interest

Legitimate interest is a valid lawful basis for the processing of data where it is necessary for the purposes of the legitimate interests pursued by the data controller. It is similar in concept to having a contractual basis for data processing, but may potentially cover additional activity provided it is made clear from the outset.

Legitimate interest also requires that certain ‘tests’ are met. The ICO categorises these as:

  • the ‘purpose test’ – are you pursuing a legitimate business interest?
  • the ‘necessity test’ – could you carry out your business without the data?
  • the ‘balancing test’ – can you balance your need with the rights and freedoms of the individual?

These tests should establish that the processing is carried out for a legitimate reason, is necessary, and balances the needs of the data controller against the interests of the individual.

The ICO suggests that to rely on legitimate business interest, you should complete the following checklist:

☐ We have checked that legitimate interests is the most appropriate basis.

☐ We understand our responsibility to protect the individual’s interests.

☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.

☐ We have identified the relevant legitimate interests.

☐ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.

☐ We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.

☐ We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.

☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.

☐ If we process children’s data, we take extra care to make sure we protect their interests.

☐ We have considered safeguards to reduce the impact where possible.

☐ We have considered whether we can offer an opt out.

☐ If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a Data Protection Impact Assessment (DPIA).

☐ We keep our LIA under review, and repeat it if circumstances change.

☐ We include information about our legitimate interests in our privacy information.

In many cases agents may have the option to rely on more than one legal justification for processing data, as some data must be collected to comply with statute, some is essential to the performance of the tenancy agreement, and they have a legitimate interest in processing data which is in balance with their tenants’ interests and privacy. Agents may even have more than one lawful basis of processing for the same piece of data. For example, the tenant’s phone number might be used for contractual fulfilment processing (periodic visits) but also for legal obligations (gas safety checks).

In most instances an agent letting and managing residential property will have a legitimate interest to process the personal information of his or her tenants.

Working with Data

When collecting new data.

It is inevitable that landlords will collect new personal data from time to time: when dealing with new tenants, establishing tenancies, or even just updating existing contact details. As such it is essential that you determine the legal basis to collect and process their personal data. This justification must be explained clearly and must be documented.

When obtaining personal information you should provide the following information:

  • Your name, company name, and the name of any third-parties who may be required to carry out relevant work on your behalf,
  • The purpose for collecting the data and the legal basis,
  • What it will be used for, how you collect it, where it is stored, and who it will be shared with,
  • How any relevant consent for it to be processed by you or any third-party processors may be withdrawn,
  • Contact details for the Information Commissioner’s Office.

The most straightforward way to do this is by adopting a standard privacy policy, illustrated by a privacy or fair processing notice.

With existing data.

The principles underlying your approach to new data must also be applied to all of the data you already hold.

In order to get ready for the implementation of GDPR landlords should audit all of the personal data they hold, with a view to ascertaining:

  • What personal data is being held,
  • Is it accurate,
  • Where it originated,
  • When collected did you determine a legal basis for its processing,
  • Do you still need it; and
  • How would you securely delete it?

Crucially, having answered the above points, it is essential to have an appropriate and documented legal basis to hold and use any personal data.

If you plan to rely on consent but do not have, or are unable to demonstrate that you have, appropriate consent, you need to obtain it.

At this point treat the data subjects as if you were dealing with them for the first time and issue them a copy of your privacy policy, explaining why you need their data, how it will be used and stored, and how they may rescind their consent for processing (if it is relied upon).

Sanctions for non-compliance.

Sanctions for non-compliance with Data Protection under GDPR vary depending on the type of contravention, but fines are permitted equivalent to up to €20,000,000 (or 4 per cent of worldwide turnover, whichever is greater).

Whilst the majority of private landlords are highly unlikely to receive multi-million Euro fines, a ‘proportionate’ financial sanction may be a possibility.

Perhaps of more pressing importance for landlords is the possibility of action taken by tenants who believe that their personal data has not been properly managed.

In addition to the administrative fines imposed by supervisory authorities, the GDPR imbues citizens with additional rights concerning their data. As a result a tenant may sue their landlord for compensation if they believe the GDPR has not been adhered to.

Landlords could therefore face being ordered to pay compensation for damages arising from the harm caused by a ‘data breach’ – or failure to conform to the requirements of GDPR – in addition to the possibility of administrative fines. The level of any such compensation would be dependent on the harm judged to have befallen the data subject.

It is also important to note that the GDPR introduces an enhanced duty to report data breaches to the Information Commissioner’s Office (ICO). Failure to report a breach which is later discovered to have occurred could result in an additional fine – beyond any sanctions related to the breach itself.

Freedom of Information

The FOI gives anyone the right to ask any public body for all the information they have on any subject. There are no restrictions on who can make a request. Unless there’s a good reason, the organisation must provide the information within a month. You can also ask for all the personal information they hold on you, although this may be dealt with under the DPA.

In practice it doesn’t really make any difference for you which act is used.

You can ask for any information at all – but some information might be withheld to protect various interests which are allowed for by the Act. If this is the case, the public authority must tell you why they have withheld information.

Scotland has its own Freedom of Information Act, which is very similar to the England, Wales and Northern Ireland Act. If the public authority you want to make a request to operates only in Scotland then your request will be handled under the Scottish Act instead.

Public sector bodies covered by the Act include:

  • government departments and local assemblies
  • local authorities and councils
  • health trusts, hospitals and doctors’ surgeries
  • schools, colleges and universities
  • publicly funded museums
  • the police
  • lots of other non-departmental public bodies, committees and advisory bodies

To make a request, you just have to write to (or email) the public authority that you think holds the information you want. You should make sure that you include:

  • your name
  • an address where you can be contacted
  • a description of the information that you want

You don’t have to mention the Freedom of Information Act, but there is no reason not to if you want to. You should try to describe the information you want in as much detail as possible: for example, say ‘minutes of the meeting where the decision to do X was made’, rather than ‘everything you have about X’. This will help the public authority find the information you need.

All public authorities must manage their information in accordance with a publication scheme which describes the ‘classes’ or ‘kinds’ of information held (such as minutes or reports). It is worth bearing this in mind when you make your request.

Public authorities must comply with your request promptly, and should provide the information to you within 20 working days (around a month). If they need more time, they must write and tell you when they will answer, and why they need more time.

Most requests are free. You might be asked to pay a small amount for making photocopies or postage.

If the public authority thinks that it will cost them more than £450 (or £600 for a request to central government) to find the information and prepare it for release, then they can turn down your request. They might ask you to narrow down your request by being more specific in the information you’re looking for.

In addition to the rights mentioned above, if you request information about the environment it cannot be refused just because of what it would cost the public authority to comply. This includes information about the air and atmosphere, water, soil, land, landscape, substances, energy, noise, radiation or waste, emissions, discharges and so on, as well as information about policies which affect these things.

How you receive the information, your right of appeal and how the Information Commissioner handles your case if you are dissatisfied are all laid down. Further details can be found on the websites listed in the Additional Resources section.

Continued Professional Development