Landlord's guide to Data Protection Legislation
The General Data Protection Regulation (GDPR) comes into force in May 2018. It imposes a new EU-wide system of regulating data protection, and the UK Government has made it clear that, despite Brexit, the UK will be adopting the Regulation so that it remains in force even after we leave the EU.
The GDPR strengthens existing UK Data Protection Legislation and builds on it. In particular, it makes significant changes around obtaining consent to process data and sets more stringent requirements for privacy notices. More stringent record keeping will be needed. The need to register with/notify the Information Commissioner that you are processing personal data will, however, disappear. Higher penalties are imposed for non-compliance.
As May of next year approaches, we will keep members updated on the changes. There is nothing to stop you implementing the changes now. This Guidance sets out the current position, but you need to be aware that major changes are pending.
Landlords need to be aware of their responsibilities in relation to data protection. This involves safeguarding tenants' data, making sure that you only pass it on if you are legally entitled to do so, and not retaining it for longer than necessary. There are, however, circumstances where you can legitimately pass data on, and on occasion you may be compelled to do so because of a legal obligation. It may well be necessary to give your tenants a privacy notice telling them what is done with the data which you hold and how you could use it.
Landlords should notify (register with) the Information Commissioner's Office if they are holding/processing data - see below under Notification and Exemption from Notification.
Landlords should provide their tenants with a privacy notice explaining how they process/use data which they collect on their tenants - see below under privacy notices.
What is personal data?
Under data protection legislation "personal data" is protected, and the definition is very broad. The first question is whether a living individual can be identified from the data you hold, either on its own or when it is looked at in conjunction with other data. If the information you hold "relates" to an identifiable living individual it will be personal data where it is relevant to the personal or family life, business or profession of the individual in question. More information is given below under Personal Data.
Common situations affecting landlords
The Information Commissioner's Office (responsible for the regulation of data protection) has published advice on housing for landlords and tenants. This gives information regarding common situations. In some of these it is permissible to part with data but you have to tell the tenant that you are doing so. This can be done by a privacy statement or in some other way, e.g. it could be included in the tenancy agreement.
Scope of Data Protection Legislation and definitions
Data Protection Legislation (the Data Protection Act, referred to here as the DPA) applies to the 'processing' of 'personal data', both of which terms are very widely defined. Processing includes simply holding data. This means that practically any business, such as a landlord or a letting or managing agent operating in the UK, which holds information about individuals (whether tenants, prospective tenants, employees, customers or anyone else) is affected by the DPA. Since breaches of data protection law can result in criminal prosecution as well as civil liability (not to mention adverse publicity, which is increasingly the likely result of non-compliance), no organisation can afford to ignore its data protection obligations. This is not always easy given the complexity of the DPA and the number of obligations it imposes on those who process or hold personal data.
The key definitions contained in the DPA are summarised below.
All of the obligations under the DPA fall on the data controller. This is defined as the person who determines the purposes for which, and the manner in which, any personal data is, or is to be, processed. For example, a landlord will be the controller of the data processed relating to his/her tenants; a letting/managing agent will usually be a data controller as well. Someone may still be a data controller even if the information concerned is held by a third party (for example, where payroll administration or record keeping is outsourced to a third party).
The DPA applies only to personal data. This is very widely defined - see above under what is “personal data”. Data is defined as information which is being processed by means of equipment that operates automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment. The DPA therefore applies to automated data, such as that stored on a computer. It also extends to certain manual records if kept in an organised form.
Personal data is data relating to living individuals who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Personal data includes, for example:
- Telephone numbers
- Job titles
- Dates of birth
- Records of rent payments
- Credit searches
- Utility Bills
- Bank Statements
- National Insurance Number
The information does not have to be confidential. A simple list of tenants on a computer will constitute personal data under the DPA. Even a number, such as a telephone extension number, may qualify as personal data when an individual can be identified from that number, for example, where that number may be linked to his name in another database.
The definition of personal data also includes expressions of opinion and any indication of the intentions of the data controller or any other person in respect of the individual concerned. Anonymised data will not come within this definition, provided there is no way of linking it back to an identifiable living individual.
The person to whom the data relates is called the data subject.
Latest guidance from the Information Commissioner on personal data
In August 2007, the Commissioner (ICO) issued a technical guidance note on what constitutes personal data for the purposes of the DPA. According to the guidance, information is only likely to constitute personal data under the DPA if:
- A living individual can be identified either from the information alone, or with other information which is in the possession of the data controller, or is likely to come into its possession. In cases where it is not immediately obvious whether a person can be identified, the question whether or not the person is nonetheless identifiable will depend on the means the data controller is likely reasonably to use to identify that person.
- The information relates to the person in his/her personal or family life, business or profession. This is the case when it is either obviously about that person or if it is linked to that person so that it provides particular information about him/her.
- The information is used to inform or influence actions or decisions affecting that person.
- The information focuses or concentrates on the individual as its central theme rather than on some other person, or some object, transaction or event.
- The information impacts or has the potential to impact on an individual, whether in a personal, family, business or professional capacity.
The DPA applies only to data which relates to individuals and so will not apply to data relating to companies or other legal entities. However, the processing of, for example, the contact details of individuals within a company may be covered by the DPA.
The DPA imposes additional rules in respect of the processing of 'sensitive personal data'. This includes information about someone’s health.
The DPA imposes obligations on those who process personal data. Processing is broadly defined to include obtaining, recording, holding, using, disclosing or erasing data. In effect, any activity involving personal data will fall within its scope. Just holding it is sufficient.
Notification
Data controllers must notify (register with) the ICO before processing. The information to be provided in the notification includes:
- The data controller's name and address.
- A description of the personal data being or to be processed by or on behalf of the data controller, and a description of the category or categories of data subject to which they relate (for example, contact or financial details relating to tenants or prospective tenants).
Failure to notify where required to do so under the DPA is a criminal offence.
Notification is a fairly straightforward process, although it will often require an understanding of the data processing operations carried on by the data controller and of how the Data Protection Act applies to them.
Registration can be effected online in the UK. The appropriate fee must be paid (currently normally £35.00) to the ICO.
Notifications are renewable annually.
Notification is only one of a series of obligations imposed on data controllers under the DPA. This means that data controllers must comply with the remaining obligations of the DPA even if they are exempt from, or have failed to comply with, the notification obligations.
Exemption from notification
You are only exempt from notification if you process data solely for one or more of the following purposes:
- Staff administration (including payroll).
- Advertising, marketing and public relations (for your own business activity).
- Accounts and records.
You are also exempt where you do not use a computer for the processing.
Data protection principles
The DPA applies to many different types of data and a wide range of processing activities, and imposes a range of obligations on data controllers to ensure that data is processed properly. The DPA sets out a number of data protection principles, which require that:
1. Data must be processed fairly and lawfully.
2. Data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes.
3. Data must be adequate, relevant and not excessive in relation to the purposes for which it is processed. In practice, this means that data controllers must keep existing data under review.
4. Data must be accurate and, where necessary, kept up to date. Generally, controllers are required to update all databases unless they constitute a static archive.
5. Data must not be kept for longer than is necessary.
6. Data must be processed in accordance with the rights of data subjects under the DPA.
7. Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of, or destruction or damage to, personal data.
8. Personal data must not be transferred outside the EEA (the European Union and certain other countries such as Norway) unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data.
Some of the most important principles are discussed below:
First data protection principle - fair and lawful processing
The first data protection principle, requiring fair and lawful processing of personal data, is probably the most important of all of the data protection principles. Processing will not be lawful where, for example, the processing relates to information contained in a stolen document. However, the fairness requirement is harder to define. Processing will clearly not be fair where the data subject is misled, and may not be fair where any pressure or inducements are applied when collecting data. Otherwise, the Commissioner has indicated that the first consideration in assessing fairness will be given to the consequences of the processing to the interests of the data subject.
In addition to the general fairness requirement, certain criteria are prescribed under the first principle as a pre-condition to legitimate processing. Most importantly, data will be processed fairly as required by the first principle only if at least one of the following conditions is satisfied:
- The individual has consented to the processing.
- The processing is necessary to perform a contract with the individual, or for taking steps to comply with a request made by the individual with a view to entering into a contract (for example to process a tenancy application).
- The processing is necessary to comply with a legal obligation of the data controller (other than a contractual obligation).
- The processing is necessary to protect the vital interests of the individual (for example, to protect the life of the data subject).
- The processing is necessary for the administration of justice, or for the exercise of any function conferred by statute.
- The processing is necessary for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
Normally the consent condition will be relied on, but consent is not always necessary: the last of the conditions (legitimate interests) may apply, or you may be required to process the data to comply with a contractual or legal requirement. In such a case you can process the data even if you do not hold a consent, e.g. to comply with a court order or a legal obligation.
These criteria relate to the processing of all personal data. Where the controller processes sensitive personal data, additional criteria will also need to be complied with.
Data controllers should also be aware that, even where one or more of these grounds for processing can be satisfied, there is still an obligation to ensure that the processing is otherwise fair.
Fifth data protection principle - retaining data
The fifth data protection principle requires data controllers to put procedures in place to delete data which is no longer required to fulfil the purposes for which it was originally collected (for example, where data is collected for a specific tenancy, once the tenancy has ended you need to consider whether the data should be deleted). The DPA does not set out specified time limits for the retention of data or guidance on the application of this principle, leaving the onus on the data controller to determine what is "necessary" in any particular circumstances. Retaining data once a tenancy has ended would be permissible in order to deal with any issue which might arise after the tenancy ends (a deposit dispute or arrears claim, for instance), but not indefinitely.
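The fifth principle calls for a procedure, not a one-off clear-out: something has to go through the records on a schedule and decide what may be deleted, what must be kept, and what needs a human decision. The Python script below is an added example of such a retention sweep; it is not part of the RLA guidance or any RLA tool. The six-year window, the record fields (`tenancy_end`, `open_matter`), the reference numbers and the sample records are all assumptions constructed for illustration, and the script deliberately never auto-deletes a record with an open matter, because a live dispute or court claim is exactly the kind of post-tenancy issue the guidance says justifies keeping the data.

```python
"""Retention sweep over tenant records (added example, not RLA code).

Assumptions (for illustration only):
  * each record carries the tenancy end date, or None while the tenancy runs;
  * an 'open_matter' flag marks an unresolved deposit dispute, arrears claim
    or court case that justifies holding the data beyond the normal window;
  * RETENTION_PERIOD is six years; the DPA fixes no period, so a landlord
    must choose one and be able to justify it as "necessary".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed retention window, measured from the end of the tenancy.
RETENTION_PERIOD = timedelta(days=6 * 365)


@dataclass
class TenantRecord:
    ref: str                      # internal reference; constructed, not a real tenant
    tenancy_end: Optional[date]   # None while the tenancy is still live
    open_matter: bool = False     # unresolved dispute / claim / proceedings
    note: str = ""


def retention_decision(rec: TenantRecord, today: date) -> Tuple[str, str]:
    """Return (action, reason) for one record: 'keep', 'review' or 'delete'."""
    if rec.tenancy_end is None:
        return "keep", "tenancy still live"
    if rec.tenancy_end > today:
        return "keep", "tenancy end date is in the future"
    expiry = rec.tenancy_end + RETENTION_PERIOD
    if rec.open_matter:
        # Never delete automatically while there is a live reason to hold the data;
        # a person must close the matter and confirm before anything is removed.
        return "review", "open matter: confirm manually before deletion"
    if today < expiry:
        return "keep", f"within retention period until {expiry.isoformat()}"
    return "delete", f"retention period expired on {expiry.isoformat()}"


def sweep(records: List[TenantRecord], today: date) -> Dict[str, List[str]]:
    """Group record references by action so each group can be actioned and logged."""
    result: Dict[str, List[str]] = {"keep": [], "review": [], "delete": []}
    for rec in records:
        action, _ = retention_decision(rec, today)
        result[action].append(rec.ref)
    return result


def audit_lines(records: List[TenantRecord], today: date) -> List[str]:
    """One line per record, suitable for the retention log a controller should keep."""
    return [
        f"{today.isoformat()} {rec.ref} {action}: {reason}"
        for rec in records
        for action, reason in [retention_decision(rec, today)]
    ]


# Constructed sample data; none of these correspond to real people.
AS_OF = date(2017, 9, 1)
SAMPLE = [
    TenantRecord("T-001", None),                              # current tenant
    TenantRecord("T-002", date(2010, 1, 31)),                 # long gone, nothing open
    TenantRecord("T-003", date(2016, 6, 30)),                 # ended recently
    TenantRecord("T-004", date(2009, 3, 1), open_matter=True),  # old, but dispute open
    TenantRecord("T-005", date(2018, 1, 1)),                  # fixed term not yet ended
]

if __name__ == "__main__":
    for line in audit_lines(SAMPLE, AS_OF):
        print(line)
    print(sweep(SAMPLE, AS_OF))
```

Run on a schedule (monthly is typical), the `delete` list is what gets purged and the `review` list is what lands on someone's desk; the audit lines are worth keeping, since being able to show that a retention procedure exists and runs is part of demonstrating compliance with the principle.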
Seventh data protection principle - security
The seventh data protection principle places one of the most onerous duties on a data controller under the DPA and poses particular problems in respect of data held on mobile devices like laptops and hand-held devices, which are easily lost or stolen. Security of data is vital. As a minimum, every device and account holding tenant data should be password protected, and data carried on portable devices should be encrypted so that losing the device does not mean losing the data to whoever finds it.
The DPA also applies to information recorded in a 'relevant filing system'. This is defined as a set of information relating to individuals to the extent that the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. This means that the DPA will apply to certain types of manual data contained in structured files, card indexes and microfiches as well as to data held on a computer.
The DPA contains a number of exemptions from the data protection principles, from the provisions conferring rights on data subjects, and from the notification requirements under the Act. These include an exemption for data used by an individual only for the purposes of that individual's personal, family or household affairs, including recreational purposes. This means that the exemption will apply to an electronic personal diary or a file with details of family and friends, but not to records kept for the business of letting property.
Privacy notices
You should provide tenants with a privacy notice explaining how their data will be processed. If you have a website, you can make this available on your website. The RLA has prepared a sample notice applicable to renting residential accommodation. However, you may need to adapt it depending on what you hold/process data for and the nature of your business.
The best way of ensuring that you comply with your obligations where you pass data on to a third party regarding a tenant (or any resident in the property) is to obtain their written consent. Consent must be freely given and fully informed. This is why it is also important to provide a privacy notice, because it explains what you do with the data which you collect. For example, if you share data with others such as a local authority or utility companies, you should get your tenant's consent to do so.
Likewise, if you need to obtain information about your tenants/residents from others, then you can ask tenants/residents to give their consent to this being done.
When you obtain the consent you should obtain a separate signature or other confirmation (such as a tick box). You must not rely simply on including a clause in your tenancy agreement. Data protection consents need to be signed for separately.