General Data Protection for landlords and agents
From May 25th 2018, the General Data Protection Regulation (GDPR) will form the new standard by which landlords and agents deal with personal information about their tenants and clients. It replaces the Data Protection Act and introduces a number of significant changes to the way you should be processing personal information.
The intention of this guide is to help prepare landlords and agents for these changes by explaining exactly what they need to do for their business. This is a time-consuming process, and the RLA has also produced a number of sample documents, such as a comprehensive privacy notice, to make complying with the GDPR easier for landlords. These documents are available exclusively to members of the RLA.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a European Union (EU) wide set of standardised rules for the handling and storage of personal information within the EU. It applies to anyone who controls the personal information of individuals in the EU, or processes it on their behalf, even if the controller or processor is based outside the EU.
When does it come into force?
May 25th 2018
Will it be affected by Brexit?
No, it will still apply after the UK leaves the European Union.
I am already compliant with the Data Protection Act 1998, will I still need to make changes to my policies?
Yes, while the GDPR retains much of the existing data protection framework, it makes a number of significant changes as well. It will probably be easier for those who are already familiar with the terminology of the Data Protection Act to make adjustments however.
What terminology do I need to understand?
|Term||Meaning||Examples|
|Personal information||Information relating to an identified or identifiable individual||date of birth, email address, national insurance number, car registration number, passport number, IP addresses, etc|
|Sensitive personal information (special category data)||Personal information that reveals racial or ethnic origin (not nationality), political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health, or sex life or sexual orientation. Special restrictions apply to this category of information and landlords/agents should avoid collecting it where possible.||NHS number, requests for improvements to the property to accommodate a disability|
|Data processing||Using the personal information of another individual in a variety of ways, including collecting, recording, organising, structuring, storing, adapting, altering, consulting, using, disclosing, erasing or destroying the data||Storing a photograph of a tenant's passport to comply with right to rent legislation, or keeping a copy of the tenancy agreement with the tenant's details on it, etc|
|Data controller||Person or organisation who decides how, why and when someone else's personal information will be processed||The landlord as well as the agent|
|Data subject||The person to whom the personal information relates||The tenant or residents|
|Data processor||A third party who performs data processing tasks for the data controller (not an employee of the controller's organisation)||Referencing services, cloud storage hosts, email account providers, etc|
Do I need to register with the Information Commissioner's Office (ICO)?
Yes. Registration is not a GDPR requirement, but it is required under UK legislation unless you qualify for one of the exemptions, so you will have to register with the ICO. From May 2018 you will also have to pay a yearly fee for this. The fee is tiered by turnover and number of staff:
|Tier||Criteria||Annual fee|
|1 - Micro organisations||Maximum turnover of £632,000 for the financial year or no more than 10 members of staff||£40|
|2 - Small and medium organisations||Maximum turnover of £36 million or no more than 250 members of staff||£60|
|3 - Large organisations||More than £36 million turnover and more than 250 staff||£2,900|
The ICO will presume your organisation falls into tier 3 unless you show that you fall into tier 1 or 2.
Certain exemptions do exist though it's unlikely they will apply to a landlord or agent. There is no requirement to register if you do not use any electronic equipment to process data but even use of a smart phone or call recording system would trigger the requirement. Non-profit making organisations are also exempt from having to register.
What are the penalties for non-compliance?
Fines are up to 20 million euros or 4% of annual worldwide turnover (whichever is higher), so ensure you comply.
Complying with the GDPR
Complying with the GDPR is best viewed as a stage by stage process. Someone intimately familiar with the workings of the organisation (ie the landlord or a designated data protection officer) should perform an assessment to see whether they:
- need to comply
- have fully mapped out what personal information is held, how it used and who it is shared with
- have a lawful basis for processing personal information and, where consent is relied on, that the consent meets the GDPR standard
- have a data protection policy with enough regard to the data protection principles and the rights of the individual
- have investigated whether or not their third party data processors are compliant with GDPR.
- have a satisfactory privacy notice
Good record keeping of the decision making process is essential for the GDPR so ensure you keep a record of the whole process including any decisions made during it.
A full data protection process, specific to your organisation's needs, should then be written up outlining compliance with these points, making any amendments necessary to bring the business up to the level required while being mindful of the data subject's rights. This shows compliance with the accountability portion of the GDPR, provides the materials to train any staff on complying with the GDPR, and is the basis for mitigating any fines resulting from data protection breaches.
1. Do I need to comply with GDPR?
In short, yes, you will almost certainly need to comply with the GDPR requirements. This is because even an organised manual filing system brings you within GDPR. You should however still keep a record of working through this stage as part of the assessment.
You will have to comply if you answer yes to the following 4 questions.
|Question||Landlord/agent example response|
|Are you offering goods or services (including accommodation), with or without payment?||Yes, we provide accommodation in exchange for payment|
|Do you hold personal information?||Yes, we hold personal information|
|Do you process personal information?||Yes, we process/use personal information for a variety of reasons|
|Are you processing personal data wholly or partly by automated means? If automated means are not involved at all, are you using an organised manual filing system?||Yes, we process the personal data using our computers, smart phones and call recording software. If not, then yes in all likelihood we use an organised manual filing system|
Once you have established this applies to you, then you should also ask the following question:
If you are processing personal data is it sensitive personal data?
If you answer yes to this then additional restrictions apply and this should be considered when performing the follow up stages.
2. Mapping the way the data is used
Landlords and agents may be surprised at the amount of personal information they receive from their data subjects, i.e. prospective tenants, tenants and residents, and at how widely it may be shared with third parties.
The responsible person (or persons for large organisations) should audit the organisation to map as fully as possible all the ways that personal information flows into the business, what that personal information is, whether it is sensitive personal information, how it is held, who it is shared with, how long it is held for and how it is disposed of. The RLA will provide a sample audit, with guidance, closer to the GDPR launch date. In the meantime you may wish to follow the example below:
|Personal information flowing into company||Tenant's name|
|How is it collected?||Online tenancy application form at <weblink>|
|How is it used?||Stored for contacting the tenant along with contact number, email address and postal address. Shared with third parties for referencing the tenant, with property management companies of leasehold properties for amending the lease, and sold to marketing companies.|
|How is it stored inside the organisation?||Information duplicated and stored on <name of case management software>|
|Is it shared with any data processors?||Information provided to <name of referencing company>, <name of property management company> and given to <marketing company>. The application form is also stored on <cloud storage software>.|
|Are any processors based outside of the EU?||<Cloud storage software> servers are based in the USA. Other processors are based in the EU.|
|Is it sensitive information?||No, a name on its own is not special category data|
|How long is it held for?||e.g. for up to one year after a failed tenancy application; e.g. for up to 7 years after the expiry of the tenancy agreement if accepted|
|How is it disposed of?||Deleted from <case management software> upon expiry of the time frame|
Once you have completed this audit for all the information flowing in and out of the organisation you will be in a position to move on to the next stages.
3. Lawful basis for processing information
Once you have identified the personal information you process you must then identify whether or not you are allowed to do this.
There are a number of different 'gateways' available to landlords and agents who wish to establish their lawful basis for processing information. Data controllers should not default to getting the consent of the data subject, as in many cases it is easier to use a different gateway. They should look instead at all the available gateways to compliance.
Consent - if you have the consent of the data subject then you may process the information. Consent should be avoided as the gateway where possible however.
For the performance of a contract - if the data being processed is necessary to carry out the landlord's part of a letting contract then this will be sufficient.
This covers much of the data processing that a landlord or agent would do while managing a tenancy.
Legal requirement - if a landlord or agent is legally required to hold this information then they have a lawful basis for processing the information.
This would cover data processing around the right to rent legislation or gas safety requirements, for example. It also covers the requirement in the area covered by Welsh Water to provide details to them of who occupies properties.
Vital interests - if the information is required to protect the vital interests of the data subject or another person. Essentially this only relates to life threatening situations or cases of potential serious injury/major illness.
Legitimate interests pursued by the data controller or a third party can be used as the lawful basis provided those interests are not overridden by the interests or rights of the data subject and they are mentioned in the privacy notice provided to the data subject. Examples of this include:
- passing the names of new tenants to utility companies
- seeing references which were provided to letting/managing agents
- disclosing details of a tenant who has left leaving rent arrears to a tracing agent or debt collector to help them recover money owed
- passing on forwarding addresses of former tenants to utility companies
- providing the tenant's contact details to repairers if work needs to be carried out
- using CCTV to monitor communal areas (but only with appropriate signage warning the occupants of the CCTV)
- notifying other joint tenants of any rent arrears owed by another tenant
- informing the guarantor where the tenant has failed to pay rent
This could cover disclosure of certain information to outside agencies by a landlord, such as credit checks for example.
As we can see, there are a number of available gateways for landlords and agents to use. Performance of a contract and legitimate interests will be the most common, avoiding the need for consent in most cases. The data controller should keep a record of which gateways they have chosen for each item of processing.
Returning to the example in the previous section, the tenant's name is stored with the organisation, and shared with 4 third parties. We need to identify the lawful basis for all 5.
|Personal information held by||Lawful basis for holding or processing the information?|
|Landlord||Can be held on the basis of performance of a contract as well as for pursuing the legitimate interests of the data controller. No consent needed.|
|Property management company||Can be shared to amend the lease so that the landlord may perform their part of the contract. No consent needed.|
|Cloud storage software||The tenant volunteered this information so that a contract could be formed, and storing it with a processor is part of that processing (performance of a contract). No consent needed, though the processor must be under a compliant contract and the transfer to the USA needs appropriate safeguards (see section 6).|
|Referencing company||The landlord used this information to establish whether or not a contract could be performed, but also to protect their legitimate interest in obtaining regular rent payments. No consent needed.|
|Marketing company||No lawful basis for this. Must be removed, or consent obtained from the tenant before providing the information to the company.|
Using consent as your lawful basis
Despite the other options available, you may still have to resort to getting the data subject's consent. The GDPR has introduced a number of changes to the way consent works for data protection. As such, pre-existing consent forms may need to be changed if they are not comprehensive enough to meet the new requirements.
What are the main principles of consent?
Data controllers should be mindful that any consent must be:
- Freely given
- Specific and informed
- Unambiguous, i.e. a clear affirmative act by the data subject
Consent can be given in writing, online via internet checkboxes, or verbally, as long as it is a clear affirmative statement. It may also be inferred from the actions of the data subject provided the information taken is not sensitive personal information (special category data requires explicit consent).
If you are using consent as your lawful basis for processing, the RLA recommends that you prepare a written consent document, as it will make your record keeping responsibilities significantly easier. You will need to explain why you are asking for consent and that there is a right to withdraw consent at any time - see below.
Is a blanket consent form enough?
Data controllers may be keen to simplify getting the consent of the data subject but it will not be appropriate to provide a form that consents to all kinds of data processing.
Instead, the consent should be layered, with the data subject able to actively consent to each form of data processing separately. Boxes must not be pre-ticked. All parties, including third parties such as referencing services, must be named on the consent form. The consent form should also state why you want the data, what you will do with it and how the data subject can withdraw their consent.
It is likely you will need to periodically refresh this consent over time by getting the data subject to re-sign for consent.
What records should I keep
Along with the name of the data subject, you must record the date on which they consented, what they were told at the time, and whether or not they have since withdrawn consent. Most of this should be captured on a well written consent form. Where consent is given orally, keep a record of the date and time instead.
Can the data subject withdraw their consent?
Yes, they must be allowed to withdraw consent at any time, and it must be as easy to withdraw as it was to give. Data controllers must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. This includes telling people that they have a right to withdraw their consent at any time and how they can do this. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Are there any issues with consent once an appropriate form has been drafted?
Yes, the GDPR indicates that consent may not be freely given, and so not valid, where there is a clear power imbalance between the data controller and the data subject. This would normally apply to employers and public authorities, but there is a question as to whether that power imbalance extends to the relationship between landlords/agents and a tenant as well. As such, you should try to establish a different lawful basis where appropriate, such as a legitimate interest or the data being necessary for the contract.
4. Evaluating / developing your data protection policy
Once you have successfully established your basis for processing the personal data you must ensure that the way you process it complies with the GDPR requirements on record keeping as well as the data protection principles for personal data. These are explained below. In addition, you must pay specific attention to whether the proposed data protection policy sufficiently safeguards the rights of the data subject.
Under the GDPR, data controllers have a responsibility to maintain written records showing how they have formulated their data protection policies. This should include what decisions have been made around data protection and how they adhere to the data protection principles, the rights of the data subject and guidance from ICO. This would include any necessary steps taken to secure the data, as they are responsible for this. It also records decisions which have been made where you are relying on your own legitimate interests or those of a third party to process data.
For landlords and agents with fewer than 250 employees, this requirement only extends to processing that:
- is not occasional (i.e. data that is regularly taken or used)
- is likely to result in a risk to the rights and freedoms of individuals, or
- involves special category data (or criminal conviction data)
In addition to this, data controllers are expected to put in place comprehensive and proportionate measures for the ongoing governance of the data. This should include assessing the impact of the processing on the data collected to ensure it meets the principles of privacy by design and by default, such as:
- Data minimisation - collect as little information as possible and use it sparingly.
- Pseudonymisation /anonymisation
- Allowing individuals affected to monitor processing
- Creating and improving security features on an ongoing basis
Depending on the size of your organisation you may need to keep internal records of data processing. For organisations with fewer than 250 staff, the data controller is required to keep records of activities relating to the processing of high risk data, such as sensitive personal information or material that could affect the rights and freedoms of their data subjects. For most landlords this would most likely arise from information relating to tenants with a disability. If this does occur then that record should contain the:
- name and details of the organisation.
- purpose of the processing.
- description of categories of individuals and categories of personal data.
- categories of recipients.
- details of transfers to third countries.
- retention schedules.
- description of the technical and organisational security measures.
The Information Commissioner's Office can require you to produce these records, so ensure you keep this material after you have performed the check.
Data protection principles
The GDPR makes data controllers responsible for compliance with the data protection principles. These are:
1. Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and transparently. The main elements of fair use include:
- using the data in a way the person would reasonably expect
- thinking about the way you use the data and whether or not it would have an adverse effect on the data subject
- ensuring the data subject knows how the information will be used by being open and transparent (i.e. through a privacy notice)
2. Purpose limitation. Personal data must be collected for specified, explicit and legitimate purposes. For landlords and agents it must not be processed beyond the original purpose, except for statistical purposes.
3. Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accuracy. Data controllers must ensure the information is accurate and up to date. Inaccurate information should be erased or corrected.
5. Storage limitation. Data must be kept in a form which allows identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (including collected and stored).
6. Integrity and confidentiality (security). Data should be processed in a way which ensures appropriate security for the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Data controllers should consider their computer security in particular, such as how email is stored, password strength, etc.
The data controller should identify any areas that are currently out of sync with these principles and amend their policy accordingly.
Example - the landlord holds photos of passports relating to right to rent for 6 years after the tenancy ends on his phone's cloud storage option which automatically loads on opening his phone screen. He has identified that his lawful basis for holding this information is that he is legally required to hold the documents for up to a year after the tenancy ends. He does not inform people of the length of time it is held for.
Going through the list of principles we can see there are issues with principles 1, 5 and 6.
For principle 1, he does not inform people how this information will be stored. This should be written clearly in the privacy notice.
For principle 5, the data is kept for much longer than necessary. The legal requirement is 1 year after the tenancy ends while he keeps it for 6 instead. The policy should be changed to match the legal requirement.
For principle 6, safeguards should be in place to make sure the documents are stored securely. If the passport photo is accessible automatically on opening the phone then it is not secure. In addition, the cloud storage may be hosted outside the EU, causing additional problems. The landlord should store the documents somewhere within the EU and require a password (or other authentication) before the files can be accessed.
They should ensure they keep a record of these decisions and any changes made on file in case ICO wishes to see them.
5. Preparing a Privacy notice
Once you have established what information you hold, what your basis is for processing it, you can move on to preparing a privacy notice.
Under the GDPR it is the data controller's responsibility to provide a privacy notice to every data subject whose information the data controller processes. What must go into a privacy notice is quite detailed, and you as data controller should ensure you are meeting the requirements in the table below. The two right-hand columns follow Articles 13 and 14 of the GDPR: a few items are only required depending on whether the data came from the data subject directly.
|What information must be supplied?||Data obtained directly from data subject||Data not obtained directly from data subject|
|Identity and contact details of the controller and, where applicable, the controller's representative and the data protection officer||Yes||Yes|
|Purpose of the processing and the legal basis for processing||Yes||Yes|
|The legitimate interests of the controller or third party, where applicable||Yes||Yes|
|Categories of personal data||No||Yes|
|Any recipient or categories of recipients of the personal data||Yes||Yes|
|Details of personal data transfers to a third country (a country outside the EU) and the safeguards applied||Yes||Yes|
|Retention period for the data or the criteria used to determine the retention period||Yes||Yes|
|The existence of the data subject's rights||Yes||Yes|
|The right to withdraw consent at any time, where relevant||Yes||Yes|
|The right to lodge a complaint with a supervisory authority||Yes||Yes|
|The source the personal data originates from and whether it came from publicly accessible sources||No||Yes|
|Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data||Yes||No|
|The existence of automated decision making, including profiling, and information about how decisions are made, their significance and the consequences||Yes||Yes|
The privacy notice is especially important for those data controllers relying on the contractual or legitimate interests gateways as their legal basis for data processing. As these are the two key gateways for landlords and agents, it is absolutely crucial you as data controller have a comprehensive privacy notice.
Privacy notices for children
While it is unlikely that landlords or agents will have reason to hold the personal information of children under 18, if that is the case then specific requirements are placed on the data controller. The privacy notice must be designed in such a way that it is easy to read by children as well as adults.
Help from the RLA
The RLA has prepared a number of documents to help landlords with this process. This is based on assuming that you collect information about your tenants using the RLA's Tenancy Information Form. The model documents we will provide are:
- Data Audit - this enables you to check and assess what data you hold and use.
- Privacy Notice.
- Various consent form templates.
We would stress that these are model documents and they need to be adapted to your own circumstances. In particular you need to check whether you handle other items of data over and above those which are listed out, because they need to also be referred to in your privacy notice. The privacy notice is a vital document. This information is provided for landlords; not agents.
The rights of data subjects
An individual, i.e. the data subject, has a number of rights under the GDPR and any record keeping performed by the data controller should show consideration of these rights. Explanations of how the data subject can exercise these rights should also be made clear to them, usually via the privacy notice.
|Individual right||Steps the data controller should take|
|The right to be informed||A privacy notice must be provided.|
|The right of access||This is a right to obtain confirmation that their data is being processed, to have access to their personal data, and to receive the information that should be provided with the privacy notice. This must now be provided free of charge. A reasonable fee can be charged only where a request is manifestly unfounded or excessive, especially if it is repetitive. Information must be provided without delay and at the latest within one month, although this period can be extended to up to three months where requests are complex or numerous. You will need to verify the identity of the person making the request using reasonable means. If the request is made electronically you will need to provide the information in an electronic format.|
|The right to rectification||Where the personal data held is inaccurate or incomplete, the individual can have it rectified. The data controller must inform any third parties who have received the data of the rectification, and may also have to tell the individual which third parties received it. The time frame for making the corrections is one month, though it may extend to three months for more complex requests.|
|The right to erasure (right to be forgotten)||Individuals can request to have personal data erased and to prevent processing in specific circumstances: For landlords and agents acting as data controllers, they must comply unless they intend to retain it because:|
|The right to restrict processing||The data controller must restrict (rather than erase) the processing of data where the data is of no further use to the controller but the data subject requires it to bring or defend legal claims. Data subjects can also contest the accuracy of the data, or the lawfulness of the processing, and processing must be restricted while this is verified. Alternatively, a temporary restriction must be placed where the data controller is considering whether its legitimate interest in the data overrides the individual's rights. When a restriction is in place, it is up to the data controller to inform any third parties who have received the data.|
|The right to data portability||This allows individuals to obtain and reuse their personal data for their own purposes across different services, allowing them to move, copy or transfer personal data easily. Data controllers should consider whether the format in which they hold and store data is easily transferable.|
|The right to object (opt out)||Where the data subject objects to direct marketing, to processing based on legitimate interests, or to processing for historical, scientific or statistical purposes, the data controller must stop using the material unless they can demonstrate compelling legitimate grounds for the processing which override the individual's interests. For direct marketing the data controller must always comply, as there are no grounds to refuse this objection.|
|Rights in relation to automated decision making/profiling||This should not affect many landlords or agents, but if a data controller engages in automated profiling or decision making that has a legal or similarly significant effect on the data subject, then they should obtain the explicit consent of the data subject to use their material in this manner.|
Additional requirements/conditions for sensitive personal information/special category data
Alongside the standard requirements for all personal information, if sensitive personal information (e.g. medical records) is taken, then the data controller must make sure they have met one of the additional requirements for being allowed to process sensitive personal information. For landlords and agents this would usually be
- They have the explicit consent of the data subject to process the information.
- The data subject has manifestly made the sensitive personal information public (i.e. volunteered it to the public at large)
- Where processing is necessary for establishing the exercise or defence of legal claims
In practice landlords and agents would be best advised avoiding taking this information unless strictly necessary.
Restrictions on Marketing
There are specific requirements surrounding using personal data for direct marketing that data controllers must follow and ensure that their data processors also follow.
Direct marketing is communication (by whatever means) of any advertising or marketing material directed at a particular individual. This does not limit itself to material that is solely for marketing purposes but also includes communication where some marketing is present but it is not the main purpose of the communication.
This is distinct from the sending of marketing material at the request of the data subject where no restrictions apply. This only operates in relation to specifically requested marketing material, not where the marketing is unsolicited. For example, if a landlord is requested by a tenant to send details of a particular property this is marketing which is requested and is not unsolicited.
If you are planning to directly market to data subjects by email or text then you must ensure you have the active consent of the subject. This consent can be withdrawn at any time, and it must be clearly and specifically worded so that the data subject is in no doubt how the personal information will be used and which communication methods will be used for this direct marketing (email, phone, text, etc).
If a data subject objects or withdraws consent, then they must be removed from your marketing database and their details no longer used for marketing from that point onwards.
Further, if you are planning to campaign via live phone calls then you must screen against the Telephone Preference Service to ensure nothing on the database is subject to call screening, unless you have consent for marketing in this way.
Specific consent must be obtained if you wish to sell or share the marketing details with other parties.
Requirement to notify where data security is breached
Data controllers are required to notify the ICO in the event of a personal data breach. This is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data.
If the breach would lead to the rights and freedoms of the individual being affected, landlords and agents must contact the ICO within 72 hours or face a potential fine. For landlords and agents this may be the risk of identity theft, for instance, or their website being hacked and security login details being accessed for an unspecified number of clients.
In some cases you may also have to notify the data subjects themselves. This would only be if there is a higher risk of their rights and freedoms being affected, for example if it was clear that the data subject's information had been taken and could be used for the purposes of identity theft.
6. Ensuring Data processors are compliant
Data processors are those who process data on behalf of the data controller. It could be an agent acting on behalf of the landlord, for example.
The data controller is ultimately responsible for ensuring that any data processors used on their behalf are compliant with the GDPR. They should seek out assurances from external companies to ensure they are compliant with these regulations as well. In particular they should be investigating the likelihood of transferring the information to third countries (i.e. outside the EU), and the likelihood of accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data.
Contractual arrangements for third parties
The arrangement between the data controller and the data processor must be laid out in a contract which sets out the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
The contract must provide that the processor:
- Processes the personal data only on documented instructions from the controller (including in relation to transfers to third countries).
- Ensures persons authorised to process the personal data have committed themselves to confidentiality.
- Complies with requirements for the security of processing.
- Assists the controller by implementing appropriate technical and organisational measures to allow the data controller to respond to requests by a data subject to exercise their rights.
- Assists the data controller in ensuring that the data controller can comply with requirements to notify personal data breaches to the ICO and to data subjects.
- When required by the data controller, deletes or returns all data to the data controller after the end of the contract and deletes existing copies unless required by law to retain these.
- Makes available to the data controller all information necessary to demonstrate compliance with the obligations imposed on data processors, including audits and inspections on behalf of the data controller.
Obligations on the data controller and processor
Data controllers and processors must take steps to ensure that they meet an appropriate level of security requirements for data processing relative to the risk of the information being breached. This may include:
- Ability to ensure ongoing confidentiality, integrity, availability and resilience of the systems involved.
- Ability to restore availability in a timely manner in the event of an incident.
- Regularly testing and assessing the effectiveness of the technical and organisational measures.
Agents, who may also act as data processors on behalf of landlords, must also ensure they are informing the data controller if they think an instruction is a potential breach of the GDPR. In addition, if they employ a third party to perform a service they must ensure a contract is in place for the use of the data, or they retain liability for any breaches.
Transfer of data to third countries
Third countries are currently classed as countries outside of the EU. The GDPR puts strict restrictions on the transfer of data to these third countries. Landlords and agents would be wise to check the location of any servers they, or their third parties, use for cloud storage of data, and to move this storage to an EU-based server if it is currently held outside the EU.
Accurate as of March 28th 2018.