Housing organisations "must improve data protection compliance": ICO

Social housing organisations need to improve their compliance with the Data Protection Act in a number of key areas, the Information Commissioner’s Office has warned.

The ICO report, based on nine advisory visits and four audits carried out over the past three years, found that organisations could improve in areas such as:

  • Data sharing: “Housing associations often have a requirement to regularly share personal data with other organisations. Often this is in relation to normal course of business disclosures such as maintenance contractors. But it may also include information that needs to be shared, for instance, in order to chase unpaid bills, or for legal proceedings where property is damaged. Unfortunately, they tend not to have formal policies and procedures to mandate that sharing”;
  • Data retention: “Housing organisations often do not have formal retention schedules in place for personal data…. Where there are retention schedules implemented they are often only applied to physical records”;
  • Homeworking: where remote or homeworking was used, it often wasn’t formalised;
  • Training: there were varying levels of data protection training in housing organisations;
  • Secure printing: many of the organisations visited did not implement secure printing solutions;
  • End point controls: there were examples where housing organisations had not restricted access to USB ports and DVD/CD drives. Left unrestricted, these allow large amounts of data to be removed immediately and allow the transfer of malware onto the organisation’s systems;
  • Monitoring: there was “little evidence” that housing organisations had monitoring of policies and procedures in place;
  • System access: there were organisations where adequate access controls were not in place;
  • Leadership: most housing organisations did not have a data protection lead; and
  • Maintaining a records inventory: housing organisations often failed to do so.

However, the watchdog recorded good practice in areas such as role-based access, fair processing of information, encryption – though not all housing organisations implemented such methods – and the physical security of office buildings.

The report also highlighted two additional areas of concern for housing organisations: subject access requests; and the accuracy of personal data.

John-Pierre Lamb, ICO Group Manager in the Good Practice team, said: “Over two million people live in social housing organisation accommodation, many of them from vulnerable groups such as the disabled and the elderly. Social housing organisations have to handle vast amounts of sensitive personal information so it is critical they understand their responsibilities under the Data Protection Act. 

“Clear policies and procedures along with appropriate training and high staff awareness are the cornerstones of good data protection and will help prevent future breaches.”