Information watchdog warns housing organisations on compliance with data protection obligations
The Information Commissioner’s Office (ICO) has issued a reminder to housing organisations of their obligations under data protection law, and sought to “bust some data sharing myths” that might mistakenly prevent them from safeguarding their residents.
The ICO said it had received a number of complaints from residents who had been failed by poor data protection practices from their housing association, company or landlord. These included inaccurate record-keeping, and necessary repairs being refused due to a misunderstanding about data sharing among others.
Poor data protection practices were more likely to harm residents who required extra support from their housing associations, due to factors such as language barriers, health or history as a victim of domestic abuse, the ICO said.
In a blog entry, Helen Raftery, Head of Data Protection Complaints at the ICO, said the watchdog’s complaints data suggested that there was a lack of understanding about data protection law by some organisations in the UK housing sector. Additionally, the recent report from the Housing Ombudsman Service into Rochdale Boroughwide Housing had identified record-keeping and data accuracy as key areas for improvement.
Raftery said common issues in the housing sector were:
Inappropriate disclosures of personal data
"Personal data must only be disclosed when it is necessary and appropriate. Mr A raised a complaint with his housing association regarding a neighbour. The housing association shared information relating to Mr A’s health with a legal advisor who was considering the merit of the complaint. The housing association did not consider whether there was a good reason, or lawful basis, for sharing the data. When Mr A complained to the ICO, we determined that it was not necessary for the housing association to disclose his health information in order to assess the complaint.
"The housing association issued guidance to all staff and contacted Mr A to resolve the matter. However, Mr A was so distressed by the experience that he felt he could no longer trust the housing association and had to seek accommodation elsewhere. If the housing association had already had appropriate staff training in place this situation could have been prevented - for example, staff could have considered this checklist to determine whether sharing this data was justified."
Data protection law as a framework for responsible sharing
"Data protection law provides a framework for making decisions about sharing data appropriately; it is not a barrier to sharing information to support residents when this is needed. Ms B made a request to her housing association for factual information relating to a repair, following a leak in a neighbouring flat. The request was refused, with staff citing data protection law, and Ms B was unable to carry out the repairs to her property in a timely manner which resulted in additional damage and expense. However, this information should have been provided as Ms B did not request any personal data, only information that would allow her to plan her own repairs. This situation could have been prevented by a better understanding of personal data – the ICO have resources to help authorities understand what constitutes personal data. Remember that personal data can be shared if necessary and the ICO provide resources to help organisations make the right decision, including this checklist."
Failure to keep accurate records
"Good records management can help to avoid issues for both the organisation and its residents. Ms C reported damp and mould in her property which was damaging her personal belongings. The landlord stated it would investigate but did not do so within the agreed timeframe and did not respond to or keep a record of Ms C’s additional complaints. Investigations were done eventually but no outcome was communicated to Ms C and her request to be compensated for her ruined belongings was also ignored. In this case, the Housing Ombudsman ordered the landlord to pay compensation to Ms C."
Raftery added that the ICO had additionally issued the following key points of advice to assist authorities to feel confident in processing and sharing residents’ personal information lawfully:
- Prioritise staff training. You must ensure that all staff are properly trained so that they are aware of their organisation’s data protection obligations. You must also ensure that all staff are aware of internal processes for handling any queries about personal data. This will ensure that residents can trust that their data is managed appropriately and support you to handle issues in a timely manner.
- Practice good records management. Keeping an accurate record of contact with residents will help you to address issues and provide an appropriate level of service to those residents that may require additional support. Remember that residents can also make a subject access request for the information you hold about them and accurate records will make it easier to do this.
- Be open about what you do with your residents’ personal data. Residents should be informed about what information about them is being collected and understand the purposes for which this might be used. Our guidance on transparency can help to achieve this.
- Appoint a Data Protection Officer if required. You must have a Data Protection Officer if you are a public authority under FOI law or process certain types of data. We have guidance on if you need to appoint a DPO.
- Access our data sharing resources. There are situations where it may be necessary to share personal information about residents with third parties and you should have an appropriate system in place. Our data sharing code of practice provides guidance, alongside practical tools, to help organisations be confident they can share data within the law. Our data sharing information hub has many helpful resources including myth-busting facts, case studies, FAQs and checklists.
Harry Rodd