In light of the upcoming EU Data Protection Regulation (“the Regulation”) and a recent crackdown by the Information Commissioner’s Office on data protection compliance by housing associations, data protection should be a key issue within the social housing and private rented sector (PRS) industries.
Identified below are some of the key changes brought about by the Regulation and their relevance to the housing industry. The Regulation will replace the current 1995 Data Protection Directive and, of particular note, will be directly effective in member states, without the need for national implementing legislation.
Changes to the Rights of Individuals and how this applies to landlords and agents:
- Under current UK law, data subjects (individuals) can request limited information and the data controller (for these purposes the housing association) can charge a fee to provide the information. However, the Regulation provides that the data subject will be able to request additional information held about them, such as the length of time their personal data has been, and will be, stored, and an explanation of the significance and consequences of the processing of such personal data. Further, under the new Regulation it is unlikely that housing associations will be able to charge a fee, and time-scales for responding to subject access requests will be reduced from 40 calendar days to one month.
- The Regulation will provide greater protection for data subjects in relation to the correction and removal of personal data; individuals will have ‘the right to be forgotten’, i.e. the removal of their personal data from any systems.
- The right of ‘data portability’ will be introduced. This will allow a direct transfer of data subjects’ personal data, for example, from one housing association or landlord to another. In addition, data subjects will have the right to receive a copy of such information, which they themselves can transfer.
While these changes provide extended and improved rights for data subjects, there remains concern amongst commentators that the Regulation will mislead individuals, by giving them the inaccurate impression that they have particular rights or levels of protection that, in reality, cannot be delivered.
New Data Protection Impact Assessments (“DPIAs”) where processing is likely to create specific risks:
In their most recent recommendation, the European Data Protection Supervisor (“EDPS”) have suggested that DPIAs should be necessary only where the data processing creates a high risk for the rights and freedoms of individuals. They have identified such risk where processing is likely to lead to discrimination, identity theft, financial loss or reputational damage. Due to the vast amount of (often ‘sensitive’) information processed by landlords, letting agents and housing associations, these businesses and organisations may well be required to carry out these DPIAs.
The DPIAs will then be reviewed by the relevant Data Protection authority to ensure that risks have been identified and adequately mitigated. Further, if an impact assessment suggests risks posed by the processing are too great, then the supervising authority will have the power to prohibit the intended processing.
Consent: The Regulation imposes stricter obligations on data controllers to ensure that they have received explicit consent to process personal data and seeks to address the imbalance between individuals and large data controllers by restricting the reliance on the implied consent of the data subject. The EDPS have been keen to remove ‘coercive tick boxes’ where the processing of data is unnecessary. In light of this it is advisable for landlords, agents and social housing providers and others in the industry to conduct a review of paper and website processes to ensure that explicit consents from data subjects are obtained clearly and fairly.
Landlords and agents should ensure that their tenancy application forms clearly explain how tenants’ personal data will be used in the assessment process and that in certain circumstances it may be shared with relevant third parties.
This part of the Regulation is cumbersome for businesses, in particular SMEs with more limited resources.
Stricter Enforcement: The Regulation provides that fines of up to 5% of the annual turnover of a business may be awarded for failure to comply with data protection requirements. Historically, businesses have viewed compliance with data protection policies as an unnecessary expense; however, the imposition of, and increase in, fines of this size make these policies a worthwhile investment.
Summary: The likely result of the Regulation is that data controllers will need to allocate further resources to ensure that they meet these additional data protection obligations. Housing associations in particular, which process large amounts of personal data, but also landlords and letting agents need to ensure that they have the necessary procedures and processes in place to avoid falling foul of the Regulation and incurring prohibitive fines.
Author: Loren Hodgetts from Wright Hassall LLP – www.wrighthassall.co.uk – assists in advising a range of businesses, organisations and authorities on commercial matters.