The General Data Protection Regulation (GDPR) is a European Union (EU) initiative, a new legal framework in the EU, and like other EU legislation it will be carried across into UK law after Brexit.
GDPR has similarities with the existing UK Data Protection Act 1998 (DPA), but it goes deeper into what constitutes personal data. For example, even an IP address can be classed as personal data under this new definition. The more expansive GDPR definition provides for a wider range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, and landlords, agents and reference agencies will be, it is likely that you will also be subject to the GDPR.
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Currently the Information Commissioner's Office (ICO), under DPA Schedule 1, lays down these basic Data Protection Principles for handling data, but the GDPR will go further:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
There are two types of data:
- Personal data – such as things that will identify someone, and
- Sensitive personal data – which tells you something personal about the individual, for example, sexual preference.
What is Sensitive Personal Data?
Sensitive personal data includes information on an individual which contains details of their:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a trade union;
- physical or mental health and conditions;
- sexual life;
- commission or alleged commission of an offence;
- proceedings for any offence committed or alleged to have been committed;
- disposal of such proceedings or the sentence of any court in such proceedings.
Again, landlords, agents and reference agencies will be involved in collecting at least some of this sensitive personal data. Details of ethnic origin, financial data, personal references, payment histories, credit scores, bank accounts, National Insurance numbers, passports and drivers’ licenses, personal photos, telephone numbers, debt records (CCJs) and sensitive information on a range of medical, welfare or social service issues and possibly even criminal records will almost certainly be involved if tenants are being checked out properly.
Is it legal to hold this data?
Yes. It is not illegal per se to hold this data, so long as it is legitimately required for the purpose and is dealt with in a proper and lawful way. For example, these instances would be unlawful:
- Posting data about an individual on public forums, blogs, Facebook, etc.
- Refusing to give it to those lawfully entitled to it, e.g. Local Authorities*
- Losing it through leaving laptops in taxis or being hacked (where prevention was possible)
*Obtaining Data on Individuals
Sections 29 and 35(2) of the DPA allow others to apply for personal information on an individual in some circumstances. For example, a landlord may request personal information about a subject from a local authority. If you are asked for personal information about a tenant in this way, you should seek legal advice before supplying it.
Section 29 allows for the disclosure of personal data if this disclosure is necessary for:
- the prevention of crime
- the apprehension or prosecution of offenders
- the assessment or collection of any tax or duty or similar
- and where not disclosing the information would be likely to prejudice any of these purposes in the particular circumstances of the case.
Section 35(2) allows for the disclosure of personal data if that disclosure is:
- necessary for the purpose of or in connection with any legal proceedings of any nature (including prospective legal proceedings)
- necessary for the purpose of obtaining legal advice
- necessary in order to establish, exercise or defend any legal right.
Landlords and Data Protection
There are a lot of myths and misconceptions about data protection.
For example, landlords are entitled to be shown references obtained on their behalf by agents, though the tenant must have agreed to this sharing of data with relevant persons when they signed the tenancy application form (electronic signatures are now legal).
You can retain data when asked to delete it if you have a lawful reason for keeping it. For example, landlords are entitled to keep data about tenancies for up to six years in case they are sued and therefore tenants cannot destroy a landlord’s defence to a claim by requiring that their defence data be deleted.
All landlords will be covered by the Data Protection rules both under DPA and GDPR.
The fact that you may only have one rented property is irrelevant. However, if you are a genuine “not for profit” organisation, you may possibly be exempt.
The GDPR is coming!
You should already know and be complying with the rules above. However, from 25 May 2018 the new rules are in force.
There are massively increased fines for non-compliance, which can be up to the greater of 4% of turnover or 20 million euros; obviously the latter applies to very large organisations, but the fines are well worth taking seriously.
The main effect of these new rules is that if you keep information, it must be used only for the specific purpose for which the individual provided it. So if you obtain information about someone because they are a tenant, this does not mean you can send them mailings trying to sell them something else.
All this is perhaps not hugely significant for landlords provided they do not hang on to data too long. However, it is going to be very significant for agents who may no longer be able to rely on, for example, purchased mailing lists.
Preparing for GDPR
- If you use mailing lists, you need to use the time we have before 25 May next year to ensure that everyone on your list has opted into the type of mailings you are sending to them.
- You need to make sure that you are not retaining information inappropriately and have a proper privacy notice.
- You need to ensure, if your data is held by another organisation, that where appropriate they delete their data also.
If you are involved with large amounts of personal data, the best way to deal with all this is to carry out a Privacy Impact Assessment – there is guidance on the ICO website on how to do this.
Thanks to Tessa Shepperson’s Newsletter for some of this content: www.landlordlaw.co.uk