Housing associations often find that carrying out a periodic update serves as a checklist for other required actions.
The record must contain information on:
- The purposes for which personal data are processed (which can lead to a cross-check of privacy statements to confirm if they have been notified to tenants)
- The categories of personal data being processed (which should be verified against tenancy application forms and databases in use)
- Third-party recipients of personal data (which should be used to confirm proper data sharing agreements are in place)
- Retention periods (which should inform an audit of historic data to check deletion arrangements are working)
- Technical and organisational security measures being used (which should prompt regular internal compliance audits)
Apart from mitigating the risk of ICO enforcement action, having in place good data protection measures makes it much easier to demonstrate compliance to tenants. It is in the earliest stage of a relationship with a prospective tenant – a tenancy application form – that a social housing provider can show good practice.
A tenancy application form should be written in plain English, state what personal data is required from applicants and why, make clear if a prospective tenant’s consent is required for any processing (and collect that consent if it is), and include all of the other ‘fair processing’ information required under GDPR.
After the application stage, ongoing engagement with tenants – whether through scrutiny panels, tenants’ bodies, or informal consultation – will help an organisation comply with its transparency obligations.
This is particularly the case where a housing association recognises an obligation to conduct a data protection impact assessment because it wants to start using personal data it holds in a new way; the opportunity for tenant engagement in those assessments can significantly improve outcomes.
The strong focus on data protection many housing associations and social landlords had in the run-up to GDPR coming into force in 2018 should not slip now.
The ICO is clear that its expectations on all organisations are increasing, and data protection compliance must be an ongoing part of organisations’ operations, not a one-off matter.
Only by giving data protection compliance sufficient prominence in their operations can housing associations and social landlords avoid the sort of costly enforcement action to which breaches now lead.
Ed Hayes, legal director, TLT