GDPR Definitions
Data Protection Act 1988 (DPA): Gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is managed to protect the subject’s privacy.
Data Sharing: this term covers a wide range of circumstances in which personal data is transferred from one organisation to another.
Data controller: This is an individual or an organisation that determines the manner and purpose of how personal data is processed.
Data processor: This is usually an individual or an organisation that processes personal data on behalf of and under instructions from the data controller.
EEA: the European Economic Area and includes all the European Union territories plus Norway, Iceland, and Liechtenstein.
Personal Data: this is information about a living individual who can be identified from that information, or from that information and other information that the data controller already has. It can include expressions of opinion about a data subject.
Big Data: These are things like “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making”.
Privacy Notice: This written notice can be a bit confusing, as it is known by several names:
• Fair Processing Notice (FPN) or Statement
• Privacy Notice or Statement
• Data Protection Notice.
The Notice should contain the ‘Fair Processing’ information required to be given to data subjects like:
- The identity of the data controller
- The purpose or purposes for which the data are intended to be processed
- Any other information that is necessary to enable the processing to be fair to the data subject. This could include the identity of anyone else with whom the data subject’s information is likely to be shared and how long the personal data is expected to be held.
Processing: anything that can be done to personal data, although the most well-known processing operations are disclose (share), retain/store, edit, and delete/erase/destroy.
Sensitive Personal Data: this is personal data relating to:
- Racial or ethnic origin.
- Sexual life.
- Political opinions.
- Religious belief or similar.
- Trade union membership.
- Physical/mental health or condition.
- Proceedings for any offence, disposal of proceedings or sentence.
- Commission or allegation of an offence.
The Information Commissioner’s Office (ICO): the independent body responsible for regulating the DPA. Its remit is to promote good practice, supply information to individuals and organisations, and take enforcement action where there has been a breach of the DPA.
What is GDPR?
GDPR is an abbreviation of the General Data Protection Regulation. It refers to the new Data Protection rules, which came into force on 25 May 2018. GDPR is essentially a privacy protection law that safeguards all of us to some extent.
Is GDPR something that affects landlords?
In short, yes! GDPR was not initially intended for private landlords. It was drafted to deal with some of the more outrageous uses of personal data by tech companies like Google and Facebook.
Many high-profile cases with flagrant breaches of privacy rights have been cited in recent years.
However, a landlord has contractual obligations to a tenant and from time to time needs to exchange information with service providers.
What do landlords need to do to comply with GDPR?
GDPR can affect landlords in several ways if you are letting a property. Landlords have legal requirements so they can discharge their obligations as a landlord. This 2021 landlord GDPR guide will help you to have a better understanding of what you need to do.
The General Data Protection Regulation (GDPR) is a legal framework. It sets guidelines for landlords or agents collecting and processing personal information from their tenants, guarantor, or other occupants.
It can include next of kin information like email addresses, contact details, I.D. documents, etc.
How to manage your tenant’s information
Landlords need to be registered with the ICO for GDPR and be fully compliant, especially when processing personal data.
When we think about GDPR, computers and cloud-based storage come to mind. But a ledger with tenants’ information like names, telephone numbers, email addresses, I.D. like passports, and bank details is also something to consider for GDPR purposes.
It is good practice to give all your prospective renters a privacy notice (your privacy policy) at an early stage when negotiating terms of a tenancy. The privacy notice should not be incorporated in the tenancy agreement as explained below.
How can I manage data more securely?
That depends on how, where and by what method you store and access the tenant’s information. Let’s look at some basic things to make sure you are complying with the GDPR law.
a) Physical safety & security – Make sure the tenants’ information is locked away in a safe, secure place. This includes things like tenancy documents, hard drives, USB memory sticks and anything else that carries tenants’ personal data or information.
b) Digital security & safety – This means using passwords to protect desktop PCs, laptops, iPads, mobile phones and other devices. It is equally important that your Wi-Fi network is password protected and has good security.
c) You must keep track of your tenant’s data and make a habit of permanently deleting data that is not required. Previous tenants can under GDPR request that you delete the information that you may have.
How landlords use tenants’ personal information
You can only process the tenant’s personal information in a lawful manner as set out under the GDPR legislation. In the past, landlords relied on a simple clause in the tenancy agreement where the tenant consents to their data being processed by the landlord or agent.
This may not be sufficient for GDPR purposes. Although a landlord must get consent as one way to lawfully process the tenants’ data, it is not recommended to rely on this ground alone in a landlord-tenant relationship.
GDPR and new Tenancy Agreement
Processing a prospective tenant’s personal information is inevitable when creating a tenancy agreement or licence with the tenant. Processing a prospective tenant’s tenancy application may include checking creditworthiness and fraud prevention.
Examples of personal information that you will rely on for this ground include:
- Their home address
- Personal contact details for communication: email address, postal address
- Their bank details to get credit checks & references
- Details of their previous landlord, for reference purposes
- Utility companies
- Regulatory obligations
- actual live tenants
- ex-tenants
This ground is likely to cover many of your data processing needs while managing a tenancy.
GDPR and Existing tenancies
You do not need to renew an existing or dated tenancy just to deal with GDPR. The British Landlords Association has privacy policy templates and templates for consent for housing benefit or universal credit purposes.
GDPR Registration
In short, the answer is that most landlords should already be registered with the ICO and pay a fee under current data protection laws. Still, many may think they are exempt as they do not see themselves as a business and rely on their letting agents to hold this registration.
Those who are not and currently hold or process personal data, such as their tenants’ details, need to contact the ICO, register and pay the necessary fee to be compliant. It’s a straightforward process and very necessary.
It requires you to provide the office with details including your name, address, trading name, number of employees and turnover.
If you purely process data manually, then you are exempt from registration. However, this is unlikely to apply as most landlords will process data via their PC, mobile phones, or tablets.
Lawful basis of processing tenant Data
To process personal information, landlords must have a “lawful basis” also referred to as “Legal Basis” to process the tenant’s information. Processing includes storing, using, sharing, and deleting the information as required.
Let’s summarise the main bases for processing:
- legitimate interest – where you use the tenants’ data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing which can include a commercial interest.
- contractual fulfilment – where you use their data for fulfilling the contract, for example, passing details to a contractor to conduct a repair.
- legally required – often landlords are legally required to process data, for example, in deposit prescribed information, right to rent checks etc.
- Consent – not commonly used for landlords but would include, for example, speaking with housing benefit or Universal Credit.
Landlord Privacy policy
Following the audit and understanding the lawful bases, you can process the information. You are required to inform the tenant how you intend to use the information.
The usual practice was to have clauses in the tenancy for landlords to deal with privacy and consent.
This is no longer acceptable and is not sufficient for landlords to fully comply with their legal obligation under GDPR.
The relevant part of GDPR guidance for landlords says that anything which requires consent should be an express document, meaning it should not be part of the tenancy agreement.
The reason for this is: The consent should not form part of the main contract (tenancy agreement). It needs to be a separate consent document that can be withdrawn as easily as when consent was given.
Processing Tenants personal information
If you’re processing the data under one of the lawful bases:
- legitimate interest
- contract fulfilment
- legally required
then it is straightforward. The area of caution for landlords should be “Consent”. The lawful basis of “consent” is the main area for landlords when it comes to GDPR.
Having said that, as alluded to above, landlords generally do not need consent under the new GDPR rules. This is because landlords have a legitimate interest, are fulfilling duties under the tenancy or are legally required to be processing the data.
Mandatory grounds where landlords have to disclose Data
In the following situation, a landlord may have no choice but to comply. Not doing so may result in the landlord facing legal action.
A third party makes a request under a mandatory legal ground. The landlord must seek legal advice before parting with any data.
The landlord should seek clarification from the requestor on what legal basis they are requesting disclosure.
You should request the person/authority to provide the relevant legislation and the particular section/clause relied upon.
A court order is served on a landlord. This should provide clear evidence of the need to comply.
However, landlords should seek legal advice if they are unsure about the legal reasons relied on by the requester, to check if they oblige the landlord to release the information requested.
Landlord Disclosure of information to the police
Where the police contact a landlord requesting disclosure of a tenant’s personal data, this kind of disclosure can be made at the landlord’s discretion unless, for example, the police produce a court order, after which the disclosure will be mandatory.
In such cases, the request may come as part of a police investigation. The police grounds for disclosure may be the prevention and/or detection of crime, or the apprehension or prosecution of offenders.
An exemption under the DPA means that the landlord does not need to inform tenants if the landlord chooses to make the disclosure.
Disclosure is exempt from many of the other data protection principles, but only to the extent to which adhering to the DPA principles (e.g. informing the tenant) would prejudice the police investigation.
In addition, tenants would not be able to exercise their subject access right to obtain details of what was passed to the police if this might prejudice the police investigation.
Landlords need to remember that they choose whether to make such a disclosure and whether they wish to apply for the exemption.
The exemption must be applied on a case-by-case basis. The use of the exemption requires the landlord to carefully consider the risk of prejudice to the tenant’s rights against the risk of prejudice to the police investigation if the disclosure is made.
The tenant generally has no right to object to this kind of processing.
Landlords should document their reasons for the application of the exemption to this disclosure carefully.
How can a tenant sue a landlord for breach of GDPR?
If a tenant feels their rights under GDPR have been breached and, crucially, if they have been affected by the use of their personal data, they can:
• Complain to the landlord or letting agency and use the landlord’s formal complaints procedure.
• Complain to the ICO and request an investigation. This should only be done if the complaint has not been resolved by the landlord.
• Issue court proceedings through the civil courts for compensation. However, the tenant must positively demonstrate how they have suffered harm as a result of a breach.
Landlords should ensure they have written policy procedures to deal with the tenant’s subject access requests. This should include the situation where a tenant’s personal data is processed by a third party on the landlord’s behalf.
FAQ
Why are the new GDPR rules important for landlords?
GDPR was not originally intended for landlords; it was due to the likes of Facebook and Google and the violation of privacy. However, GDPR does now apply to landlords small and large, private or corporate.
The GDPR keeps a check on landlords and letting agents to ensure the information held regarding a tenant, guarantor or next of kin is kept safe and is not abused or ill-used.
What do landlords need to do about a privacy notice?
It is essential to follow this list of things to do:
- Make sure you are registered with ICO.
- Make a list of the type of data that you hold, like:
  - You will hold personal details about your tenants.
  - If you are a letting agent, you will have details about your landlords.
  - You may also hold details about ‘prospects’, e.g., your mailing list if you regularly send information or promotional emails or letters to prospective landlords or tenants.
- Make a list of the places where it is held.
- Check that those places are GDPR compliant.
- Check that you have permission from people to use their data in the way that you are using it.
- Do a ‘privacy notice’ or have a ‘privacy page’ on your website.
- Appoint a Data Protection Officer
What lawful basis do landlords have to process data?
Landlords may need to lawfully process tenants’ information for things like:
- Deposit prescribed information.
- Right to rent checks.
- Consent to speak to housing benefit or Universal Credit departments.
Do landlords need to register with the Information Commissioner’s Office?
Yes! Some landlords think they are exempt as they have letting agents acting for them. This is incorrect; they will still process and store some data that is sensitive, so they should register with the ICO.
Why do landlords need to ensure they are GDPR compliant?
Yes! It is the law; not to comply means you could end up with a fine. You register online, and the process is simple.
How does GDPR affect small landlords?
GDPR does not just affect small landlords; it affects all landlords, small and big. All landlords need to ensure they comply with the GDPR.
How can landlords comply with GDPR?
The list of things above is what you will need to do to comply. However, privacy protection legislation and guidance may change, so you should ensure you visit the ICO website.
Disclaimer:
This post is for general use only and is not intended to offer legal, tax, or investment advice; it may be out of date, incorrect, or may be a guest post. You are required to seek legal advice from a solicitor before acting on anything written hereinabove.