Data Protection

Landlords, Agents & Data Protection

What do I need to do about Data Protection?

The new GDPR data protection regime, and the scary sounding fines that this could impose on any business in breach, certainly needs your attention as a landlord or agent.

However, for most people and businesses, landlords and agents included, not that much has changed. If you complied with the data protection principles before the GDPR, then you are 90 per cent there.

If you operate a website and/or collect personal information, your statements at collection and your Privacy Policy should be updated with respect to GDPR.

If you have had a continuous relationship with clients / tenants / other businesses, then any communications with them, such as emails, need no special permission. However, email recipients should be directed to a compliant privacy policy and allow simple straightforward unsubscribing from your list.

After four years in the preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016 and enforcement commenced 25th of May 2018.

The EU’s General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, including the UK’s Data Protection Act 1998 as amended by the 2018 Act, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The EU rules will continue to apply in the UK even though we are leaving the EU.

In the case of the private rented sector both landlords and letting agents hold data on people, mainly tenants, and this is often shared with other organisations, so it is important that the GDPR is taken into account.

In reality though, for landlords and agents, not much has changed from before as they have always been under an obligation to protect personal data when acting as “data controllers” under the Data Protection Act 1998.

Any private landlord letting a property without an agent will need to register with the Information Commissioner’s Office (ICO) as a “Data Controller” and pay their annual fee, currently £40. Those landlords who use an agent will be relying on the agent to handle the private data around the tenancy and therefore will not need to register.

Under the GDPR landlords and agents need to identify the correct legal basis they rely on to collect, hold and use personal data, including information about their tenants, and in accordance with the eight data protection principles (Data Protection Act 1998):

Landlords and agents need a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. ICO say no single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

The Lawful Basis for Processing

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

If you have a website your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

The Data Protection Principles (Data Protection Act 1998)

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
   1. at least one of the conditions in Schedule 2 is met, and
   2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The heavy fines myth.

Although the new fine figures being bandied about for GDPR are really scary, there has always been a heavy fine regime in place under the Data Protection Act 1998, in the region of £500,000. But no fine has ever been imposed anywhere near that figure.

The ICO have no intention of hounding small and medium sized businesses with heavy fines, and any minor breaches of the rules would no doubt start off with a warning.

Nevertheless, it is very important to make sure you are complying fully with the GDPR and the main principles applying to the processing of personal data.

Landlords and Letting Agents are under a legal obligation to handle, store and dispose of personal consumer information sensibly and securely and to abide by the eight principles of the Data Protection Act 1998.

The Data Protection Act does not guarantee personal privacy at all costs. It aims to strike a balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information.

The Act applies to paper records as well as computer records.

Data Protection Checklist

This checklist should help you comply with the Data Protection Act.

If you can answer ‘yes’ to every question, this does not guarantee compliance, but it does indicate you are making every effort to do so:

• Do I really need this information about an individual?
• Do I know what I’m going to use it for?
• Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
• If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?
• Am I satisfied the information is being held securely, whether it’s on paper or on computer?
• Is my website or on-line data base data secure?
• Is access to personal information limited to those with a strict need to know?
• Am I sure the personal information is accurate and up to date?
• Do I delete or destroy personal information as soon as I have no more need for it?
• Do I dispose of personal information securely?
• Do I have a Data Protection Policy and have I trained staff in their duties and responsibilities under the Act, and are they putting them into practice?
• Do I need to notify the Information Commissioner and if so is my notification up to date?

Safe Disposal of Personal Information

Landlords and letting agents must take reasonable measures for proper disposal of personal information included in credit reports, tenancy applications and tenancy agreements, based on the sensitivity of the information.

Disposal practices that are reasonable and appropriate to prevent unauthorised access or use of sensitive information might include:

• Destroying or erasing electronic files so that the consumer information cannot be read or be reconstructed. When disposing of old computers, you should destroy their hard drives.
• Shredding or burning paper documents so that consumer information cannot be read or reconstructed.
• Hiring a certified contractor specialising in document destruction, after performing due diligence on the company’s operations and security policies.

Data Sharing – Permission from Applicants

Landlords and letting agents must ensure that all Applicants have given permission for Credit Checks and Referencing to be carried out on them, and that their personal data may be shared among relevant third parties. This means that this information can be shared between Landlord and Agent, including the results of Credit Checks. This is achieved by having them sign an Application form which includes a statement to this effect. See our Tenancy Application Forms

More Information at the Information Commissioner’s Web site: www.ico.org.uk

©LandlordZONE® – legal content applies primarily to England and is not a definitive statement of the law, always seek professional advice.