Taken from our members’ magazine the Residential Property Investor (RPI) comes the experts’ views on the role of data protection for private landlords: Landlords have legal responsibilities when it comes to their tenant’s data. RLA Policy Director Richard Jones and Ben Jackson explain.
Landlords need to be more aware of their responsibilities in relation to data protection. This involves safeguarding tenants’ data, making sure that you only pass it on if you are legally entitled to do so, and not retaining it for longer than necessary.
However, there are circumstances where you can legitimately pass over data, and indeed on occasion may be legally compelled to do so.
It may well also be necessary to give your tenants a privacy notice to tell them what can be done with data which you hold and how you could use it.
Under data protection legislation, ‘personal data’ is protected. This has a very broad definition. The first question is whether an individual can be identified from the data or from the data you hold in connection with other data. If the information you hold ‘relates’ to an identifiable living individual, it will be personal data where it is relevant to the family life, business or profession of the individual in question.
Common situations affecting landlords
The Information Commissioner’s Office, which is responsible for the regulation of data protection, has published advice on housing for landlords and tenants. This gives information regarding common situations. In some of these it is permissible to part with data, but you have to tell the tenant that you are doing so. This can be done by a privacy statement or in some other way: for example, it could be included in the tenancy agreement.
Scope of Data
Protection Legislation Data Protection Legislation (DPA: Data protection Act) applies to the ‘processing’ of ‘personal data’, both of which terms are very widely defined.
This means that practically any business such as a landlord or letting or managing agent operating in the UK which holds information about individuals (whether tenants, prospective tenants, employees, customers or anyone else) is affected by the DPA.
Since breaches of data protection laws can result in criminal prosecution as well as civil liability (not to mention adverse publicity, which is increasingly the likely result of non-compliance), no organisation can afford to ignore its data protection obligations. This is not always easy, given the complexity of the DPA and the number of obligations it imposes on those who process or hold personal data.
The key definitions contained in the DPA are summarised in the box to the left. In August 2007, the Information Commissioner’s Office (ICO) issued a technical guidance note on what constitutes personal data for the purposes of the DPA. According to the guidance, information is only likely to constitute personal data under the DPA if:
- A living individual can be identified either from the information alone, or with other information which is in the possession of the data controller, or is likely to come into their possession. In cases where it is not immediately obvious whether a person can be identified, the question whether or not the person is nonetheless identifiable will depend on the means the data controller is likely reasonably to use to identify that person.
- The information relates to the person in his/her personal or family life, business or profession. This is the case when it is either obviously about that person or if it is linked to that person so that it provides particular information about him/her.
- The information is used to inform or influence actions or decisions affecting that person.
- The information focuses or concentrates on the individual as its central theme rather than on some other person, or some object, transaction or event.
- The information impacts or has the potential to impact on an individual, whether in a personal, family, business or professional capacity.
The DPA applies only to data which relates to individuals, and so will not apply to data relating to companies or other legal entities. However, the processing of, for example, the contact details of individuals within a company may be covered by the DPA.
The DPA imposes additional rules in respect of the processing of ‘sensitive personal data’. This includes information about someone’s health.
The DPA imposes obligations on those who process personal data. Processing is broadly defined to include obtaining, recording, holding, using, disclosing or erasing data. In effect, any activity involving personal data will fall within its scope. Just holding it is sufficient.
Data controllers must notify (register with) the ICO before processing. The information to be provided in the notification includes:
- The data controller’s name and address.
- A description of the personal data being or to be processed by or on behalf of the data controller, and a description of the category or categories of data subject to which they relate – for example, contact or financial details relating to tenants or prospective tenants.
Failure to notify where required to do so under the DPA is a criminal offence.
Notification is a fairly straightforward process, although it will often require an understanding of the data processing operations carried on.
Registration cannot, as yet, be effected online in the UK, but the forms may be completed using the standard templates available from the ICO website and, once completed online, may be printed off, signed and sent by email with the appropriate fee (currently £35) to the ICO.
Notifications are renewable annually.
Notification is only one of a series of obligations imposed on data controllers under the DPA. This means that data controllers must comply with the remaining obligations of the DPA even if they are exempt from, or have failed to comply with, the notification obligations.
Exemption from notification
- You are exempt from notification if you only process data for:-
- Staff administration (including payroll).
- Advising marketing and public relations (for your own business activity).
- Accounts and records.
- Where you do not use a computer for the processing.
Data protection principles
The DPA applies to many different types of data and a wide range of processing activities, and imposes a range of obligations on data controllers to ensure that data is processed properly. The DPA sets out a number of data protection principles, which require that:
- Data must be processed fairly and lawfully.
- Data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes.
- Data must be adequate, relevant and not excessive in relation to the purposes for which it is processed. In practice, this means that data controllers must keep existing data under review.
- Data must be accurate and, where necessary, kept up to date. Generally, controllers are required to update all databases unless they constitute a static archive.
- Data must not be kept for longer than is necessary.
- Data must be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of or destruction or damage to personal data.
- 8. Personal data must not be transferred outside the EEA (European Union and certain other countries such as Norway) unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data.
Some of the most important principles are discussed below:
1st principle – fair and lawful processing
The first data protection principle, requiring fair and lawful processing of personal data, is probably the most important of all the data protection principles.
Processing will not be lawful where, for example, the processing relates to information contained in a stolen document.
However, the fairness requirement is harder to define. Processing will clearly not be fair where the data subject is misled, and may not be fair where any pressure or inducements are applied when collecting data.
Otherwise, the Commissioner has indicated that the first consideration in assessing fairness will be given to the consequences of the processing to the interests of the data subject.
In addition to the general fairness requirement, certain criteria are prescribed under the first principle as a pre-condition to legitimate processing. Most importantly, data will be processed fairly as required by the first principle only if at least one of the following conditions is satisfied:
- The individual has consented to the processing.
- The processing is necessary to perform a contract with the individual, or for taking steps to comply with a request made by the individual with a view to entering into a contract (for example to process a tenancy application).
- The processing is necessary to comply with a legal obligation of the data controller (other than a contractual obligation).
- The processing is necessary to protect the vital interests of the individual (for example, to protect the life of the data subject).
- The processing is necessary for the administration of justice, or for the exercise of any function conferred by statute.
- The processing is necessary for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
Normally the consent condition will be relied on, but consent is not always necessary, particularly due to the last of the conditions or the fact that you are required to process data to comply with the contractual or legal requirements. In such a case you can process data even if you do not hold a consent, for example to comply with a court order or legal obligation.
These criteria relate to the processing of all personal data. Where the controller processes sensitive personal data, additional criteria will also need to be complied with.
Data controllers should also be aware that, even where one or more of these grounds for processing can be satisfied, there is still an obligation to ensure that the processing is otherwise fair.
5th principle – retaining data
The fifth data protection principle requires the data controllers to put procedures in place to delete data which is no longer required to fulfil the purposes for which it was originally collected. For example, where data is collected for a specific tenancy, once the tenancy has ended, the data should be deleted.
The DPA does not set out specified time limits for the retention of data or guidance on the application of this principle, leaving the onus on data controller to determine what is ‘necessary’ in any particular circumstances.
Retaining data once a tenancy has ended would be permissible to deal with any issue which might arise once a tenancy ends, but not indefinitely.
7th principle – security
The seventh data protection principle places one of the most onerous duties on a data controller under the DPA and poses particular problems in respect of data held on mobile devices like laptops and hand-held devices.
The DPA also applies to information recorded in a ‘relevant filing system’.
This is defined as a set of information relating to individuals to the extent that the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
This means the DPA will apply to certain types of manual data contained in structured files, card indexes and microfiches as well as to data held on a computer.
The DPA contains a number of exemptions from the data protection principles, the provisions conferring rights on data subjects and the notification requirements under the Act.
These include exemptions for data processed for the purposes of personal data, processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes. For example, this exemption will apply to an electronic personal diary, or a file such as an address book with details of family and friends.
Key Definitions in the DPA (Data Protection Act)
All of the obligations under the DPA fall on the data controller. This is defined as the person who determines the purposes for which and the manner in which any personal data is, or is to be, processed. For example, a landlord will be the controller of the data processed relating to his/her tenants.
Someone may still be a data controller even if the information concerned is held by a third party – for example, where payroll administration or records are outsourced to a third party.
The DPA applies only to personal data. This is very widely defined.
Data is defined as information which is being processed by means of equipment that operates automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment. The DPA therefore applies to automated data, such as that stored on a computer. It also extends to certain manual records if kept in an organised form.
Personal data is data relating to living individuals who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. Personal data includes, for example:
- Telephone numbers
- Job titles
- Dates of birth
- Records of rent payments
- Credit searches
- Utility bills
- Bank statements
The information does not have to be confidential. A simple list of tenants on a computer will constitute personal data under the DPA. Even a number, such as a telephone extension number, may qualify as personal data when an individual can be identified from that number, for example, where that number may be linked to his name in another database.
The definition of personal data also includes expressions of opinion and any indication of the intentions of the data controller or any other person in respect of the individual concerned. Data which is anonymous will not come within this definition if there is no way of linking, so far as you can identify, living individuals. The person to whom the data relates is called the data subject.