Housing associations rely on the processing and sharing of personal data, such as contact details and medical records, to provide services and support to their residents. However, it is important to note that anyone who processes personal data has a responsibility to protect it under data protection law. Failure to do so in the housing sector can put your residents at risk, which may have serious consequences for both your residents and your organisation.
The ICO has issued guidance highlighting common issues relating to data protection in the housing sector, and how these issues can be prevented to help housing associations understand how to ensure the protection of their residents’ data.
Common data protection issues in the housing sector
Common Issue 1: Inappropriate disclosures of personal data
Personal data should only be disclosed when it is necessary and appropriate. To determine whether the sharing of data is justified, consider:
- What are you intending to achieve by sharing this data?
- Have you assessed the potential benefits and risks to individuals and/or society by sharing this data?
- Is it fair to share the data in this way?
- Is the sharing of data proportionate to the issue you are addressing?
- What is the minimum data you can share to achieve your aim?
- Could the objective be reached without sharing any personal data, or by sharing less personal data?
- What safeguards can you put in place to minimise the risk of adverse effects of sharing this data?
- Is there an applicable lawful basis in the Data Protection Act 2018 (e.g., crime, law and public protection, health, social work and child abuse, etc.)
Common Issue 2: Perceiving data protection law as a barrier to the necessary sharing of information
Data protection law provides a framework for making decisions about sharing data appropriately – it is not intended to act as a barrier to sharing information to support residents when this is needed. When deciding whether to share personal information, consider:
- What information will you share?
- Are you intending to share special category data (e.g., political opinions, religious beliefs, genetic and biometric data)? If so, what safeguards will you have in place?
- What is to happen to the data at every stage?
- Who in your organisation can access the data?
- What technical and organisational measures are appropriate to ensure the security of the data?
Common Issue 3: Failure to keep accurate records
Good record management is vital to ensure the avoidance of data protection issues for both your organisation and your residents.
Practical steps to avoid data protection harms in the housing sector
The ICO has set out some practical steps to assist you with the lawful processing and sharing of residents’ personal information, including:
- Prioritise staff training – ensure that all of your staff are adequately trained so they are aware of their organisation’s data protection obligations, and internal processes for handling any queries about personal data.
- Practice good records management – Keep an accurate record of any contact with residents to help you address issues and provide an appropriate level of service to those residents requiring additional support.
- Be transparent about what you do with your residents’ personal data – you must inform your residents about what information about them is being collected and ensure they understand the purposes for which this information might be used.
For more information or to discuss staff training on data protection legislation, please contact Hetal Ruparelia, Head of our Information Law team.