Data protection law previously focused on computerised databases, many of which were fairly anodyne records of names, addresses and rents.
Changes to the law now mean normal paper files come within the legislation, as do emails and word processing documents.
The European Union directive on which the new law is based states that data systems must "respect fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress and the well being of individuals".
These are aspirations, which RSLs are likely to share, and they should be borne in mind in complying with the legislation.
The law will have most impact in relation to staff and housing management data, but it also applies to data held on board members, suppliers and consultants.
If an RSL runs a day centre or is involved in Housing Plus initiatives, personal data is likely to be held.
If this is the case, all concerned must be provided with 'fair processing information' setting out the purposes for which data is held and any uses or disclosures that they would not expect.
The RSL must make sure it can satisfy statutory conditions for lawful processing, and must process data fairly and comply with other rules for good processing, known as data protection principles.
Those on whom data is held can make subject access requests to find out what data is held on them.
RSLs need to be able to answer questions such as: "Why are we holding the data? Who gave it to us? What will we do with the data? To whom will we disclose it?"
They need to provide tenants, and those living with tenants, with fair processing information. But what is the best way to provide this?
One approach is to produce a document explaining the data held and what is done with it in a way that affirms respect for individuals' rights, freedoms and privacy.
Alternatively, the information could be given in a tenancy agreement, included in tenancy application forms, or sent by letter.
In deciding on this, RSLs must distinguish between ordinary personal data and sensitive personal information (such as that on health or ethnic origin).
Meeting the conditions for processing ordinary personal data is easy. In general, RSLs can also process this if it is necessary for their legitimate interests. Many RSLs share information with other agencies such as local authorities or the police. Careful thought needs to be given to the particular circumstances to ensure sharing is lawful.
Processing sensitive personal data is altogether more difficult. The conditions are stricter and more limited in scope.
Obtaining consent is one option but this must be explicit, specific and informed. People should be told what will be done with their data and who will see it.
Other options include conditions permitting processing where it is necessary in connection with employment obligations (for example, to justify keeping data on tenants who may be violent to staff), in life-and-death situations, for equal opportunities monitoring purposes, or for the prevention and detection of crime.
Information can also be used for advice and support where explicit consent cannot reasonably be obtained (a useful option in some supported housing contexts).
What is "necessary" will be interpreted strictly; it means more than convenient or appropriate.
Data must be processed fairly and for specific purposes. It must be adequate, relevant, up to date and held no longer than necessary. It must also be kept securely.
The requirement to process data fairly is a big issue in relation to employment, permeating all its aspects.
Although housing management data must also be processed fairly, it is normally less of an issue because relationships are more remote and most RSLs have structured systems for deciding who, for example, is given a tenancy or medical priority for a transfer.
For many RSLs, ensuring that data is accurate, relevant and not kept longer than necessary is more of a challenge. Tenancy files tend to get bigger and bigger and weeding them is easy to put off.
Tenants and others who live with them are entitled to make written subject access requests. Requests can be made not only for the data itself but for information on who supplied it, what the RSL does with it and to whom it is disclosed.
What should an RSL do when it receives such a request?
Unless the relevant housing officer knows the person and recognises his or her signature, the first thing to do is check identity. Data protection is about privacy and protection of personal data; it is not a good idea to give data out to the wrong person.
Secondly, find out what information is held. This is likely to be on the tenancy file but there may be references to the tenant in emails or word processing documents. Do word searches against the tenant's name and address.
Having identified the data, can it just be disclosed?
It depends what the information is. There is no need to disclose information identifying a third party unless that individual consents or disclosure is reasonable.
If the third party refuses consent or cannot be found, the RSL should consider carefully whether disclosure is 'reasonable'.
It is less likely to be reasonable to disclose a confidential complaint from a neighbour than information from some official source, but it depends on the circumstances.
All this takes time. In the interim, make the information anonymous by deleting the third party's name and other indicators and then disclose what is left.
Care must be taken before disclosing information on health, unless the data subject knows the information. Otherwise, this must not be done without medical confirmation that disclosure is unlikely to cause serious harm to health.
There is a similar provision on local authority social services data. Although there is power to extend it to organisations such as RSLs, this has not been done.
As RSLs receive similar data, sometimes from social workers, the National Housing Federation should consider making representations for this extension.
Ignoring the law is not a good idea. The information commissioner, who is the statutory regulator, has extensive powers to ensure compliance, though in practice she is taking a relatively gentle approach, focusing on clear abuses.
RSLs are most likely to come face to face with data protection law when challenged by aggrieved tenants or employees claiming damages because personal data is used unfairly or is inaccurate.
What should be done?
- appoint someone with responsibility for data protection
- make sure line managers and staff with access to personal data understand their responsibilities and know that casual emails may need to be disclosed
- identify personal data
- make sure that fair processing information has been given to those on whom data is held
- check data is relevant, accurate and not excessive
- make sure one of the statutory conditions for lawful processing is satisfied for both ordinary and sensitive personal data – if consent is relied on, make sure there is a record
- check the RSL's notification to the information commissioner
- check security systems
Source
Housing Today
Postscript
Steve Lorber is a partner at solicitor Lewis Silkin.