Many of our clients have substantial residential portfolios, often managing their own tenancies in-house, including gathering and processing tenants’ personal data.
What is Personal Data?
Personal data is written or electronic information about living individuals, usually found in contact details, images, databases, documents, recordings, notes, letters, emails etc. There is no specified list. However, tenancy information forms and records will undoubtedly contain personal data.
In our modern world, loss of data can lead to all manner of risks, such as identity fraud, material, financial or property damage or loss, reputational damage, and many others. This is why data protection laws have recently been fortified and there are now strict obligations to comply.
The UK data protection regulator, the Information Commissioner’s Office (ICO), has a number of powers, the most well-known being the fines, which can run into millions of pounds for large organisations. More commonly, it can impose alternative sanctions, including an Information notice, an Assessment notice or an Enforcement notice, and it also has powers of entry and inspection.
Are you compliant?
Compliance is more than just ‘ticking the box’ to show that you have met the requirements. To ensure you are on the right track, it is worth familiarising yourself with the six principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
These principles underpin the legislation. The ICO refers to them as the ‘spirit of the general data protection regime’. This is where your compliance journey should start, and the benchmark you measure your organisation against when it comes to data protection.
There is an over-arching obligation of accountability, which means your organisation needs to be able to show it is taking data protection seriously at the highest level, and can evidence its policies, procedures and security measures.
You also need to consider registering as a fee payer with the ICO. There is an online questionnaire on the ICO’s website that will help you decide which fee tier is appropriate for you.
To assist with compliance, you must consider what relevant policies you have, or should have, in place. Policies help you implement the principles, and depending on the size and the type of personal data you process, landed estates and landlords should consider having (for example) privacy policies for residential and commercial tenant data, a general data protection policy, policies relating to staff data, data protection impact assessments and records of breaches and consents.
Specifically, consider whether you need to retain the personal data of tenants and former tenants indefinitely. It will rarely be acceptable to do so, so consider why you want to retain it and how long a reasonable period of retention is, in the circumstances.
A number of landed estates and large residential portfolio holders will collect and process personal data, and whilst they likely do so in a sensitive and careful manner, this may not be sufficient to comply with the new data protection requirements.
Muckle LLP has the expertise to assist clients to assess the requirements expected of them and to ensure compliance, through pragmatic advice on data protection and processing and through the provision of standard policies.