Data Protection for Landlords

David Smith

Anthony Gold Solicitors

Why Protect Data at All?

• Personal data is key important in everyday life

• Internet allows information about people to be spread quickly

• Also enables criminality

• Data misuse can cause massive loss to individuals

What Data is Protected?

• Personal data is the important element

• Data that will identify an individual

• Sensitive personal data is even more important

• Data that tells you something very personal about an individual such as sexual preference, health etc

• GDPR uses personal data and special category data

• Meanings are the same but extended categories for special category data

• Special category data includes data about:

• racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life, or sexual orientation

• Not every piece of data is personal• It can be anonymised

• Or it might just be random life events in which a person is involved

What Tenant Data is Covered?

• Name and address

• Ethnic origin

• Right to rent data for example

• Financial data

• Payment and behaviour history

So How do I Deal With This?

• You can process data

• With consent

• Or with a justification

• Consent

• Can be implied at the moment

• Usually found in a clause in the tenancy agreement

• More complex under GDPR

• Justification

• Contractual need

• Law enforcement and justice

• Transparency is key to consent and justification

Common Errors

• Broadcasting data unlawfully

• Facebook etc

• Inaccurate data

• Not giving data to those lawfully entitled

• Local authorities are entitled to data for their law enforcement work

• Stupid self-tying

• Making promises about data to tenants without thinking

• Data loss or theft

• Carelessness, hacking etc

Data Protection Gone Mad

• Sometimes people get over excited about DPA issues

• Not all data is covered by the DPA

• Some data is something that people you are entitled to

• References are usually obtained for the landlord so they are entitled to them

• You can retain data you need

• Even if you are asked to delete it

• But only as much as you need and for as long as required

Are Landlords not Exempt?

• Nobody is entirely exempt from Data Protection requirements really

• Being small or a sole trader is irrelevant

• Specific relevant exemptions for:

• Domestic data- ie personal household data

• Confidential references

• Accounts data

• No other data is exempt

• Except unsorted data

• That means data that is stored on paper and not categorised in any way

• Data that is about one specific thing (eg. a tenancy) is not unsorted!

What About Registration?

• There is no exemption from registering because you are a small business

• The ICO is clear that landlords should be registered

• Registration can be avoided if:

• You are a not for profit

• Hobby purposes- eg. small clubs and societies

• Most ordinary landlords should be registered

What is GDPR?

• Replaces former EU Data Protection Directive

• UK compliance with the former directive was through the DPA

• New GDPR increases consistency

• Partly a response to increased movement of data throughout EU

• Data is rarely stored in originating country

• And may be used in several countries

• Directly in force from 25 May 2018

• So in force even if states take no action to implement

• States will be expected to take their own action as well

Why change at all?

• Directives are general

• So scope for variation between member states

• Compliance problem for businesses with multiple establishments

• Technology has moved on a lot

• Much more data is collected

• More data is collected by following activity as opposed to asking questions

• Big data is of great concern to the EU

• Data moves pretty freely between EU states

• Very easy to move data unthinkingly elsewhere

• Serious problems with some states

• US data privacy and collapse of Safe Harbour

What about Brexit?

• We remain in the EU for the next two years

• So we must follow EU rules

• GDPR in force by default during exit period

• We are a knowledge and service economy

• So we need free data transfer with the EU

• This will not happen without strong data control

• Using GDPR eases regulatory discussion later

• As we already have convergence

• UK government was supportive of GDPR

• So would be likely to do something similar anyway

GDPR- A summary

• Applies to all organisations processing data from EU residents

• Regardless of where they are established (extra-territorial applicability)

• Massively increased fines

• Up to the larger of 4% of annual turnover or €20 million

• Consent regime tightened

• Simpler, purpose clear, easy to withdraw consent

• Breaches more directly notified

• Within 72 hours, customer notification too

• More access rights

• More right to be forgotten

• Privacy built into system design

• Data protection officers

Key changes in thinking

• Risk-based approach

• Need to consider risks to privacy associated with processing

• Accountability principle

• Requires compliance with principles

• You must demonstrate that compliance

• More documentation of decision-making and actions

• Codes of conduct

• Optional and you do not have to sign up

• Demonstrates probable compliance with accountability though

• None yet available but trade bodies could set these up

The core principles

• Not hugely different from DPA

• Personal data shall be1. processed lawfully, fairly and in a transparent manner in relation to individuals;

2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

4. accurate and, where necessary, kept up to date;

5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

6. processed in a manner that ensures appropriate security including protection against unauthorised processing and loss, destruction or damage.

Lawful processing

• Always necessary to identify a lawful processing basis

• Should be one of

• Consent of the data subject

• Necessary for the performance of a contract with the data subject or to take steps to enter into a contract

• Necessary for compliance with a legal obligation

• Necessary to protect the vital interests of a data subject or another person

• Other permission necessary for sensitive data

• Now called ‘special category’ data

• But this should not normally be relevant

• May apply to Right to Rent data

• Requires explicit consent

Consent

• ICO does not believe that you have to refresh all consents necessarily

• Contrary to some statements

• Consent must be opt-in

• No pre-ticked boxes

• Or inferred by silence

• Must be verifiable

• Consent must be granular, clear, prominent and opt-in

• Current consents may be ok

• If they meet the above

Core rights

• GDPR creates rights for data subjects1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision making and profiling

Right to be informed

• Must give information clearly, transparently and accessibly

• At the time the data is obtained or within one month if obtained indirectly

• Must supply

• Identity and contact details of the controller and the data protection officer

• Purpose of the processing and the lawful basis for the processing

• Categories of personal data

• Any recipient or categories of recipients of the personal data

• Details of transfers to third country and safeguards

• Retention period or criteria used to determine the retention period

• The existence of each of data subject’s rights

• The right to withdraw consent at any time, where relevant

• The right to lodge a complaint with a supervisory authority

• The source the personal data originates from

• Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

• The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

Privacy notices

• Right to be informed is largely upheld by a suitable privacy notice

• Might be helpful to conduct a Privacy Impact Assessment when thinking about this

• Guidance from ICO on how to do these

• Key to make clear

• What data are you collecting?

• Why are you collecting it?

• What will you do with it?

• Will it leave your organisation for processing or for other marketing use?

• Who will get it exactly?

• How will you get rid of it and when?

Right of access

• Similar to the old subject access request

• However there is now no fee allowed

• Three different access rights

• To know that whether you are processing at all- straight ‘yes’ or ‘no’

• Access to what you have- similar to previous DPA right

• Appropriate supplementary data- basically the privacy notice

• Much shorter compliance timeline

• Now just one month

• Extendible by further two months if requests are numerous or complex

• But that does not mean three months!

• Excessive requests

• Can be refused

• Or charged for

• Preference is for electronic data provision

Rectification and erasure

• Subjects can ask for rectification for inaccurate data

• Must be done within one month

• Right to be forgotten

• Actually a right to data erasure not total cleansing

• Data should be deleted when

• No longer needed

• Consent is withdrawn

• Objection is made and there is no legitimate interest in continuing to process

• Change from DPA in that there is no limit in relation to distress etc

• All data is deletable

• You can only refuse to delete data which you need for legal purposes

• You will need to tell third parties and get them to delete too if you provided the data

• May need changes to agreements with referencing companies etc

• This is potentially a big deal

• Backups, marketing data etc

Restriction & Objection

• Subjects can demand restriction of processing

• You can store data but should not process it in these cases

• At least until you investigate further

• Need an internal process for this

• Subjects can also object to processing

• You must then establish need

• Or legal claim justification

• Marketing will be an issue here

• Online processing or data collection requires you to offer online objection process

Breach reporting

• Only have to report breaches which lead to risk to individuals rights

• PIA should help here

• But this will be most breaches

• If in doubt, report

• Individuals need to be notified where there is a ‘high risk’ to their rights

• That is a higher threshold than telling the ICO

• So if you are telling individuals you are long past the ICO report stage

• Must report within 72 hours

• Early reporting has been shown to limit fines

Data Protection Officers

• GDPR does not require these

• But UK Data Protection Bill does

• Some mandatory requirements

• Core activity is large scale processing

• Core activity involve processing of more personal data

• Disagreement about some of these issues

• Is agency work primarily involved in data processing?

• i.e. is it a core activity?

• Is it large scale?

• Referencing agents and deposit schemes certainly qualify

• As will most agents with a research team