10 Data Protection Tips for Landlords: Compliance with UK GDPR
4 November 2021
UK GDPR can be a minefield to understand and navigate. It can be tricky to gets to grips with how it should be applied in practice to certain sectors. We have put together these tips to help landlords stay on the straight and narrow when it comes to processing personal data.
Let us jump straight into the nitty gritty then!
- Register with the Information Commissioner’s Office (“aka the ICO”)
As a landlord you will hold personal data about your tenants, and this is the case whether it is for just the 1 tenant or 100 tenants. That personal data will include information such as the tenant’s name, date of birth, occupation, contact telephone number, address, copies of their identification, credit check, references and their right to rent.
Therefore, as you are holding personal data, whether it is on physical paper or on an electronic device, you will be subject to UK data protection law as a data controller. This means you must register with the ICO otherwise, if you do not, you risk falling foul of the legislation and receiving a fine.
- Check the reasons why the data is being processed
The key ingredients of the UK GDPR are that personal data must be processed lawfully, fairly and in a transparent manner.
Processing means using, storing, sharing or deleting information.
There are six lawful bases for processing personal data. Those which are likely to apply to landlords are:
Consent: The data subject has freely given consent for their information to be processed.
Legal Obligation: Processing is necessary to comply with the law.
Contract: Processing is necessary to fulfil a contract
Legitimate Interest: Processing is necessary to the legitimate interests of an organisation or third-party affiliate.
As there is a tenancy agreement (or lease) which is a contract, processing data is necessary under the terms of the contract. This will also apply in relation to guarantors who are entering into the agreement.
In relation to data held about other occupants of the property, other than the tenant, if this is required, then the appropriate grounds are the processing is necessary to your legitimate interests as the Landlord to know who is living at the property for health and safety purposes.
A note to the wary, if consent is the chosen basis to process the data, then there are extra obligations that you must adhere to such as giving the tenants (or other data subjects) the ongoing ability to revoke consent. Consent will be the basis for processing data if, for example, you need to speak with the local housing services or universal credit regarding rental payments.
Landlords are obliged to check if their tenants have the right to rent and, in some cases, must place any deposit into an appropriate Tenancy Deposit Scheme. Therefore, the data is being processed because there is a legal obligation on the Landlord to do so.
If you use tenant’s data to pass on to a contractor to conduct a repair, the data is being processed under the ground of contract fulfillment.
- Document the processing activities
You must ensure that you document your processing activities and the bases under which the information falls under for processing purposes, i.e., legitimate interest, contract fulfillment, consent or legal obligation.
Your processes and policies should show what information you are holding about parties, who that data is shared with and how long the information is retained for.
- Less is more
Assess all the data that you are holding and conduct regular audits to see where you can minimise the data. As a landlord, you will probably notice that you hold quite a lot of personal data about your tenants and third parties, such as guarantors and other occupants of the property.
Give some thought as to how long you really need to retain this information for and when it is legitimate to delete it.
If you have a managing agent who looks after your portfolio, consider whether you need to have any information over and above the tenants’ name and contact details. If your managing agents keeps detailed records of personal data relating to the tenants (and others) then there is no need for this information to be duplicated by you holding onto that same data.
Data minimisation is key to complying with UK GDPR.
- Security
Another key part of UK GDPR is security. All personal data you are holding should be secured against any unauthorised access. This can be done through IT processes such as sufficient virus protections and firewalls.
If you employ staff then you should provide them with training so that they know how to keep the data secure, to look out for the latest phishing frauds and to ensure physical security in relation to devices that are holding the information such as laptops, mobile phones, USBs etc.
You are obliged to show your compliance with the security principle and have written documents and procedures in place around IT security, staff training relating to their responsibility to keep the data secure. These policies should be signposted, and copies given to all relevant people.
- Privacy Notices
A good privacy notice will explain to tenants (and others) about all the many ways that you will collect, process and store data. Ensure that you provide a copy to all relevant persons or, if it is on your website (if you have one), direct them there.
The privacy notice should cover all stages of the tenancy, from pre-application, the credit and reference checks right through to the signed tenancy agreement stage.
Your tenants (and others) have the right to be forgotten about and so it is important that you explain when and how their data will be deleted. However, bear in mind that you will need to retain information about a tenant’s right to rent to ensure that you comply with your obligations under the Immigration Act 2014. Your privacy notice should detail this obligation and how you will continue to hold the data even once the tenancy has ended.
If there is any CCTV installed at any of your properties, the privacy notice should say how the data is recorded and stored. You will also need to include details about how long the information will be retained and when it will be deleted.
- CCTV
Any CCTV installed at properties is likely to capture personal data about tenants and anyone else visiting a property, including tradesman. The use of CCTV, whether this is installed inside the property in communal areas or, to the exterior is going to subject to UK GDPR.
You should take steps to install signs in prominent positions so that anyone entering onto the property is fully aware that CCTV is in operation. You should make it clear you have a privacy policy in place.
- Data Processing Agreements
If you use a managing agent to manage your properties, then, the managing agent will be regarded as a data processor because they will have access to the tenants’ data and, they are likely to pass that information on to third party contractors where necessary.
Therefore, considering that, it is important that the contract between you and your managing agent contains relevant clauses which cover the security of the data and how it will be processed. It is a requirement under UK GDPR to have such a written contract in place.
- Subject Access Requests
Your tenant (and any other party that you hold personal data about) are entitled to ask you to provide them with a copy of all the personal data that you hold about them under a data subject access request.
If your tenant (or other party that you hold data about) makes a subject access request, you are obliged to respond to that request without delay and must do so within one month of receiving the request.
- Data Breaches
If the worst should happen and you become aware of any incident which puts the personal data of your tenants at risk, you are obliged to report it to the ICO within 72 hours.
You must explain the nature of the breach, how many individuals have been affected and the consequences of the breach to the individuals concerned. You must also explain any steps you have taken to limit the effects of the breach.
For further information or help, contact our dispute resolution expert, Kelly Ellery.