CHAPTER ONE – INTRODUCTION TO DATA PROTECTION IN SOCIAL HOUSING
Books and articles about data protection and the GDPR often feature images of computers and padlocks, sometimes a shield. These images represent the idea of keeping electronic data secure, which is of course crucial, but it is far from being the only important aspect of what we call ‘data protection.’
Unfortunately, the term ‘data protection’ doesn’t do itself justice, because it can sound like its focus is on keeping data protected from external leaks. However, there is much more to data protection law. Organisations also need to comply with the other aspects of data protection, which include considering the purpose for collecting the data in the first place, as well as accuracy, not keeping data for too long, and upholding individuals’ rights, amongst other requirements.
The social housing sector exists to support people and communities, which means that social housing providers cannot operate without collecting, and using, a vast amount of information about the people they interact with; current, past, and potential tenants, customers, employees, and others.
There are undoubtedly many pros to having this data; being able to analyse tenant demographics, behaviour, and preferences can allow landlords to improve their services, and plan better for future needs and wants.
These benefits are often discussed in the housing sector, but the risks related to the collection and storage of personal data are not so widely acknowledged.
The benefits of data protection are not often examined either. The positive impacts of data protection compliance include increased trust and respect, better efficiency, improved tenant and employee relations, reduced costs, and reduced risks of causing people harm.
Data Protection Law
Data protection law is actually based on upholding human rights, and as such it holds so much potential for improving the lives of social housing tenants and employees, and society in general.
“This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” [Art. 1 (UK)GDPR]
‘Data Protection’ includes more legal requirements than only the GDPR, too. In the UK we are subject to:
- The UK General Data Protection Regulation (‘(UK)GDPR’)
- The Data Protection Act 2018 (‘DPA 2018’)
- The Privacy and Electronic Communications Regulations (EC Directive) (‘PECR’)
There are also circumstances where social housing providers will need to consider the common law duty of confidentiality, and – less often – other laws relating to personal data such as the Access to Medical Reports Act.
Due to the nature of social housing, where organisations work with a huge number of individuals, a clear understanding of the scope of the legislation is critical.
“This Regulation does not apply to—
(a) the processing of personal data by an individual in the course of a purely personal or household activity;”
[Art. 2 (UK)GDPR]
When personal data is used for “a purely personal or household activity” the processing of that data is not subject to the (UK)GDPR, but that doesn’t mean that customers or members of the public will never need to be aware of the law; see chapter 12 on the use of CCTV and ASB (Anti-social Behaviour).
Data Protection law does apply to most processing of personal data, relating to the people we interact with, our data subjects.
A ‘data subject’ is a person whose data is being processed, and ‘process’ means to do almost anything with or to that personal data.
In the social housing sector, we routinely process information about:
- Our colleagues, including employees, volunteers, board members;
- People who work with us, including colleagues from our contractors, our suppliers, Local Authorities, Regulators, Government departments, law enforcement, charities, community groups and more;
- People who live in our homes, including applicants and former tenants/customers;
- People who use our services, including potential and former customers;
- People linked to the people who live in our homes or use our services;
- People who make enquiries or complaints;
Myths about Data Protection
There are so many myths about data protection in general and about the GDPR and (UK)GDPR in particular. These range from needing consent to process any personal data, to the likelihood of being fined millions of pounds for any size of data breach, to organisations being prevented from helping vulnerable people due to the data protection laws. Unfortunately, these myths are often perpetuated by news articles and statements that are widely available.
To briefly address just those three myths, processing certainly does not always need consent, most organisations are not likely to be fined millions of pounds, and organisations including housing providers absolutely can help people in need without breaching data protection law. Each of these myths, and more, will be addressed throughout this book.
The Social Housing Sector’s Values and Data Protection:
The social housing sector is largely based on values that are aligned with good data protection, even if it’s not always recognised, perhaps due to the misunderstandings and myths around data protection.
Values including fairness, transparency, accountability, security, and respect for human rights can all be seen in the documented values, visions and missions of many social housing providers. What is not always realised is that they also all feature heavily in the data protection legislation.
It is unfortunate, but understandable, that many social housing providers will see data protection as a tick box exercise, or even as a blocker to achieving their goals. When in reality, the values in social housing align so closely with those that the data protection legislation is built upon.