Data Protection and the GDPR
Personal Data:
The General Data Protection Regulation (GDPR) is a Europe (EU) initiative, a new legal framework in the EU, and of course this along with other EU legislation this will be ported across to the UK, post Brexit.
GDPR has similarities with the existing UK Data Protection Act 1998 (DPA), but it goes deeper into what constitutes personal data. For example, even an IP address can be classed as personal data under this new definition. The more expansive GDPR definition provides for a wider range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, and landlords, agents and reference agencies will be, it is likely that you will also be subject to the GDPR.
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Currently the Information Commissioners Office under DPA Schedule 1 lays down these basic Data Protection Principles for handling data, but the GDPR will go further:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
There are two types of data:
- Personal data – such as things that will identify someone, and
- Sensitive personal data – which tells you something personal about the individual, for example, sexual preference.
What is Sensitive Personal Data?
Sensitive personal data includes information on an individual which contains details of their:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a trade union;
- physical or mental health and conditions;
- sexual life;
- commission or alleged commission of an offence;
- proceedings for any offence committed or alleged to have been committed;
- disposal of such proceedings or the sentence of any court in such proceedings.
Again, landlords, agents and reference agencies will be involved in collecting at least some of this sensitive personal data. Details of ethnic origin, financial data, personal references, payment histories, credit scores, bank accounts, National Insurance numbers, passports and drivers’ licenses, personal photos, telephone numbers, debt records (CCJs) and sensitive information on a range of medical, welfare or social service issues and possibly even criminal records will almost certainly be involved if tenants are being checked out properly.
Is it legal to hold this data?
Yes, it is not illegal per se to hold this data, so long legitimately required for the purpose and as it is dealt with in a proper and lawful way. For example, these instances would be unlawful:
- Posting data on public forums, blogs, facebook etc, about an individual
- Refusing to give it to those lawfully entitled to it, e.g. Local Authorities*
- Losing it through leaving laptops in taxis or being hacked (where prevention was possible)
*Obtaining Data on Individuals
Sections 29 35(2) of the DPA, allow others to apply for personal information on an individual in some circumstances. For example, a landlord may request personal information about a subject from a local authority. If you are asked for personal information in this way about a tenant you should seek legal advice before supplying it.
Section 29 allows for the disclosure of personal data if this disclosure is necessary for:
- the prevention of crime
- the apprehension or prosecution of offenders
- the assessment or collection of any tax or duty or similar
- and where not disclosing the information would be likely to prejudice any of these purposes in the particular circumstances of the case.
Section 35(2) allows for the disclosure of personal data if that disclosure is:
- necessary for the purpose of or in connection with any legal proceedings of any nature (including prospective legal proceedings)
- necessary for the purpose of obtaining legal advice
- necessary in order to establish, exercise or defend any legal right.
Landlords and Data Protection
There are a lot of myths and misconceptions about data protection.
For example, landlords are entitled to be shown references obtained on their behalf by agents, though the tenant must have agreed to this sharing of data with relevant persons when they signed the tenancy application form (electronic signatures are now legal).
You can retain data when asked to delete it if you have a lawful reason for keeping it. For example, landlords are entitled to keep data about tenancies for up to six years in case they are sued and therefore tenants cannot destroy a landlord’s defence to a claim by requiring that their defence data be deleted.
All landlords will be covered by the Data Protection rules both under DPA and GDPR.
The fact that you may only have one rented property is irrelevant. However, if you are a genuine “not for profit” you could be exempt?
The GDPR is coming!
You should already know and be complying with the rules above. However, from 25 May 2018 the new rules are in force.
There are massively increased fines for non-compliance which can be up to the greater of 4% of turnover or 20 million Euros, obviously the latter for very large organisations, but well worth taking seriously.
The main effect of these new rules is that if you keep information it needs to be used only for the specific purpose it was provided by the individual. So if you obtain information about someone because they are a tenant this does not mean you can send them mailings trying to sell them something else.
All this is perhaps not hugely significant for landlords provided they do not hang on to data too long. However, it is going to be very significant for agents who may no longer be able to rely on, for example, purchased mailing lists.
Preparing for GDPR
- If you use mailing lists, you need to use the time we have before 25 May next year to ensure that everyone on your list has opted into the type of mailings you are sending to them.
- You need to make sure that you are not retaining information inappropriately and have a proper privacy notice.
- You need to ensure, if your data is held by another organisation, that where appropriate they delete their data also.
If you are involved with large amounts of personal data, the best way to deal with all this is to carry out a Privacy Impact Assessment – there is guidance on the ICO website on how to do this.
Thanks to Tessa Shepperson’s Newsletter for some of this content: www.landlordlaw.co.uk
©1999 – Present | Parkmatic Publications Ltd. All rights reserved | LandlordZONE® – Data Protection and the GDPR | LandlordZONE.
View Full Article: Data Protection and the GDPR
Post comment
Categories
- Landlords (19)
- Real Estate (9)
- Renewables & Green Issues (1)
- Rental Property Investment (1)
- Tenants (21)
- Uncategorized (11,916)
Archives
- December 2024 (43)
- November 2024 (64)
- October 2024 (82)
- September 2024 (69)
- August 2024 (55)
- July 2024 (64)
- June 2024 (54)
- May 2024 (73)
- April 2024 (59)
- March 2024 (49)
- February 2024 (57)
- January 2024 (58)
- December 2023 (56)
- November 2023 (59)
- October 2023 (67)
- September 2023 (136)
- August 2023 (131)
- July 2023 (129)
- June 2023 (128)
- May 2023 (140)
- April 2023 (121)
- March 2023 (168)
- February 2023 (155)
- January 2023 (152)
- December 2022 (136)
- November 2022 (158)
- October 2022 (146)
- September 2022 (148)
- August 2022 (169)
- July 2022 (124)
- June 2022 (124)
- May 2022 (130)
- April 2022 (116)
- March 2022 (155)
- February 2022 (124)
- January 2022 (120)
- December 2021 (117)
- November 2021 (139)
- October 2021 (130)
- September 2021 (138)
- August 2021 (110)
- July 2021 (110)
- June 2021 (60)
- May 2021 (127)
- April 2021 (122)
- March 2021 (156)
- February 2021 (154)
- January 2021 (133)
- December 2020 (126)
- November 2020 (159)
- October 2020 (169)
- September 2020 (181)
- August 2020 (147)
- July 2020 (172)
- June 2020 (158)
- May 2020 (177)
- April 2020 (188)
- March 2020 (234)
- February 2020 (212)
- January 2020 (164)
- December 2019 (107)
- November 2019 (131)
- October 2019 (145)
- September 2019 (123)
- August 2019 (112)
- July 2019 (93)
- June 2019 (82)
- May 2019 (94)
- April 2019 (88)
- March 2019 (78)
- February 2019 (77)
- January 2019 (71)
- December 2018 (37)
- November 2018 (85)
- October 2018 (108)
- September 2018 (110)
- August 2018 (135)
- July 2018 (140)
- June 2018 (118)
- May 2018 (113)
- April 2018 (64)
- March 2018 (96)
- February 2018 (82)
- January 2018 (92)
- December 2017 (62)
- November 2017 (100)
- October 2017 (105)
- September 2017 (97)
- August 2017 (101)
- July 2017 (104)
- June 2017 (155)
- May 2017 (135)
- April 2017 (113)
- March 2017 (138)
- February 2017 (150)
- January 2017 (127)
- December 2016 (90)
- November 2016 (135)
- October 2016 (149)
- September 2016 (135)
- August 2016 (48)
- July 2016 (52)
- June 2016 (54)
- May 2016 (52)
- April 2016 (24)
- October 2014 (8)
- April 2012 (2)
- December 2011 (2)
- November 2011 (10)
- October 2011 (9)
- September 2011 (9)
- August 2011 (3)
Calendar
Recent Posts
- Landlords’ Rights Bill: Let’s tell the government what we want
- 2025 will be crucial for leasehold reform as secondary legislation takes shape
- Reeves inflationary budget puts mockers on Bank Base Rate reduction
- How to Avoid SDLT Hikes In 2025
- Shelter Scotland slams council for stripping homeless households of ‘human rights’