The General Data Protection Regulations comes into force in May 2018. They impose a new EU wide system of regulating data protection and the UK Government has made it clear that, despite Brexit, the UK will be adopting these Regulations so that they will remain in force even after we leave the EU. But as a landlord, are these changes relevant to you?
In short, yes. These Regulations strengthen existing UK Data Protection Legislation and build on it. They make significant changes around obtaining consent to process data and more stringent requirements about privacy notices, in particular.
Your Landlord responsibilities
As a landlord, you need to be aware of your responsibilities in relation to data protection. This includes safeguarding tenant’s data, making sure that you only pass it on if you are legally entitled to do so, and not retaining it for longer than necessary. However, there are circumstances where you can legitimately pass over data and indeed on occasion may be compelled to do so because of the legal obligation. It may well be necessary to give your tenants a privacy notice to tell them what can be done with data which you hold and how you could use it.
Landlords should notify the Information Commission’s office if they are holding/processing data, as well as providing your tenants with a privacy notice explaining how your process/use data which you collect on your tenants.
Privacy notices
You should provide tenants with a privacy notice explaining how data will be processed. Should you own a website, you can make this available through a digital format here. The RLA has prepared a sample notice applicable to renting residential accommodation. However, you may need to adapt it depending on what you hold/process data for and the nature of your business.
Consents
The best way of ensuring that you comply with your obligations where you pass data onto a third party regarding a tenant (or any resident in the property) is to obtain their written consent. Consent must be freely given and needs to be fully informed. This is why it is also important to provide a privacy notice because it explains what you do with the data which you collect. For example, if you share data with others such as local authority and utility companies you should get your tenant’s consent to do so.
Likewise, if you need to obtain information about your tenants/residents from others, then you can ask tenants/residents to give their consent to this being done.
When you obtain the consent you should obtain a separate signature or other confirmation (such as a tick box). You must not rely simply on including a clause in your tenancy agreement. Data protection consents need to be signed for separately.
The principles of data protection
The Data Protection Act applies to many different types of data and a wide range of processing activities, and imposes a range of obligations on data controllers to ensure that data is processed properly. The DPA sets out a number of data protection principles, which require that:
- Data must be processed fairly and lawfully.
- Data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes.
- Data must be adequate, relevant and not excessive in relation to the purposes for which it is processed. In practice, this means that data controllers must keep existing data under review.
- Data must be accurate and, where necessary, kept up to date. Generally, controllers are required to update all databases unless they constitute a static archive.
- Data must not be kept for longer than is necessary.
- Data must be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of or destruction or damage to personal data.
- Personal data must not be transferred outside the EEA (the European Union and certain other countries such as Norway) unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data
