ICO Publishes Guidance for Housing Sector
Published: December 12th, 2023
The ICO has recently published guidance specifically targeted at the housing sector, setting out how data protection law can be used to prevent harm. In its blog, the ICO discusses a number of common complaints it sees from the housing sector and highlights how poor data protection practices can put customers at risk of harm such as distress, discrimination, identity theft, or physical harm.
The blog also stated that there is a lack of understanding about data protection law across the housing sector and gave examples from the recent report from the Housing Ombudsman (HO) relating to its investigation into an RP which identified record-keeping and data accuracy as key areas for improvement.
Common Issues in the Housing Sector
The ICO states that it commonly receives complaints relating to the following areas:
Inappropriate disclosures of personal data - The ICO gives an example of a customer raising a complaint with an RP relating to their neighbour. The RP then shared information relating to the customer's health with a legal advisor who was considering the merit of the complaint. The ICO determined that it was not necessary for the housing association to disclose his health information in order to assess the complaint (for further discussion on this point, please see 'Analysis' below).
Failure to disclose data through fear of breaching data protection law - The ICO gives an example of a customer making a request to their RP for factual information relating to a repair, following a leak in a neighbouring flat. The request was refused, with staff citing data protection law, and the customer was unable to carry out the repairs to the property in a timely manner which resulted in additional damage and expense. The ICO states that this information should have been provided as the customer did not request any personal data, only information that would allow her to plan her own repairs. This situation could have been prevented by a better understanding of data protection law.
Failure to keep accurate records - The ICO gives an example of an RP failing to keep records of complaints, which ended with the HO ordering the RP to pay compensation to the customer.
ICO Recommendations
In order to address these common issues, the ICO recommends RPs take the following practical steps:
Practise good records management and ensure records kept are accurate and up to date;
Be transparent about your use of customer personal data;
Appoint a Data Protection Officer if required;
Access the ICO's resources in relation to sharing personal data with third parties.
Analysis
The guidance from the ICO provides some basic and sensible recommendations for RPs. However, we understand the complexity RPs face in balancing competing legal and regulatory obligations while managing complaints from extremely vulnerable customers. Our concern is that this guidance on the one hand warns against inappropriate disclosures of personal data while on the other states that there is a fear of disclosing information in case data protection law is breached. It is understandable that an RP may read the example given by the ICO of a complainant's health details being disclosed to a legal advisor and be concerned that this means that they are unable to share details in this way. Whilst we do not know the background details of this particular complaint, there are circumstances in which it is both appropriate and necessary to disclose a complainant's health details when seeking legal advice: to ensure the safeguarding of both the complainant and the perpetrator, to consider the vulnerabilities of both parties, and to ensure compliance with obligations under the Equality Act 2010 to avoid taking any action which is potentially discriminatory and to comply with the public sector equality duty.
Should an RP receive a complaint in relation to its data protection practices, it should consult with its Data Protection Officer and seek specialist legal advice on responding to the complaint and corresponding with the ICO, so that its lawful basis for handling personal data is clearly and correctly documented.