Recent enforcement actions against social landlords suggest many have not got to grips with data protection. It is an issue that must be given priority, writes Ed Hayes
Although GDPR has been in force for two years, startling stories about high-profile data breaches illustrate that far too many organisations are still struggling with compliance.
Social landlords and housing associations, typically holding large amounts of individuals’ sensitive personal data, should be mindful to keep their data protection arrangements under constant review to avoid becoming the next big breach story.
As far back as 2014, the Information Commissioner’s Office (ICO) published a report which followed a series of advisory visits to housing associations across the country.
The report made recommendations for improved compliance, and they remain valid today. Enforcement action by the ICO since that report, and subsequent social housing data breaches, suggest many have still not followed those recommendations.
It seems obvious, but the bare minimum for social landlords and housing associations should be to follow the ICO’s sector-specific guidance.
The guidance has a clear emphasis on staff training and organisational management on data protection issues.
Aside from that training emphasis, most of the recommendations concern security: encrypting personal data on staff devices such as laptops and phones, adopting robust remote working policies (including restrictions on removable storage media such as USB flash drives), and putting suitable staff access management arrangements in place so that tenant data is visible only on a ‘need to know’ basis.
The ICO is clear that those arrangements should all be checked through continuous monitoring of company-wide compliance with policies and procedures.
The ICO’s main recommendation, that staff training needs a sea change, remains relevant today: failures of training have been a constant theme in reported data breaches over recent years.
While cyber security threats generate more column inches, human error is often the culprit when it comes to large data losses.
Quite simply, the most effective change many organisations can make is to roll out more regular, high-quality staff training and instruction on data protection.
Aside from the strong emphasis on improving staff competence and adherence to rules and guidelines, the next step for any social housing provider checking compliance would be to carefully review the ICO’s recommendations.
The first port of call for that check should be the record of processing – under GDPR, every organisation that processes personal data must keep a record of this.
Housing associations often find that periodically updating that record doubles as a checklist for other required actions.
The record must contain information on:
Apart from mitigating the risk of ICO enforcement action, having in place good data protection measures makes it much easier to demonstrate compliance to tenants. It is in the earliest stage of a relationship with a prospective tenant – a tenancy application form – that a social housing provider can show good practice.
A tenancy application form should be written in plain English, state what personal data is required from applicants and why, make clear if a prospective tenant’s consent is required for any processing (and collect that consent if it is), and include all of the other ‘fair processing’ information required under GDPR.
After the application stage, ongoing engagement with tenants – whether through scrutiny panels, tenants’ bodies, or informal consultation – will help an organisation comply with its transparency obligations.
This is particularly the case where a housing association recognises an obligation to conduct a data protection impact assessment because it wants to start using personal data it holds in a new way; the opportunity for tenant engagement in those assessments can significantly improve outcomes.
The strong focus on data protection many housing associations and social landlords had in the run-up to GDPR coming into force in 2018 should not slip now.
The ICO is clear that its expectations on all organisations are increasing, and data protection compliance must be an ongoing part of organisations’ operations, not a one-off matter.
Only by giving data protection compliance sufficient prominence in their operations can housing associations and social landlords avoid the sort of costly enforcement action to which breaches now lead.
Ed Hayes, legal director, TLT