
Data protection must be a priority for housing associations

Helen Raftery from the Information Commissioner’s Office (ICO) shares practical advice to help housing associations protect residents’ personal information and avoid data breaches

Housing and data protection
“The ICO’s data suggests that there is a lack of understanding about data protection law by some organisations in the UK housing sector,” says Helen Raftery (picture: Alamy)

To provide accommodation, services and support to residents, all housing associations must process personal information – this can be anything from someone’s contact details to sensitive information such as their medical records.

 

Anyone who processes personal information has a responsibility to protect it under data protection law. This includes keeping it secure, ensuring it is accurate and being transparent with people about how you plan to use it.

 

The ICO’s data suggests that there is a lack of understanding about data protection law by some organisations in the UK housing sector.

 

As well as receiving a number of complaints from residents who have been failed by poor data protection practices from their housing association, we have also received more than 300 data breach reports from organisations providing property services in the past year.



As the UK’s data protection regulator, we want to support all organisations, including housing associations, to handle personal information responsibly and lawfully.

 

Prioritising basic steps – such as staff training, double-checking records and restricting access – can help to prevent personal data breaches before they happen, reducing the risk of harm for residents.

 

As well as regularly producing helpful guidance and resources, the ICO can take enforcement action when organisations get this wrong and share the recommendations to help other organisations improve their practices.

 

With the case studies below, we want to highlight some practical steps that housing associations can take to ensure they have robust data protection practices in place.

 

Case study: the importance of testing and data protection training

 

Yesterday we issued a reprimand to Clyde Valley Housing Association for exposing residents’ personal information on an online customer portal.

 

On the first day the portal was launched, a resident logged in and found that they were able to view personal information about other residents.

 

They called a customer service advisor to flag the data breach, but the advisor did not escalate their concerns and the personal information remained accessible on the portal until further concerns were flagged.

 

Our investigation found that the housing association failed to carry out adequate testing prior to the online customer portal going live, and staff were not aware of the process to escalate a breach.

Test all new services with data protection in mind

 

While new digital products and services can improve the experience for residents, these must not come at a cost to the security of personal information.

 

When rolling out new products and services, we expect all organisations to ensure they have appropriate security measures in place and have tested them thoroughly for any issues with data security.

 

Ensure training is thorough and relevant

 

All organisations must ensure that staff are properly trained so that they are aware of their data protection obligations.

 

All staff must be fully trained on the correct processes and procedures involving personal information, so they know when to escalate any breaches, and what records they are allowed to access. 

 

It is also important to make sure any training is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal information securely and following the processes at their organisation.

Case study: preventing inappropriate disclosure of personal information

 

In 2022, we issued a reprimand to housing provider Bolton at Home for inappropriately disclosing the home address of a domestic abuse victim.

 

A woman had approached Bolton at Home hoping to be rehoused to escape alleged domestic abuse.

 

But a member of staff left a message for the woman, including details of the new address she hoped to move to, on a phone belonging to her husband, who she was intending to leave.

 

Our investigation found that the housing association needed to be more careful with their record-keeping.

 

Regularly check and double-check whether information is accurate

Organisations must take steps to ensure the personal information they hold is accurate. Many breaches can be prevented by ensuring staff always double-check before any personal information is transferred, altered or disclosed.

 

Frequently checking with people that the information and instructions held for them are still accurate could prevent information from being disclosed to an old address, email address or contact number.

 

Keeping an accurate record of contact with residents will also help you to address issues in a timely manner.

 

Sharing personal information with third parties

 

Housing associations may occasionally receive requests for information about their current and former residents from third parties, such as utility companies and debt collectors.

 

There are situations where it may be necessary to share personal information about residents with third parties, and housing associations should have an appropriate system in place.

 

Having a system in place that requires senior members of staff, trained in data protection, to decide whether to release personal information on a case-by-case basis can reduce the likelihood of data being shared inappropriately.

 

If a housing association decides to share personal information, it should only provide relevant, necessary information and make a record of the decision.

 

For example, a utility company may contact a housing association asking for the forwarding address of a former tenant who was in arrears on their gas and electricity account.

 

If residents have been advised at the start of their tenancy that such disclosures would be made because of the contractual relationship between the residents and the utility company, this information can be shared.

 

The ICO is here to help both housing associations and residents

 

For further case studies about issues such as data-sharing and accurate record-keeping, the ICO has a blog post specifically on how data protection law can prevent harm in the housing sector.

 

Any housing association that needs support to process or share personal information can find further guidance on our website or contact us for advice.

 

We are also here to support the public and ensure their data protection rights are respected. If anyone is concerned about how their data is being handled by an organisation, they can make a complaint to us here.

 

Helen Raftery, head of data protection complaints, ICO

 


Responses from housing associations

 

Clyde Valley

 

A spokesperson for Clyde Valley Housing Association said: “We take the handling of customers’ data very seriously and apologise for this error.

 

“We have worked very closely with the Information Commissioner’s Office to review our processes to ensure that this issue cannot be repeated.”

 

Bolton at Home

 

A spokesperson for Bolton at Home said: “We fully supported the ICO’s investigation into what was a serious and regrettable incident. We never want to fall short of meeting customers’ needs and we’re sorry this happened.
 
“Data protection is of the utmost importance to us, and we’ve taken significant steps to minimise the risk of further breaches since this incident happened in March 2021.
 
“This includes a thorough review of processes and additional training for our staff. We took all the actions recommended by the ICO and kept them up to date with our progress. The ICO informed us in November 2022 they considered the matter closed.”
