Information-sharing in a time of breaches: what does a safe data management approach look like?
Data management is under the spotlight in the public realm following the recent Police Service of Northern Ireland breaches, raising important questions for housing associations. How can a balance be found between complying with rules for sharing information and managing data to avoid a leak or breach? Kate O’Flaherty reports
Picture: Alamy
Sharelines
Data management at public authorities is under the spotlight in the UK, following high-profile breaches at the Police Service of Northern Ireland (PSNI). The incidents, in August, saw officers’ personal information exposed online on an Excel spreadsheet in a response to a Freedom of Information (FOI) request.
Of such concern were the events that UK regulator the Information Commissioner’s Office (ICO) has issued new guidance on Excel spreadsheets. The advisory notice to public authorities calls for an “immediate end” to the use of original source spreadsheets when responding publicly to FOI requests.
And even more recently, on 5 December the ICO published “practical advice” for housing organisations concerning data protection, after it received a number of complaints from residents.
It comes as housing associations grapple with new and incoming data requirements, including the tenant satisfaction measures (TSMs) introduced by the Regulator of Social Housing (RSH) earlier this year, for reporting against from April 2024. Meanwhile, government continues to consult on and develop the proposed Access to Information Scheme, pledged in its Charter for Social Housing Residents, which would give residents the ability to request information from their provider about the management of their homes in a manner more in line with local authority residents.
Read more
In a 30 November update on its broader work “to improve the quality of social housing”, the Department for Levelling Up, Housing and Communities promised to set out next steps for the scheme during the “autumn/winter” period.
Housing associations already have to collect large amounts of data, around building safety, financial information and more. This often-sensitive information is integral to the effective running of organisations, but it also needs to be safeguarded.
The PSNI breaches showed the potentially devastating impact of poor data management, further highlighted by housing-sector case studies shared by the ICO. So, how can the balance be found between complying with rules for collecting and sharing information, and managing data to avoid a leak or a breach?
Significant amounts of data
Housing associations typically hold a significant amount of sensitive data about their tenants. This can range from addresses, contact details and ethnic origins, to medical information and counselling history, says Matt Cowen, senior associate at law firm Winckworth Sherwood.
If this information is leaked, it can have major repercussions, he warns. “A data breach has the potential to violate regulatory standards – which can have significant consequences.”
Yet at the same time, data is integral to the day-to-day running of things, as well as for improving services. Social housing providers must ensure they have the right data for every resident, says Emily Orme, chair of Zebra Housing Association, board member at Women’s Pioneer Housing, and a freelance consultant. “So much of what we do when looking at changing and improving services, tailoring services for residents and how we manage the homes is based on data analysis on residents and their needs.”
Social housing providers may hold sensitive data including health information, special educational needs and social services reports, says Ms Orme. “A lot of the work social housing providers do involves collaborating and working with other agencies and local authority services to support residents in their homes and improve lives. By necessity that means we sometimes hold and exchange sensitive data to ensure a holistic approach for every case and to access the right support.”
The sector is currently awaiting new consumer standards from the Regulator of Social Housing, as part of a new proactive consumer regulatory regime expected to be implemented in April 2024. A 12-week consultation on the new standards closed in October.
“While these don’t directly regulate sensitive data, the new standards do set out requirements for housing associations to know their residents in greater detail so they can provide tailored services to meet specific needs,” says Ms Orme.
The revised consumer standards will require housing associations to collect even more data than currently, Mr Cowen says. This includes sensitive data on protected characteristics, which he says makes the risk of a breach “even higher”.
There is a much greater emphasis on providing support for residents who need it so they can access services easily. This means housing associations and stock-holding local authorities will have to ensure that they hold the right data to be able to support individual residents. And they will also need to make sure their software systems and data processing are “fit for purpose” and can deliver on the new requirements, says Ms Orme.
Southern Housing focuses on data management to gain trust
Southern Housing sees the Access to Information Scheme as an opportunity to increase residents’ trust. The 77,000-home group was formed via a merger between Optivo and Southern Housing Group last December.
“While some may see the introduction of the scheme as a challenge, we value it as an opportunity to maintain our residents’ trust by being open and honest on how we make decisions that affect them,” says Puneet Rajput, director of governance and regulation at Southern Housing.
Southern Housing is starting to make plans now to ensure it is ready to comply with the Access to Information scheme, says Mr Rajput. “We intend to increase the information we make publicly available through our website and other channels of communication to our residents and we will be involving them in helping us to prepare for the scheme.”
Mr Rajput describes how the organisation safeguards sensitive personal data of customers and colleagues. “The recent PSNI breach highlights the importance of ensuring the information we process is handled securely and that we take appropriate precautions when disclosing information to ensure data is reviewed, redacted where necessary and shared in a secure format.”
After all, Mr Rajput points out, administrative errors are one of the main causes of breaches, as recognised by the ICO. “We place a lot of emphasis on comprehensive and bespoke training for our colleagues to help minimise the occurrence of these types of errors.”
Managing data
It is important to be able to find the balance between managing data and ensuring access to it.
Sensitive data tends to impact supported and sheltered housing the most, making it important that teams understand the nature of the information they have access to. “The high volumes of correspondence and contact points with residents is a big challenge when protecting resident privacy,” Ms Orme says.
Taking this into account, she highlights the importance of having the right processes and training programmes in place.
Housing providers must ensure staff are suitably trained to access the information they require, agrees Kevin Tighe, compliance manager at data and insight company Housemark. “They should also ensure those with access are monitored and that logs can be produced and are checked, to ensure staff members or suppliers are not going beyond their remit.”
The ICO advises investing in data management systems that support data integrity. This generally means ensuring the accuracy and consistency of data, says Chris Garrett, partner at Winckworth Sherwood.
“The ICO is encouraging organisations to have systems which minimise the risk of data anomalies and ensure their information remains accurate, consistent and reliable over time,” he says.
“This could include steps as simple as data entry training, having data validation rules that control and restrict the values that users can enter into a system and ensuring accurate data exchange across various systems and platforms.”
Maintaining data integrity can also be achieved through comprehensive data management systems, says Chris Hornung, managing director for public sector services at field services specialist Totalmobile. “These systems should grant specific privileges for adding, editing and deleting data, safeguarding the accuracy and consistency of information.”
When a business has a robust data management system, employees can easily find the information they need to do their jobs, Mr Tighe says. “An organisation’s customers are the best resource to ensure the data held on them is correct and up to date. This is the easiest way to ensure the integrity of the data. Housing providers that have given their customers the opportunity to look after their own data have found there was an increase in data changes,” he says.
Five ways to boost data management
- Audit your data: know what data you have and where it resides, including any information held in spreadsheets.
- Make sure teams understand the data they have access to by training employees to identify sensitive information.
- Get buy-in from the board: the board needs to understand and buy into the importance of investing in data management.
- Take advantage of technology: comprehensive data management systems are available for organisations prepared to invest.
- Keep system requirements under review: keep checking that the controls you have in place are sufficient to manage and protect your data.
Data audit
At the same time, housing providers should conduct an audit of their data, identifying any information still being held in spreadsheets, says Craig March, senior data business partner at Housemark. This should be done with a view to moving the data and associated processes into a software application that supports data integrity, he advises.
Mona Schroedel, a data protection specialist at national law firm Freeths, thinks it is worth referring to the ICO’s “helpful checklists” aiming to minimise the risk of accidental disclosure, which includes stipulations based on each step being cross-checked by a colleague. She advises ongoing training supported by systems that allow for safe data extraction. “For example, some have the functionality to automatically produce bundles of data from the wider dataset.”
Keeping system requirements under review is sensible to make wise and timely investments, says Catherine Little, director at consultancy Campbell Tickell. She advises that “relentless data-cleansing and checking controls are in place and working as they should”.
It starts from the top down. Boards should start with setting and understanding organisational culture, Ms Little says. “We’d also suggest considering whether you have the right senior staffing and board or committee skills in this area. There needs to be robust assurance in place and board members will want to show curiosity in their questioning and discussions.”
‘Practical steps’ from the ICO for housing organisations
The ICO published the following advice to housing associations in its 5 December article:
Prioritise staff training
You must ensure that all staff are properly trained so that they are aware of their organisation’s data protection obligations. You must also ensure that all staff are aware of internal processes for handling any queries about personal data. This will ensure that residents can trust that their data is managed appropriately and support you to handle issues in a timely manner.
Practice good record management
Keeping an accurate record of contact with residents will help you to address issues and provide an appropriate level of service to those residents that may require additional support. Remember that residents can also make a subject access request for the information you hold about them and accurate records will make it easier to do this.
Be open about what you do with your residents’ personal data
Residents should be informed about what information about them is being collected and understand the purposes for which this might be used. Our guidance on transparency can help to achieve this.
Appoint a data protection officer if required
You must have a data protection officer if you are a public authority under FOI law or process certain types of data. We have guidance on if you need to appoint a data protection officer.
Access our data sharing resources
There are situations where it may be necessary to share personal information about residents with third parties and you should have an appropriate system in place. Our data sharing code of practice provides guidance, alongside practical tools, to help organisations be confident they can share data within the law. Our data sharing information hub has many helpful resources including myth-busting facts, case studies, FAQs and checklists.
Sign up for Social Housing’s weekly news bulletin
Picture: Alamy
Social Housing’s weekly news bulletin delivers the latest news and insight across finance and funding, regulation and governance, policy and strategy, straight to your inbox. Meanwhile, news alerts bring you the biggest stories as they land.
Already have an account? Click here to manage your newsletters.
RELATED
News28 Mar 2025
RSH upgrades landlord to V1 and hands out five C1 grades
News27 Mar 2025
Welfare cuts to affect three million people, OBR says
- © 2025 Social Housing
- All rights reserved