15 November, 2023
On 14 October 2023, the Regulator for Social Housing (RSH) published its annual Sector Risk Profile report (the Report), detailing its view of the most significant risks preventing registered providers (RPs) from achieving compliance with the RSH regulatory standards. RSH's publication statement reminds RPs of the need to prepare themselves for a new era of increased consumer regulation, following the introduction of the Social Housing (Regulation) Act.
As in 2022, the Report recognises the value of data within the social housing sector, in providing accurate, up to date analytics as to the functioning of an RP and the success of its activities. Despite this, the Report continues to acknowledge the significant task facing RPs in protecting the data security and integrity of stakeholders.
Within this article, we will consider the data and cyber security risks identified by the Report and the consequences associated with failing to adequately address these risks from both a legal and regulatory perspective.
Cyber security and data breaches
The Report references a series of high-profile cyber security incidents that have taken place during the course of the previous year, including continued incidents of phishing, malware and ransomware attacks. The RSH associates the majority of these incidents with a failure by many RPs to maintain an adequate IT infrastructure and/or the move to remote working and increased online service delivery. Furthermore, the RSH correctly identifies that the proposed requirements of the Transparency, Influence and Accountability Standard (due to come into force in April 2024) will require RPs to collect increasingly sensitive data about their tenants, in order to understand and meet their needs. In collecting increasingly sensitive data, it is noted that there is a potential to increase the severity of data breaches as/when they occur.
The Report goes on to advise that RPs should put in place appropriate technical and organisational measures to anticipate unforeseen data and cyber security incidents, to prevent harm to individuals and ensure continued service.
The Report continues by referencing the importance of maintaining reliable, up to date data, as a key component underpinning effective decision making, forecasting and regulatory engagement.
The Report recalls instances where regulatory involvement has been required as a result of poor data storage and maintenance. This practice is considered to lead to poor awareness of housing stock and a lack of compliance with the Decent Homes Standard. Moreover, the Housing Ombudsman estimates that around two thirds of consumer regulation casework has been delayed in the previous year as a result of a lack of information availability and awareness.
The Report summarises its recommendations in respect of data integrity by suggesting that RPs ensure their data is managed and maintained effectively, including the use of adequate quality controls and audit trails, which is reflected in the requirements of the Transparency, Influence and Accountability Standard. Moreover, data should be sufficiently detailed to comply with the requirements of health and safety legislation, the Decent Homes Standard and the delivery of repairs, maintenance and improvements to stock.
The Report identifies several areas of crossover, between the legal obligations imposed on RPs and the regulatory standards RPs are required to adhere to. As data controllers, RPs are required to comply with the obligations set out in the Data Protection Act 2018 (DPA) and the UK GDPR, which includes compliance with the following principles:
Specifically, RPs should be clear about the purposes for which they are processing personal information and the way in which they communicate this to individuals; implement robust policies and procedures for ensuring the accuracy of the data they collect and the security with which it is stored; and create clear audit trails of decision making with regards to processing and maintaining personal data, so as to be in a position to account for their actions. As RPs will undoubtedly recognise, these obligations align with the regulatory standards expected by the RSH.
Failure to comply with the principles in the DPA and UK GDPR can lead to intervention and enforcement action from the UK's data protection regulator, the Information Commissioner's Office (ICO), including:
RPs also risk enforcement action from individuals, who choose to enforce their data protection rights through the courts.
Both of these consequences are not only time-consuming and costly for RPs, but they also have the potential to attract a degree of reputational damage and undermine public confidence.
In addition to the legal risks, the Report clarifies that RPs risk non-compliance with the regulatory standards, as a result of poor data and cyber security practices.
For example, the Transparency, Influence and Accountability Standard referred to in the Report will require social landlords to be open with tenants and treat them with fairness and respect, which includes transparency and fairness with regards to their use of personal information.
Failure to comply with the standards required by the RSH leaves RPs vulnerable to investigation and potentially enforcement. In light of the new Social Housing (Regulation) Act, the RSH is anticipated to exercise increasing enforcement power, including the use of Performance Improvement Plans, unlimited fines, entering housing stock at shorter notice, and use of a simpler mechanism for deregistering an RP.
RPs are advised to give careful consideration to their current data and cyber security practices, especially areas involving a higher degree of personal information and/or more sensitive information, such as supported housing schemes. Each year, the Report provides RPs with an opportunity for reflection and to exercise caution. Now is a good time for RPs to consider conducting an audit of their data systems and practices, to identify areas of weakness and, where required, implement more robust procedures and controls. Whilst RPs are advised to heed the RSH's warning, the Report can primarily be used as a mechanism for identifying and being more proactive in tackling data protection risks, in preparation for what is expected to be an era of increasing enforcement.
For more information contact Laura Rae in our Governance, Procurement & Information department via email or phone on 01772 220221. Alternatively send any question through to Forbes Solicitors via our online Contact Form.