ICO Publishes Guidance for Housing Sector

Together we are Forbes

Governance, Procurement & Information Article

12 December, 2023

Bethany_Paliga
Bethany Paliga
Senior Associate

The ICO has recently published guidance specifically targeted at the housing sector setting out how data protection law can be used to prevent harm. In a blog published by the ICO, it discusses a number of common complaints it sees from the housing sector and highlights how poor data protection practices can put customers at risk of harm such as distress, discrimination, identity theft, or physical harm.

The blog also stated that there is a lack of understanding about data protection law across the housing sector and gave examples from the recent report from the Housing Ombudsman (HO) relating to its investigation into an RP which identified record-keeping and data accuracy as key areas for improvement.

Common Issues in the Housing Sector

The ICO states that it commonly receives complaints relating to the following areas:

  • Inappropriate disclosures of personal data - The ICO gives an example of a customer raising a complaint with an RP relating to their neighbour. The RP then shared information relating to customer's health with a legal advisor who was considering the merit of the complaint. The ICO determined that it was not necessary for the housing association to disclose his health information in order to assess the complaint (for further discussion on this point, please see 'Analysis' below).
  • Failure to disclose data through fear of breaching data protection law - The ICO gives an example of a customer making a request to their RP for factual information relating to a repair, following a leak in a neighbouring flat. The request was refused, with staff citing data protection law, and the customer was unable to carry out the repairs to the property in a timely manner which resulted in additional damage and expense. The ICO states that this information should have been provided as the customer did not request any personal data, only information that would allow her to plan her own repairs. This situation could have been prevented by a better understanding of data protection law.
  • Failure to keep accurate records - The ICO gives an example of an RP failing to keep records of complaints and ended up in the HO ordering the RP to pay compensation to the customer.

ICO Recommendations

  • In order to address these common issues, the ICO recommends RPs take the following practical steps:
  • Practice good records management and ensure records kept are accurate and up to date;
  • Be transparent about your use of customer personal data;
  • Appoint a Data Protection Officer if required;
  • Access the ICO's resources in relation to sharing personal data with third parties.

Analysis

The guidance from the ICO provides some basic and sensible recommendations for RPs. However, we understand the complexity RPs face of competing legal and regulatory obligations along with managing complaints from extremely vulnerable customers. Our concern is that this guidance on one hand warns against inappropriate disclosures of personal data while on the other states that there is a fear of disclosing information in case data protection law is breached. It is understandable that an RP may read the example given by the ICO of a complainant's health details being disclosed to a legal advisor and be concerned that this means that they are unable to share details in this way. Whilst we do not know the background details of this particular complaint, there are circumstances in which it is both appropriate and necessary to disclose a complainants' health details when seeking legal advice, for the purposes of ensuring the safeguarding of both the complainant and the perpetrator, in order to consider the vulnerabilities of both parties and to ensure compliance with obligations under the Equality Act 2010 to avoid taking any action which is potentially discriminatory and comply with the public sector equality duty.

Should RPs receive a complaint in relation to its data protection practices, it should consult with its Data Protection Officer and seek specialist legal advice on responding to the complaint and corresponding with the ICO so that your lawful basis for handling personal data is clearly and correctly documented.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Governance, Procurement & Information department here

ICO reprimands Finham Park Multi Academy Trust following cyber-…

ICO takes Enforcement against Charnwood Borough Council for Data…

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 0831

CallRequest a call back

EmailSend us an email

Make an Enquiry

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday:
Closed