Loading Guild Resources
Loading Guild Resources
Loading Guild Resources
The General Data Protection Regulation (GDPR) and the Data Protection Act will replace the current data protection rules from 25 May 2018.
Under the GDPR, you must audit the information you collect and hold, decide on the lawful basis for processing the data, document the audit, and provide privacy notices for people to view. These notices are usually provided when collecting personal information.
First, we must identify the key definitions and the lawful bases for processing data. This will help carry out the auditing stage and produce privacy notices.
The Information Commissioner’s Office (ICO) has issued extensive guidance on the GDPR, and most of this article is taken from their direction. Only about 1% has been used here so as not to be too overwhelming! The guidance should, therefore, be consulted for the complete information.
A ‘controller’ is the person who determines the purposes and means of processing personal data.
‘Personal data’ means any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
‘Processing’ means any operation or set of operations that are performed on personal data or sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
In most cases, a landlord or letting agent will be the controller and the processor of the data they hold. For example, a landlord or agent may receive an email enquiry from a prospective tenant expressing an interest in viewing a property. The landlord or agent controls the data, i.e., decides what to do with it and processes the information (perhaps storing the information in a note, database, or spreadsheet).
Article 5 of the GDPR requires that personal data shall be:
The controller shall be responsible for and be able to demonstrate compliance with the principles. To process the data, you must have a valid and lawful basis.
There are six lawful bases to process data:
If you want to process personal information under one of these bases, you will need to decide on the most appropriate basis (or bases), document why, and provide a privacy notice explaining the purposes of the processing to the individual.
More information about processing information is on the ICO website.
The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, you can look for a different lawful basis.
For example, consent will be needed to use personal information for sales or marketing purposes.
Perhaps surprisingly, landlords or agents don’t rely as heavily on ‘consent’ to process personal information as they may think.
Most personal information will be processed under ‘contract’ or ‘legitimate interests’.
For example, if you require a credit check to be completed before a tenancy is offered, you can’t seek consent from the prospective tenant to obtain a credit check because it’s not a choice. You must inform them that you will be doing a credit check (and everything else you will be using the personal information for), but you mustn’t mislead them by suggesting they have a choice when the person has no choice.
Furthermore, when obtaining consent, they must be able to opt-out just as quickly as they opted-in under the GDPR.
This wouldn’t be much use to a landlord or agent if they opted in for a credit check and then, two hours later, opted out!
As such, ‘consent’ is not the most appropriate basis for processing the data for a credit check.
More information about consent is on the ICO website.
The ‘contract’ basis for processing personal information will often be the most appropriate for landlords and agents, especially when dealing with tenants (as opposed to prospective tenants).
It is a lawful basis to process personal information where:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
For example, if a tenant contacts a landlord or agent about a broken-down boiler, the landlord or agent will likely pass contact details to an engineer.
This is necessary to fulfil the obligation to repair the boiler under the tenancy agreement.
However, only ‘necessary’ information, such as name, address, telephone number, and email, should be passed.
Consent is not required when a ‘contract’ has been decided as the most appropriate basis for processing the data.
Please document your decision that processing is necessary for the contract and include information about your purposes and lawful basis in your privacy notice.
The processing will be lawful if you must disclose information due to some legal obligation.
An example of this would be tenancy deposit prescribed information.
It’s a legal requirement to provide the tenant's name, address, telephone number, email, and fax where a deposit has been received in connection with an assured shorthold tenancy.
The processing of this information (collecting on an application form, for example) is lawful because it’s a legal requirement to collect and insert it into the prescribed information to be signed by the tenant(s).
Consent is not required to collect this information, but the privacy notice should explain this basis for processing during collection.
If you are processing based on a legal obligation, the individual has no right to erasure, right to data portability, or right to object.
When relying upon a ‘legal obligation’ to process personal information, you must:
Vital interests will rarely (if ever) be a lawful basis for processing personal information for landlords or agents. It is the basis for processing personal data to protect someone’s life. The public task is for public bodies such as local authorities.
This will likely be an everyday basis for our readers processing personal information.
Legitimate interests are the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate when you use people’s data in ways they would reasonably expect, with minimal privacy impact, or when there is a compelling justification for the processing.
Legitimate interests can be yours or those of third parties, including commercial interests, individual interests, or broader societal benefits.
However, to rely upon this basis, a legitimate interests assessment must be completed and recorded comprising three tests:
More information about how to carry out the LIA and what should be included can be found on the ICO website here.
In addition to the LIA, the privacy notice must explain the information used. For example, when a prospective tenant wishes to take property after viewing, the landlord or agent will usually want a credit check carried out.
This is a legitimate interest to protect the landlord’s assets. Furthermore, prospective tenants reasonably expect a credit check to be carried out.
More information about legitimate interests is available on the ICO website.
Special rules apply if ‘special category data’ is to be processed. As the information should never be required in the day-to-day business of lettings, it’s best to avoid the processing of any of the following data about an individual entirely:
The processing of criminal offence data is tricky because, on the one hand, there is a legitimate interest in knowing if a person has a conviction for arson when letting a property, so asking the question about criminal offences may be considered acceptable.
However, it seems that asking about criminal offences will need to be stopped.
Article 10 of the GDPR says:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
There are categories for when criminal offence data may be processed in the UK as being:
(Schedule 1 provides further definitions and information) However, none of these apply to property lettings. As such, it appears there is no lawful basis for landlords or agents to process (i.e. collect) criminal offence information relating to an individual. As such, it seems there’s no point in asking the question.
Only personal information held may be processed in compliance with GDPR from 25 May 2018.
Any information held that is not in compliance or has no lawful basis for processing (for example, if consent was obtained through ticking a box NOT to receive communication) cannot be used any longer.
As processing includes “deleting” information, the information should not be held beyond 24 May 2018.
As a general rule, the individual who is subject to the processing of data has several rights under the GDPR:
Depending on the lawful basis of the processing, some of the above will apply (e.g., legal obligation), and for other bases, all will apply (e.g., consent).
More information about the rights of data subjects is available on the ICO website here.
In respect of registration with the ICO, everything is relatively the same.
The guidance at the time of writing requires the same registration as previously.
You have a maximum turnover of £632,000 for your financial year or no more than ten staff members.
The fee is classed as tier 1 and will likely be £40 per year with a discount of £5 if paid by direct debit.
Most (if not all) landlords and letting agents should already be registered, and they will continue to need to be registered.
You can use the simple self-assessment tool to determine if you need to register.
You will need to register if all of the following apply:
If your processing (collecting or storing, etc.) is entirely on paper, you must still comply with the GDPR outlined above, but registration won’t be necessary.
If you text a tenant (perhaps to arrange an inspection or remind them about the next rent payment), you are storing information automatically and require registration with the ICO.
The ICO has produced guidance available here.
In essence, you must document the data you process through a data audit and have privacy policies for each data set. In practice, a single privacy notice will not be possible.
For small and medium-sized organisations, if you have less than 250 employees, you only need to document processing activities that:
In practice, most processing for lettings will need to be documented because it will be regular and similar processing. The following information must be recorded:
The ICO has produced specific guidance on documenting processing activities.
Templates for documenting are available from within the above-linked guidance.
Categories of individuals for lettings may include (but not an exhaustive list):
For agents, in addition to the above categories of persons, there may be additional categories, for example:
With each category of a person identified, you will need to decide what information you hold, under what lawful basis it’s processed, etc.
For example, regarding prospective viewers, you will need to have basic contact information (name, telephone, email, and maybe address).
It would be best to decide how long you will hold the information (we suggest three to six months is long enough because they’re likely to have found somewhere by then) and the lawful basis for processing.
The lawful basis of processing will be consent (if they subscribed to the mailing list on a website, for example - this will be the basis if they can opt out of the mailing list anytime as quickly as they opted in). Legitimate interests may be appropriate (because they’re interested in properties and would reasonably expect you to send them information when a new property becomes available).
It would not be suitable to process the information for any other purpose than providing information about new properties (unless you have consent for different purposes, which should then be documented).
Under the “right to be informed”, privacy notices are essential to the GDPR.
The starting point of a privacy notice should be to tell people:
When relying on consent, your method of obtaining the consent should:
In addition, if you are processing information for a range of purposes, you should:
Our tenancy agreements produced by Tenancy Builder contain built-in privacy policies.
In summary, the starting point is to determine the categories of individuals you hold personal information on and decide the lawful basis for processing, which needs to be documented.
Suppose you hold information which does not comply with GDPR (for example, you email people for sales purposes, but they have not consented). That information should not be processed beyond 24 May 2018 unless another lawful basis can be found and documented.
Privacy notices should be created to ensure all categories of individuals see these.
Ensure you’re up to date with individuals' rights and think about how you will deal with requests to delete an individual's data if asked or deal with subject access requests.
Check all your consents. Are they opt-in and not too general? They need to be “specific and granular”.