Data protection is something that is becoming more important as the years go on. We all know the dangers of data theft and how someone with your personal details can use them fraudulently.
The Data Protection Legislation is designed to protect data by requiring everyone who holds personal information to look after it properly.
Landlord Data Protection Guide
As a landlord, you will hold data such as:
- names and addresses
- people’s ethnic origin (part of the ‘right to rent’ data that you will hold)
- financial data
- payment and behaviour history
Some of this data will be very sensitive and indeed it is data which a criminal would find especially useful! Therefore, it is important that you look after it properly in accordance with the rules… as you would hope someone else would do with your own data.
Registration with the ICO
If you are a landlord, especially if you self-manage your properties, you will need to register with the Information Commissioner’s Office (ICO).
There are a few exceptions where you will not need to:
- If you are a not-for-profit organisation
- If you only have unsorted data on paper (data about a specific thing such as a tenancy is not unsorted)
- If you use a letting agent and do not personally hold any details about your tenants i.e., financial, employment or personal details
There is NO exemption just because you are a small business – even if you only have one property you will probably need to register.
If you are not sure whether you need to be registered or not, it is always safest to contact the ICO office and ask for guidance.
Make sure you keep a record of their response.
How long should you retain data?
You should only retain people’s data for as long as you need it.
So, if someone is not and never has been your customer, and you are not entitled to contact them about anything – for example, they have not consented to receive information from you – it is probably best to remove them from your database entirely.
You are entitled to, and should, retain their data under the following circumstances:
- If they have given consent – if they have signed up to your information mailing list
- If there is a contract between you – if they are a tenant of yours – you will need to retain their data for at least 7 years after the end of the tenancy. It is advisable to keep the information in case they sue you or you need the information for some other reason connected with their tenancy
- If they are any kind of customer – you will also need to retain information in case it is required by the revenue in the future
- If you are required to retain it by law – you will need to keep any right to rent check information and documentation in case you are asked to produce it by the Home Office/Local Authorities
So, if you rent a property out, you should retain ALL information and paperwork for a minimum of seven years after any tenancy ends.
Here are a few examples of things you should NOT do:
- Publish it unlawfully – for example, by publishing a post on Facebook giving details of a tenant’s failure to pay rent. You should only provide others with a person’s data if you are legally obligated to do so or if the tenant has consented.
- Withhold it from the authorities or those entitled to receive it – Local Authorities are legally entitled to request information from you to enable them to enforce housing law.
Fail to protect data properly
There are many innocent ways in which people do this without realising, such as:
- Leaving a laptop containing customer details without any password protection in a taxi
- Failing to secure data online properly by using an unsafe password (such as ‘mypassword’)
- Sending confidential data in an open email – confidential matters/documents should be sent via another method
The General Data Protection Regulation (GDPR)
These latest data protection rules came into force on 25 May 2018. The regulations tighten up the law relating to data protection and put anybody holding data under greater duties to protect it. Failure to comply with the rules can attract substantial fines.
Under the GDPR, data subjects have the following rights:
- To be informed – this is normally done via a comprehensive privacy notice – which can be on your website or can be given to tenants as a separate document
- Access – people can ask for details of data that you hold, and you can no longer charge a fee for providing this
- Rectification and erasure – people can ask you to correct the data you hold about them and remove it – unless you have a contractual obligation or legal duty to retain it such as the right to rent or the tax rules
- To restrict or object to processing – if they want you to stop mailing them. You need to have a procedure for dealing with these requests
This is not a complete list but contains the main rights that will affect you. However, you will be entitled to process data in the following circumstances:
- To perform your duties under a contract
- If you are required to do so under law for things such as carrying out money laundering checks and complying with the right to rent rules
- If you have a legitimate interest such as protecting your legitimate commercial or other core interests.
- If you have the person’s specific consent – this is essential for marketing purposes, but not if one of the other three reasons above applies
A data protection plan of action for Landlords
If you have not considered how you use people’s data before or if you are a new landlord, then here is a basic plan of action for you to follow:
1. Make sure you are registered
As discussed above, if you are a landlord or letting agent – you should already be registered with the Information Commissioner’s Office. If you are not registered, you need to get this done as soon as possible.
2. Do a list of the type of data that you hold
For example, if you are a landlord or letting agent you will hold personal details about your tenants and if you are a letting agent you will also have details about your landlords.
You may also hold details about ‘prospects’ such as your mailing list.
3. Do a list of the places where it is held
You may just hold all the information on your own computer. But you may also hold some of it in the cloud.
There will probably (especially if you are a letting agent) be more than one place where you hold data – for example, your software, any separate service used to send out newsletters, your accounts software. You may also use a storage service such as Dropbox or OneDrive.
4. Check that those places are GDPR compliant
If data is held online, it should be on a secure site and be password protected.
Most services are fully aware of the rules and should have a policy statement somewhere. It is a good idea to find out where it is and keep a record of it.
Remember – if you input people’s data onto these services YOU are responsible for its safety as well as the service company.
5. Check you have permission from people to use their data in the way that you are using it.
For example, if Mr B gave you his email address in connection with an application for a tenancy that does not necessarily mean that he gave permission for you to send marketing mailings to him.
If you are using data from a purchased list to send out marketing emails you need to be careful. Even if you created your mailing list in-house, it may be best to start again from scratch so you can be sure that you have everyone’s permission.
Remember that it must be an active ‘opt-in’. One of the purposes of the new rules is to reduce spam and unwanted mailings – so make sure that you can show that everyone on your list has actively consented to get your emails.
6. Do a ‘privacy page’ on your website
Assuming you have a website, you need to have a privacy page which sets out in detail what you do with people’s data and informs people what they can do if they want to unsubscribe from your mailing list or get their data deleted if appropriate.
If you don’t have a website, then you will need a privacy notice handout which you can give to tenants or prospective tenants. It wouldn’t be a bad idea to do this even if you have a website.
7. Appoint a Data Protection Officer
If you are a small firm or one-man band – this will probably be you!
The Data Protection Officer’s job is to monitor compliance, ensure that your employees are informed of their duties under the regulations, and to be the first point of contact for members of the public contacting you about data protection issues.
Generally, the Data Protection Officer will be responsible for compliance within your organisation. They should be someone of reasonable seniority and have the authority to make any necessary changes. You should arrange for your Data Protection Officer to have suitable training.
8. Keep a diary or record of actions taken
Use this to record any work you do relating to compliance with the GDPR, so that if the ICO contacts you about a breach you can show them that you are taking it seriously.
9. Answer the ICO GDPR checklist
You will find this on the ICO website in their GDPR section. Keep a dated record of your answers and review it from time to time.
Needless to say, take any action which is flagged up and do not assume that the checklist is the final answer! It is only a starting point.
10. Serve suitable data information notices, for example on your tenants and any household members
You do not need permission from your tenants to use their data, but you do need to give them information about the data you hold, why and where you are holding it and what their rights are.