The General Data Protection Regulation (GDPR) and a new (as yet to be finalised) Data Protection Act will replace the current data protection rules from 25 May 2018. As with the current rules, the new rules will apply in the UK.
Under the GDPR, you will need to audit the information you collect and hold, decide under what lawful basis the information is being processed, document the audit and have privacy notices available for persons to view which will usually be provided at the time of collecting any personal information.
First we need to identify the key definitions and the lawful bases for processing data. This will help in carrying out the auditing stage and with producing privacy notices.
The Information Commissioner’s Office (ICO) has issued extensive guidance on the GDPR and most of this article is taken from their guidance. Only about 1% has been used here so as not to be too overwhelming! The guidance should therefore be consulted for the full information.
- 1 Key definitions
- 2 Controller and processor
- 3 Processing personal information
- 4 Existing personal information held
- 5 Rights of the individual
- 6 Registration
- 7 What to do in preparation for the GDPR
- 8 In summary
Key definitions
A ‘controller’ is the person who determines the purposes and means of processing personal data.
‘Personal data’ means any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
‘Processing’ means any operation or set of operations that is performed on personal data or on sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
Controller and processor
In most cases a landlord or letting agent will be both the controller and the processor of data they hold.
For example, a landlord or agent may receive an email enquiry from a prospective tenant expressing an interest to view a property. The landlord or agent is in control of the data i.e. deciding what to do with it and will also process the information (perhaps store the information in a note, database or spreadsheet).
Processing personal information
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- processed in a manner that ensures appropriate security of the personal data.
The controller shall be responsible for, and be able to demonstrate, compliance with the principles.
In order to process the data, you must have a valid and lawful basis to do so. There are six lawful bases under which data may be processed:
- consent
- contract
- legal obligation
- vital interests
- public task
- legitimate interests
In order to process the personal information under one of these bases, you will need to decide the most appropriate basis (or bases), document why and have a privacy notice explaining to the individual the purposes of the processing.
Consent
The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult you can look for a different lawful basis.
Consent will be needed for using any personal information for the purposes of sales or marketing for example.
- Consent means offering individuals real choice and control.
- Avoid making consent to processing a precondition of a service.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
- Name any third party controllers who will rely on the consent.
- Keep your consent requests separate from other terms and conditions.
- Keep evidence of consent – who, when, how, and what you told people.
Perhaps surprisingly, landlords or agents won’t rely upon ‘consent’ to process personal information as much as they may think. In reality, most personal information will be processed under ‘contract’ or ‘legitimate interests’.
For example, if you require a credit check to be completed before a tenancy is offered, you can’t seek consent from the prospective tenant to obtain a credit check because it’s not really a choice. You must inform them that you will be doing a credit check (and everything else you will be using the personal information for) but you mustn’t mislead by suggesting they have a choice when in reality the person has no choice. Furthermore, when obtaining consent, they must be able to opt-out just as easily as they opted-in under the GDPR. This wouldn’t be of much use to a landlord or agent if they opted-in for a credit check then two hours later opted-out! As such, ‘consent’ is not the most appropriate basis for processing the data for the purpose of a credit check.
Contract
The ‘contract’ basis for processing personal information will often be the most appropriate basis for landlords and agents, especially when dealing with tenants (as opposed to prospective tenants).
It is a lawful basis to process personal information where:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
For example, if a tenant contacts a landlord or agent about a broken down boiler, the landlord or agent will likely pass contact details to an engineer. This is necessary to fulfil the obligation to repair the boiler under the tenancy agreement.
However, only ‘necessary’ information should be passed such as name, address, telephone and email.
Where ‘contract’ has been decided as being the most appropriate basis for processing the data, consent is not required.
You will need to document your decision that processing is necessary for the contract, and include information about your purposes and lawful basis in your privacy notice.
Legal obligation
Where you are required to disclose information due to some legal obligation, the processing will be lawful.
An example of this would be tenancy deposit prescribed information. It’s a legal requirement to provide the name, address, telephone, email and fax of the tenant where a deposit has been received in connection with an assured shorthold tenancy. The processing of this information (collecting on an application form for example) is lawful processing because it’s a legal requirement to collect this information and insert it into the prescribed information to be signed by the tenant(s).
Consent is not required to collect this information but during collection, the privacy notice should explain this basis for processing.
If you are processing on the basis of legal obligation, the individual has no right to erasure, right to data portability, or right to object.
When relying upon ‘legal obligation’ to process personal information, you must:
- document your decision that processing is necessary for compliance with a legal obligation;
- identify an appropriate source for the obligation in question; and
- include information about your purposes and lawful basis in your privacy notice.
Vital interests and public task
Vital interests will rarely (if ever) be a lawful basis for processing personal information for landlords or agents. It is the basis used to process personal data to protect someone’s life.
Public task is for public bodies such as local authorities.
Legitimate interests
This will likely be a common basis for our readers processing personal information. Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
However, in order to rely upon this basis, a legitimate interests assessment (LIA) must be completed and recorded, comprising three tests:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
More information about how to carry out the LIA and what should be included can be found on the ICO website here.
In addition to the LIA, the privacy notice will need to explain what the information is being used for.
For example, when a prospective tenant wishes to take a property after a viewing, the landlord or agent will want a credit check carried out in most cases. This is a legitimate interest to protect the landlord’s asset. Furthermore, it is reasonably expected by a prospective tenant that a credit check will be carried out.
Special category data
Special rules apply if ‘special category data’ is to be processed. As the information should never be required in the day to day business of lettings, it’s best to avoid entirely the processing of any of the following data in relation to an individual:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
Criminal offence data
The processing of criminal offence data is a tricky one because on the one hand there is a legitimate interest in knowing if a person has a conviction for arson when letting a property and so asking the question about criminal offences may be thought to be acceptable.
However, it seems that asking about criminal offences will need to be stopped although we will continue to monitor this position especially when the Data Protection Bill is finalised.
Article 10 of the GDPR says:
“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
The Data Protection Bill which is yet to be finalised provides categories for when criminal offence data may be processed in the UK as being:
- employment, social security and social protection;
- substantial public interest;
- health and social care;
- public health;
- archiving, research and statistics.
(Schedule 1 provides further definitions and information)
However, none of these apply to property lettings. As such it appears there is no lawful basis for landlords or agents to process (i.e. collect) criminal offence information relating to an individual, and so it seems there’s no point asking the question. As said earlier, we will continue to monitor and may seek confirmation from the ICO.
Existing personal information held
From 25 May 2018, personal information already held may only be processed if that processing complies with the GDPR. Any information held that is not compliant or has no lawful basis for processing (for example, where consent was obtained by means of ticking a box NOT to receive communication) cannot be used any longer. As processing includes “deleting” information, such information should not be held beyond 24 May 2018.
Rights of the individual
As a general rule, the individual who is subject to the processing of data has a number of rights under the GDPR:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Depending upon the lawful basis of the processing, some of the above will apply (legal obligation for example) and for other bases, all will apply (consent for example).
More information about the rights of data subjects is available on the ICO website here.
Registration
In respect of registration with the ICO, nothing is particularly changing. The guidance at the time of writing (which is still in draft form) requires the same registration as previously.
Where your turnover is no more than £632,000 for your financial year, or you have no more than 10 members of staff, the fee is classed as tier 1 and is likely to be £40 per year, with a discount of £5 if paid by direct debit.
Most (if not all) landlords and letting agents should be registered already and will continue to need to be registered.
Basically, you will need to register if all of the following apply:
- you collect, record, store or delete personal information (such as names, addresses, telephone numbers and email addresses)
- the information is processed (including collected or stored) by automated means (such as a mobile phone, computer, tablet etc.)
- the processing is for the purpose of “Property management, including the selling and/or letting of property”.
If your processing (collecting or storing etc.) is entirely on paper, you must still comply with the GDPR as outlined above, but registration won’t be necessary. Bear in mind that if you are even texting a tenant (perhaps to arrange an inspection or as a reminder about the next rent payment) you are storing information by automated means and require registration with the ICO.
What to do in preparation for the GDPR
The ICO has produced a “12 steps to take now” guidance leaflet and a “getting ready for the GDPR checklist” both of which are available here.
In essence, you will need to document the data you process by way of a data audit and have privacy policies in place for each set of data. In practice, a single privacy notice will not be possible.
For small and medium-sized organisations, if you have fewer than 250 employees, you only need to document processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.
In practice, most processing for lettings will need to be documented because it will be regular and similar processing.
The following information must be documented:
- The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
- The purposes of your processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of your technical and organisational security measures.
Templates for documenting are available from within the above linked guidance (or directly on this page).
Categories of individuals for the purposes of lettings may include (this is not an exhaustive list):
- prospective viewers (general enquiries on mailing list for new properties)
- prospective tenants (after viewing and wish to apply for a tenancy)
For agents, in addition to above categories of persons, there may be additional categories for example:
- prospective landlords
- landlord clients
- ex-landlord clients
With each category of person identified, you will need to decide what information you hold, under what lawful basis it’s processed etc.
For example, in respect of prospective viewers, you will hold basic contact information (name, telephone, email and possibly address).
You would need to decide how long you will hold the information (we suggest three to six months is long enough because they’re likely to have found somewhere by then) and the lawful basis for processing.
The lawful basis of processing will be either consent (if they subscribed to the mailing list on a website, for example; this will be the basis if they can opt out of the mailing list at any time as easily as they opted in) and/or legitimate interests (because they’re interested in properties and would reasonably expect you to send them information when a new property becomes available). It would not be suitable to process the information for any purpose other than providing information about new properties (unless you have consent for other purposes, which should then be documented).
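The prospective-viewer example above pulls together three of the article’s requirements: keeping evidence of consent (who, when, how, what they were told), making opt-out as easy as opt-in, and applying a retention period. The following is an added example, not code from the article or the ICO, showing how a small letting business might record these decisions in software so that every use of a viewer’s data is checked against a documented lawful basis and stale records are identified for deletion. All class and function names are assumptions, the sample records are constructed, and the 183-day retention period is an assumed encoding of the article’s six-month upper suggestion.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed retention period for prospective-viewer records: the article suggests
# three to six months, and six months is encoded here as 183 days.
VIEWER_RETENTION = timedelta(days=183)

# Purposes a prospective viewer would reasonably expect, so that legitimate
# interests (not consent) can be the documented basis for them.
EXPECTED_PURPOSES = frozenset({"new_property_alerts"})

# Constructed reference date used by the sample records and the checks below.
REFERENCE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    """Evidence of consent: who, when, how, and what the person was told."""
    subject_id: str
    given_at: datetime
    method: str                 # how consent was captured, e.g. "website signup form"
    statement_shown: str        # the wording the person actually saw
    purposes: frozenset         # granular: one entry per purpose consented to
    positive_opt_in: bool       # False for a pre-ticked box or any default consent
    withdrawn_at: Optional[datetime] = None


@dataclass
class ViewerRecord:
    subject_id: str
    name: str
    email: str
    last_contact: datetime
    lawful_basis: str           # "consent" or "legitimate interests", as documented
    consent: Optional[ConsentRecord] = None


def consent_covers(consent: Optional[ConsentRecord], purpose: str, now: datetime) -> bool:
    """Valid consent means a positive opt-in for this specific purpose that has not been withdrawn."""
    if consent is None or not consent.positive_opt_in:
        return False
    if consent.withdrawn_at is not None and consent.withdrawn_at <= now:
        return False
    return purpose in consent.purposes


def may_process(record: ViewerRecord, purpose: str, now: datetime) -> bool:
    """Return True only if this use of the data rests on a documented lawful basis."""
    if consent_covers(record.consent, purpose, now):
        return True
    # Legitimate interests only covers uses the viewer would reasonably expect.
    return record.lawful_basis == "legitimate interests" and purpose in EXPECTED_PURPOSES


def withdraw_consent(record: ViewerRecord, now: datetime) -> None:
    """Opt-out is a single step; the withdrawal time is kept as part of the evidence."""
    if record.consent is not None and record.consent.withdrawn_at is None:
        record.consent.withdrawn_at = now


def retention_sweep(records: List[ViewerRecord], now: datetime) -> List[str]:
    """Identify records that have outlived the retention period and should be erased."""
    return sorted(r.subject_id for r in records if now - r.last_contact > VIEWER_RETENTION)


def erase(records: List[ViewerRecord], subject_id: str) -> List[ViewerRecord]:
    """Remove a record entirely (end of retention, or a request to delete)."""
    return [r for r in records if r.subject_id != subject_id]


def build_sample_records() -> List[ViewerRecord]:
    """Constructed sample data: three prospective viewers with different bases and ages."""
    now = REFERENCE_NOW
    opted_in = ConsentRecord(
        "v1", now - timedelta(days=30), "website signup form",
        "Tick to receive new property alerts and occasional offers from us.",
        frozenset({"new_property_alerts", "marketing"}), positive_opt_in=True)
    pre_ticked = ConsentRecord(
        "v2", now - timedelta(days=200), "website signup form (pre-ticked box)",
        "Untick if you do not wish to hear from us.",
        frozenset({"new_property_alerts", "marketing"}), positive_opt_in=False)
    return [
        ViewerRecord("v1", "Viewer One", "v1@example.invalid", now - timedelta(days=30), "consent", opted_in),
        ViewerRecord("v2", "Viewer Two", "v2@example.invalid", now - timedelta(days=200), "consent", pre_ticked),
        ViewerRecord("v3", "Viewer Three", "v3@example.invalid", now - timedelta(days=10), "legitimate interests"),
    ]


if __name__ == "__main__":
    records = build_sample_records()
    for r in records:
        print(r.subject_id, "alerts:", may_process(r, "new_property_alerts", REFERENCE_NOW),
              "marketing:", may_process(r, "marketing", REFERENCE_NOW))
    print("to erase:", retention_sweep(records, REFERENCE_NOW))
```

Running the block shows the pre-ticked record (v2) failing every check, because default consent is not consent, and also falling out at the retention sweep; the legitimate-interests record (v3) may receive new-property alerts but not marketing, which the article reserves for consent.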
Under the “right to be informed”, privacy notices are an important element of the GDPR.
The starting point of a privacy notice should be to tell people:
- who you are;
- what you are going to do with their information; and
- who it will be shared with.
When relying on consent, your method of obtaining the consent should:
- be displayed clearly and prominently;
- ask individuals to positively opt-in, in line with good practice; and
- give them sufficient information to make a choice. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid.
In addition if you are processing information for a range of purposes you should:
- explain the different ways you will use their information; and
- provide a clear and simple way for them to indicate they agree to different types of processing. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another.
In addition, there are some excellent examples of good and bad privacy notices contained at the bottom of this page on the ICO website (and within the code linked above).
We will be updating our tenancy agreement and application forms with appropriate privacy notices in due course.
Example for prospective viewer:
In summary
In summary, the starting point is to determine the categories of individuals you hold personal information on and decide the lawful basis for processing. This needs to be documented.
If you hold information which does not comply with GDPR (for example, you email people for sales purposes but they have not consented), that information should not be processed beyond 24 May 2018 unless another lawful basis can be found and documented.
Privacy notices should be created and a means put in place to ensure all categories of individuals see these.
Ensure you’re up to date with individuals’ rights and think about how you will deal with requests to delete an individual’s data, or with subject access requests, if asked.
Check all your consents. Are they opt-in and not too general in nature? They need to be “specific and granular”.
Check out the “12 steps to take now” GDPR guidance issued by the ICO.
Check out the getting ready for GDPR checklist from the ICO.