Wales Landlord Guidance
1.10 Record Keeping and Data Protection
It is essential that landlords have a good system of record keeping.
A file should be kept for a property and then each time a new tenancy is given to a new tenant, a new file should be placed into the property file. The same structure could be kept for computer storage.
Under the General Data Protection Regulations, landlords will, on almost every occasion, be required to register with the Information Commissioner's Office (ICO). Registration is required if personal information is processed on an electronic device, which includes mobile phones, tablets and computers. Processing includes storing, using and deleting information. Registration is straightforward and inexpensive.
To complete registration, visit the ICO website where there is a quick and simple self-assessment tool which establishes in a few easy steps if a fee is payable - https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
The General Data Protection Regulations significantly alter the way data controllers must operate. Firstly, if processing is based on consent, consent to process data must be “opt in”, not “opt out”. This means the individual has to undertake some specific action to choose to allow their data to be processed. Secondly, consent is not the only lawful basis upon which data can be processed. There are four relevant lawful bases that are likely to affect lettings: consent, fulfilment of a contract, compliance with the law and legitimate interests of the data controller.
The new rules give more rights to the individual about whom you have data, including the right to be informed about what you will do with data, the right to access their information (no fee can now be charged), the right to have errors corrected, the right to have their data erased (in some circumstances) and the right to restrict the reasons their data can be processed.
The first step in compliance is to understand what data you hold and on what basis you process it. Arranging a plumber for a repair may fall under the lawful basis of processing of contract fulfilment, and may not therefore need the consent of the tenant. However, if you want to send a surveyor to value the property, this is not likely to be “contractual” and so giving out the tenant’s information would have to be based on another basis of processing, perhaps either legitimate interest of the landlord or consent.
Note that if the data controller provides the data to a third party then a record must be made of this, so that if the data is later updated you know to whom the data was given and can pass on the correct updated data. You should also make sure any third party will be handling the data in accordance with GDPR and is clear about what they are and are not allowed to do with the data. This is referred to as a data processing agreement.
Nowadays many people store copies of tenancy agreements on their computer or in the ‘cloud’. Ensure any format they are being stored in will still exist in many years' time (think 20 years plus). Although average lets are around 18 months, it is not too unusual to see a tenant stay in a property for 10 - 20 years. If you needed the tenancy agreement for possession in 15 years' time, could you still open it? Is the cloud provider you were using still going to be in business then? It is always best to have a paper copy of important things such as tenancy agreements.
Although there are no guarantees, suitable formats that should survive include PDF or JPEG (or JPG).
A good rent accounting system should be used. There is nothing wrong with a simple spreadsheet such as Excel or Google Docs Spreadsheet.
Other specialist software is also available, but again ensure there is longevity.