Anyone who processes personal data has a legal responsibility to protect it. For serious breaches of the data protection principles, the ICO can issue fines of up to £17.5 million or 4% of a company’s annual turnover, whichever is higher.
However, being over-cautious can also be detrimental, so it’s important to understand the rules. The following case studies help to demonstrate how UK GDPR should be applied in practice. Although the wording of the advice leans towards housing associations, the principles and examples apply across the sector.
Personal data must only be disclosed when it is necessary and appropriate
The ICO cites a case where a tenant raised a complaint about a neighbour. The housing provider shared information about the tenant’s health with a legal advisor who was assessing the complaint.
The housing provider did not consider whether there was a good reason, or lawful basis, for sharing the data. When the tenant complained to the ICO, it determined that the housing association did not need to disclose his health information in order to assess the complaint.
The situation caused significant distress to the tenant, and he decided he had to move as a result. The ICO states that appropriate staff training could have prevented this from happening - for example, staff could have used the ICO’s data sharing checklist to determine whether sharing this data was justified.
Don’t be afraid of data-sharing
Data protection law provides a framework for making decisions about sharing data appropriately; it is not a barrier to sharing information to support residents when this is needed.
In this case study, the tenant asked for information about a repair following a leak in a neighbouring flat. The request was refused, with staff citing data protection law, which meant the tenant couldn’t carry out the repairs needed to her property promptly, resulting in additional damage and expense. In this case, the information should have been provided: the tenant didn’t ask for any personal data, just information that would allow her to plan repairs.
Useful UK GDPR resources for agents
Propertymark’s training course on helping agents comply sets out the requirements of legislation and provides practical approaches to manage risk and ensure compliance to avoid penalties, which can be significant.
Other resources include a fact sheet on the regulations and FAQs on how to respond to a subject access request.
Understanding GDPR: Compliance made simple
In today’s data-driven world, GDPR compliance is non-negotiable with potentially large fines for non-compliance.
eLearning: Records management
Managing information properly is vitally important for an organisation of any size and keeping solid records can be one of the most important assets of a company.
eLearning: Reporting a data breach
The General Data Protection Regulation (GDPR) came into effect in 2018. To comply, you must be able to demonstrate that you are processing personal data in compliance with the principles of the GDPR.
eLearning: Personal data protection
This course focuses on the General Data Protection Regulation (GDPR) with an emphasis on accountability and ownership when it comes to processing and storing personal data.