Anyone who processes personal data has a legal responsibility to protect it. For serious breaches of the data protection principles, the ICO can issue fines of up to £17.5 million or 4% of a company’s annual turnover, whichever is higher.
However, being over-cautious can also be detrimental, so it’s important to understand the rules. The following case studies help to demonstrate how UK GDPR should be applied in practice. Althouth the wording of the advice leans towards housing associations, the principles and examples apply across the sector.
Personal data must only be disclosed when it is necessary and appropriate
The ICO cites a case where a tenant raised a complaint about a neighbour. The housing provider shared information about the tenant’s health with a legal advisor who was assessing the complaint.
The housing provider did not consider whether there was a good reason, or lawful basis, for sharing the data. When the tenant complained to the ICO, they determined that the housing association didn't need to disclose his health information to assess the complaint.
The situation caused significant distress to the tenant, and he decided he had to move as a result. The ICO states that appropriate staff training could have prevented this from happening - for example, staff could have used the ICO’s data sharing checklist to determine whether sharing this data was justified.
Don’t be afraid of data-sharing
Data protection law provides a framework for making decisions about sharing data appropriately; it is not a barrier to sharing information to support residents when this is needed.
In this case study, the tenant asked for information about a repair following a leak in a neighbouring flat. The request was refused, with staff citing data protection law, which meant the tenant couldn’t carry out the repairs needed to her property promptly, resulting in additional damage. and expense. In this case, the information should have been provided. The tenant didn’t ask for any personal data, just information that would allow them to plan repairs.
Useful UK GDPR resources for agents
Propertymark’s training course on helping agents comply sets out the requirements of legislation and provides practical approaches to manage risk and ensure compliance to avoid penalties, which can be significant.
Other resources include a fact sheet on the regulations and FAQs on how to respond to a subject access request.
GDPR and how to comply
This course sets out the requirements of the legislation and provides practical approaches to manage risk and ensure GDPR compliance in the sales and letting agency sector. The penalties for non-compliance are significant.
General Data Protection Regulations (GDPR)
This foundation course will ensure you understand what is required of you in your daily role in light of GDPR.
Personal data protection
This course focuses on the General Data Protection Regulations (GDPR) with an emphasis on accountability and ownership when it comes to processing and storing personal data.