Lately, data law has made the news for all the wrong reasons. Here's how it should work
Be warned. The Data Protection Act 1998 has a wide remit. The act regulates the use of personal data, that is, information relating to a living individual who can be identified from it (known for the purposes of the law as a "data subject").

This includes computer files, CCTV images and structured paper filing systems. The act covers all processing of personal data, which includes obtaining, organising, adapting, altering, retrieving, combining, consulting, using, disclosing, aligning and erasing information. In common with other businesses, registered social landlords (RSLs) use data in all of these ways. Both tenants and employees are affected.

A "data controller", in the language of the act, is an organisation or individual that determines the purpose of processing personal data. Associations will almost always be seen as "data controllers".

To avoid committing a criminal offence, data controllers must notify the Information Commissioner, the independent supervisory authority that enforces the act. Notification costs £35 a year. Controllers should also designate someone responsible for compliance, and it is important that this is a senior manager or board member rather than a junior member of staff.

A matter of principles
Personal data must be processed in accordance with eight data protection principles. These require that personal data is:

  • processed fairly and lawfully
  • obtained only for one or more specified and lawful purposes, and not further processed in a way incompatible with those purposes
  • adequate, relevant and not excessive in relation to those purposes
  • accurate and, where necessary, kept up to date
  • not kept for longer than is necessary
  • processed in accordance with the data subject's rights
  • protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

The first principle – fair and lawful processing – also requires that at least one of the conditions in Schedule 2 to the act is met. These include the data subject having given consent to the processing, and the processing being necessary for the legitimate interests of the data controller, provided it does not prejudice the rights, freedoms or legitimate interests of the data subject.

Fair processing also means that data subjects are entitled to be told who the data controller is and for what purposes their data will be processed. Most RSLs now have a privacy or data protection policy in place, together with information for tenants. Further conditions, set out in Schedule 3, must be met before sensitive personal data is processed. Sensitive personal data is information about racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, the commission or alleged commission of an offence, and criminal proceedings and their outcome, including any sentence.

The Schedule 3 conditions are narrower than those for fair and lawful processing generally, but they do authorise processing where, for example, the data subject has given explicit consent or where the processing is necessary to comply with a legal obligation, such as those that arise when employing people.

The Information Commissioner recognises that there may be circumstances in which no relevant condition is available. The failures of the police and other agencies to retain and share information about the Soham murderer Ian Huntley have led to a government review of the act, and to suggestions that it either needs amendment or has been wrongly interpreted and that further guidance is required.

Although no one principle is more important than any other, the first and second underpin the philosophy behind the act: that people should be treated fairly when information about them is used. If an RSL's policy and practice reflect this, compliance with the other principles is likely to follow naturally.

Data subjects have a right of access to the information held about them on payment of a fee of up to £10, unless a statutory exemption applies. They can also require a controller to stop processing that is likely to cause them substantial damage or distress, and they have a right to compensation for damage caused by a breach of the act. The Information Commissioner has the power to issue enforcement notices where the principles have been contravened. But note that in Durant v the Financial Services Authority (Court of Appeal, 8 December 2003) the court favoured a narrow reading of the terms "personal data" and "relevant filing system", so it should not be assumed that a person is entitled to see every document in which his or her name is mentioned.

Of course, there are specific and important exemptions to all of the above – for example, where data is processed for research purposes – but they will not apply to most day-to-day processing.

Help for your staff
An easily accessible policy can help guide staff in how to use information. Some organisations have a separate policy covering employee data, and the Information Commissioner has also published a code of practice on employment records that gives practical guidance to employers.

The fourth and fifth data protection principles (accuracy and retention) can be met through annual data reviews that correct or update inaccurate information and weed out records that are no longer needed. IT systems need reviewing in order to meet the seventh principle (security). The act itself does not prescribe particular security measures, but the Information Commissioner's guidance points to the information security management standard BS 7799, and its international counterpart ISO/IEC 17799, as the benchmark organisations should aim for.

Information-sharing protocols with other agencies must also comply with the act. Disclosing information to the police, to social services or for housing benefit purposes requires a condition in Schedule 2 to be met (and, where the information is sensitive personal data, a condition in Schedule 3 as well). Statutory agencies often have specific legal powers to obtain information: RSLs should not be afraid to ask them to cite the relevant authority before disclosing anything.

It is essential that housing associations comply with the act, and they would be wise to have a data protection and privacy policy readily available both on paper and on their website.

As always, the best protection against non-compliance is awareness. The act's requirements can be met through good practice, together with an understanding of how it applies in practice at all levels of the organisation.

Get compliant

  • Notify the Information Commissioner – it is a criminal offence not to
  • Tell tenants and employees what data you hold about them and for what purpose it is being processed
  • Develop a data protection/privacy policy that includes provision for identifying and handling sensitive personal data
  • Review the data you hold on an annual basis
  • Check your contracts with third parties that process data on your behalf: the act requires a written contract obliging them to act only on your instructions and to keep the data secure

Use the Information Commissioner's website: www.dataprotection.gov.uk.