The Information Commissioner has recently spoken at the Chartered Institute of Housing conference about the importance of data protection issues facing the social housing sector, emphasising that it is crucial for Registered Providers (RPs) to understand and comply with their data protection obligations. The Commissioner's speech follows a report published in February this year by the Information Commissioner's Office (ICO).
Over the last three years, the ICO has undertaken several advisory visits to a variety of social housing organisations, including a number of RPs, to review their compliance with the Data Protection Act 1998 (the DPA). Following on from these advisory visits, the ICO issued a report which outlines where RPs are failing in their data protection obligations and the practical steps they can take to improve compliance.
We summarise below the key recommendations arising from the report and recommend that RPs consider whether their practices and procedures match up to the ICO's expectations.
Implementation of formal data sharing arrangements
The ICO noted that whilst RPs often need to share personal data that they hold with other organisations (for example where unpaid bills need to be chased or in relation to legal proceedings), there are not always formal policies or procedures in place to govern how that data is shared.
RPs should ensure that they implement and regularly review formal data sharing arrangements with any third party organisations. This will allow the RP to deal with issues such as the type of information that can be shared, who can authorise data sharing, how to deal with subject access requests, how the information is disposed of and what records should be maintained.
Maintenance of formal retention schedules and records inventory
The ICO found that RPs often do not have formal retention schedules in place to govern how records are recorded, retained and destroyed. This is very important, as under the DPA organisations should not hold personal data for longer than is necessary. RPs should implement formal retention schedules that apply to both electronic and manual records.
The ICO also found that RPs were often failing to maintain a comprehensive records inventory. A records inventory enables organisations to have a clear view of the data that is being processed and to manage its records effectively. RPs should ensure that they maintain an appropriate inventory.
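The two recommendations above fit together in practice: a retention schedule is only enforceable if it is applied against a records inventory. The following Python script is an added example, not part of the ICO report or this article, showing how an RP might run its inventory against a schedule to identify records due for disposal and records that have no retention period assigned at all. The record categories, retention periods and sample inventory are constructed for illustration and are not taken from the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: record category -> retention period in days,
# counted from the record's trigger date (for example the end of a tenancy).
# These periods are constructed for the example, not taken from any guidance.
RETENTION_SCHEDULE = {
    "tenancy_file": 365 * 6,
    "rent_arrears_correspondence": 365 * 6,
    "repair_request": 365 * 2,
    "cctv_footage": 31,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date   # date from which the retention period is counted
    medium: str          # "electronic" or "manual": the schedule applies to both
    contains_personal_data: bool


def disposal_due_date(record, schedule=RETENTION_SCHEDULE):
    """Return the date on which the record becomes due for disposal,
    or None when the inventory has no retention period for its category."""
    period_days = schedule.get(record.category)
    if period_days is None:
        return None
    return record.trigger_date + timedelta(days=period_days)


def review_inventory(inventory, today, schedule=RETENTION_SCHEDULE):
    """Classify every record in the inventory against the retention schedule.

    Returns a dict of sorted record ids:
      "dispose"     - retention period has expired, record should be destroyed
      "retain"      - still within its retention period
      "unscheduled" - no retention period exists for this category; the
                      schedule itself needs updating before the record can
                      be managed
    """
    result = {"dispose": [], "retain": [], "unscheduled": []}
    for record in inventory:
        due = disposal_due_date(record, schedule)
        if due is None:
            result["unscheduled"].append(record.record_id)
        elif due <= today:
            result["dispose"].append(record.record_id)
        else:
            result["retain"].append(record.record_id)
    return {key: sorted(ids) for key, ids in result.items()}


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    Record("R1", "tenancy_file", date(2007, 1, 15), "manual", True),
    Record("R2", "repair_request", date(2013, 3, 1), "electronic", True),
    Record("R3", "cctv_footage", date(2014, 5, 20), "electronic", True),
    Record("R4", "gas_safety_certificate", date(2013, 9, 1), "manual", False),
]

if __name__ == "__main__":
    for bucket, ids in review_inventory(SAMPLE_INVENTORY, date(2014, 7, 1)).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Running the review regularly, and treating the "unscheduled" bucket as a defect in the schedule rather than a reason to keep the record indefinitely, is what turns a retention policy on paper into one that is actually complied with.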
Access and encryption
Access to records should be strictly controlled to maximise information security. As such, RPs should consider restricting access to those members of staff who need the relevant information to carry out their work. In particular, RPs should ensure that access is updated when an employee moves to a different role, leaves, or is suspended or dismissed.
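The point about updating access on role changes, leavers and suspensions is where access control most often fails in practice, because the HR event and the system permissions are managed by different people. The following Python script is an added example, not from the ICO report or this article, showing a periodic access review that reconciles an HR list against system entitlements and flags anything that no longer matches. The role-to-entitlement matrix, user names and sample data are constructed for illustration.

```python
# Hypothetical matrix of which system entitlements each role legitimately needs.
# Constructed for the example; a real RP would derive this from its own roles.
ROLE_ENTITLEMENTS = {
    "housing_officer": {"tenancy_records", "rent_accounts"},
    "repairs_coordinator": {"repair_requests"},
    "finance": {"rent_accounts", "arrears_ledger"},
}

# Statuses under which a person should hold no access at all.
NO_ACCESS_STATUSES = {"left", "suspended", "dismissed"}


def review_access(hr_records, system_access, role_entitlements=ROLE_ENTITLEMENTS):
    """Compare HR status and role against live system entitlements.

    hr_records:    {username: {"role": str, "status": str}}
    system_access: {username: set of entitlement names}

    Returns a sorted list of (username, entitlement, reason) findings, where
    reason is one of "leaver", "suspended", "dismissed" (status forbids any
    access), "excess_for_role" (entitlement not needed by the current role)
    or "unknown_user" (account exists with no matching HR record).
    """
    findings = []
    for user, entitlements in system_access.items():
        hr = hr_records.get(user)
        if hr is None:
            findings.extend((user, e, "unknown_user") for e in entitlements)
            continue
        status = hr["status"]
        if status in NO_ACCESS_STATUSES:
            reason = "leaver" if status == "left" else status
            findings.extend((user, e, reason) for e in entitlements)
            continue
        allowed = role_entitlements.get(hr["role"], set())
        findings.extend((user, e, "excess_for_role") for e in entitlements - allowed)
    return sorted(findings)


def revocations(findings):
    """Collapse findings into {username: set of entitlements to remove}."""
    to_revoke = {}
    for user, entitlement, _reason in findings:
        to_revoke.setdefault(user, set()).add(entitlement)
    return to_revoke


# Constructed sample data: bjones has moved from housing to repairs, cbrown has
# left, ddavis is suspended, and eevans has an account with no HR record.
SAMPLE_HR = {
    "asmith": {"role": "housing_officer", "status": "active"},
    "bjones": {"role": "repairs_coordinator", "status": "active"},
    "cbrown": {"role": "finance", "status": "left"},
    "ddavis": {"role": "housing_officer", "status": "suspended"},
}
SAMPLE_ACCESS = {
    "asmith": {"tenancy_records", "rent_accounts"},
    "bjones": {"repair_requests", "tenancy_records"},
    "cbrown": {"arrears_ledger"},
    "ddavis": {"tenancy_records"},
    "eevans": {"repair_requests"},
}

if __name__ == "__main__":
    for user, entitlement, reason in review_access(SAMPLE_HR, SAMPLE_ACCESS):
        print(f"{user}: remove '{entitlement}' ({reason})")
```

A review like this is only as good as the HR feed it is run against, so the same leaver and role-change events that trigger it should also be the ones that trigger the update in the first place; the review is the check that the update actually happened.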
Password protection should always be used and RPs should put in place password requirements. This could include forcing passwords to be changed regularly, to be over a certain length and to contain a combination of numbers, characters and letters of different cases.
Portable devices that store personal data, for example USB sticks and DVDs or CDs, pose a high risk to data security. The ICO suggests that access to these types of portable media should also be restricted to roles where it is required, and access should always be signed off and recorded. RPs should ensure that any external devices are encrypted and password-protected.
Remote or home working increases the risk to data security. Large volumes of personal data can be easily transferred between systems, and electronic devices may be targeted by thieves.
If an RP offers remote or home working, a policy should be in place to ensure that the increased risk is mitigated. The policy should deal with when remote working is appropriate, how it should be authorised and the responsibilities of staff in relation to remote working.
Where portable devices are used, the ICO recommends encryption (see above) combined with password protection. It also suggests that having "kill codes" in place may help to mitigate the risk. Kill codes allow the RP to wipe information from a device remotely should the device be lost or stolen.
Staff awareness and training
RPs should make sure that all staff are aware of their data protection obligations. This could include displaying posters around offices and requiring staff to sign to say that they have read and understood data protection policies.
RPs should also ensure that they have appropriate and adequate training in place to enable staff to fulfil their obligations.
The ICO found that most RPs did not have a data protection leader. Having a member of staff in a data protection leadership position helps to ensure compliance throughout the organisation, so RPs should consider appointing a member of staff to this role.
Printing and faxing
Where printing is not secure, RPs risk allowing unauthorised internal access to personal data, or sensitive printed material being sent externally to the wrong person. The ICO recommends that RPs consider secure printing devices to improve security. For example, PIN codes or swipe cards should be used to access printing devices.
Fax machines also pose a significant risk to data security. If an RP can remove fax machines altogether and use a different form of electronic transfer, this should be done. Where RPs still need to use fax machines, however rarely, they should implement a fax usage policy to promote security and prevent information from being wrongly disclosed.
RPs should make sure that unauthorised access to premises is prevented. The ICO found that RPs were generally demonstrating best practice in this area but highlighted certain elements including having a staffed reception, ID badges, swipe card access and dedicated areas for confidential meetings.
Fair processing information
Organisations are legally required to tell individuals how their personal data will be used and it is good practice to tell them how they can access any personal data held.
RPs should therefore ensure that all staff members are able to communicate the relevant information verbally and in written form, for example by making copies of the information available on the RP's website.
Data protection policies
As a general rule, RPs should always use formal policies and procedures to deal with data protection. The policies should be reviewed and updated regularly and promoted within the organisation along with any training needs they identify.
Once policies are put in place, their effectiveness should be monitored. Often policies are implemented in theory but no checks are made that those policies are in fact being complied with. Monitoring policies allows RPs to evaluate the policies and to make any necessary updates or changes to ensure that the RP continues to comply with data protection requirements.
If you have any concerns about your current practices or need assistance implementing any of the recommendations above, please do not hesitate to contact Alison Deighton who heads up TLT's Data Protection & Privacy team.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2014. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.