Data Protection for Landlords. David Smith Anthony Gold Solicitors

Transcription

1 Data Protection for Landlords David Smith Anthony Gold Solicitors

2 Why Protect Data at All? Personal data is key important in everyday life Internet allows information about people to be spread quickly Also enables criminality Data misuse can cause massive loss to individuals

3 What Data is Protected? Personal data is the important element Data that will identify an individual Sensitive personal data is even more important Data that tells you something very personal about an individual such as sexual preference, health etc GDPR uses personal data and special category data Meanings are the same but extended categories for special category data Special category data includes data about: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life, or sexual orientation Not every piece of data is personal It can be anonymised Or it might just be random life events in which a person is involved

4 What Tenant Data is Covered? Name and address Ethnic origin Right to rent data for example Financial data Payment and behaviour history

5 So How do I Deal With This? You can process data With consent Or with a justification Consent Can be implied at the moment Usually found in a clause in the tenancy agreement More complex under GDPR Justification Contractual need Law enforcement and justice Transparency is key to consent and justification

6 Common Errors Broadcasting data unlawfully Facebook etc Inaccurate data Not giving data to those lawfully entitled Local authorities are entitled to data for their law enforcement work Stupid self-tying Making promises about data to tenants without thinking Data loss or theft Carelessness, hacking etc

7 Data Protection Gone Mad Sometimes people get over excited about DPA issues Not all data is covered by the DPA Some data is something that people you are entitled to References are usually obtained for the landlord so they are entitled to them You can retain data you need Even if you are asked to delete it But only as much as you need and for as long as required

8 Are Landlords not Exempt? Nobody is entirely exempt from Data Protection requirements really Being small or a sole trader is irrelevant Specific relevant exemptions for: Domestic data- ie personal household data Confidential references Accounts data No other data is exempt Except unsorted data That means data that is stored on paper and not categorised in any way Data that is about one specific thing (eg. a tenancy) is not unsorted!

9 What About Registration? There is no exemption from registering because you are a small business The ICO is clear that landlords should be registered Registration can be avoided if: You are a not for profit Hobby purposes- eg. small clubs and societies Most ordinary landlords should be registered

10 What is GDPR? Replaces former EU Data Protection Directive UK compliance with the former directive was through the DPA New GDPR increases consistency Partly a response to increased movement of data throughout EU Data is rarely stored in originating country And may be used in several countries Directly in force from 25 May 2018 So in force even if states take no action to implement States will be expected to take their own action as well

11 Why change at all? Directives are general So scope for variation between member states Compliance problem for businesses with multiple establishments Technology has moved on a lot Much more data is collected More data is collected by following activity as opposed to asking questions Big data is of great concern to the EU Data moves pretty freely between EU states Very easy to move data unthinkingly elsewhere Serious problems with some states US data privacy and collapse of Safe Harbour

12 What about Brexit? We remain in the EU for the next two years So we must follow EU rules GDPR in force by default during exit period We are a knowledge and service economy So we need free data transfer with the EU This will not happen without strong data control Using GDPR eases regulatory discussion later As we already have convergence UK government was supportive of GDPR So would be likely to do something similar anyway

13 GDPR- A summary Applies to all organisations processing data from EU residents Regardless of where they are established (extra-territorial applicability) Massively increased fines Up to the larger of 4% of annual turnover or 20 million Consent regime tightened Simpler, purpose clear, easy to withdraw consent Breaches more directly notified Within 72 hours, customer notification too More access rights More right to be forgotten Privacy built into system design Data protection officers

14 Key changes in thinking Risk-based approach Need to consider risks to privacy associated with processing Accountability principle Requires compliance with principles You must demonstrate that compliance More documentation of decision-making and actions Codes of conduct Optional and you do not have to sign up Demonstrates probable compliance with accountability though None yet available but trade bodies could set these up

15 The core principles Not hugely different from DPA Personal data shall be 1. processed lawfully, fairly and in a transparent manner in relation to individuals; 2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; 3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; 4. accurate and, where necessary, kept up to date; 5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; 6. processed in a manner that ensures appropriate security including protection against unauthorised processing and loss, destruction or damage.

16 Lawful processing Always necessary to identify a lawful processing basis Should be one of Consent of the data subject Necessary for the performance of a contract with the data subject or to take steps to enter into a contract Necessary for compliance with a legal obligation Necessary to protect the vital interests of a data subject or another person Other permission necessary for sensitive data Now called special category data But this should not normally be relevant May apply to Right to Rent data Requires explicit consent

17 Consent ICO does not believe that you have to refresh all consents necessarily Contrary to some statements Consent must be opt-in No pre-ticked boxes Or inferred by silence Must be verifiable Consent must be granular, clear, prominent and opt-in Current consents may be ok If they meet the above

18 Core rights GDPR creates rights for data subjects 1. The right to be informed 2. The right of access 3. The right to rectification 4. The right to erasure 5. The right to restrict processing 6. The right to data portability 7. The right to object 8. Rights in relation to automated decision making and profiling

19 Right to be informed Must give information clearly, transparently and accessibly At the time the data is obtained or within one month if obtained indirectly Must supply Identity and contact details of the controller and the data protection officer Purpose of the processing and the lawful basis for the processing Categories of personal data Any recipient or categories of recipients of the personal data Details of transfers to third country and safeguards Retention period or criteria used to determine the retention period The existence of each of data subject s rights The right to withdraw consent at any time, where relevant The right to lodge a complaint with a supervisory authority The source the personal data originates from Whether the provision of personal data part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.

20 Privacy notices Right to be informed is largely upheld by a suitable privacy notice Might be helpful to conduct a Privacy Impact Assessment when thinking about this Guidance from ICO on how to do these Key to make clear What data are you collecting? Why are you collecting it? What will you do with it? Will it leave your organisation for processing or for other marketing use? Who will get it exactly? How will you get rid of it and when?

21 Right of access Similar to the old subject access request However there is now no fee allowed Three different access rights To know that whether you are processing at all- straight yes or no Access to what you have- similar to previous DPA right Appropriate supplementary data- basically the privacy notice Much shorter compliance timeline Now just one month Extendible by further two months if requests are numerous or complex But that does not mean three months! Excessive requests Can be refused Or charged for Preference is for electronic data provision

22 Rectification and erasure Subjects can ask for rectification for inaccurate data Must be done within one month Right to be forgotten Actually a right to data erasure not total cleansing Data should be deleted when No longer needed Consent is withdrawn Objection is made and there is no legitimate interest in continuing to process Change from DPA in that there is no limit in relation to distress etc All data is deletable You can only refuse to delete data which you need for legal purposes You will need to tell third parties and get them to delete too if you provided the data May need changes to agreements with referencing companies etc This is potentially a big deal Backups, marketing data etc

23 Restriction & Objection Subjects can demand restriction of processing You can store data but should not process it in these cases At least until you investigate further Need an internal process for this Subjects can also object to processing You must then establish need Or legal claim justification Marketing will be an issue here Online processing or data collection requires you to offer online objection process

24 Breach reporting Only have to report breaches which lead to risk to individuals rights PIA should help here But this will be most breaches If in doubt, report Individuals need to be notified where there is a high risk to their rights That is a higher threshold than telling the ICO So if you are telling individuals you are long past the ICO report stage Must report within 72 hours Early reporting has been shown to limit fines

25 Data Protection Officers GDPR does not require these But UK Data Protection Bill does Some mandatory requirements Core activity is large scale processing Core activity involve processing of more personal data Disagreement about some of these issues Is agency work primarily involved in data processing? i.e. is it a core activity? Is it large scale? Referencing agents and deposit schemes certainly qualify As will most agents with a research team