Image Promo description

Register to use our site and access free newsletters, book events and lots more.

You don't have to be a member to use our site. Already registered? Login here

Become a member today

The Chartered Institute of Housing is the independent voice for housing and the home of professional standards

Data protection: Ten issues to stay on top of


Research carried out by CIH and HouseMark has revealed that nearly a quarter of social housing staff are worried about taking mobile devices out of the office for fear of losing tenants’ data – but what other issues do housing organisations need to be on top of when it comes to data protection? David Hall, senior associate at Anthony Collins Solicitors, shares his top ten.

Strategic factors

  1. Training  This means technical training to support subject-matter experts in the organisation, practice training for those who need it, and awareness training for all.
  2. Governance  Good compliance needs board ownership, a strategic director/ “head of” to drive it, and day-to-day ownership by a dedicated data protection officer.  Someone in each team/ department/ office location to act as an overseer and subject matter expert is a wise move.  Their roles, reporting lines and objectives need to be formalised by a written policy.
  3. Culture  For the governance to work you need to establish two way reporting.  It needs to be clear who is available to receive reports on data protection topics.  There need to be clear channels too, e.g. email, phone, perhaps intranet and one to ones.  A balance needs to be struck so that teams/ individuals feel encouraged to make observations and to report breaches, and feel obliged to report more significant points even if that might result in disciplinary action.
  4. Practice guidance  I normally observe a strong separation between the “governance” aspects of data protection policy and the “practice guidance” which I put in an annex.  The practice guidance is a key part of culture: it has to be achievable, it must fit, and it must be subject to constant review.  Governance, culture and good guidance are inextricably linked

    Operational factors
  5. Privacy statement  A single statement for customers and one for staff (plus something about cookies for the website).  These are a vehicle for obtaining consent from customers and staff (including on the subject of data retention periods).  They are also a vehicle for managing staff use of personal data and maintaining a reasonable level of awareness.  An important trick is to build the privacy statement into workflows and processes so that staff use the statements and they are presented to customers continually in lots of different service contexts.
  6. Consent  A privacy statement defines the scope of data protection permission that a landlord needs from its customers and staff.  Getting their permission is a separate piece of work.  The task is to get legally effective consent, and to ensure it is recorded and complied with.  A strategy is needed to address legacy customers and staff who provided their personal data to the organisation before the privacy statement was introduced.
  7. Measures to manage staff and third party usage  The golden rule is that personal data is collected for specific team/ workflow ‘silos’ and is not normally shared with anyone outside of the ‘silo’.  The aim is to limit access to personal data to a “need to know” basis, supported by appropriate permission from the data subject.  How we achieve that will vary from landlord to landlord, service to service, site to site and partner to partner.  Contracts are either mandated by law, or are recommended for commercial reasons.
  8. Data security at the corporate HQ  Data security at the HQ is good for most landlords, but there is usually some room for significant improvements.  Landlords need to look at premises security, storage space, desk usage, private meeting space, safeguarding and paper management as well as ICT security.
  9. Mobile working  Data security away from HQ is a different matter.  In ascending order of riskiness: other corporate premises, mobile operational staff, home workers, management mobile workers.  The security of conversations, telephone calls, paper and electronic data is harder to manage outside the HQ.
  10. Internet  Remote access for employees and third party IT service providers, website hosting, collaborative working and increasingly office software all take us onto the internet.  Moving to the internet is a business no-brainer but achieving passable data security is one of the dark arts and takes significant skill and care.  Landlords are generally too trusting of the internet.

Read more about CIH and HouseMark’s survey on data protection in Inside Housing

Please log in to comment

Your comments

No comments made yet

Join today

We’re here to help you make a difference. Join CIH today and discover your potential


Fire safety

All the latest info and fire safety resources for housing professionals


The new housing apprenticeships

With a century of experience equipping housing professionals with the skills they need to do the brilliant work they do, we can help you make the most of the new housing apprenticeships – whatever stage of the journey you are at.