Data protection: Ten issues to stay on top of
Research carried out by CIH and HouseMark has revealed that nearly a quarter of social housing staff are worried about taking mobile devices out of the office for fear of losing tenants’ data – but what other issues do housing organisations need to be on top of when it comes to data protection? David Hall, senior associate at Anthony Collins Solicitors, shares his top ten.
- Training: This means technical training to support subject-matter experts in the organisation, practice training for those who need it, and awareness training for all.
- Governance: Good compliance needs board ownership, a strategic director/“head of” to drive it, and day-to-day ownership by a dedicated data protection officer. Someone in each team/department/office location to act as an overseer and subject-matter expert is a wise move. Their roles, reporting lines and objectives need to be formalised by a written policy.
- Culture: For the governance to work you need to establish two-way reporting. It needs to be clear who is available to receive reports on data protection topics. There need to be clear channels too, e.g. email, phone, perhaps intranet and one-to-ones. A balance needs to be struck so that teams/individuals feel encouraged to make observations and to report breaches, and feel obliged to report more significant points even if that might result in disciplinary action.
- Practice guidance: I normally observe a strong separation between the “governance” aspects of data protection policy and the “practice guidance” which I put in an annex. The practice guidance is a key part of culture: it has to be achievable, it must fit, and it must be subject to constant review. Governance, culture and good guidance are inextricably linked.
- Privacy statement: A single statement for customers and one for staff (plus something about cookies for the website). These are a vehicle for obtaining consent from customers and staff (including on the subject of data retention periods). They are also a vehicle for managing staff use of personal data and maintaining a reasonable level of awareness. An important trick is to build the privacy statement into workflows and processes so that staff use the statements and they are presented to customers continually in lots of different service contexts.
- Consent: A privacy statement defines the scope of data protection permission that a landlord needs from its customers and staff. Getting their permission is a separate piece of work. The task is to get legally effective consent, and to ensure it is recorded and complied with. A strategy is needed to address legacy customers and staff who provided their personal data to the organisation before the privacy statement was introduced.
- Measures to manage staff and third-party usage: The golden rule is that personal data is collected for specific team/workflow ‘silos’ and is not normally shared with anyone outside of the ‘silo’. The aim is to limit access to personal data to a “need to know” basis, supported by appropriate permission from the data subject. How we achieve that will vary from landlord to landlord, service to service, site to site and partner to partner. Contracts are either mandated by law, or are recommended for commercial reasons.
- Data security at the corporate HQ: Data security at the HQ is good for most landlords, but there is usually some room for significant improvements. Landlords need to look at premises security, storage space, desk usage, private meeting space, safeguarding and paper management as well as ICT security.
- Mobile working: Data security away from HQ is a different matter. In ascending order of riskiness: other corporate premises, mobile operational staff, home workers, management mobile workers. The security of conversations, telephone calls, paper and electronic data is harder to manage outside the HQ.
- Internet: Remote access for employees and third-party IT service providers, website hosting, collaborative working and increasingly office software all take us onto the internet. Moving to the internet is a business no-brainer, but achieving passable data security is one of the dark arts and takes significant skill and care. Landlords are generally too trusting of the internet.