Does the housing sector fully understand the Data Protection Act?
CIH’s events team caught up with Audrey Olden and David Hall, who shared their views on data protection within the housing sector and how members can benefit from CIH’s upcoming ‘how safe is your data?’ events.
How you do think the housing sector’s approach to data protection differs from other sectors?
Audrey: I can only compare the housing sector’s approach with the public sector’s approach, as my background is very much public sector based. Data protection has a very high profile in the public sector, and data protection officers (DPOs) are very well imbedded in all public sector environments. The DPO roles tend to manage data protection, freedom of information and environmental information regulation requests, as they are all interlinked in their objectives, but also in law. As a result, data protection has a high profile and tends to be incorporated into project management.
How can organisations ensure that they are using their data in a responsible way?
David: Well, the starting point is to have someone within the organisation whose role is to 'shout' about data compliance! At the moment, it's not a legal requirement for an organisation to have a data protection officer or similar, but it has so much practical value that you shouldn’t wait to be told. A data protection officer becomes your go-to person: someone who has (or will very quickly acquire) solid knowledge about data compliance, has a daily presence in the business, can report to the executive team and knows when external help is needed. How can we expect each other to use data responsibly if we don’t have someone to support and remind us?
Do we fully understand the implications of the Data Protection Act or are we lacking training?
Audrey: I have now been working with First Wessex Housing Association for about seven months and from my experience and exposure to the sector I feel that the profile of data protection has risen recently. There has been some work done by the Information Commissioner around what the housing sector needs to do to ensure compliance. Last year the Information Commissioner highlighted issues facing the social housing sector, which included data sharing with other organisations and data retention. Raising awareness and providing training is great and most definitely something which the housing sector needs to be very targeted to deliver. I’ve always found that if that training can be delivered so that the audience understands why the topic is important and why we should comply with the requirements, then this ‘understanding’ is then taken away and disseminated across an organisation, which begins to change the culture in a positive way.
What are the major challenges facing organisations on a daily basis when handling sensitive data?
David: There are three major challenges: 1) handling sensitive data effectively, 2) achieving appropriate data security, and 3) managing data under contracts.
To understand what 'sensitive' means we need to stand in someone else’s shoes: the customer, your colleague. How much would it harm them if the data was misused or got into the wrong hands? The law requires us to take into account how data can harm or hurt, and treat it accordingly. It also picks out eight or so categories of sensitive data for special treatment, and the organisation can only use those kinds of data in limited circumstances.
Data security is one of those tricky topics where everyone has a valuable view but perhaps no one has the map! It’s hard to keep data secure and confidential because paper and IT are both designed to make data accessible and portable, and modern ways of working are increasingly mobile and require us to take data 'out of doors'.
Managing data under contracts is challenging because data is often just a factor, not the main purpose, so it gets neglected. Good data handling under contracts is partly dependent on good handling of sensitive data and permissions; if you fall at that hurdle, dealing with data under contracts will be hard work. As a consequence, there are very few great examples of contracts out there for you to copy, especially when it comes to data sharing.
You're speaking at data protection events in September - why do you feel delegates would benefit from attending these?
Audrey: I am very passionate about data protection and its ‘raison d'être’. There are a lot of existing challenges facing the housing sector – especially since the announcement of the budget - and there’ll be a lot more to come with the changes in the EU regulation. All of these will see resources stretched while still requiring us all to maintain compliance. I will look at how, as a sector, we can look at addressing this using some existing working models from the public sector. It’s an area I’m constantly learning more about as its never static, and every situation is different depending on the details and the specifics. No matter what I am asked my first response will always be “Well, it depends, please tell me more.”
David: There is a great deal of myth and misinformation surrounding data protection, and there are many reasons for this. The underlying law is high level and difficult for you to apply to real life. There are lots of shades of grey which require you to make judgment calls on a daily basis, and the judgment call you made yesterday (or that another organisation made last week) often won’t work for you today. The regulator’s interpretation of the law, and the EU’s plans for new laws, are often at odds with the views of law courts and organisations. So where do you turn?
The opening session at the event will help to brush away the myth and mystery – it will be led by a senior lawyer who specialises in data and digital technology, and will provide a good overview of data protection compliance. This will provide delegates with a solid platform for building (or consolidating) their knowledge of data protection during the conference, and going forwards.
- With large amounts of sensitive personal data being held by housing providers, it's essential that they have a secure data protection regime. Our ‘how safe is your data?’ events take place on 10 September in London and 30 September in Manchester and are designed to help delegates who have a responsibility for processing personal data.
- Keep an eye on our 'how safe is your data?' webpage for blogs, briefings and opportunities for discussion among housing professionals.