News and Publications

Disposals of social housing stock: the implications of sharing personal data with a purchaser

Posted: 16/12/2022

Following a series of recent major cyber-attacks - most notably upon Clarion Housing and Bromford Housing earlier in the year - the social housing sector is under increased scrutiny.

When a housing association negotiates a transfer of tenanted properties, it may need to share the tenants’ personal data with the potential buyer to enable them to consider the deal more thoroughly. Later, the new owner will need the data to manage the property and to provide services to the tenant.

This article highlights a few key data protection issues to consider in the context of a housing stock transfer or stock rationalisation. We also make some recommendations on how to navigate these.

Data protection laws

The Data Protection Act and UK General Data Protection Regulation (UK GDPR) define personal data as any information relating to an identified or identifiable person. This includes, for example, their name, address, date of birth or bank account number. Special category data (previously known as sensitive data) includes information about a person’s racial or ethnic origin, religious beliefs and health data.  

Data controllers must ensure that personal data is processed fairly, lawfully and in a transparent manner. In particular, data may only be processed if there is a lawful basis for doing so such as legitimate interest or consent and the relevant individuals have been informed. Processing includes sharing the personal data.

The UK GDPR sets out exactly what information must be provided to individuals when their personal data is being processed. Also, data controllers must minimise the personal data they process or share. This is discussed further below.

Tenant Involvement and Empowerment Standard

One of the key aspects of regulation surrounding social housing stock transfers and a change in landlord is the Social Housing Regulator’s Tenant Involvement and Empowerment Standard (TIE Standard) which spells out the need to consult with the tenants in a 'fair, timely, appropriate and effective manner'.

This means that the seller must consult its tenants and explain to them what the proposed transfer of their home and tenancy to the buyer means for them before signing a contract with the buyer to transfer the properties. The seller must then consider and have proper regard to the responses they receive. Typically, these consultations start with a consultation letter.

This means scoping out with the buyer the services they will need to provide in relation to specific tenant needs, including tenants with mental and physical health needs and any language requirements if English is not their first language or spoken at all. 

This will require the sharing of special category data (or sensitive personal data).  Only aggregated data or, where possible, anonymised data should be shared with the buyer However, even if data is aggregated, if there are low numbers of tenants with these characteristics, it may still be possible to identify individuals from the aggregated data. 

Practical considerations

Notification that data is being processed
Tenants need to be informed about the processing of their personal data, typically as part of a privacy notice from the seller. It is important that the privacy notice states that data may be shared as part of a stock transfer and what the lawful basis for doing so is (for example, legitimate interest for personal data; consent for special category data).

The buyer does not need to be named in the buyer’s privacy notice. This privacy notice should be provided to the tenants when their information is initially collected but it is also good practice to provide this privacy notice or a link to it as part of the consultation process.

However, where special category data will be shared between the seller and the buyer, simply providing the tenants with a privacy notice will not suffice to comply with data protection laws. Explicit consent from the tenant will be needed, unless the housing association provides social care services (with a basis in law) and can therefore rely on this as a lawful basis for sharing the data. If consent is needed, it can be obtained in the consent capture form sent with the consultation letter described below.

As the buyer has not itself collected the data from the tenants but instead received it from the seller, it will have to provide the tenants with its own privacy notice. It must do this within one month at the latest after receiving the data to comply with the UK GDPR. The buyer may ask the seller to include a copy or a link to its privacy notice in the consent capture form sent with the consultation letter (see below). 

Obtaining consent
Where tenants’ special category data is shared with the buyer, explicit consent must be obtained from those tenants. Explicit consent needs to be a 'freely given, specific, informed and unambiguous indication of a data subject’s wishes' and 'must be expressly confirmed in words, rather than by any other positive action'. 

Freely given
This means the tenant must have a 'genuine choice' about sharing their data with the buyer. The seller needs to consider how to manage the situation if a tenant withholds consent. Simply redacting a tenant’s details might still allow them to be identified if they are the only one to be anonymous or if they are one of are a small group of tenants needing special provision for disability, for example. In those circumstances, it would be safer to anonymise all the special category data if possible. 

Specific and informed 
Both the seller and buyer need to be identified as both are relying on such consent. The tenant must also be informed of the purpose for processing their data, how it will be processed and that they can withdraw their consent to such processing at any time. This information should be set out in the consent capture form which also links to or provides a copy of the seller’s privacy notice. 

As the consent must be actively given, 'pre-ticked' boxes are not appropriate. Explicit consent cannot be inferred from the tenant’s actions.  

Once consent has been collected, it is important that it is properly recorded and that both the seller and buyer retain such records for compliance purposes.

Data minimisation
As mentioned above, the seller must minimise the data that it shares, i.e. it must only share data that is relevant and necessary to enable the buyer to make an informed decision about the proposed acquisition, and then to manage the property once acquired and provide services to the tenants. The seller should therefore consider carefully what personal data it needs to share with the buyer. 

Key guidance points

The seller should:

  • make sure it has a clear and up to date privacy notice which informs tenants when their data is first collected and clearly explains that their data may be shared with an acquiring housing association as part of the stock transfer or stock rationalisation in the future. The acquiring housing association will not be named in the general privacy notice as its identity will not be known at this stage.
  • have a procedure for obtaining the tenants’ explicit consent for sharing special category data with the buyer. This can be done as part of the consultation process.
  • only share data that is relevant and necessary to enable the buyer to decide whether to proceed with the acquisition, to manage the property once acquired, and to provide the suitable levels of service to the tenants (including as required by the TIE Standard).

It is best practice for the parties to sign a data sharing agreement that sets out the basis for sharing the personal data and an agreement to safeguard the shared data.

This article was co-written with Alison Ross, trainee solicitor in our IP, IT and commercial team.

Arrow GIFReturn to news headlines

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.

Penningtons Manches Cooper LLP