Following a series of recent major cyber-attacks - most notably upon Clarion Housing and Bromford Housing earlier in the year - the social housing sector is under increased scrutiny.
When a housing association negotiates a transfer of tenanted properties, it may need to share the tenants’ personal data with the potential buyer to enable them to consider the deal more thoroughly. Later, the new owner will need the data to manage the property and to provide services to the tenant.
This article highlights a few key data protection issues to consider in the context of a housing stock transfer or stock rationalisation. We also make some recommendations on how to navigate these.
The Data Protection Act and UK General Data Protection Regulation (UK GDPR) define personal data as any information relating to an identified or identifiable person. This includes, for example, their name, address, date of birth or bank account number. Special category data (previously known as sensitive data) includes information about a person’s racial or ethnic origin, religious beliefs and health data.
Data controllers must ensure that personal data is processed fairly, lawfully and in a transparent manner. In particular, data may only be processed if there is a lawful basis for doing so such as legitimate interest or consent and the relevant individuals have been informed. Processing includes sharing the personal data.
The UK GDPR sets out exactly what information must be provided to individuals when their personal data is being processed. Also, data controllers must minimise the personal data they process or share. This is discussed further below.
One of the key aspects of regulation surrounding social housing stock transfers and a change in landlord is the Social Housing Regulator’s Tenant Involvement and Empowerment Standard (TIE Standard) which spells out the need to consult with the tenants in a 'fair, timely, appropriate and effective manner'.
This means that the seller must consult its tenants and explain to them what the proposed transfer of their home and tenancy to the buyer means for them before signing a contract with the buyer to transfer the properties. The seller must then consider and have proper regard to the responses they receive. Typically, these consultations start with a consultation letter.
This means scoping out with the buyer the services they will need to provide in relation to specific tenant needs, including tenants with mental and physical health needs and any language requirements if English is not their first language or spoken at all.
This will require the sharing of special category data (or sensitive personal data). Only aggregated data or, where possible, anonymised data should be shared with the buyer However, even if data is aggregated, if there are low numbers of tenants with these characteristics, it may still be possible to identify individuals from the aggregated data.
Notification that data is being processed
Tenants need to be informed about the processing of their personal data, typically as part of a privacy notice from the seller. It is important that the privacy notice states that data may be shared as part of a stock transfer and what the lawful basis for doing so is (for example, legitimate interest for personal data; consent for special category data).
The buyer does not need to be named in the buyer’s privacy notice. This privacy notice should be provided to the tenants when their information is initially collected but it is also good practice to provide this privacy notice or a link to it as part of the consultation process.
However, where special category data will be shared between the seller and the buyer, simply providing the tenants with a privacy notice will not suffice to comply with data protection laws. Explicit consent from the tenant will be needed, unless the housing association provides social care services (with a basis in law) and can therefore rely on this as a lawful basis for sharing the data. If consent is needed, it can be obtained in the consent capture form sent with the consultation letter described below.
As the buyer has not itself collected the data from the tenants but instead received it from the seller, it will have to provide the tenants with its own privacy notice. It must do this within one month at the latest after receiving the data to comply with the UK GDPR. The buyer may ask the seller to include a copy or a link to its privacy notice in the consent capture form sent with the consultation letter (see below).
Where tenants’ special category data is shared with the buyer, explicit consent must be obtained from those tenants. Explicit consent needs to be a 'freely given, specific, informed and unambiguous indication of a data subject’s wishes' and 'must be expressly confirmed in words, rather than by any other positive action'.
This means the tenant must have a 'genuine choice' about sharing their data with the buyer. The seller needs to consider how to manage the situation if a tenant withholds consent. Simply redacting a tenant’s details might still allow them to be identified if they are the only one to be anonymous or if they are one of are a small group of tenants needing special provision for disability, for example. In those circumstances, it would be safer to anonymise all the special category data if possible.
Specific and informed
Both the seller and buyer need to be identified as both are relying on such consent. The tenant must also be informed of the purpose for processing their data, how it will be processed and that they can withdraw their consent to such processing at any time. This information should be set out in the consent capture form which also links to or provides a copy of the seller’s privacy notice.
As the consent must be actively given, 'pre-ticked' boxes are not appropriate. Explicit consent cannot be inferred from the tenant’s actions.
Once consent has been collected, it is important that it is properly recorded and that both the seller and buyer retain such records for compliance purposes.
As mentioned above, the seller must minimise the data that it shares, i.e. it must only share data that is relevant and necessary to enable the buyer to make an informed decision about the proposed acquisition, and then to manage the property once acquired and provide services to the tenants. The seller should therefore consider carefully what personal data it needs to share with the buyer.
The seller should:
It is best practice for the parties to sign a data sharing agreement that sets out the basis for sharing the personal data and an agreement to safeguard the shared data.
This article was co-written with Alison Ross, trainee solicitor in our IP, IT and commercial team.