What do social housing providers need to know about UK GDPR?
Since 1st January 2021, the UK has adopted the UK General Data Protection Regulation (UK GDPR), which sits alongside the UK Data Protection Act 2018 (DPA). While regulations surrounding data protection are not new for UK businesses or sectors, they do have a continuing effect.
How does the UK GDPR work for social housing providers?
Social housing providers sit between the Regulator of Social Housing and the people they are providing a service to. Whilst the relationship between the regulator and provider will be governed by robust policies and procedures relating to data protection, the relationship between the provider and their customers will likely be a contractual one.
For individuals who use the providers’ services (‘data subjects’ for the purposes of this article, meaning any person whose personal data is being processed), this can be a complicated and daunting task – one that involves a great deal of personal information and data sharing communications.
Data sharing
The types of data being shared or processed are important, as they will undoubtedly contain personal information, e.g. name, address and email. In addition, special category data, which is data that contains race, health, ethnic origin, political, religious, genetic and biometric data, may be shared. Information relating to children and criminal records may also be shared.
When sharing personal data, Article 6 of the UK GDPR (or Article 9 for special category data) says you must identify the lawful basis for doing so. For example, is the processing necessary for a contractual arrangement, or do the legitimate interests of the controller override those of the data subject without affecting the data subject’s rights and freedoms?
Data subjects may not have access to the necessary media to make best use of the services being offered to them. The personal information processed and shared by the housing provider may therefore need to be recorded or managed in many different ways so that it can be accessed by everyone.
Data subjects may also be transient and therefore moving between different council wards. Many different third-party professionals may be needed to assist in the delivery of the services to the data subject.
Understanding what data you process
All of these relationships involve communication, so understanding every aspect of the movement of information is vital. We carry out many data mapping activities and constantly see how these data landscapes can be complicated and ever-growing. Once this work is carried out and recorded, it is much easier to see any potential gaps and risks.
Being able to support data subjects is vital but understanding their rights as a service provider is critical.
If all of the service providers’ processes and policies are in order, acting upon a Subject Access Request (which is a request an individual can make to obtain access to their data) or dealing with a data breach will be much more manageable. So when things go wrong, which even with the very best intentions they might, you will have plans in place to deal with it.
The much talked about fines and bad publicity can be avoided if you can be seen to have taken positive steps towards compliance.
Focusing on the data subject’s rights and freedoms
The UK GDPR discusses the need for data controllers to implement ‘data protection by design’ and ‘data protection by default’.
These concepts are a legal requirement and need to be engrained into the very fabric of an organisation to really have an effect. Their purpose is to ensure that privacy is a main ingredient in any new type of processing or product. This might include new tech, e.g. a new app or file sharing site.
To help mitigate the potential risks that this type of new processing may bring, it is important to carry out data protection impact assessments, or DPIAs as they are known.
This process can help by applying a question-and-answer approach to the risk faced, with a report as an outcome. A decision can be made on the future of the project or the processing based on this report, therefore helping to mitigate any risk.
The cornerstone of the UK GDPR centres on transparency and fairness; it’s about data subjects knowing what will be or has been done with their data. This might be especially relevant when dealing with people who might be in need.