Protecting personal data is a challenge faced by all organisations, both public and private. The Data Protection Act 1998 (DPA) governs how corporate bodies use personal data (defined as data from which a living person can be identified) and failure to comply with it can result in hefty fines and considerable reputational damage.
Understanding what the DPA requires is particularly crucial for housing associations which, quite legitimately, hold a considerable amount of personal data relating to their tenants, some of which is shared with third party organisations such as maintenance contractors.
In May 2018, a new set of EU regulations, the General Data Protection Regulation (GDPR) will come into force, representing the biggest change to the EU data protection regime in 20 years. Currently the Information Commissioner’s Office (ICO) is able to issue fines of up to £500,000 for serious breaches of the DPA; once the GDPR comes into force the ICO will be able to issue fines of up to 4% of global annual turnover for the preceding year (for undertakings) or 20 million Euros, whichever is greater. Therefore, this is the time to check that your association is fully compliant with the DPA – and don’t assume that Brexit will intervene as these regulations come in before the UK’s exit from the EU.
The ICO has, very helpfully, produced five top tips for preventing data breaches which can be found on its website:
- Tell people what you are doing with their data
Be open and honest when telling people what you are doing with their information and who it will be shared with. This is both a legal requirement and established best practice.
- Make sure your staff are adequately trained
Appoint and train a Data Protection Officer to help you comply with the DPA. New employees must be trained on how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
- Use strong passwords
To protect your data against hackers, it is essential to have strong passwords. All passwords should contain upper and lower case letters, a number and ideally a symbol.
- Encrypt all portable devices
Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
- Only keep people’s information for as long as necessary
Make sure your organisation has a process in place to review how long data has been held and whether it is still required. If no longer needed, it must be deleted.
The Data Protection Act (DPA) sets out eight principles governing the management of personal data, which require that personal data is:
- processed fairly and lawfully
- obtained only for specified and lawful purposes
- adequate, relevant and not excessive
- accurate and kept up to date
- not kept longer than is necessary for the purposes for which it is processed
- processed in accordance with the individual’s rights
- kept secure
- not transferred to a country or territory outside the European Economic Area unless that country or territory has adequate protection for the individual.
Data Action Network
In order to help housing associations and other organisations manage both current data protection challenges (including consent, data sharing, people's rights and transparency, and records management systems) and the General Data Protection Regulation, we have created a Data Action Network. The DAN network was initially piloted in England and Wales as a set of regional community-based networks of professionals to help them mitigate the risk of enforcement action. The ICO said: “The ICO wants to work with all sectors to help improve compliance with the Data Protection Act. Having regional networks allows the ICO to engage with the housing and care sector and we are happy to support events organised by the DAN network. Having the trust of tenants and service users is an extremely valuable resource which shouldn’t be squandered on preventable data breaches.”
Do not underestimate the risk of a data breach
It is essential that you do not underestimate the risks associated with poor data management or the importance of good compliance. Collecting, using and storing personal data is a sensitive matter particularly in the light of rising cyber crime and the penalties are severe – and set to get more severe – for breaches of the DPA. When creating robust procedures to comply with the Data Protection Act, it is worth considering the following question: “If this was my data, how would I want it dealt with?”