For housing providers, storing significant amounts of personal data is now the norm. Much of it is a natural response to the challenges thrown at the sector over the last few years, such as welfare reform and universal credit, as well as identifying protected characteristics to ensure that we are offering a fair service that reflects diversity among our tenants.
We are typically well-run businesses with good governance. I would say the majority of housing providers want to do the right thing, understand their obligations, employ internal auditors, have policies in place for everything and have the benefit of quite simple business models. So, surely we are all ‘acing’ those data protection principles then?
Well, no. The sector has always had a ‘we know you’re there but if we don’t make eye contact, you’ll leave us alone’ relationship with the Information Commissioner and a ‘does that really apply to us?’ attitude towards the Data Protection Act 1998. Why? Well, I have a theory about why the sector is generally not as hot on data protection as it should be.
The first reason is housing management systems. They just don’t have the tools within them to handle the existing principles that came into force 16 years ago. You would think that by now we would have the appropriate controls within those systems to manage data retention, ensure appropriate consent is recorded, handle data subject access requests and allow the secure transit of data to other parties.
The second reason is attitude. We just don’t care that much about it as businesses. Only IT people tend to get worked up about it and everyone else just wonders why they are getting so animated. It isn’t difficult to resolve this one; making everyone aware of data protection legislation is an absolute must and the ICO would expect annual refresher training to be mandatory. You should use this as a mechanism to drive the data protection agenda in your organisation.
More importantly, there is the causal link. The systems are not compliant because we don’t think it’s that important. Also, because the systems are not compliant, we don’t want to draw attention to that. One of the best things I’ve done is to implement privacy impact assessments (PIA) for new systems, processes and policies. Rather like when you get to see how clean your teeth really are, a PIA is a nice big disclosing tablet which shows you how you can provide privacy and comply with the DPA. It is also worth mentioning that if you do one of these as part of your next IT tendering process, you’ll be amazed at the discussions you will have.
Typically, change requires a catalyst. The good news is there is a catalyst in the near future which will allow you to up your game.
As Father Christmas was starting to prepare his Christmas deliveries, the three institutions that form the EU (parliament, commission and council) reached their tripartite agreement on the new General Data Protection Regulation (GDPR), a replacement for the 1995 directive that most of you will recognise as the Data Protection Act 1998.
The EU realised that a single harmonised framework for data protection was the way forward, replacing the patchwork quilt of legislation for each country that met the minimums of the 1995 directive, but also reflected the very specific attitudes of each country.
The new agreed texts will now go back to the council and the parliament for ratification. Once the final text has been translated into all of the EU languages, it will be formally signed by the presidents of the parliament and the council and then published in the Official Journal.
It should be in force from 2018. I won’t bore you with lots of detail; you can look it up online (make sure you read the latest text agreed in December 2015) or engage with one of the data protection consultants in the sector. What you can’t afford to do is to keep your head buried in the sand.
Hopefully, we all have finance departments; teams of people who specialise in understanding where money enters the business in the form of income, what it does while it’s there, and where it leaves in the form of expenditure. Transactional data is recorded and reconciliations are carried out to ensure that we can all comply with accounting practices. Why? Money has a value.
Well, information has a value too. It has a value to the person whose data it is. It also has a value to the business. Indeed, if the value of the data is zero, we shouldn’t hold onto it. So, why not track it and ensure that it still has value? The new regulations tighten up on ‘consent’ to the point where we will have to start tracking personal data. When a tenant fills out a form, we need to record that data along with some metadata that says that it came from a particular form that we received on a certain date, that they gave explicit consent and that we said we would store it for a certain amount of time or delete it once it was worthless to us. We need the record keeping because if we fail to record things, we could be liable to a fine of 2 per cent of our turnover. Can you think about how you would record this metadata for each element of data, or even type of data, in your housing management system?
Well, if we apply the right amount of pressure to housing management system providers, then we will get the tools to manage information in that way, to start thinking about it as a valuable entity, just like the money. After all, you wouldn’t buy a housing management system that couldn’t handle income correctly. So, we need to ensure that they will work with the new regulations and that they support us. I would urge user groups for housing systems to start discussing this as soon as you can to provide a set of standard requirements for them to implement in their systems.
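One way to model the per-item metadata described above (source form, date received, explicit consent, agreed retention period, and whether the data still has value) is sketched below. This is an added example, not code from the article or from any housing management system; the field names, action labels and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class PersonalDataItem:
    tenant_id: str          # hypothetical identifier
    field_name: str         # which element of personal data this is
    source_form: str        # the form the data arrived on
    received_on: date       # when that form was received
    explicit_consent: bool  # was explicit consent recorded on the form?
    retention_days: int     # how long we said we would keep it
    still_needed: bool = True  # False once the data has no value to us

    @property
    def delete_after(self) -> date:
        return self.received_on + timedelta(days=self.retention_days)

def review(item: PersonalDataItem, today: date) -> str:
    """Classify one item: keep it, or say why it needs attention."""
    if not item.explicit_consent:
        return "consent-missing"
    if not item.still_needed:
        return "delete-worthless"
    if today > item.delete_after:
        return "delete-expired"
    return "keep"

def retention_report(items, today: date) -> dict:
    """Group every item that is not 'keep' by the action it needs."""
    report = {}
    for item in items:
        action = review(item, today)
        if action != "keep":
            report.setdefault(action, []).append(
                (item.tenant_id, item.field_name, item.source_form))
    return report

# Constructed sample records; the retention periods are illustrative values.
ITEMS = [
    PersonalDataItem("T-1001", "ethnicity", "tenancy-application", date(2016, 1, 10), True, 2190),
    PersonalDataItem("T-1001", "bank_account", "direct-debit-mandate", date(2014, 3, 1), True, 365),
    PersonalDataItem("T-1002", "health_notes", "support-referral", date(2016, 2, 1), False, 365),
    PersonalDataItem("T-1003", "next_of_kin", "tenancy-application", date(2016, 2, 5), True, 730, still_needed=False),
]

if __name__ == "__main__":
    for action, rows in retention_report(ITEMS, date(2016, 3, 1)).items():
        print(action, rows)
```

Run as a scheduled job, a report like this gives the same kind of reconciliation for personal data that the finance team already performs for money.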
In the meantime, start to think about data protection in everything you do. Privacy impact assessments are a great idea to help you do that and you could start doing these now. Start now, but start small. You could do risk assessments on your contractors to see how good they are at data protection. There are lots of useful resources on the ICO website (ico.org.uk) or you could go to one of the data protection consultancies in the housing sector.
Paul Rowley is head of information services at Havebury Housing Partnership.