The big data dilemma: how housing associations are tackling new data protection challenges

After recent reports of data vulnerabilities at housing associations, James Wilmore finds out how the sector is tackling issues around data protection. Illustration by Gary Bates

When news broke last month that Home Group had to contact around 4,000 of its residents about possible data vulnerabilities in its IT systems, housing associations took notice.

Fortunately, there was no evidence that a log, which contained personal information of 11 of Home Group’s residents, had been used. Contacting the other 4,000 residents was a precaution for the landlord. But across the River Tyne, at Sunderland-based Gentoo, it sparked interest.

“People heard it on the radio and by the time I got back to my desk, I’d had two or three emails saying, ‘Have you seen this?’” Paul Sandersfield, head of data governance at Gentoo, tells Inside Housing.

The reaction illustrates how the sector is on heightened alert around data protection.

It was the second high-profile data issue at an association this year following a breach at Midlands-based Bromford in March, which saw the group mistakenly leak the personal information of 253 of its residents.

But much of the increased awareness is down to two big changes last year – the introduction of the EU General Data Protection Regulation (GDPR) and an update to the UK’s own Data Protection Act.

Effectively, GDPR is a shift in how organisations should handle the information of their customers. And the financial penalties for those that breach these requirements are eye-watering. British Airways is facing a fine of £183m from the Information Commissioner’s Office (ICO) for GDPR infringements. Meanwhile, the ICO has also set out its intention to fine hotel group Marriott for infringements after 339 million guest records were exposed in a cyber incident.


While fines of this nature have not been handed out in the social housing sector, incidents of breaches are on the rise. Figures provided to Inside Housing by the ICO show that in the seven months to October this year, the ICO recorded 86 individual incidents of data breaches involving housing associations. This is compared to 74 incidents between August last year and March this year.

So what is causing this, and what are the risks for housing associations? Mr Sandersfield points to the problem of phishing emails and the fact that it is a hacker’s job to “keep one step ahead”.

For him, when it comes to breaches the number one risk is human error. “We see people accidentally doing the wrong thing, emailing the wrong person, attaching the wrong file, or leaving information in the file,” he says. “Phishing emails have gone through the roof over the past few years.”

In Scotland, hackers are targeting the sector. The Scottish Housing Regulator (SHR) said last month it had been told of several recent incidents of fraud against social landlords through cyber attacks. In at least one incident, hackers gained access to personal data, the SHR said.

Cyber attacks are a particular risk for housing associations, as they handle vast amounts of data. As Eeshma Qazi, a solicitor who specialises in data protection at law firm Anthony Collins, explains: “Housing associations historically hang on to a huge pile of data. At some point they might have taken something over from a council and sometimes they may not even know what data they hold. And the more you hold, the more you are accountable for.”

She adds: “Sharing and oversharing data, disclosing it in error, either to unauthorised people or by accident via misdirected emails or letters, is a risk area.”

Her advice to associations is to think about whether the data they have and the collection of it is still lawful, under current data laws. She says: “For example, when associations send in contractors to a property they might say, ‘Visit this property in pairs as the person has a criminal record or a mental health condition.’ So the question is: how much of that data should be there?”

But GDPR appears to have sharpened minds. Companies and organisations covered by GDPR are also required to nominate a dedicated data protection officer.

 

Top tips on data protection

  • Consider if collecting and using the data is still lawful under GDPR. Or should you update your data collection, approach to retention and consent mechanisms? Or all three?
  • Run quality checks on housing databases and any downloads you are working from, to ensure data has not been mixed up in error, and to check for general accuracy and gaps.
  • Getting security procedures right in customer services – for example security questions and passwords – is key to ensuring data is not shared with unauthorised people. Training is crucial, to ensure staff know the security rules, but also how important the security is.
  • Good record management will help when handling data subject access requests and other rights, as will an understanding of how to apply exemptions.
  • If housing associations only keep personal data for as long as necessary and do regular data cleanses, they are likely to have less to trawl through and disclose.
  • In dealing with contractors, due diligence needs to be done and contracts need to be reviewed to ensure that they are commercially sound and not just GDPR compliant. Ultimately, housing associations may take risk-based approaches with larger service providers.
  • Do not think of data protection as a tick-box compliance exercise, but embed it into behaviours top-down. Think how you would like your own personal information to be treated and remember that the trust of residents and employees is of huge value to housing associations.

Tips supplied by Eeshma Qazi, solicitor, Anthony Collins

He is also aware that tenants are often being advised to put in a request by their solicitor during disputes. “I’ve seen more and more requests from solicitor firms in support of their client,” says Mr Sandersfield. “And they want everything. I guess they are looking for a chink in the armour.”

He adds: “It’s almost a little victory for the common man against the corporate, which is frustrating, but they are entitled to it.”

G15 housing association Network Homes has been forced to grapple with similar issues over access requests. “There are some tenants that will make an access request every three months,” says Tabitha Kassem, director of governance, legal and compliance at Network. Last year Network even recruited a new member of staff whose sole responsibility is dealing with the requests.

But there can be a positive outcome from complaints, she suggests. “Generally, we find that people are aggrieved for a good reason and often we might become alert to a wider issue within the business,” she says.

Network has mailed out hard copies of its privacy policy to all 22,000 of its residents. Due to access requests, Network has also reminded staff to be careful what to include in emails. As part of a request, an association can be forced to hand over any email that refers to a tenant.

Ms Qazi says she has also noticed a jump in access requests and advises landlords to get rid of any historical data that is no longer required.

With this increased focus on data protection, moves are being stepped up to tackle the issue. Ms Kassem says she is in the early stages of working with others to draw up a housing code of conduct for data protection and will be meeting with the National Housing Federation (NHF). She hopes the ICO will sign off the code.

Paul Bayly, head of governance and compliance at the NHF, confirms to Inside Housing that it has held “initial conversations” with its members to see if a data protection code of conduct would be “helpful”. He adds: “If it is, then we can start working with housing associations and the ICO to develop one.”

Elsewhere, Gentoo’s Mr Sandersfield has launched a working group among North East associations.

Despite being an EU-based piece of legislation, GDPR looks set to stay. The UK will, according to Ms Qazi, implement a similar version of GDPR called UKGDPR, even if we eventually leave the EU.

In the meantime, for those at housing associations involved in data protection, being on constant alert is vital. “It’s a daily issue for me,” admits Mr Sandersfield. But he says it helps that GDPR has meant there is more awareness of data protection.

As Ms Qazi concludes: “It’s not a tick-box exercise, it’s about embedding behaviours. GDPR is not just for Christmas, it’s for life.”
