At the June Chartered Institute of Housing Conference in Manchester, the Information Commissioner (ICO) highlighted some of the key data protection issues faced by social housing organisations.
The ICO had already published a report in February 2014 in relation to its findings, following advisory visits to nine social housing organisations. The ICO undertook such visits to gain a better understanding of the processing and handling of personal data by social housing organisations. ICO staff attending these visits also provided guidance and advice to the organisations and subsequently issued them with short reports.
The ICO report addresses 20 challenges for social housing organisations, such as data sharing, remote working, training, staff awareness, policies and security.
Firstly, it was noted that housing organisations often have to regularly share personal data with other organisations. This can be in the normal course of business, but can also relate to debt recovery and legal proceedings for damage to property. The ICO found that, in most circumstances, formal policies and procedures were not in place for this type of data sharing. In order to remedy this, the ICO advises that data sharing agreements are an effective method of ensuring good practice and compliance with data protection rules. Data sharing agreements can specify when information will be shared, for what purposes, how information will be processed and how data will be disposed.
Secondly, remote working was identified as an area where data protection issues can arise. It was also noted that many organisations do not have a formal policy regarding remote or home working. This may be a real issue for social housing organisations as this type of working may often involve employees carrying large volumes of personal data in paper form or on portable electronic devices. Putting a policy in place would allow an organisation to assess when remote or home working is appropriate, place technical controls for the security of data and, furthermore, make employees aware of their responsibilities when working remotely or from home.
Training is an important tool for social housing organisations. It was reported that each of the organisations visited provided differing levels of training to its employees in relation to data protection rules and procedures. Training should be carried out regularly and training content should be reviewed on an annual basis.
Moreover, security issues were documented in the report as being a challenge to an organisation on a variety of levels such as: physical security regarding premises; printing security and password security. The ICO advises that organisations should consider zone-restricted access for employees and that IT security should be in place to control access to personal data and printing of data.
The ICO report highlights the importance of data protection compliance and also stresses how easy it can be for a breach to occur. The consequences of a data protection breach can be very costly to an organisation from both a financial and reputational viewpoint. The ICO recently issued an enforcement notice to Wolverhampton City Council due to sensitive personal data being released in error by a social worker, and notably, in March 2014, the British Pregnancy Advice Service was fined £200,000 for data protection breaches.
Implementation of appropriate procedures combined with regular, updated training and good procedures can reduce the risk of breaches occurring. Although these processes can be costly to an organisation, it is important to weigh up costs of implementing them against financial and reputational loss if a breach was to occur.
The ICO report can be viewed here.