Letting and estate agents collect a fair bit of data from prospective property purchasers and even more from prospective tenants. This has only been exacerbated by the Covid pandemic with pressure from vendors and landlords being applied to pre-qualify purchasers and tenants in order to minimise viewings. Interestingly, the Irish Data Protection Commissioner (DPC), the GDPR regulator for Eire, has issued two guidance documents on these topics. Naturally, these need to be viewed with care. Eire is not the UK and it has its own regulator. We are also technically operating on a slightly different version of the GDPR now as the UK has its own GDPR flavour post-Brexit. That said, the Irish have often taken a pretty similar line to the UK on GDPR matters and we are not so far diverged at this stage that guidance on the GDPR in Ireland is of no value here.
The guidance on tenants has been around for some time. One of the key points it makes is that consent is not the appropriate means of collecting data from prospective tenants for referencing and other purposes. Given the power imbalance between landlord and tenant and the fact that a refusal to hand over the data would lead to the prospective tenant being refused the tenancy it is not realistic to say that consent is freely given. This remains a notable issue with many letting agents still asking prospective tenants to “consent” to their data being used to assess their suitability for the tenancy. The DPC is of the view that the appropriate processing bases are in fact contract as the landlord and tenant are intending to enter into an agreement, legitimate interests in terms of protecting the legitimate interests of the landlord, and legal obligation where there is a legal obligation to collect certain data.
The DPC is concerned to point out that the principle of data minimisation should apply. That means that prospective tenants should not be asked for extensive information prior to viewing a property but at the point that they are being referenced. The principle of purpose limitation is also important here as data should only be collected and stored for a specific declared purpose (ie. not “just in case you decide to go ahead with this property”) and only used for that purpose.
These lessons are no less applicable in the UK. Excessive data collection from prospective tenants has long been an issue with some landlords seeking information about mental health and other irrelevant matters. There has also been considerable pressure to ask for more data earlier in the process. The DPC guidance makes clear that this is wrong.
The DPC has issued a second guidance more recently after some reports of agents seeking substantial data to “pre-qualify” purchasers before viewings. A similar thing has been happening in the UK. In some cases agents have simply asked for confirmation that an offer has been made, usually by way of an email from an agent, but in some cases there is extensive data being sought and a requirement to speak to a mortgage broker to confirm that there are funds in place to pay for the property. The DPC is of the view that this activity breaches the GDPR. In particular, they suggest that this breaches the principle of data minimisation which requires organisation to collect no more data than they need for a specific task. The DPC is of the view that financial data is not needed to arrange a viewing and is more appropriate to a later stage in the process. Given that many of the discussions with mortgage brokers in order to carry out “pre-qualification” are also used by those same mortgage brokers to sell their services the practice is certainly questionable and open to challenge under the GDPR.
While the ICO has not opined on these issues and the Irish DPC is not the regulator for the UK, agents would be well advised to consider the guidance and make sure their own procedures are not demanding excessive data at an inappropriately early stage.