Domestic Abuse – Social Housing Tenancy Provisions: Statutory Guidance for Social Landlords

14. Data Protection Considerations

14.1 The Information Commissioner’s (ICO’s) Data Sharing Code: Data sharing: a code of practice | ICO sets out the practical steps that need to be taken to share data in a fair, safe and transparent way while also protecting people’s privacy.

14.2 The data protection regime in the UK consists of two pieces of legislation: the UK General Data Protection Regulation (UKGDPR), which replaced the EU GDPR following the UK’s exit from the European Union in 2020; and the Data Protection Act 2018, which provides additional conditions and exemptions to the UK GDPR. It also governs processing for law enforcement purposes, in Part 3.

14.3 When gathering and sharing evidence to support the use of the new abusive behaviour ground, social landlords and their partner agencies will need to demonstrate that they are complying with the provisions contained in the data protection legislation including adhering to the 7 general principles of data protection as set out in the UK GDPR which are:

• Lawfulness, fairness and transparency - The processing of data must be lawful, fair and transparent. Transparency requires controllers to be clear, open and honest about the data they process, for example by updating their privacy notices to include changes related to the processing of personal data or new purposes for processing personal data.
• Purpose limitation - The purposes for processing of data must be specified, explicit and legitimate and data must not be further processed in a manner that is incompatible with those purposes.
• Data minimisation - Personal data must be adequate, relevant and not excessive. Social landlords should ensure that they process enough data to fulfil the purposes they are processing for, but not more than this.
• Accuracy - Personal data must be accurate and kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.
• Storage limitation - Personal data to be kept no longer than is necessary. Social landlords should establish and document retention periods for personal data which imbeds a practice of regular review. Social landlords should also consider how long they need to keep the evidence gathered, which may depend on the outcome of the individual case.
• Integrity and confidentiality (security) - Personal data to be processed in a secure manner.
• Accountability - The data controller takes responsibility for what is done with the personal data and how that complies with the other principles.

14.4 Social landlords may share data with partner agencies such as Police Scotland, Local Authorities and the Scottish Courts and Tribunal Service in certain circumstances.

14.5 Social landlords should consider reviewing any relevant data sharing policies and any relevant Information Sharing Agreements/Protocols in advance of using the provisions at Part 2 of the 2021 Act once in force.

14.6 Social landlords may find assistance from the resources in the ICO’s data sharing information hub. In particular, the data sharing agreements section and the data sharing decision form template may be of assistance.

14.7 The ICO recommend that any organisation sharing data, as a first step, carry out a Data Protection Impact Assessment (DPIA), even if they are not legally obliged to carry one out.^[16] Organisations are obliged to carry out a DPIA for data sharing that is likely to result in a high risk to individuals. Carrying out a DPIA is an example of best practice, allowing organisations to build in openness and transparency.

14.8 A DPIA will help social landlords and their partner agencies to assess risks in their planned data sharing and determine the safeguards required to mitigate risk and document these. This will also help to provide reassurance to those whose data the organisations plan to share.

14.9 Social landlords will process the data gathered under Part 2 of the Data Protection Act 2018. The obligation lies on the controller who holds the information to be satisfied that any sharing is authorised by law.

Special category data

14.10 It is highly likely that social landlords will be processing special category data, particularly when seeking information from the victim/survivor.

14.11 The UK GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

14.12 This type of data needs to be treated with greater care because collecting and using it is more likely to interfere with a person’s fundamental rights or open someone up to discrimination. The ways in which social landlords and their partner agencies safeguard special category data could include:

• Additional security measures for special category data;
• Ensuring they have a clear and strong justification for collecting special category data, taking into account the data minimisation principle;
• Completing or updating documentation such as a data protection impact assessment, and identifying whether an ‘appropriate policy document’ is needed.

14.13 Article 9 of the UK GDPR prohibits the processing of special category data unless it falls under one of the 10 conditions for processing special category data. Social landlords are encouraged to consider how best to comply with the requirements of Article 9 and which condition applies in each individual case. The ICO’s guidance on special category data may be of assistance in this regard.

Criminal offence data

14.14 The UKGDPR gives extra protection to ‘personal data relating to criminal convictions and offences or related security measures’. This covers information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings. It is highly likely that social landlords will be in the position of processing criminal offence data. As such, social landlords will need to ensure that they are compliant with Article 10 of the UKGDPR.

14.15 Article 10 restricts the processing of criminal offence data and provides that it can only be processed if it is:

• under the control of official authority; or
• authorised by domestic law. In the UK, this means you need to meet one of the conditions in Schedule 1 of the DPA 2018.

14.16 Social landlords are encouraged to consider the ICO’s guidance on criminal offence data.

Children’s data

14.17 There might be some circumstances in which social landlords require to process the personal data of children. Children are to receive specific protections when processing their personal data. Social landlords are encouraged to consider the ICO’s general approach to processing children’s data, in particular the rights that children have around the use of their personal data.

14.18 Data controllers should:

• take into account the transparency requirements under the right to be informed;
• ensure that all documentation is accessible to children; and
• ensure that there are processes in place to handle requests made on behalf of a child by a parent or carer.

14.19 The priority of the social landlord as a controller in all cases must be to protect all personal information relating to children and to ensure it is processed in a manner that serves their best interests.