Civica’s executive director for housing and asset management, Jeff Hewitt, looks at the results of a recent survey into privacy policies for housing providers ahead of the 2018 GDPR legislation.
When it comes to the collection and storage of extremely sensitive data, housing providers often hold vast amounts of records about both their tenants and the communities they support. As well as general contact, tenancy and financial information, this data can include details on people living with a disability as well as information on elderly or vulnerable people.
In addition, housing providers mostly provide various services to tenants, and use external contractors as well as collecting information digitally. This can mean that it’s far too easy to share sensitive data across different organisations and departments without recognising the legal implications and increase the risk of sensitive data being lost or hacked.
Therefore before GDPR comes into play next May, there are practical and important steps that housing providers should take; one of the first is a thorough review of your organisation’s privacy policy.
In partnership with MyLife Digital, Civica compiled a report to help housing providers identify gaps in their privacy policies to better prepare for GDPR. We’ve analysed the privacy policies of 100 housing providers across England, Scotland and Wales, while researching the requirements of GDPR and reading the guidance from the Information Commissioner’s Office (ICO) regarding its findings against organisations that have breached the current Data Protection Act 1998.
Our research looked at a number of key measures of how the current privacy policies of the studied housing providers measured up:
- Around 18 per cent of housing providers don’t have a privacy policy, which is substantially higher than the top 100 UK charities (eight per cent) or local authorities (four per cent).
- A staggering 99 per cent of housing providers do not mention profiling in their policies, while under the GDPR, it should clearly state how collected data is used to create profiles.
- 52 per cent of privacy policies scrutinised showed a clear reference to sharing of data; a practice which is highly likely to occur in housing associations.
- Looking at how long data is kept, the majority (96 per cent) do not mention details; but under GDPR it will be essential to consider how long we retain data and verify that this period has been considered and documented.
- One of the most significant changes under GDPR is for housing providers (and all public bodies) to have a named data controller or processor, but only 12 per cent clearly state a named person in their current privacy policy.
Complying with GDPR will inevitably involve increased work, time and cost in implementing strategies and processes to comply. Yet, if done in the right way, the opportunity it creates to build or strengthen trust could well outweigh these issues. Now is the time to not only protect your organisation, but also go a step further; to build and deepen trust with your tenants.
Jeff Hewitt is the executive director for housing and asset management at Civica.
